e13051091b47bf5a1174877b14a2a63b9f6095df1a7a55735098b081f9e02c29

Analysis

max time kernel
148s
max time network
480s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2022 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

robloxapp-20221114-0929554.wmv
Size

3.3MB
MD5

680ca8d5d1ad9e8f1dc66dd6ab4a6672
SHA1

69ac1bdea7d32b2d017a132471885db5e38af2ac
SHA256

e13051091b47bf5a1174877b14a2a63b9f6095df1a7a55735098b081f9e02c29
SHA512

c3503a7438f7ce424aaff29ef02cd63788df6b38f1ce86b5e414fcd358aa8c7b930dfc5682678e214377de4f7e5b9c1c42d0211785173fd345195df77ec9ed2c
SSDEEP

98304:1sn/tq2Uo9H2o9T9GUfV7w96x2g4LGYAhm:i423H2ITwUK6LY3

Score

8^/10

bootkit discovery evasion exploit persistence

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

Holzer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Holzer.exe

Disables Task Manager via registry modification
evasion
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

icacls.exetakeown.exe

pid process

6288 icacls.exe
9388 takeown.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exe

pid process

6288 icacls.exe
9388 takeown.exe

pid	process
6288	icacls.exe
9388	takeown.exe

pid	process
6288	icacls.exe
9388	takeown.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

unregmp2.exe

description	ioc	process
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\F:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Holzer.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Holzer.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

5924 sc.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Holzer.exe

pid	process
5924	sc.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3060	4400	WerFault.exe
9052	8788	WerFault.exe	OneDriveSetup.exe
9040	8884	WerFault.exe	OneDriveSetup.exe
2240	5292	WerFault.exe	Windows.WARP.JITService.exe
3484	8552	WerFault.exe	WWAHost.exe

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bootcfg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	bootcfg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	bootcfg.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

9912 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

9572 tasklist.exe

pid	process
9912	timeout.exe

pid	process
9572	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXE

pid process

5788 ipconfig.exe
7292 NETSTAT.EXE
Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

SystemInfo.exesysteminfo.exe

pid process

3328 SystemInfo.exe
5124 systeminfo.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

9540 taskkill.exe

pid	process
5788	ipconfig.exe
7292	NETSTAT.EXE

pid	process
3328	SystemInfo.exe
5124	systeminfo.exe

pid	process
9540	taskkill.exe

Modifies registry class 22 IoCs

Processes:

calc.execertreq.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\MRUListEx = ffffffff	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 = 5a0031000000000072553b96100053797374656d33320000420009000400efbe874f7748000000002e000000b90c00000000010000000000000000000000000000005a0e7c00530079007300740065006d0033003200000018000000	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = 00000000ffffffff	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 = 56003100000000000c55629d100057696e646f777300400009000400efbe874f7748000000002e00000000060000000001000000000000000000000000000000f0871201570069006e0064006f0077007300000016000000	certreq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\NodeSlot = "3"	certreq.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

8808 PING.EXE
Runs regedit.exe 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

2992 regedit.exe
8612 regedit.exe

pid	process
8808	PING.EXE

pid	process
2992	regedit.exe
8612	regedit.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
4516	chrome.exe
4516	chrome.exe
796	chrome.exe
796	chrome.exe
4848	chrome.exe
4848	chrome.exe
3612	chrome.exe
3612	chrome.exe
400	chrome.exe
400	chrome.exe
4400	chrome.exe
4400	chrome.exe
3820	chrome.exe
3820	chrome.exe
4576	chrome.exe
4576	chrome.exe
4984	chrome.exe
4984	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Holzer.exe

pid process

1768 Holzer.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exe

pid process

796 chrome.exe
796 chrome.exe
796 chrome.exe
796 chrome.exe
796 chrome.exe
796 chrome.exe
796 chrome.exe
796 chrome.exe

pid	process
1768	Holzer.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

unregmp2.exeAUDIODG.EXEHolzer.exesvchost.exeauditpol.exe

description	pid	process
Token: SeShutdownPrivilege	2556	unregmp2.exe
Token: SeCreatePagefilePrivilege	2556	unregmp2.exe
Token: 33	360	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	360	AUDIODG.EXE
Token: SeSystemtimePrivilege	1768	Holzer.exe
Token: SeSystemtimePrivilege	1768	Holzer.exe
Token: SeSystemtimePrivilege	1768	Holzer.exe
Token: SeSystemtimePrivilege	1768	Holzer.exe
Token: SeSystemtimePrivilege	1768	Holzer.exe
Token: SeShutdownPrivilege	4492	svchost.exe
Token: SeShutdownPrivilege	4492	svchost.exe
Token: SeCreatePagefilePrivilege	4492	svchost.exe
Token: SeSecurityPrivilege	4336	auditpol.exe
Token: SeSystemtimePrivilege	1768	Holzer.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

chrome.exe

pid	process
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OpenWith.execertreq.exe

pid process

3728 OpenWith.exe
3200 certreq.exe

pid	process
3728	OpenWith.exe
3200	certreq.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wmplayer.exeunregmp2.exechrome.exe

description	pid	process	target process
PID 676 wrote to memory of 4304	676	wmplayer.exe	setup_wm.exe
PID 676 wrote to memory of 4304	676	wmplayer.exe	setup_wm.exe
PID 676 wrote to memory of 4304	676	wmplayer.exe	setup_wm.exe
PID 676 wrote to memory of 5108	676	wmplayer.exe	unregmp2.exe
PID 676 wrote to memory of 5108	676	wmplayer.exe	unregmp2.exe
PID 676 wrote to memory of 5108	676	wmplayer.exe	unregmp2.exe
PID 5108 wrote to memory of 2556	5108	unregmp2.exe	unregmp2.exe
PID 5108 wrote to memory of 2556	5108	unregmp2.exe	unregmp2.exe
PID 796 wrote to memory of 2696	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 2696	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 3816	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 4516	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 4516	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 4364	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 4364	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 4364	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 4364	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 4364	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 4364	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 4364	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 4364	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 4364	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 4364	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 4364	796	chrome.exe	chrome.exe
PID 796 wrote to memory of 4364	796	chrome.exe	chrome.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

7200 attrib.exe
3040 attrib.exe

pid	process
7200	attrib.exe
3040	attrib.exe

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:7 /Open "C:\Users\Admin\AppData\Local\Temp\robloxapp-20221114-0929554.wmv"
1⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:7 /Open "C:\Users\Admin\AppData\Local\Temp\robloxapp-20221114-0929554.wmv"
2⤵
PID:4304

C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
2⤵
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdf5c04f50,0x7ffdf5c04f60,0x7ffdf5c04f70
2⤵
PID:2696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1648 /prefetch:2
2⤵
PID:3816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2000 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 /prefetch:8
2⤵
PID:4364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2984 /prefetch:1
2⤵
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2940 /prefetch:1
2⤵
PID:3144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
2⤵
PID:4412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4488 /prefetch:8
2⤵
PID:4056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4620 /prefetch:8
2⤵
PID:1796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4604 /prefetch:8
2⤵
PID:2552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4624 /prefetch:8
2⤵
PID:2580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5360 /prefetch:8
2⤵
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5288 /prefetch:8
2⤵
PID:1568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5372 /prefetch:8
2⤵
PID:732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
2⤵
PID:3820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5320 /prefetch:8
2⤵
PID:2620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5484 /prefetch:8
2⤵
PID:1372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:8
2⤵
PID:3888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4900 /prefetch:8
2⤵
PID:3312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2576 /prefetch:1
2⤵
PID:3532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3144 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
2⤵
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3108 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
2⤵
PID:3972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3536 /prefetch:8
2⤵
PID:3840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
2⤵
PID:4216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3892 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3112 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,6623384613375836597,17287805848542894304,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
2⤵
PID:2576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4408

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 476 -p 4400 -ip 4400
1⤵
PID:4396

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4400 -s 1696
1⤵
- Program crash
PID:3060

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\Temp1_Holzer.zip\Holzer.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Holzer.zip\Holzer.exe"
1⤵
- Disables RegEdit via registry modification
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\SysWOW64\agentactivationruntimestarter.exe
"C:\Windows\System32\agentactivationruntimestarter.exe"
2⤵
PID:2000

C:\Windows\SysWOW64\appidtel.exe
"C:\Windows\System32\appidtel.exe"
2⤵
PID:1108

C:\Windows\SysWOW64\ARP.EXE
"C:\Windows\System32\ARP.EXE"
2⤵
PID:2856

C:\Windows\SysWOW64\at.exe
"C:\Windows\System32\at.exe"
2⤵
PID:3576

C:\Windows\SysWOW64\AtBroker.exe
"C:\Windows\System32\AtBroker.exe"
2⤵
PID:3344

C:\Windows\SysWOW64\attrib.exe
"C:\Windows\System32\attrib.exe"
2⤵
- Views/modifies file attributes
PID:3040

C:\Windows\SysWOW64\auditpol.exe
"C:\Windows\System32\auditpol.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\System32\autochk.exe"
2⤵
PID:1464

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\System32\autoconv.exe"
2⤵
PID:4364

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\System32\autofmt.exe"
2⤵
PID:2184

C:\Windows\SysWOW64\backgroundTaskHost.exe
"C:\Windows\System32\backgroundTaskHost.exe"
2⤵
PID:3196

C:\Windows\SysWOW64\BackgroundTransferHost.exe
"C:\Windows\System32\BackgroundTransferHost.exe"
2⤵
PID:3560

