Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-07-2024 08:02
Static task: static1
Behavioral task: behavioral1 (sample EasyAnti-CheatAnalyzer.exe, resource win7-20240705-en)
Behavioral task: behavioral2 (sample EasyAnti-CheatAnalyzer.exe, resource win10v2004-20240709-en); the memory-dump paths and platform below show that this page reports behavioral2
General
- Target: EasyAnti-CheatAnalyzer.exe
- Size: 2.6MB
- MD5: 6f4697ceaa48de87c8463be064a41834
- SHA1: 129b599295e013389255c16126ae64afd42c9cb4
- SHA256: 098a170344a4ca7efe3e0c8b48c25a64fe0570b68eb0f3032c229e81597c1fbc
- SHA512: b9ff325866976ab0270224f3b512c45b8c5442fb58eff0b883fdf54babfa4845f95eb01d7c6f73d73e08fd59fd0c21d039bd75c318bb30e843c2bef861267c40
- SSDEEP: 49152:lQQovM4NUTzrWlUMtHE772hZD9gtGIOSzAYpk8xKFxNWMjZuW:lgM4NOYt0iK8IOScYpP8WcD
Malware Config
Extracted: xworm
- C2 hosts: main-although.gl.at.ply.gg:30970, article-coal.gl.at.ply.gg:27263
- Install_directory: %AppData%
- install_file: XClient.exe
- telegram: https://api.telegram.org/bot7208700451:AAHHz5xWybJ91pH6F9vJRw8dcMEBlRiBXKs/sendMessage?chat_id=6131620354
Both C2 hostnames are rented playit.gg tunnel endpoints (*.ply.gg), so they, not the addresses they currently resolve to, are the durable indicator; the Telegram URL embeds the operator's bot token (bot id 7208700451) and the receiving chat_id.
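The configuration above is a set of raw indicators rather than a description, so here is an added example (not part of the Triage report and not XWorm code) that normalises it: it parses the block as printed, resolves Install_directory\install_file to the %AppData% path the exclusion commands later in the report reveal, splits the Telegram Bot API URL into bot id, token, method and chat_id, and tags the C2 hostnames as tunnel-broker endpoints. The tunnel-broker suffix list, the KNOWN_FOLDERS table and the output format are this example's own assumptions.

```python
"""Normalise the XWorm configuration the sandbox extracted into checkable indicators.

Added example, not part of the Triage report or the XWorm family: the input values are
the ones printed above; the tunnel-broker list, the %AppData% resolution and the output
shape are this example's assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Hostname suffixes of public reverse-tunnel brokers (assumption: a short list chosen for
# this example). *.ply.gg belongs to playit.gg; a C2 on such a host is rented, not owned,
# so blocking the hostname matters more than blocking whatever IP it resolves to today.
TUNNEL_BROKER_SUFFIXES = (".ply.gg", ".ngrok.io", ".ngrok-free.app", ".loca.lt", ".serveo.net")

# %AppData% for the sandbox user, as the report's own Add-MpPreference command shows it.
KNOWN_FOLDERS = {"%appdata%": "C:\\Users\\Admin\\AppData\\Roaming"}

# The extracted config as printed in the report (copied by hand, not parsed from HTML).
EXTRACTED_XWORM = """\
xworm
main-although.gl.at.ply.gg:30970
article-coal.gl.at.ply.gg:27263
Install_directory %AppData%
install_file XClient.exe
telegram https://api.telegram.org/bot7208700451:AAHHz5xWybJ91pH6F9vJRw8dcMEBlRiBXKs/sendMessage?chat_id=6131620354
"""

C2_RE = re.compile(r"^([A-Za-z0-9.-]+):(\d{1,5})$")
BOT_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)$")


def parse_config(block):
    """Family name on the first line; bare host:port lines are C2s; 'key value' lines are options."""
    cfg = {"family": None, "c2": [], "options": {}}
    for raw in block.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = C2_RE.match(line)
        if m:
            cfg["c2"].append((m.group(1), int(m.group(2))))
        elif cfg["family"] is None and " " not in line:
            cfg["family"] = line
        else:
            key, _, value = line.partition(" ")
            cfg["options"][key.lower()] = value.strip()
    return cfg


def install_path(cfg):
    """Resolve Install_directory\\install_file with the known-folder table."""
    folder = cfg["options"].get("install_directory", "")
    folder = KNOWN_FOLDERS.get(folder.lower(), folder)
    return folder.rstrip("\\") + "\\" + cfg["options"].get("install_file", "")


def parse_telegram(url):
    """Split a Bot API call into bot id, full token, method and chat_id; None if not Bot API."""
    parts = urlsplit(url)
    m = BOT_PATH_RE.match(parts.path)
    if parts.hostname != "api.telegram.org" or not m:
        return None
    return {
        "bot_id": m.group(1),
        "token": m.group(1) + ":" + m.group(2),
        "method": m.group(3),
        "chat_id": parse_qs(parts.query).get("chat_id", [None])[0],
    }


def defang(host):
    return host.replace(".", "[.]")


def indicators(cfg):
    """Human-readable indicator lines suitable for a blocklist or a hunt note."""
    out = []
    for host, port in cfg["c2"]:
        rented = host.lower().endswith(TUNNEL_BROKER_SUFFIXES)
        tag = " (rented tunnel-broker hostname)" if rented else ""
        out.append(f"c2 {defang(host)}:{port}{tag}")
    out.append("file " + install_path(cfg))
    tg = parse_telegram(cfg["options"].get("telegram", ""))
    if tg:
        out.append(f"telegram bot_id={tg['bot_id']} chat_id={tg['chat_id']} via {tg['method']}")
    return out


if __name__ == "__main__":
    for line in indicators(parse_config(EXTRACTED_XWORM)):
        print(line)
```

The bot id and chat_id are the parts worth keeping for reporting the bot to Telegram and for pivoting to other samples that report to the same operator account; the full token is the operator's credential and is extracted here only so it can be revoked through abuse reporting, not used. The resolved install path matches the `C:\Users\Admin\AppData\Roaming\XClient.exe` exclusion that the process tree later adds to Defender.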
Signatures
-
DcRat (3 IoCs)
DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | dcrat
  C:\SurrogatewinDrivernetsvc\portproviderperf.exe | dcrat
  behavioral2/memory/2548-144-0x0000000000E30000-0x00000000010E6000-memory.dmp | dcrat
-
Detect Xworm Payload (4 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe | family_xworm
  C:\Users\Admin\AppData\Local\Temp\svchost.exe | family_xworm
  behavioral2/memory/4116-37-0x0000000000890000-0x00000000008A8000-memory.dmp | family_xworm
  behavioral2/memory/872-36-0x00000000000A0000-0x00000000000BA000-memory.dmp | family_xworm
Command and Scripting Interpreter: PowerShell (1 TTPs, 8 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | process
  3780, 1572, 4340, 3536, 3320, 4652, 2952, 3632 | powershell.exe
Disables Task Manager via registry modification
-
Checks computer location settings (2 TTPs, 5 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | Runtime Broker.exe, svchost.exe, Windows Driver Foundation.exe, WScript.exe, EasyAnti-CheatAnalyzer.exe (one IoC each)
Drops startup file (4 IoCs)
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | Windows Driver Foundation.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | svchost.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | Windows Driver Foundation.exe
Executes dropped EXE (7 IoCs)
  pid | process
  3236 | Runtime Broker.exe
  4116 | Windows Driver Foundation.exe
  872 | svchost.exe
  2548 | portproviderperf.exe
  2160 | svchost.exe
  2872 | svchost.exe
  1544 | svchost.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Public\\svchost.exe" | svchost.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  19 | ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Runtime Broker.exe, WScript.exe, cmd.exe, reg.exe (one IoC each)
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 64 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid | process
  4044, 2676, 232, 4348, 4624, 5032, 4524, 4364, 2620, 2408, 3936, 2924, 4620, 4524, 3308, 4980, 4380, 2880, 4124, 2536, 2788, 2676, 4396, 1000, 512, 4260, 1192, 4340, 1292, 3668, 3264, 968, 3964, 5088, 3544, 2348, 2592, 2472, 5116, 4172, 1948, 4252, 3684, 3632, 3280, 3936, 4396, 3504, 3024, 3504, 2336, 2616, 1352, 2856, 2364, 1232, 2876, 212, 1008, 4396, 2112, 3456, 5028, 3996 | PING.EXE
  (pids repeat because the sandbox recycles them across the ping loop's 101 instances; the listing stops at 64 entries)
Delays execution with timeout.exe (1 IoCs)
  pid | process
  3416 | timeout.exe
Modifies registry class (1 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | Runtime Broker.exe
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe (1 TTPs, 64 IoCs)
  pid | process
  3416, 3936, 968, 5028, 2924, 4624, 3372, 3544, 2348, 2924, 4336, 1192, 968, 4664, 3280, 3936, 4620, 2880, 2336, 4572, 4044, 4252, 4348, 2616, 4524, 5116, 3936, 3640, 5012, 4524, 3156, 2620, 3684, 3964, 4364, 224, 4952, 4580, 5088, 2676, 4380, 2408, 2536, 1000, 2876, 3308, 916, 4952, 3632, 916, 1680, 3504, 4636, 2788, 5012, 2676, 2592, 2632, 3264, 2472, 4980, 4276, 1292, 3544 | PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (26 IoCs)
  pid | process | hits
  2952, 4652, 3780, 3632, 1572, 4340, 3536, 3320 | powershell.exe | 3 each
  872 | svchost.exe | 2
Suspicious use of AdjustPrivilegeToken (16 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 4116 | Windows Driver Foundation.exe (2 hits)
  Token: SeDebugPrivilege | 872 | svchost.exe (2 hits)
  Token: SeDebugPrivilege | 2952, 4652, 3780, 3632, 4340, 1572, 3320, 3536 | powershell.exe
  Token: SeDebugPrivilege | 2548 | portproviderperf.exe
  Token: SeDebugPrivilege | 2160, 2872, 1544 | svchost.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | process
  872 | svchost.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  source pid/process -> target pid/process (number of "wrote to memory of" records)
  1356 EasyAnti-CheatAnalyzer.exe -> 4632 cmd.exe (2)
  1356 EasyAnti-CheatAnalyzer.exe -> 3236 Runtime Broker.exe (3)
  1356 EasyAnti-CheatAnalyzer.exe -> 4116 Windows Driver Foundation.exe (2)
  1356 EasyAnti-CheatAnalyzer.exe -> 872 svchost.exe (2)
  4632 cmd.exe -> 3416 timeout.exe (2)
  3236 Runtime Broker.exe -> 3020 WScript.exe (3)
  4632 cmd.exe -> 1500 PING.EXE (2)
  872 svchost.exe -> 4652 powershell.exe (2)
  4116 Windows Driver Foundation.exe -> 2952 powershell.exe (2)
  4116 Windows Driver Foundation.exe -> 3780 powershell.exe (2)
  872 svchost.exe -> 3632 powershell.exe (2)
  4632 cmd.exe -> 212 PING.EXE (2)
  3020 WScript.exe -> 3512 cmd.exe (3)
  4116 Windows Driver Foundation.exe -> 1572 powershell.exe (2)
  872 svchost.exe -> 4340 powershell.exe (2)
  4116 Windows Driver Foundation.exe -> 3536 powershell.exe (2)
  872 svchost.exe -> 3320 powershell.exe (2)
  4632 cmd.exe -> 3936 PING.EXE (2)
  3512 cmd.exe -> 2548 portproviderperf.exe (2)
  4632 cmd.exe -> 4620 PING.EXE (2)
  872 svchost.exe -> 2732 schtasks.exe (2)
  3512 cmd.exe -> 1636 reg.exe (3)
  4632 cmd.exe -> 772 PING.EXE (2)
  4632 cmd.exe -> 2472 PING.EXE (2)
  4632 cmd.exe -> 4524 PING.EXE (2)
  4632 cmd.exe -> 4252 PING.EXE (2)
  4632 cmd.exe -> 3416 PING.EXE (2)
  4632 cmd.exe -> 5116 PING.EXE (2)
  4632 cmd.exe -> 4952 PING.EXE (2)
  4632 cmd.exe -> 968 PING.EXE (2)
  (the sandbox records two or three WriteProcessMemory calls per child launch; pid 3416 appears as both timeout.exe and PING.EXE because the pid was reused)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\EasyAnti-CheatAnalyzer.exe (depth 1)
  "C:\Users\Admin\AppData\Local\Temp\EasyAnti-CheatAnalyzer.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe (depth 2)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EasyAntiCheat.bat" "
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\timeout.exe (depth 3)
      timeout /t 3 /nobreak
      - Delays execution with timeout.exe
    C:\Windows\system32\PING.EXE (depth 3; 101 instances)
      ping -n 2 127.0.0.1
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      The batch file spawns this ping 101 times under the same cmd.exe; `ping -n 2` against loopback is the usual batch-file sleep of about one second, so the loop is a delay, not connectivity discovery. The sandbox tagged each instance with one or both of the two signatures above.
-
  C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe (depth 2)
    "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WScript.exe (depth 3)
      "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\FI5uMh3ETeLxf7f5t3w.vbe"
      (the System32 path resolved to SysWOW64 through file-system redirection, so Runtime Broker.exe is a 32-bit process)
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (depth 4)
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\gA0MRjUus87.bat" "
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe (depth 5)
          "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\reg.exe (depth 5)
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          - System Location Discovery: System Language Discovery
          - Modifies registry key
  C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe (depth 2)
    "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Driver Foundation.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\svchost.exe (depth 2)
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\svchost.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\schtasks.exe (depth 3)
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost.exe"
      - Scheduled Task/Job: Scheduled Task
C:\Users\Public\svchost.exe (depth 1; 3 instances)
  C:\Users\Public\svchost.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  These three launches sit at depth 1 rather than under the tree above, which is consistent with the every-minute "svchost" scheduled task registered above re-launching the copy in C:\Users\Public.
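The tree above shows four behaviours worth alerting on independently of the family: Add-MpPreference exclusions for files in Temp, Roaming and Public and for a bare process name, a `schtasks /create ... /sc minute /mo 1 /RL HIGHEST` task relaunching C:\Users\Public\svchost.exe, `reg add ... DisableTaskMgr`, and a cmd.exe that forks `ping -n 2 127.0.0.1` in a loop. The following is an added example, not Triage output and not a published rule set: a Python pass over process-creation records in a Sysmon-like shape (pid, parent_pid, image, cmdline; field names are assumed), with the report's own command lines and two benign controls as constructed input.

```python
"""Detection pass over process-creation records for the behaviours in this report's tree.

Added example (not Triage output). Events use a Sysmon Event ID 1-like shape with assumed
field names: pid, parent_pid, image, cmdline. The sample events below are constructed but
copy the command lines the report shows, plus two benign controls.
"""
import re
from collections import Counter

# Directories any unprivileged user can write to: an exclusion or an autostart pointing
# here protects attacker-controlled files, not installed software.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
EXCLUSION_SWITCHES = {"-exclusionpath", "-exclusionprocess", "-exclusionextension"}


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def split_cmdline(cmdline):
    """Tokenise a Windows command line, keeping single- or double-quoted spans whole."""
    return [t.strip("'\"") for t in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", cmdline)]


def rule_defender_exclusion(ev):
    """Add-MpPreference exclusion whose target is user-writable or a bare process name."""
    if "add-mppreference" not in ev["cmdline"].lower():
        return None
    args = split_cmdline(ev["cmdline"])
    for i in range(len(args) - 1):
        if args[i].lower() in EXCLUSION_SWITCHES:
            target = args[i + 1]
            # A bare name such as 'svchost.exe' excludes every process with that image
            # name wherever it runs from, including the copy in C:\Users\Public.
            if in_user_writable(target) or "\\" not in target:
                return "Defender exclusion for attacker-controlled target: " + target
    return None


def rule_schtasks_relaunch(ev):
    """schtasks /create ... /sc minute ... /RL HIGHEST with /tr inside a user-writable path."""
    cl, low = ev["cmdline"], ev["cmdline"].lower()
    if not ev["image"].lower().endswith("\\schtasks.exe") or "/create" not in low:
        return None
    if "/sc minute" in low and "/rl highest" in low:
        m = re.search(r'/tr\s+"?([^"]+)"?', cl, re.IGNORECASE)
        target = m.group(1).strip() if m else ""
        if in_user_writable(target):
            return "Every-minute high-integrity task relaunching " + target
    return None


def rule_disable_taskmgr(ev):
    """reg add HKCU\\...\\Policies\\System /v DisableTaskMgr ... /d 1."""
    low = ev["cmdline"].lower()
    if (ev["image"].lower().endswith("\\reg.exe") and "disabletaskmgr" in low
            and re.search(r"/d\s+1\b", low)):
        return "Task Manager disabled through Policies\\System\\DisableTaskMgr"
    return None


PER_EVENT_RULES = (rule_defender_exclusion, rule_schtasks_relaunch, rule_disable_taskmgr)


def ping_sleep_loops(events, threshold=10):
    """{parent_pid: count} for parents with >= threshold `ping ... 127.0.0.1` children.
    One loopback ping is noise; dozens under one cmd.exe is a batch file's sleep loop."""
    per_parent = Counter()
    for ev in events:
        if ev["image"].lower().endswith("\\ping.exe") and "127.0.0.1" in ev["cmdline"]:
            per_parent[ev["parent_pid"]] += 1
    return {pid: n for pid, n in per_parent.items() if n >= threshold}


def scan(events):
    """[(pid, message), ...]: per-event hits in input order, then one entry per ping loop."""
    findings = []
    for ev in events:
        for rule in PER_EVENT_RULES:
            msg = rule(ev)
            if msg:
                findings.append((ev["pid"], msg))
    for parent, n in ping_sleep_loops(events).items():
        findings.append((parent, f"cmd.exe sleep loop: {n} pings of 127.0.0.1"))
    return findings


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

SAMPLE_EVENTS = [  # constructed from the report's process tree
    {"pid": 2952, "parent_pid": 4116, "image": PS,
     "cmdline": PS + " -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "
                "'C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Driver Foundation.exe'"},
    {"pid": 3320, "parent_pid": 872, "image": PS,
     "cmdline": PS + " -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'"},
    {"pid": 2732, "parent_pid": 872, "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": '"C:\\Windows\\System32\\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                '/tn "svchost" /tr "C:\\Users\\Public\\svchost.exe"'},
    {"pid": 1636, "parent_pid": 3512, "image": "C:\\Windows\\SysWOW64\\reg.exe",
     "cmdline": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System "
                "/v DisableTaskMgr /t REG_DWORD /d 1 /f"},
    # benign controls: an admin excluding a build tree, and a single loopback ping
    {"pid": 9001, "parent_pid": 9000, "image": PS,
     "cmdline": PS + " Add-MpPreference -ExclusionPath 'C:\\Program Files\\Build'"},
    {"pid": 9002, "parent_pid": 9000, "image": "C:\\Windows\\system32\\PING.EXE",
     "cmdline": "ping -n 2 127.0.0.1"},
] + [
    {"pid": 5000 + i, "parent_pid": 4632, "image": "C:\\Windows\\system32\\PING.EXE",
     "cmdline": "ping -n 2 127.0.0.1"} for i in range(12)
]

if __name__ == "__main__":
    for pid, msg in scan(SAMPLE_EVENTS):
        print(pid, msg)
```

Two points for whoever triages the resulting alerts. `-ExclusionProcess 'svchost.exe'` is the one to explain: a process exclusion given as a bare name applies to every process with that image name, so it covers the dropped copy in C:\Users\Public as well as the real one, which is why the rule treats a path-less target as hostile. The `/RL HIGHEST` task only yields a high-integrity token if the user who created it is an administrator; the persistence value of the task is the `/sc minute /mo 1` relaunch, which is also what the three depth-1 `C:\Users\Public\svchost.exe` launches above reflect. The ping rule aggregates per parent pid because one `ping -n 2 127.0.0.1` is unremarkable and the 101 under a single cmd.exe are not.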
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads