3d403e5661dd33a3e3e33585ce28384fde2f9d0d3e128ad5b46da1bec36ba0f4

Analysis

max time kernel
1800s
max time network
1587s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags

arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
submitted
29/03/2024, 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

miner100.exe
Size

2.7MB
MD5

eae2347aaed97da4f802c0b32689f4eb
SHA1

a7a83d1ff7ec22d74d8415b95b3d57f1323699ce
SHA256

3d403e5661dd33a3e3e33585ce28384fde2f9d0d3e128ad5b46da1bec36ba0f4
SHA512

65f3411a7e80ec6d1dfea40d644ca621f4de929d17e58a54e43030b58662fedba11f000928049b4d3d7ae6ec38003d62dd8109c330ceba588be96f598b35d7cd
SSDEEP

49152:+Ev7yMxM0ZzUjqhWBkZFOj3nscD6gLRZdjM0PcuzQ3zAlkVKd:+EvWMxHUjqPPOjXsngLjdjBPz+3

Score

10^/10

evasion persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4424 created 3696	4424	svchost.exe	118

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
752	tiucgvijebnv.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	miner100.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.log	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1900 set thread context of 4140	1900	miner100.exe	98

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	DllHost.exe

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4344	sc.exe
4608	sc.exe
1744	sc.exe
3412	sc.exe
4464	sc.exe
4348	sc.exe
3184	sc.exe
2076	sc.exe
1772	sc.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Fri, 29 Mar 2024 02:08:15 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1711678094"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={079D5D8E-E2F9-42A1-ABA9-3A68207A6A6E}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1900	miner100.exe
1404	powershell.exe
1404	powershell.exe
1404	powershell.exe
1900	miner100.exe
1900	miner100.exe
1900	miner100.exe
1900	miner100.exe
1900	miner100.exe
1900	miner100.exe
1900	miner100.exe
1900	miner100.exe
1900	miner100.exe
1900	miner100.exe
1900	miner100.exe
1900	miner100.exe
4140	dialer.exe
4140	dialer.exe
1900	miner100.exe
1900	miner100.exe
1900	miner100.exe
752	tiucgvijebnv.exe
4140	dialer.exe
4140	dialer.exe
3360	powershell.exe
3360	powershell.exe
4140	dialer.exe
4140	dialer.exe
4424	svchost.exe
4424	svchost.exe
3360	powershell.exe
3360	powershell.exe
4140	dialer.exe
4140	dialer.exe
4140	dialer.exe
4140	dialer.exe
3360	powershell.exe
4140	dialer.exe
4140	dialer.exe
4140	dialer.exe
4140	dialer.exe
4140	dialer.exe
4140	dialer.exe
4140	dialer.exe
4140	dialer.exe
3360	powershell.exe
4140	dialer.exe
4140	dialer.exe
4140	dialer.exe
4140	dialer.exe
4140	dialer.exe
4140	dialer.exe
4140	dialer.exe
4140	dialer.exe
4140	dialer.exe
3360	powershell.exe
4140	dialer.exe
4140	dialer.exe
4140	dialer.exe
4140	dialer.exe
4140	dialer.exe
4140	dialer.exe
4140	dialer.exe
4140	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeIncreaseQuotaPrivilege	1404	powershell.exe
Token: SeSecurityPrivilege	1404	powershell.exe
Token: SeTakeOwnershipPrivilege	1404	powershell.exe
Token: SeLoadDriverPrivilege	1404	powershell.exe
Token: SeSystemProfilePrivilege	1404	powershell.exe
Token: SeSystemtimePrivilege	1404	powershell.exe
Token: SeProfSingleProcessPrivilege	1404	powershell.exe
Token: SeIncBasePriorityPrivilege	1404	powershell.exe
Token: SeCreatePagefilePrivilege	1404	powershell.exe
Token: SeBackupPrivilege	1404	powershell.exe
Token: SeRestorePrivilege	1404	powershell.exe
Token: SeShutdownPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeSystemEnvironmentPrivilege	1404	powershell.exe
Token: SeRemoteShutdownPrivilege	1404	powershell.exe
Token: SeUndockPrivilege	1404	powershell.exe
Token: SeManageVolumePrivilege	1404	powershell.exe
Token: 33	1404	powershell.exe
Token: 34	1404	powershell.exe
Token: 35	1404	powershell.exe
Token: 36	1404	powershell.exe
Token: SeShutdownPrivilege	784	powercfg.exe
Token: SeCreatePagefilePrivilege	784	powercfg.exe
Token: SeDebugPrivilege	1900	miner100.exe
Token: SeShutdownPrivilege	2472	powercfg.exe
Token: SeCreatePagefilePrivilege	2472	powercfg.exe
Token: SeShutdownPrivilege	3692	powercfg.exe
Token: SeCreatePagefilePrivilege	3692	powercfg.exe
Token: SeShutdownPrivilege	2468	powercfg.exe
Token: SeCreatePagefilePrivilege	2468	powercfg.exe
Token: SeDebugPrivilege	4140	dialer.exe
Token: SeDebugPrivilege	3360	powershell.exe
Token: SeCreateGlobalPrivilege	1404	dwm.exe
Token: SeChangeNotifyPrivilege	1404	dwm.exe
Token: 33	1404	dwm.exe
Token: SeIncBasePriorityPrivilege	1404	dwm.exe
Token: SeAssignPrimaryTokenPrivilege	3360	powershell.exe
Token: SeIncreaseQuotaPrivilege	3360	powershell.exe
Token: SeSecurityPrivilege	3360	powershell.exe
Token: SeTakeOwnershipPrivilege	3360	powershell.exe
Token: SeLoadDriverPrivilege	3360	powershell.exe
Token: SeSystemtimePrivilege	3360	powershell.exe
Token: SeBackupPrivilege	3360	powershell.exe
Token: SeRestorePrivilege	3360	powershell.exe
Token: SeShutdownPrivilege	3360	powershell.exe
Token: SeSystemEnvironmentPrivilege	3360	powershell.exe
Token: SeUndockPrivilege	3360	powershell.exe
Token: SeManageVolumePrivilege	3360	powershell.exe
Token: SeDebugPrivilege	4912	WerFault.exe
Token: SeShutdownPrivilege	3416	Explorer.EXE
Token: SeCreatePagefilePrivilege	3416	Explorer.EXE
Token: SeAuditPrivilege	2544	svchost.exe
Token: SeShutdownPrivilege	3416	Explorer.EXE
Token: SeCreatePagefilePrivilege	3416	Explorer.EXE
Token: SeAuditPrivilege	2544	svchost.exe
Token: SeShutdownPrivilege	3416	Explorer.EXE
Token: SeCreatePagefilePrivilege	3416	Explorer.EXE
Token: SeShutdownPrivilege	3416	Explorer.EXE
Token: SeCreatePagefilePrivilege	3416	Explorer.EXE
Token: SeAuditPrivilege	2544	svchost.exe
Token: SeShutdownPrivilege	3416	Explorer.EXE
Token: SeCreatePagefilePrivilege	3416	Explorer.EXE
Token: SeShutdownPrivilege	3416	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 536	1484	cmd.exe	82
PID 1484 wrote to memory of 536	1484	cmd.exe	82
PID 1900 wrote to memory of 4140	1900	miner100.exe	98
PID 1900 wrote to memory of 4140	1900	miner100.exe	98
PID 1900 wrote to memory of 4140	1900	miner100.exe	98
PID 1900 wrote to memory of 4140	1900	miner100.exe	98
PID 1900 wrote to memory of 4140	1900	miner100.exe	98
PID 1900 wrote to memory of 4140	1900	miner100.exe	98
PID 1900 wrote to memory of 4140	1900	miner100.exe	98
PID 4140 wrote to memory of 580	4140	dialer.exe	5
PID 4140 wrote to memory of 644	4140	dialer.exe	7
PID 644 wrote to memory of 2796	644	lsass.exe	48
PID 4140 wrote to memory of 740	4140	dialer.exe	10
PID 4140 wrote to memory of 908	4140	dialer.exe	13
PID 4140 wrote to memory of 1008	4140	dialer.exe	14
PID 4140 wrote to memory of 64	4140	dialer.exe	15
PID 644 wrote to memory of 2796	644	lsass.exe	48
PID 4140 wrote to memory of 508	4140	dialer.exe	16
PID 4140 wrote to memory of 696	4140	dialer.exe	17
PID 4140 wrote to memory of 932	4140	dialer.exe	18
PID 4140 wrote to memory of 1108	4140	dialer.exe	20
PID 4140 wrote to memory of 1120	4140	dialer.exe	21
PID 644 wrote to memory of 2796	644	lsass.exe	48
PID 4140 wrote to memory of 1216	4140	dialer.exe	22
PID 4140 wrote to memory of 1264	4140	dialer.exe	23
PID 4140 wrote to memory of 1272	4140	dialer.exe	24
PID 4140 wrote to memory of 1288	4140	dialer.exe	25
PID 4140 wrote to memory of 1384	4140	dialer.exe	26
PID 4140 wrote to memory of 1488	4140	dialer.exe	27
PID 4140 wrote to memory of 1532	4140	dialer.exe	28
PID 4140 wrote to memory of 1544	4140	dialer.exe	29
PID 4140 wrote to memory of 1592	4140	dialer.exe	30
PID 4140 wrote to memory of 1604	4140	dialer.exe	31
PID 4140 wrote to memory of 1696	4140	dialer.exe	32
PID 580 wrote to memory of 1404	580	winlogon.exe	113
PID 580 wrote to memory of 1404	580	winlogon.exe	113
PID 4140 wrote to memory of 1404	4140	dialer.exe	113
PID 644 wrote to memory of 2796	644	lsass.exe	48
PID 4140 wrote to memory of 1720	4140	dialer.exe	33
PID 4140 wrote to memory of 1828	4140	dialer.exe	34
PID 4140 wrote to memory of 1836	4140	dialer.exe	35
PID 4140 wrote to memory of 1916	4140	dialer.exe	36
PID 4140 wrote to memory of 1964	4140	dialer.exe	37
PID 644 wrote to memory of 2796	644	lsass.exe	48
PID 4140 wrote to memory of 1580	4140	dialer.exe	38
PID 4140 wrote to memory of 2080	4140	dialer.exe	39
PID 4140 wrote to memory of 2136	4140	dialer.exe	40
PID 4140 wrote to memory of 2420	4140	dialer.exe	41
PID 4140 wrote to memory of 2544	4140	dialer.exe	42
PID 4140 wrote to memory of 2568	4140	dialer.exe	43
PID 4140 wrote to memory of 2576	4140	dialer.exe	44
PID 4140 wrote to memory of 2584	4140	dialer.exe	45
PID 4140 wrote to memory of 2640	4140	dialer.exe	46
PID 4140 wrote to memory of 2768	4140	dialer.exe	47
PID 4140 wrote to memory of 2796	4140	dialer.exe	48
PID 4140 wrote to memory of 2804	4140	dialer.exe	49
PID 4140 wrote to memory of 2848	4140	dialer.exe	50
PID 4140 wrote to memory of 2872	4140	dialer.exe	51
PID 4140 wrote to memory of 2908	4140	dialer.exe	52
PID 4140 wrote to memory of 2844	4140	dialer.exe	53
PID 4140 wrote to memory of 3124	4140	dialer.exe	54
PID 4140 wrote to memory of 3416	4140	dialer.exe	55
PID 4140 wrote to memory of 3952	4140	dialer.exe	58
PID 4140 wrote to memory of 4104	4140	dialer.exe	60