C:\Windows\SysWOW64\bitsadmin.exe
"C:\Windows\System32\bitsadmin.exe"
2⤵
PID:4216

C:\Windows\SysWOW64\bootcfg.exe
"C:\Windows\System32\bootcfg.exe"
2⤵
- Checks processor information in registry
PID:4312

C:\Windows\SysWOW64\bthudtask.exe
"C:\Windows\System32\bthudtask.exe"
2⤵
PID:848

C:\Windows\SysWOW64\ByteCodeGenerator.exe
"C:\Windows\System32\ByteCodeGenerator.exe"
2⤵
PID:2488

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe"
2⤵
PID:4124

C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
2⤵
- Modifies registry class
PID:2204

C:\Windows\SysWOW64\CameraSettingsUIHost.exe
"C:\Windows\System32\CameraSettingsUIHost.exe"
2⤵
PID:3820

C:\Windows\SysWOW64\CertEnrollCtrl.exe
"C:\Windows\System32\CertEnrollCtrl.exe"
2⤵
PID:648

C:\Windows\SysWOW64\certreq.exe
"C:\Windows\System32\certreq.exe"
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3200

C:\Windows\SysWOW64\certutil.exe
"C:\Windows\System32\certutil.exe"
2⤵
PID:4340

C:\Windows\SysWOW64\charmap.exe
"C:\Windows\System32\charmap.exe"
2⤵
PID:2908

C:\Windows\SysWOW64\CheckNetIsolation.exe
"C:\Windows\System32\CheckNetIsolation.exe"
2⤵
PID:3344

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\System32\chkdsk.exe"
2⤵
PID:3412

C:\Windows\SysWOW64\chkntfs.exe
"C:\Windows\System32\chkntfs.exe"
2⤵
PID:3196

C:\Windows\SysWOW64\choice.exe
"C:\Windows\System32\choice.exe"
2⤵
PID:4696

C:\Windows\SysWOW64\cipher.exe
"C:\Windows\System32\cipher.exe"
2⤵
PID:5036

C:\Windows\SysWOW64\cleanmgr.exe
"C:\Windows\System32\cleanmgr.exe"
2⤵
PID:848

C:\Windows\SysWOW64\cliconfg.exe
"C:\Windows\System32\cliconfg.exe"
2⤵
PID:4684

C:\Windows\SysWOW64\clip.exe
"C:\Windows\System32\clip.exe"
2⤵
PID:380

C:\Windows\SysWOW64\CloudNotifications.exe
"C:\Windows\System32\CloudNotifications.exe"
2⤵
PID:5100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:4644

C:\Windows\SysWOW64\cmdkey.exe
"C:\Windows\System32\cmdkey.exe"
2⤵
PID:1404

C:\Windows\SysWOW64\cmdl32.exe
"C:\Windows\System32\cmdl32.exe"
2⤵
PID:4240

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\System32\cmmon32.exe"
2⤵
PID:5000

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\System32\cmstp.exe"
2⤵
PID:1108

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\System32\colorcpl.exe"
2⤵
PID:260

C:\Windows\SysWOW64\comp.exe
"C:\Windows\System32\comp.exe"
2⤵
PID:5044

C:\Windows\SysWOW64\compact.exe
"C:\Windows\System32\compact.exe"
2⤵
PID:1816

C:\Windows\SysWOW64\ComputerDefaults.exe
"C:\Windows\System32\ComputerDefaults.exe"
2⤵
PID:4544

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe"
2⤵
PID:3652

C:\Windows\SysWOW64\convert.exe
"C:\Windows\System32\convert.exe"
2⤵
PID:624

C:\Windows\SysWOW64\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe"
2⤵
PID:3972

C:\Windows\SysWOW64\credwiz.exe
"C:\Windows\System32\credwiz.exe"
2⤵
PID:1840

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\System32\cscript.exe"
2⤵
PID:5148

C:\Windows\SysWOW64\ctfmon.exe
"C:\Windows\System32\ctfmon.exe"
2⤵
PID:5224

C:\Windows\SysWOW64\cttune.exe
"C:\Windows\System32\cttune.exe"
2⤵
PID:5272

C:\Windows\SysWOW64\cttunesvr.exe
"C:\Windows\System32\cttunesvr.exe"
2⤵
PID:5368

C:\Windows\SysWOW64\curl.exe
"C:\Windows\System32\curl.exe"
2⤵
PID:5460

C:\Windows\SysWOW64\dccw.exe
"C:\Windows\System32\dccw.exe"
2⤵
PID:5560

C:\Windows\SysWOW64\dcomcnfg.exe
"C:\Windows\System32\dcomcnfg.exe"
2⤵
PID:5652

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe C:\Windows\system32\comexp.msc
3⤵
PID:5676

C:\Windows\SysWOW64\ddodiag.exe
"C:\Windows\System32\ddodiag.exe"
2⤵
PID:5760

C:\Windows\SysWOW64\DevicePairingWizard.exe
"C:\Windows\System32\DevicePairingWizard.exe"
2⤵
PID:5852

C:\Windows\SysWOW64\dfrgui.exe
"C:\Windows\System32\dfrgui.exe"
2⤵
PID:5932

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\System32\dialer.exe"
2⤵
PID:6008

C:\Windows\SysWOW64\diskpart.exe
"C:\Windows\System32\diskpart.exe"
2⤵
PID:5184

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\System32\diskperf.exe"
2⤵
PID:752

C:\Windows\SysWOW64\Dism.exe
"C:\Windows\System32\Dism.exe"
2⤵
PID:5100

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
2⤵
PID:6208

C:\Windows\SysWOW64\dllhst3g.exe
"C:\Windows\System32\dllhst3g.exe"
2⤵
PID:6316

C:\Windows\SysWOW64\doskey.exe
"C:\Windows\System32\doskey.exe"
2⤵
PID:6432

C:\Windows\SysWOW64\dpapimig.exe
"C:\Windows\System32\dpapimig.exe"
2⤵
PID:6496

C:\Windows\SysWOW64\DpiScaling.exe
"C:\Windows\System32\DpiScaling.exe"
2⤵
PID:6600

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" ms-settings:display
3⤵
PID:6660

C:\Windows\SysWOW64\driverquery.exe
"C:\Windows\System32\driverquery.exe"
2⤵
PID:6752

C:\Windows\SysWOW64\dtdump.exe
"C:\Windows\System32\dtdump.exe"
2⤵
PID:6804

C:\Windows\SysWOW64\dvdplay.exe
"C:\Windows\System32\dvdplay.exe"
2⤵
PID:6920

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
/device:dvd
3⤵
PID:6948

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce: /device:dvd
4⤵
PID:7076

C:\Windows\SysWOW64\DWWIN.EXE
"C:\Windows\System32\DWWIN.EXE"
2⤵
PID:7084

C:\Windows\SysWOW64\dxdiag.exe
"C:\Windows\System32\dxdiag.exe"
2⤵
PID:7132

C:\Windows\SysWOW64\EaseOfAccessDialog.exe
"C:\Windows\System32\EaseOfAccessDialog.exe"
2⤵
PID:7164

C:\Windows\SysWOW64\edpnotify.exe
"C:\Windows\System32\edpnotify.exe"
2⤵
PID:5260

C:\Windows\SysWOW64\efsui.exe
"C:\Windows\System32\efsui.exe"
2⤵
PID:5920

C:\Windows\SysWOW64\EhStorAuthn.exe
"C:\Windows\System32\EhStorAuthn.exe"
2⤵
PID:6160

C:\Windows\SysWOW64\esentutl.exe
"C:\Windows\System32\esentutl.exe"
2⤵
PID:6172

C:\Windows\SysWOW64\eudcedit.exe
"C:\Windows\System32\eudcedit.exe"
2⤵
PID:4032

C:\Windows\SysWOW64\eventcreate.exe
"C:\Windows\System32\eventcreate.exe"
2⤵
PID:6460

C:\Windows\SysWOW64\eventvwr.exe
"C:\Windows\System32\eventvwr.exe"
2⤵
PID:5504

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
3⤵
PID:6632

C:\Windows\system32\mmc.exe
"C:\Windows\system32\eventvwr.msc" "C:\Windows\system32\eventvwr.msc"
4⤵
PID:6644

C:\Windows\SysWOW64\expand.exe
"C:\Windows\System32\expand.exe"
2⤵
PID:6844

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe"
2⤵
PID:6672

C:\Windows\SysWOW64\extrac32.exe
"C:\Windows\System32\extrac32.exe"
2⤵
PID:7100

C:\Windows\SysWOW64\fc.exe
"C:\Windows\System32\fc.exe"
2⤵
PID:1696

C:\Windows\SysWOW64\find.exe
"C:\Windows\System32\find.exe"
2⤵
PID:5936

C:\Windows\SysWOW64\findstr.exe
"C:\Windows\System32\findstr.exe"
2⤵
PID:2960

C:\Windows\SysWOW64\finger.exe
"C:\Windows\System32\finger.exe"
2⤵
PID:5220

C:\Windows\SysWOW64\fixmapi.exe
"C:\Windows\System32\fixmapi.exe"
2⤵
PID:5812

C:\Windows\SysWOW64\fltMC.exe
"C:\Windows\System32\fltMC.exe"
2⤵
PID:6656

C:\Windows\SysWOW64\Fondue.exe
"C:\Windows\System32\Fondue.exe"
2⤵
PID:6636

C:\Windows\SysWOW64\fontdrvhost.exe
"C:\Windows\System32\fontdrvhost.exe"
2⤵
PID:6836

C:\Windows\SysWOW64\fontview.exe
"C:\Windows\System32\fontview.exe"
2⤵
PID:6688

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe"
2⤵
PID:7100

C:\Windows\SysWOW64\cmd.exe
/c echo "0409"
3⤵
PID:5944

C:\Windows\SysWOW64\fsquirt.exe
"C:\Windows\System32\fsquirt.exe"
2⤵
PID:5976

C:\Windows\SysWOW64\fsutil.exe
"C:\Windows\System32\fsutil.exe"
2⤵
PID:5956

C:\Windows\SysWOW64\ftp.exe
"C:\Windows\System32\ftp.exe"
2⤵
PID:6212

C:\Windows\SysWOW64\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe"
2⤵
PID:6540

C:\Windows\SysWOW64\GamePanel.exe
"C:\Windows\System32\GamePanel.exe"
2⤵
PID:1216

C:\Windows\SysWOW64\getmac.exe
"C:\Windows\System32\getmac.exe"
2⤵
PID:2692

C:\Windows\SysWOW64\gpresult.exe
"C:\Windows\System32\gpresult.exe"
2⤵
PID:5932

C:\Windows\SysWOW64\gpscript.exe
"C:\Windows\System32\gpscript.exe"
2⤵
PID:2632

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\System32\gpupdate.exe"
2⤵
PID:6760

C:\Windows\SysWOW64\grpconv.exe
"C:\Windows\System32\grpconv.exe"
2⤵
PID:1284

C:\Windows\SysWOW64\hdwwiz.exe
"C:\Windows\System32\hdwwiz.exe"
2⤵
PID:1644

C:\Windows\SysWOW64\help.exe
"C:\Windows\System32\help.exe"
2⤵
PID:6200

C:\Windows\SysWOW64\hh.exe
"C:\Windows\System32\hh.exe"
2⤵
PID:6772

C:\Windows\SysWOW64\HOSTNAME.EXE
"C:\Windows\System32\HOSTNAME.EXE"
2⤵
PID:2444

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6288

C:\Windows\SysWOW64\icsunattend.exe
"C:\Windows\System32\icsunattend.exe"
2⤵
PID:448

C:\Windows\SysWOW64\ieUnatt.exe
"C:\Windows\System32\ieUnatt.exe"
2⤵
PID:1216

C:\Windows\SysWOW64\iexpress.exe
"C:\Windows\System32\iexpress.exe"
2⤵
PID:6768

C:\Windows\SysWOW64\InfDefaultInstall.exe
"C:\Windows\System32\InfDefaultInstall.exe"
2⤵
PID:2684

C:\Windows\SysWOW64\InputSwitchToastHandler.exe
"C:\Windows\System32\InputSwitchToastHandler.exe"
2⤵
PID:2632

C:\Windows\SysWOW64\instnm.exe
"C:\Windows\System32\instnm.exe"
2⤵
PID:5936

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe"
2⤵
- Gathers network information
PID:5788

C:\Windows\SysWOW64\iscsicli.exe
"C:\Windows\System32\iscsicli.exe"
2⤵
PID:5936

C:\Windows\SysWOW64\iscsicpl.exe
"C:\Windows\System32\iscsicpl.exe"
2⤵
PID:2456

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL iscsicpl.dll,,0
3⤵
PID:4908

C:\Windows\SysWOW64\isoburn.exe
"C:\Windows\System32\isoburn.exe"
2⤵
PID:5920

C:\Windows\SysWOW64\ktmutil.exe
"C:\Windows\System32\ktmutil.exe"
2⤵
PID:5220

C:\Windows\SysWOW64\label.exe
"C:\Windows\System32\label.exe"
2⤵
PID:6460

C:\Windows\SysWOW64\LaunchTM.exe
"C:\Windows\System32\LaunchTM.exe"
2⤵
PID:6088

C:\Windows\SysWOW64\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
3⤵
PID:5316

C:\Windows\SysWOW64\LaunchWinApp.exe
"C:\Windows\System32\LaunchWinApp.exe"
2⤵
PID:1216

C:\Windows\SysWOW64\lodctr.exe
"C:\Windows\System32\lodctr.exe"
2⤵
PID:3596

C:\Windows\SysWOW64\logagent.exe
"C:\Windows\System32\logagent.exe"
2⤵
PID:748

C:\Windows\SysWOW64\logman.exe
"C:\Windows\System32\logman.exe"
2⤵
PID:7256

C:\Windows\SysWOW64\Magnify.exe
"C:\Windows\System32\Magnify.exe"
2⤵
PID:7308

C:\Windows\SysWOW64\makecab.exe
"C:\Windows\System32\makecab.exe"
2⤵
PID:7372

C:\Windows\SysWOW64\mavinject.exe
"C:\Windows\System32\mavinject.exe"
2⤵
PID:7428

C:\Windows\SysWOW64\mcbuilder.exe
"C:\Windows\System32\mcbuilder.exe"
2⤵
PID:7484

C:\Windows\SysWOW64\mfpmp.exe
"C:\Windows\System32\mfpmp.exe"
2⤵
PID:7568

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\System32\mmc.exe"
2⤵
PID:7636

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe"
3⤵
PID:7656

C:\Windows\SysWOW64\mmgaserver.exe
"C:\Windows\System32\mmgaserver.exe"
2⤵
PID:7708

C:\Windows\SysWOW64\mobsync.exe
"C:\Windows\System32\mobsync.exe"
2⤵
PID:7752

C:\Windows\SysWOW64\mountvol.exe
"C:\Windows\System32\mountvol.exe"
2⤵
PID:7844

C:\Windows\SysWOW64\MRINFO.EXE
"C:\Windows\System32\MRINFO.EXE"
2⤵
PID:7992

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\System32\msdt.exe"
2⤵
PID:8076

C:\Windows\SysWOW64\msfeedssync.exe
"C:\Windows\System32\msfeedssync.exe"
2⤵
PID:8136

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe"
2⤵
PID:8164

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe"
2⤵
PID:4344

C:\Windows\SysWOW64\msinfo32.exe
"C:\Windows\System32\msinfo32.exe"
2⤵
PID:7296

C:\Windows\SysWOW64\mspaint.exe
"C:\Windows\System32\mspaint.exe"
2⤵
PID:7084

C:\Windows\SysWOW64\msra.exe
"C:\Windows\System32\msra.exe"
2⤵
PID:8136

C:\Windows\system32\msra.exe
"C:\Windows\system32\msra.exe"
3⤵
PID:7760

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\System32\mstsc.exe"
2⤵
PID:7356

C:\Windows\system32\mstsc.exe
"C:\Windows\System32\mstsc.exe"
3⤵
PID:4792

C:\Windows\SysWOW64\mtstocom.exe
"C:\Windows\System32\mtstocom.exe"
2⤵
PID:1452

C:\Windows\SysWOW64\MuiUnattend.exe
"C:\Windows\System32\MuiUnattend.exe"
2⤵
PID:7376

C:\Windows\SysWOW64\ndadmin.exe
"C:\Windows\System32\ndadmin.exe"
2⤵
PID:7372

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe"
2⤵
PID:7836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1
3⤵
PID:1508

C:\Windows\SysWOW64\net1.exe
"C:\Windows\System32\net1.exe"
2⤵
PID:7420

C:\Windows\SysWOW64\netbtugc.exe
"C:\Windows\System32\netbtugc.exe"
2⤵
PID:7176

C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe
"C:\Windows\System32\NetCfgNotifyObjectHost.exe"
2⤵
PID:7468

C:\Windows\SysWOW64\netiougc.exe
"C:\Windows\System32\netiougc.exe"
2⤵
PID:3664

C:\Windows\SysWOW64\Netplwiz.exe
"C:\Windows\System32\Netplwiz.exe"
2⤵
PID:7508

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe"
2⤵
PID:7600

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\System32\NETSTAT.EXE"
2⤵
- Gathers network information
PID:7292

C:\Windows\SysWOW64\newdev.exe
"C:\Windows\System32\newdev.exe"
2⤵
PID:7396

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
2⤵
PID:7392

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\System32\nslookup.exe"
2⤵
PID:8040

C:\Windows\SysWOW64\ntprint.exe
"C:\Windows\System32\ntprint.exe"
2⤵
PID:8004

C:\Windows\SysWOW64\odbcad32.exe
"C:\Windows\System32\odbcad32.exe"
2⤵
PID:8084

C:\Windows\SysWOW64\odbcconf.exe
"C:\Windows\System32\odbcconf.exe"
2⤵
PID:8212

C:\Windows\SysWOW64\OneDriveSetup.exe
"C:\Windows\System32\OneDriveSetup.exe"
2⤵
PID:8244

C:\Windows\SysWOW64\OneDriveSetup.exe
"C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /permachine /childprocess /silent /enableOMCTelemetry /enableExtractCabV2 /cusid:S-1-5-21-2629973501-4017243118-3254762364-1000
3⤵
PID:8788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8788 -s 1352
4⤵
- Program crash
PID:9052

C:\Windows\SysWOW64\OneDriveSetup.exe
C:\Windows\SysWOW64\OneDriveSetup.exe /peruser /childprocess /enableOMCTelemetry /enableExtractCabV2
3⤵
PID:8884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8884 -s 1516
4⤵
- Program crash
PID:9040

C:\Windows\SysWOW64\openfiles.exe
"C:\Windows\System32\openfiles.exe"
2⤵
PID:8280