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1008
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1404

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:644

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:740

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:908

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:64

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:508

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:696

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:932

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
- Drops file in System32 directory
PID:1108

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1120
- c:\windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2908

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1216

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1264

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1272

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1288

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1384

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1488

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1532
- c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2576

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1544

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1592

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1604

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1836

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1916

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1964

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:1580

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2080

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:2136

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2420

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2544

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2568

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2584

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2640

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2768

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2796

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2804

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2848

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2872

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2844

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3124

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3416
- C:\Users\Admin\AppData\Local\Temp\miner100.exe
  "C:\Users\Admin\AppData\Local\Temp\miner100.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:536
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4344
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4608
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1744
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:3412
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:4348
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:784
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3692
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2468
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4140
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "OPAGMGUY"
    3⤵
    - Launches sc.exe
    PID:3184
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "OPAGMGUY" binpath= "C:\ProgramData\axadwxtjeetz\tiucgvijebnv.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4464
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1772
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "OPAGMGUY"
    3⤵
    - Launches sc.exe
    PID:2076
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2208

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3952

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4104
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4104 -s 956
  2⤵
  PID:1656

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4984

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:5112

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2824

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:4920

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2332

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:1992

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:1912

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:1312
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1312 -s 904
  2⤵
  PID:4324

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:4600

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3372

C:\ProgramData\axadwxtjeetz\tiucgvijebnv.exe
C:\ProgramData\axadwxtjeetz\tiucgvijebnv.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:752
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3360
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:4424

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:3696
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3696 -s 700
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER77B1.tmp.csv

Filesize
33KB

MD5
8d9185f1ba1dfa4872ceea2433cfbb99

SHA1
9b773bdb3eb6e0eb2f951925a20e7a300025a225

SHA256
31de1c8c78d397f1a1104ad3d45eeba8ff86d6a3854bba56bfc10eef1fe22331

SHA512
bea278310ecdb76052d2c41368ab28cf4af23c134ae88c4fc781aa2e75e84441d953c308dc804ee4a64b0dfed740f15714ec48bb55e4b4f68845d53f42e2cb74

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER77B2.tmp.txt

Filesize
12KB

MD5
2897910a4d0d56f1e9dbd0e2a6d7eec2

SHA1
029723eece73634c0ec6f871c4b53342194649fd

SHA256
3f82869a6bc63b3e7dd8b842d5d2da2ed3ea185d236f0c4b03070ef018289ba6

SHA512
d6539f160f9c7331c11a58a1ca284fabd4a0486ffe99769826d55a36ea6ef1b320611c96948150d2716a8ed2e30265f118def360a974fd3f4742e5d5d48e0415

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF4F8.tmp.txt

Filesize
12KB

MD5
2ba369d6dcd00eaea69f621d086ab2ff

SHA1
4e62dc7e6c725d5947eab9cf678881c731135c0d

SHA256
b98f3040de550fb707c87a1f97ea4fc603554b5cbb009ccfd0f32cb40f788596

SHA512
6a2a55e1226d3c753803298cd6feffe7518307d7b7dac94c2deec508e5b869cd1e8e7df41f0c3378b6ef30d3648e2b2e839f978db24e622da6c4393a69d25348

Download Submit
C:\ProgramData\axadwxtjeetz\tiucgvijebnv.exe

Filesize
2.7MB

MD5
eae2347aaed97da4f802c0b32689f4eb

SHA1
a7a83d1ff7ec22d74d8415b95b3d57f1323699ce

SHA256
3d403e5661dd33a3e3e33585ce28384fde2f9d0d3e128ad5b46da1bec36ba0f4

SHA512
65f3411a7e80ec6d1dfea40d644ca621f4de929d17e58a54e43030b58662fedba11f000928049b4d3d7ae6ec38003d62dd8109c330ceba588be96f598b35d7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jti3d0c1.533.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
464c7d58db55df90c21cb4709b205b44