C:\Windows\SysWOW64\OpenWith.exe
"C:\Windows\System32\OpenWith.exe"
2⤵
PID:8344

C:\Windows\SysWOW64\OposHost.exe
"C:\Windows\System32\OposHost.exe"
2⤵
PID:8376

C:\Windows\SysWOW64\PackagedCWALauncher.exe
"C:\Windows\System32\PackagedCWALauncher.exe"
2⤵
PID:8404

C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe
"C:\Windows\System32\PasswordOnWakeSettingFlyout.exe"
2⤵
PID:8444

C:\Windows\SysWOW64\PATHPING.EXE
"C:\Windows\System32\PATHPING.EXE"
2⤵
PID:8472

C:\Windows\SysWOW64\pcaui.exe
"C:\Windows\System32\pcaui.exe"
2⤵
PID:8556

C:\Windows\SysWOW64\perfhost.exe
"C:\Windows\System32\perfhost.exe"
2⤵
PID:8572

C:\Windows\SysWOW64\perfmon.exe
"C:\Windows\System32\perfmon.exe"
2⤵
PID:8652

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\perfmon.msc" /32
3⤵
PID:8668

C:\Windows\SysWOW64\PickerHost.exe
"C:\Windows\System32\PickerHost.exe"
2⤵
PID:8732

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE"
2⤵
- Runs ping.exe
PID:8808

C:\Windows\SysWOW64\PkgMgr.exe
"C:\Windows\System32\PkgMgr.exe"
2⤵
PID:8912

C:\Windows\SysWOW64\poqexec.exe
"C:\Windows\System32\poqexec.exe"
2⤵
PID:9024

C:\Windows\SysWOW64\powercfg.exe
"C:\Windows\System32\powercfg.exe"
2⤵
PID:9072

C:\Windows\SysWOW64\PresentationHost.exe
"C:\Windows\System32\PresentationHost.exe"
2⤵
PID:9120

C:\Windows\SysWOW64\prevhost.exe
"C:\Windows\System32\prevhost.exe"
2⤵
PID:9144

C:\Windows\SysWOW64\print.exe
"C:\Windows\System32\print.exe"
2⤵
PID:9184

C:\Windows\SysWOW64\printui.exe
"C:\Windows\System32\printui.exe"
2⤵
PID:660

C:\Windows\SysWOW64\proquota.exe
"C:\Windows\System32\proquota.exe"
2⤵
PID:4112

C:\Windows\SysWOW64\provlaunch.exe
"C:\Windows\System32\provlaunch.exe"
2⤵
PID:8304

C:\Windows\SysWOW64\psr.exe
"C:\Windows\System32\psr.exe"
2⤵
PID:8352

C:\Windows\system32\psr.exe
"C:\Windows\system32\psr.exe"
3⤵
PID:8456

C:\Windows\SysWOW64\quickassist.exe
"C:\Windows\System32\quickassist.exe"
2⤵
PID:7380

C:\Windows\SysWOW64\rasautou.exe
"C:\Windows\System32\rasautou.exe"
2⤵
PID:8500

C:\Windows\SysWOW64\rasdial.exe
"C:\Windows\System32\rasdial.exe"
2⤵
PID:8604

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\System32\raserver.exe"
2⤵
PID:6232

C:\Windows\SysWOW64\rasphone.exe
"C:\Windows\System32\rasphone.exe"
2⤵
PID:8856

C:\Windows\SysWOW64\RdpSa.exe
"C:\Windows\System32\RdpSa.exe"
2⤵
PID:9148

C:\Windows\SysWOW64\RdpSaProxy.exe
"C:\Windows\System32\RdpSaProxy.exe"
2⤵
PID:8700

C:\Windows\SysWOW64\RdpSa.exe
"C:\Windows\system32\RdpSa.exe"
3⤵
PID:8640

C:\Windows\SysWOW64\RdpSaUacHelper.exe
"C:\Windows\System32\RdpSaUacHelper.exe"
2⤵
PID:8708

C:\Windows\SysWOW64\rdrleakdiag.exe
"C:\Windows\System32\rdrleakdiag.exe"
2⤵
PID:8988

C:\Windows\SysWOW64\ReAgentc.exe
"C:\Windows\System32\ReAgentc.exe"
2⤵
PID:5148

C:\Windows\SysWOW64\recover.exe
"C:\Windows\System32\recover.exe"
2⤵
PID:7280

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe"
2⤵
PID:8380

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe"
2⤵
- Runs regedit.exe
PID:8612

C:\Windows\SysWOW64\regedt32.exe
"C:\Windows\System32\regedt32.exe"
2⤵
PID:7348

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\regedit.exe"
3⤵
- Runs regedit.exe
PID:2992

C:\Windows\SysWOW64\regini.exe
"C:\Windows\System32\regini.exe"
2⤵
PID:3328

C:\Windows\SysWOW64\Register-CimProvider.exe
"C:\Windows\System32\Register-CimProvider.exe"
2⤵
PID:5340

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe"
2⤵
PID:8932

C:\Windows\SysWOW64\rekeywiz.exe
"C:\Windows\System32\rekeywiz.exe"
2⤵
PID:8424

C:\Windows\SysWOW64\relog.exe
"C:\Windows\System32\relog.exe"
2⤵
PID:8412

C:\Windows\SysWOW64\replace.exe
"C:\Windows\System32\replace.exe"
2⤵
PID:9156

C:\Windows\SysWOW64\resmon.exe
"C:\Windows\System32\resmon.exe"
2⤵
PID:8328

C:\Windows\SysWOW64\perfmon.exe
"C:\Windows\System32\perfmon.exe" /res
3⤵
PID:9068

C:\Windows\system32\perfmon.exe
"C:\Windows\Sysnative\perfmon.exe" /res
4⤵
PID:7348

C:\Windows\SysWOW64\RMActivate.exe
"C:\Windows\System32\RMActivate.exe"
2⤵
PID:9088

C:\Windows\SysWOW64\RMActivate_isv.exe
"C:\Windows\System32\RMActivate_isv.exe"
2⤵
PID:1216

C:\Windows\SysWOW64\RMActivate_ssp.exe
"C:\Windows\System32\RMActivate_ssp.exe"
2⤵
PID:7256

C:\Windows\SysWOW64\RMActivate_ssp_isv.exe
"C:\Windows\System32\RMActivate_ssp_isv.exe"
2⤵
PID:5036

C:\Windows\SysWOW64\RmClient.exe
"C:\Windows\System32\RmClient.exe"
2⤵
PID:5256

C:\Windows\SysWOW64\ROUTE.EXE
"C:\Windows\System32\ROUTE.EXE"
2⤵
PID:5768

C:\Windows\SysWOW64\rrinstaller.exe
"C:\Windows\System32\rrinstaller.exe"
2⤵
PID:6716

C:\Windows\SysWOW64\RpcPing.exe
"C:\Windows\System32\RpcPing.exe"
2⤵
PID:5232

C:\Windows\SysWOW64\runas.exe
"C:\Windows\System32\runas.exe"
2⤵
PID:9068

C:\Windows\SysWOW64\Robocopy.exe
"C:\Windows\System32\Robocopy.exe"
2⤵
PID:3316

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe"
2⤵
PID:1984

C:\Windows\SysWOW64\RunLegacyCPLElevated.exe
"C:\Windows\System32\RunLegacyCPLElevated.exe"
2⤵
PID:5752

C:\Windows\SysWOW64\runonce.exe
"C:\Windows\System32\runonce.exe"
2⤵
PID:2064

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe"
2⤵
- Launches sc.exe
PID:5924

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe"
2⤵
PID:7148

C:\Windows\SysWOW64\sdbinst.exe
"C:\Windows\System32\sdbinst.exe"
2⤵
PID:6220

C:\Windows\SysWOW64\sdchange.exe
"C:\Windows\System32\sdchange.exe"
2⤵
PID:8268

C:\Windows\SysWOW64\sdiagnhost.exe
"C:\Windows\System32\sdiagnhost.exe"
2⤵
PID:1472

C:\Windows\SysWOW64\SearchFilterHost.exe
"C:\Windows\System32\SearchFilterHost.exe"
2⤵
PID:7104

C:\Windows\SysWOW64\SearchIndexer.exe
"C:\Windows\System32\SearchIndexer.exe"
2⤵
PID:3316

C:\Windows\SysWOW64\SearchProtocolHost.exe
"C:\Windows\System32\SearchProtocolHost.exe"
2⤵
PID:6668

C:\Windows\SysWOW64\SecEdit.exe
"C:\Windows\System32\SecEdit.exe"
2⤵
PID:1588

C:\Windows\SysWOW64\secinit.exe
"C:\Windows\System32\secinit.exe"
2⤵
PID:6844

C:\Windows\SysWOW64\sethc.exe
"C:\Windows\System32\sethc.exe"
2⤵
PID:5924

C:\Windows\SysWOW64\SettingSyncHost.exe
"C:\Windows\System32\SettingSyncHost.exe"
2⤵
PID:8584

C:\Windows\SysWOW64\setup16.exe
"C:\Windows\System32\setup16.exe"
2⤵
PID:6940

C:\Windows\SysWOW64\setupugc.exe
"C:\Windows\System32\setupugc.exe"
2⤵
PID:9020

C:\Windows\SysWOW64\setx.exe
"C:\Windows\System32\setx.exe"
2⤵
PID:6724

C:\Windows\SysWOW64\sfc.exe
"C:\Windows\System32\sfc.exe"
2⤵
PID:5796

C:\Windows\SysWOW64\shrpubw.exe
"C:\Windows\System32\shrpubw.exe"
2⤵
PID:3316

C:\Windows\SysWOW64\shutdown.exe
"C:\Windows\System32\shutdown.exe"
2⤵
PID:5900

C:\Windows\SysWOW64\SndVol.exe
"C:\Windows\System32\SndVol.exe"
2⤵
PID:2064

C:\Windows\SysWOW64\sort.exe
"C:\Windows\System32\sort.exe"
2⤵
PID:4444

C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe
"C:\Windows\System32\SpatialAudioLicenseSrv.exe"
2⤵
PID:6700

C:\Windows\SysWOW64\srdelayed.exe
"C:\Windows\System32\srdelayed.exe"
2⤵
PID:1500

C:\Windows\SysWOW64\stordiag.exe
"C:\Windows\System32\stordiag.exe"
2⤵
PID:8264

C:\Windows\SysWOW64\SystemInfo.exe
"SystemInfo.exe"
3⤵
- Gathers system information
PID:3328

C:\Windows\SysWOW64\subst.exe
"C:\Windows\System32\subst.exe"
2⤵
PID:5392

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
2⤵
PID:2488

C:\Windows\SysWOW64\sxstrace.exe
"C:\Windows\System32\sxstrace.exe"
2⤵
PID:368

C:\Windows\SysWOW64\SyncHost.exe
"C:\Windows\System32\SyncHost.exe"
2⤵
PID:6200

C:\Windows\SysWOW64\systeminfo.exe
"C:\Windows\System32\systeminfo.exe"
2⤵
- Gathers system information
PID:5124

C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
"C:\Windows\System32\SystemPropertiesAdvanced.exe"
2⤵
PID:5312

C:\Windows\SysWOW64\SystemPropertiesComputerName.exe
"C:\Windows\System32\SystemPropertiesComputerName.exe"
2⤵
PID:9260

C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe
"C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
2⤵
PID:9276

C:\Windows\SysWOW64\SystemPropertiesHardware.exe
"C:\Windows\System32\SystemPropertiesHardware.exe"
2⤵
PID:9288

C:\Windows\SysWOW64\SystemPropertiesPerformance.exe
"C:\Windows\System32\SystemPropertiesPerformance.exe"
2⤵
PID:9300

C:\Windows\SysWOW64\SystemPropertiesProtection.exe
"C:\Windows\System32\SystemPropertiesProtection.exe"
2⤵
PID:9312

C:\Windows\SysWOW64\SystemPropertiesRemote.exe
"C:\Windows\System32\SystemPropertiesRemote.exe"
2⤵
PID:9332

C:\Windows\SysWOW64\SystemUWPLauncher.exe
"C:\Windows\System32\SystemUWPLauncher.exe"
2⤵
PID:9344

C:\Windows\SysWOW64\systray.exe
"C:\Windows\System32\systray.exe"
2⤵
PID:9368

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:9388

C:\Windows\SysWOW64\TapiUnattend.exe
"C:\Windows\System32\TapiUnattend.exe"
2⤵
PID:9436

C:\Windows\SysWOW64\tar.exe
"C:\Windows\System32\tar.exe"
2⤵
PID:9476

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe"
2⤵
- Kills process with taskkill
PID:9540

C:\Windows\SysWOW64\tasklist.exe
"C:\Windows\System32\tasklist.exe"
2⤵
- Enumerates processes with tasklist
PID:9572

C:\Windows\SysWOW64\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
2⤵
PID:9644

C:\Windows\SysWOW64\tcmsetup.exe
"C:\Windows\System32\tcmsetup.exe"
2⤵
PID:9680

C:\Windows\SysWOW64\TCPSVCS.EXE
"C:\Windows\System32\TCPSVCS.EXE"
2⤵
PID:9760

C:\Windows\SysWOW64\ThumbnailExtractionHost.exe
"C:\Windows\System32\ThumbnailExtractionHost.exe"
2⤵
PID:9812

C:\Windows\SysWOW64\timeout.exe
"C:\Windows\System32\timeout.exe"
2⤵
- Delays execution with timeout.exe
PID:9912

C:\Windows\SysWOW64\TokenBrokerCookies.exe
"C:\Windows\System32\TokenBrokerCookies.exe"
2⤵
PID:9968

C:\Windows\SysWOW64\TpmInit.exe
"C:\Windows\System32\TpmInit.exe"
2⤵
PID:10004

C:\Windows\SysWOW64\TpmTool.exe
"C:\Windows\System32\TpmTool.exe"
2⤵
PID:10048

C:\Windows\SysWOW64\tracerpt.exe
"C:\Windows\System32\tracerpt.exe"
2⤵
PID:10120

C:\Windows\SysWOW64\TRACERT.EXE
"C:\Windows\System32\TRACERT.EXE"
2⤵
PID:10168

C:\Windows\SysWOW64\TSTheme.exe
"C:\Windows\System32\TSTheme.exe"
2⤵
PID:10224

C:\Windows\SysWOW64\TsWpfWrp.exe
"C:\Windows\System32\TsWpfWrp.exe"
2⤵
PID:9256

C:\Windows\SysWOW64\ttdinject.exe
"C:\Windows\System32\ttdinject.exe"
2⤵
PID:7820

C:\Windows\SysWOW64\tttracer.exe
"C:\Windows\System32\tttracer.exe"
2⤵
PID:7792

C:\Windows\SysWOW64\typeperf.exe
"C:\Windows\System32\typeperf.exe"
2⤵
PID:7104

C:\Windows\SysWOW64\tzutil.exe
"C:\Windows\System32\tzutil.exe"
2⤵
PID:6056

C:\Windows\SysWOW64\unlodctr.exe
"C:\Windows\System32\unlodctr.exe"
2⤵
PID:9344

C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe"
2⤵
PID:9440

C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /REENTRANT
3⤵
PID:9452

C:\Windows\SysWOW64\upnpcont.exe
"C:\Windows\System32\upnpcont.exe"
2⤵
PID:7852

C:\Windows\SysWOW64\user.exe
"C:\Windows\System32\user.exe"
2⤵
PID:9456

C:\Windows\SysWOW64\UserAccountBroker.exe
"C:\Windows\System32\UserAccountBroker.exe"
2⤵
PID:1256

C:\Windows\SysWOW64\UserAccountControlSettings.exe
"C:\Windows\System32\UserAccountControlSettings.exe"
2⤵
PID:7672

C:\Windows\SysWOW64\userinit.exe
"C:\Windows\System32\userinit.exe"
2⤵
PID:9184

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
3⤵
PID:9640

C:\Windows\SysWOW64\Utilman.exe
"C:\Windows\System32\Utilman.exe"
2⤵
PID:7252

C:\Windows\SysWOW64\verclsid.exe
"C:\Windows\System32\verclsid.exe"
2⤵
PID:9548

C:\Windows\SysWOW64\verifiergui.exe
"C:\Windows\System32\verifiergui.exe"
2⤵
PID:8228

C:\Windows\SysWOW64\w32tm.exe
"C:\Windows\System32\w32tm.exe"
2⤵
PID:9860

C:\Windows\system32\w32tm.exe
"C:\Windows\System32\w32tm.exe"
3⤵
PID:4396

C:\Windows\SysWOW64\waitfor.exe
"C:\Windows\System32\waitfor.exe"
2⤵
PID:9112

C:\Windows\SysWOW64\wecutil.exe
"C:\Windows\System32\wecutil.exe"
2⤵
PID:9936

C:\Windows\SysWOW64\WerFault.exe
"C:\Windows\System32\WerFault.exe"
2⤵
PID:9068

C:\Windows\SysWOW64\WerFaultSecure.exe
"C:\Windows\System32\WerFaultSecure.exe"
2⤵
PID:9508

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\System32\wermgr.exe"
2⤵
PID:9304

C:\Windows\SysWOW64\wevtutil.exe
"C:\Windows\System32\wevtutil.exe"
2⤵
PID:10120

C:\Windows\SysWOW64\wextract.exe
"C:\Windows\System32\wextract.exe"
2⤵
PID:7788

C:\Windows\SysWOW64\where.exe
"C:\Windows\System32\where.exe"
2⤵
PID:8444

C:\Windows\SysWOW64\whoami.exe
"C:\Windows\System32\whoami.exe"
2⤵
PID:9372

C:\Windows\SysWOW64\wiaacmgr.exe
"C:\Windows\System32\wiaacmgr.exe"
2⤵
PID:9064

C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe
"C:\Windows\System32\Windows.Media.BackgroundPlayback.exe"
2⤵
PID:9400

C:\Windows\SysWOW64\Windows.WARP.JITService.exe
"C:\Windows\System32\Windows.WARP.JITService.exe"
2⤵
PID:5292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 252
3⤵
- Program crash
PID:2240

C:\Windows\SysWOW64\winrs.exe
"C:\Windows\System32\winrs.exe"
2⤵
PID:6264

C:\Windows\SysWOW64\winrshost.exe
"C:\Windows\System32\winrshost.exe"
2⤵
PID:5788

C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe
"C:\Windows\System32\WinRTNetMUAHostServer.exe"
2⤵
PID:220

C:\Windows\SysWOW64\winver.exe
"C:\Windows\System32\winver.exe"
2⤵
PID:9464

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\System32\wlanext.exe"
2⤵
PID:9628

C:\Windows\SysWOW64\wowreg32.exe
"C:\Windows\System32\wowreg32.exe"
2⤵
PID:5424

C:\Windows\SysWOW64\WPDShextAutoplay.exe
"C:\Windows\System32\WPDShextAutoplay.exe"
2⤵
PID:6864