SHA1
283aa78eb41211e4d6e8e895003494b7a7fb93c5

SHA256
86d0953e901105320747312fcfbd1d79dc2ec96da83b98955d78c8ca80b72fa9

SHA512
34459817455245ad2049aab8f6fab2c1c15a690e9ceb6ba45b2b8906c7f78e72bec4b777e4f5259aef472196688cd0f9352134c46fb15efd7badd795287bc067

Download Submit
memory/64-89-0x000001B3F64D0000-0x000001B3F64FB000-memory.dmp

Filesize
172KB

Download
memory/64-95-0x00007FFC0CE20000-0x00007FFC0CE30000-memory.dmp

Filesize
64KB

Download
memory/64-100-0x000001B3F64D0000-0x000001B3F64FB000-memory.dmp

Filesize
172KB

Download
memory/508-105-0x00000152D23C0000-0x00000152D23EB000-memory.dmp

Filesize
172KB

Download
memory/508-98-0x00007FFC0CE20000-0x00007FFC0CE30000-memory.dmp

Filesize
64KB

Download
memory/508-93-0x00000152D23C0000-0x00000152D23EB000-memory.dmp

Filesize
172KB

Download
memory/580-70-0x00007FFC0CE20000-0x00007FFC0CE30000-memory.dmp

Filesize
64KB

Download
memory/580-69-0x0000017069EC0000-0x0000017069EEB000-memory.dmp

Filesize
172KB

Download
memory/580-66-0x0000017069E90000-0x0000017069EB4000-memory.dmp

Filesize
144KB

Download
memory/580-72-0x00007FFC4CE35000-0x00007FFC4CE36000-memory.dmp

Filesize
4KB

Download
memory/644-71-0x0000017AD13B0000-0x0000017AD13DB000-memory.dmp

Filesize
172KB

Download
memory/644-83-0x0000017AD13B0000-0x0000017AD13DB000-memory.dmp

Filesize
172KB

Download
memory/644-75-0x00007FFC0CE20000-0x00007FFC0CE30000-memory.dmp

Filesize
64KB

Download
memory/696-102-0x000001953F150000-0x000001953F17B000-memory.dmp

Filesize
172KB

Download
memory/696-117-0x000001953F150000-0x000001953F17B000-memory.dmp

Filesize
172KB

Download
memory/696-106-0x00007FFC0CE20000-0x00007FFC0CE30000-memory.dmp

Filesize
64KB

Download
memory/740-78-0x0000017BB1F70000-0x0000017BB1F9B000-memory.dmp

Filesize
172KB

Download
memory/740-80-0x00007FFC0CE20000-0x00007FFC0CE30000-memory.dmp

Filesize
64KB

Download
memory/740-88-0x0000017BB1F70000-0x0000017BB1F9B000-memory.dmp

Filesize
172KB

Download
memory/908-273-0x000001BBF82F0000-0x000001BBF831B000-memory.dmp

Filesize
172KB

Download
memory/908-87-0x00007FFC0CE20000-0x00007FFC0CE30000-memory.dmp

Filesize
64KB

Download
memory/908-84-0x000001BBF82F0000-0x000001BBF831B000-memory.dmp

Filesize
172KB

Download
memory/932-110-0x000002CF3E060000-0x000002CF3E08B000-memory.dmp

Filesize
172KB

Download
memory/932-107-0x00007FFC0CE20000-0x00007FFC0CE30000-memory.dmp

Filesize
64KB

Download
memory/932-101-0x000002CF3E060000-0x000002CF3E08B000-memory.dmp

Filesize
172KB

Download
memory/1008-81-0x00000223B4CC0000-0x00000223B4CEB000-memory.dmp

Filesize
172KB

Download
memory/1008-96-0x00007FFC4CE35000-0x00007FFC4CE36000-memory.dmp

Filesize
4KB

Download
memory/1008-92-0x00000223B4CC0000-0x00000223B4CEB000-memory.dmp

Filesize
172KB

Download
memory/1108-108-0x000002A8783D0000-0x000002A8783FB000-memory.dmp

Filesize
172KB

Download
memory/1108-122-0x000002A8783D0000-0x000002A8783FB000-memory.dmp

Filesize
172KB

Download