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
2⤵
PID:9512

C:\Windows\SysWOW64\wscadminui.exe
"C:\Windows\System32\wscadminui.exe"
2⤵
PID:7220

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe"
2⤵
PID:5732

C:\Windows\SysWOW64\WSManHTTPConfig.exe
"C:\Windows\System32\WSManHTTPConfig.exe"
2⤵
PID:9504

C:\Windows\SysWOW64\wsmprovhost.exe
"C:\Windows\System32\wsmprovhost.exe"
2⤵
PID:6084

C:\Windows\SysWOW64\wusa.exe
"C:\Windows\System32\wusa.exe"
2⤵
PID:8812

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\System32\WWAHost.exe"
2⤵
PID:8552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8552 -s 396
3⤵
- Program crash
PID:3484

C:\Windows\SysWOW64\xcopy.exe
"C:\Windows\System32\xcopy.exe"
2⤵
PID:6308

C:\Windows\SysWOW64\xwizard.exe
"C:\Windows\System32\xwizard.exe"
2⤵
PID:5236

C:\Windows\SysWOW64\agentactivationruntimestarter.exe
"C:\Windows\System32\agentactivationruntimestarter.exe"
2⤵
PID:8440

C:\Windows\SysWOW64\appidtel.exe
"C:\Windows\System32\appidtel.exe"
2⤵
PID:6984

C:\Windows\SysWOW64\ARP.EXE
"C:\Windows\System32\ARP.EXE"
2⤵
PID:7320

C:\Windows\SysWOW64\at.exe
"C:\Windows\System32\at.exe"
2⤵
PID:9188

C:\Windows\SysWOW64\AtBroker.exe
"C:\Windows\System32\AtBroker.exe"
2⤵
PID:8184

C:\Windows\SysWOW64\Magnify.exe
"C:\Windows\System32\Magnify.exe"
3⤵
PID:4192

C:\Windows\SysWOW64\attrib.exe
"C:\Windows\System32\attrib.exe"
2⤵
- Views/modifies file attributes
PID:7200

C:\Windows\SysWOW64\auditpol.exe
"C:\Windows\System32\auditpol.exe"
2⤵
PID:5244

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\System32\autochk.exe"
2⤵
PID:7888

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\System32\autoconv.exe"
2⤵
PID:7196

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\System32\autofmt.exe"
2⤵
PID:4080

C:\Windows\SysWOW64\backgroundTaskHost.exe
"C:\Windows\System32\backgroundTaskHost.exe"
2⤵
PID:5608

C:\Windows\SysWOW64\BackgroundTransferHost.exe
"C:\Windows\System32\BackgroundTransferHost.exe"
2⤵
PID:7192

C:\Windows\SysWOW64\bitsadmin.exe
"C:\Windows\System32\bitsadmin.exe"
2⤵
PID:2200

C:\Windows\SysWOW64\bootcfg.exe
"C:\Windows\System32\bootcfg.exe"
2⤵
PID:2436

C:\Windows\SysWOW64\bthudtask.exe
"C:\Windows\System32\bthudtask.exe"
2⤵
PID:9352

C:\Windows\SysWOW64\ByteCodeGenerator.exe
"C:\Windows\System32\ByteCodeGenerator.exe"
2⤵
PID:7540

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e8 0x314
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:360

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv PrqYN6PHZ0yRmeaP8tIpqA.0
1⤵
PID:1984

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:4780

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv AkrxcWm950SFagM+Ydu1Fw.0
1⤵
PID:372

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:2164

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:4400

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv nXhKFwYsJUKTZnlyZDG3mA.0
1⤵
PID:616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3728

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:2740

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv KbZcKTB9Skm0anLfo3iQgQ.0
1⤵
PID:4396

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:404

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
PID:2356

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:5192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:5980

C:\Windows\system32\dashost.exe
dashost.exe {bd3917cb-1059-446e-88f9a70e20e05da9}
2⤵
PID:6124

C:\Windows\system32\dashost.exe
dashost.exe {dd2b440e-b254-480d-99af7099d0ba6a6d}
2⤵
PID:5484

C:\Windows\system32\dashost.exe
dashost.exe {22322a66-5078-4cb5-a94e0c452688ddc1}
2⤵
PID:5192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:6112

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:6088

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:5172

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:6192

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:6480

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:6900

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:8000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
PID:8796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 8788 -ip 8788
1⤵
PID:8996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 8884 -ip 8884
1⤵
PID:9004

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv NiuWikgTYka4aRqzmGyRwQ.0
1⤵
PID:1876

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:368

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8}
1⤵
PID:2272

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06C792F8-6212-4F39-BF70-E8C0AC965C23}
1⤵
PID:1876

C:\Windows\system32\utilman.exe
utilman.exe /debug
1⤵
PID:4240

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:9912

C:\Windows\SysWOW64\wiaacmgr.exe
C:\Windows\SysWOW64\wiaacmgr.exe -Embedding
1⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5292 -ip 5292
1⤵
PID:9460

C:\Windows\System32\wiawow64.exe
C:\Windows\System32\wiawow64.exe -Embedding
1⤵
PID:7104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 8552 -ip 8552
1⤵
PID:9284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Bootkit

T1067

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\35a80618e2358ce101f96d353da343a7_e32e1c79-b88e-4709-94fb-81034ca3398e
Filesize
108B

MD5
4dee43f44aecf77a05c0c45b59274742

SHA1
0d90cbb0aea45b26819f11cc59cd35152529f366

SHA256
0612c457754d21960e7f89b2d1130ac44c129223e163ed7631568b8c1ec015d1

SHA512
0e0bfb0d574cae5adf0aa6079622e815e65840e788f1ad44bf3c3e63c8a937c41f1f771d540467275f51d25c900403de188d21c23209b991a838321ee5eccda6

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\35a80618e2358ce101f96d353da343a7_e32e1c79-b88e-4709-94fb-81034ca3398e
Filesize
2KB

MD5
406f219cbb31acea79cf12acdcbce7f3

SHA1
f3f420450ba4ca4548b3fe7d281f9135251f867b

SHA256
fcf758f0ac7fe20110b732e2da770407d48efe935e14804cd7f947fb6d3a215a

SHA512
d505a174b9963787179101d064e95d45163b37e3b343d53ae2ce63059757b24cb80da903ad612093fac24b71e8008b458c72693f869a303bd88b88271634d1d7

Download Submit
C:\ProgramData\Microsoft\DRM\Server\S-1-5-21-2629973501-4017243118-3254762364-1000\CERT-Machine-2048.drm
Filesize
28KB

MD5
ceb4a7953c96b96b766ca5b8214c0e2f

SHA1
f866d5b0f2072c9af22715705776dcf4ad99abaf

SHA256
2b861447d8358671110e9ec78261b7f0d8eeab2748eac0e970a7f380ba1db6e7

SHA512
07e6c0ef36e8ca89e773f5aa84d81ab4bec8afcf7a564dc81bb1b48865629bb38960531466f90ee10541f9344eeb5694af8b417a194e3c0707cdfc72a4430e88

Download Submit
C:\ProgramData\Microsoft\DRM\Server\S-1-5-21-2629973501-4017243118-3254762364-1000\CERT-Machine.drm
Filesize
25KB

MD5
e5ef6de0f32be43ffa580cf8ffc8b5b0

SHA1
22e124093e6d94af02f143d1c67d3ae38b82e651

SHA256
14e7b46e3efd9b287e4f4cf3120f5a51c5b7d0114a754e9e25435783f5383ffa

SHA512
ff57fc0b944a77a1865cee3604c50356b075986a5b171647c5d09b824e947fe9e1baf1557f70a3f4dc6121a6975c1b8f8f9a046475e8c7bb91327b36e77e1942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\DRM\CERT-Machine-2048.drm
Filesize
29KB

MD5
4d63306c12276cff49e8046f929831ec

SHA1
fee432e14a9010c1f160664c68985571fb03b0b4

SHA256
4b1f54f8cd057cd43091e0b9860cce1acc60f9570270aeb4798623e542ba92e6

SHA512
7998c703ad384b7f8d85fadbfb2f8e8f5b98fcf54baff7199b69757643a158d7714d3a42e105ef3a0591c0d75e438f447137cac865c982c6be33d3e0afb0561d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\DRM\CERT-Machine.drm
Filesize
25KB

MD5
192747bd609db6f36dc2d1c290033f1d

SHA1
626c67ca7a483b0ddf75309e3274d2ac540c1ed1

SHA256
586ff7ec16c4fffc527d375e0de09a751752d02908dabf95742356c03c313b55

SHA512
3a94f2b83eb7a79ef62ce836d8121d9481b08957913aab8e34590440c71e3cf694f1b037fccac041021e682c8b077e2e2e765d9cea541d6f7e41eb54adaa2efa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Resmon.ResmonCfg
Filesize
17B

MD5
407aab8c27cf7081eece071c90a65b83

SHA1
d9ec9f9d3768fb1c3646284d77f519f74ee6b8cc

SHA256
568269850dbb3f5f52e0e38e3c0b29be06c70c58fe425b39746f5ccefdd668a4

SHA512
88a35933e87dbdd298577bdb33afb1f878dc68f43e7916c4102e893fe04812a9522ed66755df03105fd199fdc3c6bd197051c22b2ea2765d0adba5c375ddd35c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
Filesize
1KB

MD5
4678bb6db4cfc949ca8ee979bed3e029

SHA1
12ce7063f533515411200ac15c5047ce49763a4f

SHA256
52b016a56a72503ee4f98a025a0f63ee530d9a08bd4c33ce08348bba622d4e44

SHA512
0246e7d63c9e856836b20c457dc751f985e6fa7d61649d92cc8c20aecfa46d32b7300db54b8d71eeae1d1a0f9948a341cc3cd0d69731d1f8784c87d5875faf6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
Filesize
1KB

MD5
7bde0cda52cfbf344ff4cad253ef528d

SHA1
0d941e692ef6c48405b5374267bfe6d79b8ea1f8

SHA256
cf0ee8927c582d6c50d3c5329b35912074720f4f4b998ba9a05ce2de2ae09f89

SHA512
184c48da33587998b46daa3bc15fa1bec6b117f8a6527a0360ef5d3c56ad0851f143456e98e90ce80d00b487cd1362513fcd2434590b6428e0e3b42bf608f024

Download Submit
C:\Windows\Debug\WIA\wiatrace.log
Filesize
1KB

MD5
33bebbcd52505f7bf5e5d6c08e70c8ab

SHA1
62863898dcfd38d636054904707c4103fadaff22

SHA256
0c8f510411a5eb1e0c3d86ac074d48e97eb0e2c477c0c4e138b02d9f47e63c53

SHA512
f5c26330c79ae9c7b56ba4784763af2cc22d8c52975387db3bc3fe9404d7beb443a7f9234cfe6bb5d3385cc98639872b33fa7c5de0e00a61672611d4f35cf7aa

Download Submit
C:\Windows\Debug\WIA\wiatrace.log
Filesize
2KB

MD5
c7b3d4829b51219e8460dc54497cbfd8

SHA1
03b9966d1b0ca27ec07364dc51be2bd6d3033dd4

SHA256
16530e00d418d3711e95eed8b43c60b16f2f624ff7cf62795988a0c0797f8507

SHA512
7a401bf080a532f08a24bb61334e9f7f68de275ba725a9fd9535375d4bcdcb864379776baba02a2c0f3fa17b5307672ed5f5b6580ad3a54bc19a0b1d80c6028b

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml
Filesize
12KB

MD5
3ac08afe8abbde958fcfad1caf3de02c

SHA1
a290906b788ba1fb04d1966c270fe35f5bfe6826

SHA256
479d50da5e30fb5048e8136033401f867ce4fe1765c091de91a28b96b9b4f626

SHA512
55ac6e5f7cd9acb16ad455cd4f1d7836abdc2e17f54d948f07c173576e3dedfb002c168c7826ff7beccf36e1aa82c7f90fe36f6979cd9a0bdb78851289aad191

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml
Filesize
14KB

MD5
5a47b9e817cfd694f954310a60e8de83

SHA1
2b6bf602a54eada332c657ac7ec9dea0555834fa

SHA256
13b570413ab96fec0387ac18a1482c9fbd16fb94cc68898153b658136d5a6a29

SHA512
4b50b9e8e75daaf84cba4ccf92bf990266c94370b25ea43ac203d26595ebeb60f82855621e2d54301e500786050c114b84e62ff0f2c001794bc487e3389a07f4

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml
Filesize
16KB

MD5
e66f527c6a56d4544b1c8526dd42e5f3

SHA1
454b473313a24fd989422c848d58c7a3e6a7f018

SHA256
b634039ebaa812a84b53272af407f07a2ce34f90952d4f09e9f28b916bfe6db3

SHA512
7daa9cce24912a828a1a1bd40ab2acd6b382eae505319ab6db91f7d464bbf014735527f04df2847116b313dc953d457163fdbc389f86a1932940d10f45e1c7de

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml
Filesize
19KB

MD5
152a0842e48f6c9f41c0356872ce0300

SHA1
5a2e570be632da720f17beade96fa813c9d4ba1a

SHA256
fd74916ac3ccd5fb6c87d0579f1cd6f993b51e7a467421c3b5121bd214d59b66

SHA512
3f971ccddc3a6b02bf57b82f2dbd684fd28660a53c4cd4bb1f8b236c1e6ab870a6ca52d1f5255883a10ace183dcc8fbb5a7cdefe0010616274255324ed8b5d79

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml
Filesize
14KB

MD5
d6424f3ebeee348e813b8768004856bf

SHA1
fc2f99ef0031e585b45ffc4af76a9ad033e56b41

SHA256
525ed351a8fb2d4141f3ac93c8ef3882e886de9eb602c4763a30d006de2851c0

SHA512
6309f0d312f1d739dc7a446bf42e113df8daed08309ff4c24386ae8f7bb0ee7f0de978023c1ab86bbc54d8e4fd5186be8444821b2a249f0deab02fcd009103da

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml
Filesize
15KB

MD5
c6f48158e182d8ee32fd2543245d9fb2

SHA1
fbe6c887644f8788dd9ecbabd9ee77d5314c85ed

SHA256
7f222cb7aefd12d4aefea8f6e3e180ec4750935877442e4dd7bfcac45d256187

SHA512
8d2eff5a2214e3f0120b65ea56ae1fb737713dd302b769d6234e9d23c51453bae99bd69d2d2e8dfa367ba2e5a3c7e28dbcd4cc87e832e1f1ddfd94746561df7f

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml
Filesize
17KB

MD5
4c4b269d5813f33bdffe11b8897a7ee9

SHA1
bed92e6fae4033aa6a665153eff2c09346bf49db

SHA256
83bb9db121e516a2ce1e4e8bb49eb274a12bd4cb0b421b1ab6edd4978e500644

SHA512
91d79720fad12645712a6fec91c5ceffbba71ed8f265c338dfc19fcc349e0debc5affc0b6295ef9d89bc50451ed6336c148968a10a9595c4299fbd7c5e7c2dda

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml
Filesize
19KB

MD5
397ef4e295ae103cf69bacdfda731bb4

SHA1
6c863b76b28c44139c5e38a99cf85ba80712e6c6

SHA256
db75e422f6b4c2995f144a657931308b5f9c619455a06bc4f50ca9055b58a9ad

SHA512
3b0b25af0a4566871e601a9e2bb38827c3f6191d20291632cf82f37e29e5e232de8d6db3a54043e5c361777f4dc5e84ecb18dd30f3af0d711c298089b2218f6a

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log
Filesize
47KB

MD5
6a4d333ac014c293fa413c6185363a3e

SHA1
ef86be3dc74005384c8ce59b4bb3f9d92c7e233d

SHA256
5e927792597dd5532814c4e2a4c10947e060c8f8019c726204e195db52a00c24

SHA512
b71d0a0960cd48d443045a8300daf8631b6f3480b3aff83ba6d1b726449be3198f7a4af0dd914771bd9a3bb84754e1f0070dc3749084445e40c1e0c7affccc29

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log
Filesize
47KB

MD5
966aabe847bcbe567d9a0fd86fe7630f

SHA1
63d2a70322a52bf0bd2a4bf0542c530c7baec088

SHA256
7e1e102afacfe51fcf0450074be793ffe3fb1e9d41b0c043f2da5b47f1e6f6a6

SHA512
1150813f5efadae39e04578b257dd340236e5058e12b76c40db68c289203c2379208399ec778a6c81b0ead5f7ae0d611a81993c18bd443edce2982a3c4171442

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log
Filesize
47KB

MD5
b804fd31b75e408364ec337ae9a47999

SHA1
d1059a0fe62e15484d8cd0e13b0c2c87b9dc0bd6

SHA256
38811b3b908d04bd72b647d60e325768408cd79fa2fe7a8f9ef3244499f7e283

SHA512
29a70c55666c9bb5cbc2682e3a2670541d1c431553a818ac7a3bb7bcbf75d2e1371eea526d91732e008167dad51e5c1d7deed9dda72c34038772d359a2806c18

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log
Filesize
48KB

MD5
4cb9e9769d14ffb3b21a9a4d5e0856c8

SHA1
aa51ed2a1a3351382fe09eb68437bf2b890d0eac

SHA256
327d1d0a950eec524dd58a69d4e4846580659bbe00c024df1bca2f0cd6fc1493

SHA512
f3a26801ae124ff9f4ee0fb419d148d8dcc0d54fcd04aed0c20a68e40ffa7f6e4664de71ef05c1b2559018ed0289e672a306a3ac9fc472035b71fbf40015e658

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log
Filesize
533B

MD5
de0ddd1c0ae5acf38ecbbe6225f9d551

SHA1
be3527a23d37418be7a2430cc97291771e27a65f

SHA256
e29d3cbc5a87e5aa1d98a7b25cfaff96a17a04e0547edd2e77acbda679729339

SHA512
85400434480bbceb3ed6a96f8123c0ffeb059556dc2b3ac2f180acb89fd8308a9ba7479589ddbd6bcfba0c6e4374043cc63e4226510c256f59ef2a79aea7b558

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log
Filesize
813B

MD5
faac18ea7c2c5eeceff102ee35adc894

SHA1
06b6ba086c4e909dca9876c0077915c0ac713061

SHA256
4e4bec99ef1b5c167f35cbe93cb949fe23d8afce03fbc76786c2533b14cce339

SHA512
cd9da53975458c91a21911e8a80cdcdfb39b2256bd54bd0611af1944d55520a99e9f47ced742fbe134aa24f84c05d72c28d882ca4efca2b5e6b98f0f00f40b5c