memory/1108-113-0x00007FFC0CE20000-0x00007FFC0CE30000-memory.dmp

Filesize
64KB

Download
memory/1120-127-0x000001A6F82C0000-0x000001A6F82EB000-memory.dmp

Filesize
172KB

Download
memory/1120-114-0x000001A6F82C0000-0x000001A6F82EB000-memory.dmp

Filesize
172KB

Download
memory/1120-119-0x00007FFC0CE20000-0x00007FFC0CE30000-memory.dmp

Filesize
64KB

Download
memory/1216-125-0x00007FFC0CE20000-0x00007FFC0CE30000-memory.dmp

Filesize
64KB

Download
memory/1216-138-0x00000172C4F40000-0x00000172C4F6B000-memory.dmp

Filesize
172KB

Download
memory/1216-121-0x00000172C4F40000-0x00000172C4F6B000-memory.dmp

Filesize
172KB

Download
memory/1264-126-0x0000023153390000-0x00000231533BB000-memory.dmp

Filesize
172KB

Download
memory/1264-144-0x0000023153390000-0x00000231533BB000-memory.dmp

Filesize
172KB

Download
memory/1264-131-0x00007FFC0CE20000-0x00007FFC0CE30000-memory.dmp

Filesize
64KB

Download
memory/1272-132-0x000002BC3B090000-0x000002BC3B0BB000-memory.dmp

Filesize
172KB

Download
memory/1272-147-0x000002BC3B090000-0x000002BC3B0BB000-memory.dmp

Filesize
172KB

Download
memory/1288-160-0x000002C2211F0000-0x000002C22121B000-memory.dmp

Filesize
172KB

Download
memory/1384-167-0x0000018C36D80000-0x0000018C36DAB000-memory.dmp

Filesize
172KB

Download
memory/1404-45-0x0000019789460000-0x0000019789470000-memory.dmp

Filesize
64KB

Download
memory/1404-50-0x00007FFC2FE20000-0x00007FFC3080C000-memory.dmp

Filesize
9.9MB

Download
memory/1404-23-0x0000019789460000-0x0000019789470000-memory.dmp

Filesize
64KB

Download
memory/1404-216-0x00007FFC4CD90000-0x00007FFC4CF6B000-memory.dmp

Filesize
1.9MB

Download
memory/1404-5-0x00007FFC2FE20000-0x00007FFC3080C000-memory.dmp

Filesize
9.9MB

Download
memory/1404-207-0x000002B5D8040000-0x000002B5D806B000-memory.dmp

Filesize
172KB

Download
memory/1404-4-0x00000197A1A30000-0x00000197A1A52000-memory.dmp

Filesize
136KB

Download
memory/1404-7-0x0000019789460000-0x0000019789470000-memory.dmp

Filesize
64KB

Download
memory/1404-6-0x0000019789460000-0x0000019789470000-memory.dmp

Filesize
64KB

Download
memory/1404-10-0x00000197A1BE0000-0x00000197A1C56000-memory.dmp

Filesize
472KB

Download
memory/1488-173-0x0000025BABED0000-0x0000025BABEFB000-memory.dmp

Filesize
172KB

Download
memory/1532-178-0x00000215742A0000-0x00000215742CB000-memory.dmp

Filesize
172KB

Download
memory/1544-185-0x0000020DD7CD0000-0x0000020DD7CFB000-memory.dmp

Filesize
172KB

Download
memory/1580-289-0x0000021A75630000-0x0000021A7565B000-memory.dmp

Filesize
172KB

Download
memory/1592-190-0x0000026445850000-0x000002644587B000-memory.dmp

Filesize
172KB

Download
memory/1604-278-0x0000015BFE160000-0x0000015BFE18B000-memory.dmp

Filesize
172KB

Download
memory/1696-197-0x0000012450CD0000-0x0000012450CFB000-memory.dmp

Filesize
172KB

Download
memory/1720-202-0x0000019255920000-0x000001925594B000-memory.dmp

Filesize
172KB

Download
memory/1828-211-0x00000206510D0000-0x00000206510FB000-memory.dmp