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log
Filesize
1KB

MD5
92a6ceb1c8150be8625c34674e097bac

SHA1
34c0ce79bef242376aba6127743b3ecd46516ebb

SHA256
8feeffacb573b43e98148966ee3b5dda655f7dbea6df7a531294b14750e03f34

SHA512
27bd8ba2d8dd46758d6ef169ae1a0ef6cb1972c3adf294d5286d9f54d75295dd82fb97b564dcf2d5761dfb757b735d3b1155e6d4a5c5bea66b4ad0c9d812cc83

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log
Filesize
1KB

MD5
251e6eef795f2e4e3456e26c751b63ca

SHA1
925a15c90b5b6552e67e6de0bdc7ac7aa8e95c2b

SHA256
4d8af7f5db212d59a4471d58d1861fc825d2de8c071fb8c606f7ca3f5b597fbc

SHA512
fbab714a79b9fc0a6bfe19db7100f67a99b25aa88056b499d3cfdf3d3cd248ca50fe7a9267fa50db87ed5ad8abaace475426a0b4422958c244ec91c704838e45

Download Submit
\??\pipe\crashpad_796_SSDUYGYYMCHBIADI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/260-172-0x0000000000000000-mapping.dmp

Download
memory/380-165-0x0000000000000000-mapping.dmp

Download
memory/624-177-0x0000000000000000-mapping.dmp

Download
memory/648-154-0x0000000000000000-mapping.dmp

Download
memory/752-196-0x0000000000000000-mapping.dmp

Download
memory/848-149-0x0000000000000000-mapping.dmp

Download
memory/848-163-0x0000000000000000-mapping.dmp

Download
memory/1108-171-0x0000000000000000-mapping.dmp

Download
memory/1108-139-0x0000000000000000-mapping.dmp

Download
memory/1216-249-0x0000000000FF0000-0x0000000001000000-memory.dmp

Filesize
64KB

Download
memory/1216-257-0x0000000000FF0000-0x0000000001000000-memory.dmp

Filesize
64KB

Download
memory/1216-261-0x0000000000FF0000-0x0000000001000000-memory.dmp

Filesize
64KB

Download
memory/1216-255-0x0000000000FF0000-0x0000000001000000-memory.dmp

Filesize
64KB

Download
memory/1216-234-0x0000000000FF0000-0x0000000001000000-memory.dmp

Filesize
64KB

Download
memory/1216-235-0x0000000000FF0000-0x0000000001000000-memory.dmp

Filesize
64KB

Download
memory/1216-233-0x0000000000FF0000-0x0000000001000000-memory.dmp

Filesize
64KB

Download
memory/1216-238-0x0000000000FF0000-0x0000000001000000-memory.dmp

Filesize
64KB

Download
memory/1404-168-0x0000000000000000-mapping.dmp

Download
memory/1816-174-0x0000000000000000-mapping.dmp

Download
memory/1840-179-0x0000000000000000-mapping.dmp

Download
memory/2000-138-0x0000000000000000-mapping.dmp

Download
memory/2204-152-0x0000000000000000-mapping.dmp

Download
memory/2488-150-0x0000000000000000-mapping.dmp

Download
memory/2556-134-0x0000000000000000-mapping.dmp

Download
memory/2856-140-0x0000000000000000-mapping.dmp

Download
memory/2908-157-0x0000000000000000-mapping.dmp

Download
memory/3040-143-0x0000000000000000-mapping.dmp

Download
memory/3196-160-0x0000000000000000-mapping.dmp

Download
memory/3196-145-0x0000000000000000-mapping.dmp

Download
memory/3200-155-0x0000000000000000-mapping.dmp

Download
memory/3344-142-0x0000000000000000-mapping.dmp

Download
memory/3344-158-0x0000000000000000-mapping.dmp

Download
memory/3412-159-0x0000000000000000-mapping.dmp

Download
memory/3560-146-0x0000000000000000-mapping.dmp

Download
memory/3576-141-0x0000000000000000-mapping.dmp

Download
memory/3652-176-0x0000000000000000-mapping.dmp

Download
memory/3820-153-0x0000000000000000-mapping.dmp

Download
memory/3972-178-0x0000000000000000-mapping.dmp

Download
memory/4124-151-0x0000000000000000-mapping.dmp

Download
memory/4216-147-0x0000000000000000-mapping.dmp

Download
memory/4240-169-0x0000000000000000-mapping.dmp

Download
memory/4304-132-0x0000000000000000-mapping.dmp

Download
memory/4312-148-0x0000000000000000-mapping.dmp

Download
memory/4336-144-0x0000000000000000-mapping.dmp

Download
memory/4340-156-0x0000000000000000-mapping.dmp

Download
memory/4544-175-0x0000000000000000-mapping.dmp

Download
memory/4644-167-0x0000000000000000-mapping.dmp

Download
memory/4684-164-0x0000000000000000-mapping.dmp

Download
memory/4696-161-0x0000000000000000-mapping.dmp

Download
memory/5000-170-0x0000000000000000-mapping.dmp

Download
memory/5036-162-0x0000000000000000-mapping.dmp

Download
memory/5036-245-0x0000000000FF0000-0x0000000001000000-memory.dmp

Filesize
64KB

Download
memory/5036-260-0x0000000000FF0000-0x0000000001000000-memory.dmp

Filesize
64KB

Download
memory/5036-241-0x0000000000FF0000-0x0000000001000000-memory.dmp

Filesize
64KB

Download
memory/5036-262-0x0000000000FF0000-0x0000000001000000-memory.dmp

Filesize
64KB

Download
memory/5036-240-0x0000000000FF0000-0x0000000001000000-memory.dmp

Filesize
64KB

Download
memory/5036-247-0x0000000000FF0000-0x0000000001000000-memory.dmp

Filesize
64KB

Download
memory/5036-252-0x0000000000FF0000-0x0000000001000000-memory.dmp

Filesize
64KB

Download
memory/5044-173-0x0000000000000000-mapping.dmp

Download
memory/5100-166-0x0000000000000000-mapping.dmp

Download
memory/5100-198-0x0000000000000000-mapping.dmp

Download
memory/5108-133-0x0000000000000000-mapping.dmp

Download
memory/5148-180-0x0000000000000000-mapping.dmp

Download
memory/5184-194-0x0000000000000000-mapping.dmp

Download
memory/5192-197-0x0000000000000000-mapping.dmp

Download
memory/5224-181-0x0000000000000000-mapping.dmp

Download
memory/5272-182-0x0000000000000000-mapping.dmp

Download
memory/5368-183-0x0000000000000000-mapping.dmp

Download
memory/5460-184-0x0000000000000000-mapping.dmp

Download
memory/5484-195-0x0000000000000000-mapping.dmp

Download
memory/5560-185-0x0000000000000000-mapping.dmp

Download
memory/5652-186-0x0000000000000000-mapping.dmp

Download
memory/5676-187-0x0000000000000000-mapping.dmp

Download
memory/5676-217-0x00007FFDEC5F0000-0x00007FFDED0B1000-memory.dmp

Filesize
10.8MB

Download
memory/5676-193-0x00007FFDEC5F0000-0x00007FFDED0B1000-memory.dmp

Filesize
10.8MB

Download
memory/5760-188-0x0000000000000000-mapping.dmp

Download
memory/5852-189-0x0000000000000000-mapping.dmp

Download
memory/5932-190-0x0000000000000000-mapping.dmp

Download
memory/6008-191-0x0000000000000000-mapping.dmp

Download
memory/6124-192-0x0000000000000000-mapping.dmp

Download
memory/6172-201-0x00000000011A0000-0x00000000011B0000-memory.dmp

Filesize
64KB

Download
memory/6208-199-0x0000000000000000-mapping.dmp

Download
memory/6644-218-0x00007FFDEC5F0000-0x00007FFDED0B1000-memory.dmp

Filesize
10.8MB

Download
memory/6644-219-0x00007FFDEC5F0000-0x00007FFDED0B1000-memory.dmp

Filesize
10.8MB

Download
memory/7256-246-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/7256-253-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/7256-236-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/7256-250-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/7256-248-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/7256-239-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/7256-242-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/7256-237-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/8264-278-0x00000208D0340000-0x00000208D0362000-memory.dmp

Filesize
136KB

Download
memory/8264-279-0x00007FFDEC5F0000-0x00007FFDED0B1000-memory.dmp

Filesize
10.8MB

Download
memory/8264-280-0x00007FFDEC5F0000-0x00007FFDED0B1000-memory.dmp

Filesize
10.8MB

Download
memory/8264-283-0x00007FFDEC5F0000-0x00007FFDED0B1000-memory.dmp

Filesize
10.8MB

Download
memory/9088-271-0x00000000006F0000-0x0000000000700000-memory.dmp

Filesize
64KB

Download
memory/9088-274-0x00000000006F0000-0x0000000000700000-memory.dmp

Filesize
64KB

Download
memory/9088-277-0x00000000006F0000-0x0000000000700000-memory.dmp

Filesize
64KB

Download
memory/9088-276-0x00000000006F0000-0x0000000000700000-memory.dmp

Filesize
64KB

Download
memory/9088-270-0x00000000006F0000-0x0000000000700000-memory.dmp

Filesize
64KB

Download
memory/9088-267-0x00000000006F0000-0x0000000000700000-memory.dmp

Filesize
64KB

Download
memory/9088-269-0x00000000006F0000-0x0000000000700000-memory.dmp

Filesize
64KB

Download
memory/9088-268-0x00000000006F0000-0x0000000000700000-memory.dmp

Filesize
64KB

Download
memory/9120-232-0x0000000035620000-0x0000000035630000-memory.dmp

Filesize
64KB

Download