Filesize
172KB

Download
memory/1836-221-0x00000203CC210000-0x00000203CC23B000-memory.dmp

Filesize
172KB

Download
memory/1916-226-0x000001A2D94C0000-0x000001A2D94EB000-memory.dmp

Filesize
172KB

Download
memory/1964-230-0x0000015700800000-0x000001570082B000-memory.dmp

Filesize
172KB

Download
memory/2080-234-0x00000000012E0000-0x000000000130B000-memory.dmp

Filesize
172KB

Download
memory/2136-237-0x000002533A6D0000-0x000002533A6FB000-memory.dmp

Filesize
172KB

Download
memory/2420-242-0x000001A268AE0000-0x000001A268B0B000-memory.dmp

Filesize
172KB

Download
memory/2544-294-0x00000210034B0000-0x00000210034DB000-memory.dmp

Filesize
172KB

Download
memory/2568-299-0x000002A964530000-0x000002A96455B000-memory.dmp

Filesize
172KB

Download
memory/2576-247-0x000001BFA9840000-0x000001BFA986B000-memory.dmp

Filesize
172KB

Download
memory/2584-253-0x000001FC2F7A0000-0x000001FC2F7CB000-memory.dmp

Filesize
172KB

Download
memory/2640-259-0x0000020F58C30000-0x0000020F58C5B000-memory.dmp

Filesize
172KB

Download
memory/2768-265-0x0000025F6D490000-0x0000025F6D4BB000-memory.dmp

Filesize
172KB

Download
memory/2796-269-0x0000025ABEED0000-0x0000025ABEEFB000-memory.dmp

Filesize
172KB

Download
memory/2804-305-0x0000028F07370000-0x0000028F0739B000-memory.dmp

Filesize
172KB

Download
memory/2824-336-0x00000185980F0000-0x000001859811B000-memory.dmp

Filesize
172KB

Download
memory/2872-309-0x00000255BAE80000-0x00000255BAEAB000-memory.dmp

Filesize
172KB

Download
memory/2908-312-0x0000014975630000-0x000001497565B000-memory.dmp

Filesize
172KB

Download
memory/3124-317-0x00000166FB900000-0x00000166FB92B000-memory.dmp

Filesize
172KB

Download
memory/3360-151-0x000001A7B4E20000-0x000001A7B4E30000-memory.dmp

Filesize
64KB

Download
memory/3360-283-0x000001A7B4E20000-0x000001A7B4E30000-memory.dmp

Filesize
64KB

Download
memory/3360-134-0x00007FFC2FE20000-0x00007FFC3080C000-memory.dmp

Filesize
9.9MB

Download
memory/3416-321-0x0000000002A50000-0x0000000002A7B000-memory.dmp

Filesize
172KB

Download
memory/3952-325-0x000002C89C560000-0x000002C89C58B000-memory.dmp

Filesize
172KB

Download
memory/4140-61-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4140-52-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4140-53-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4140-51-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4140-54-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4140-56-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4140-57-0x00007FFC4CD90000-0x00007FFC4CF6B000-memory.dmp

Filesize
1.9MB

Download
memory/4140-59-0x00007FFC4B880000-0x00007FFC4B92E000-memory.dmp

Filesize
696KB

Download
memory/4720-332-0x0000024EC7B60000-0x0000024EC7B8B000-memory.dmp

Filesize
172KB

Download
memory/4920-341-0x00000155E5F90000-0x00000155E5FBB000-memory.dmp

Filesize
172KB

Download
memory/4984-328-0x000001AAD8260000-0x000001AAD828B000-memory.dmp

Filesize
172KB

Download