Analysis
- max time kernel: 148s
- max time network: 114s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 22-12-2020 13:17

Static task: static1

Behavioral task: behavioral1
- Sample: f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
- Resource: win10v20201028
General
- Target: f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
- Size: 117KB
- MD5: f64ecdec4c84ac7ef0ca6c2ef4d94eea
- SHA1: 7c88af3c8a27402da1d67cfaa1a02555f1c7945d
- SHA256: fc257f64a0279bb5ae221b968d3f38bbb7237a8475c165c5a8430fe6633e3fe6
- SHA512: 87b8a1c6098a67a6a7f61e154deba8c16a5b421e5157183b40f808c23187ec46e046d7f4ac006d375fcf66000da7da588c9105f9acba5471604255d15c1ac8f7
Malware Config
Extracted
- Path: C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
- Family: makop
- Emails: akzhq1010@tutanota.com, akzhq1010@cock.li
Signatures
-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
Processes:
description | pid | process | target process
PID 4432 created 4204 | 4432 | svchost.exe | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
PID 4432 created 4204 | 4432 | svchost.exe | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
PID 4432 created 4204 | 4432 | svchost.exe | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
PID 4432 created 4204 | 4432 | svchost.exe | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Processes:
pid | process
1592 | wbadmin.exe
-
Loads dropped DLL 5 IoCs
Processes:
pid | process
4768 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
420 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
2716 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
1492 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
3960 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe\"" | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 5 IoCs
Processes:
description | pid | process | target process
PID 4768 set thread context of 4204 | 4768 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
PID 420 set thread context of 4596 | 420 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
PID 2716 set thread context of 1468 | 2716 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
PID 1492 set thread context of 4664 | 1492 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
PID 3960 set thread context of 3688 | 3960 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
-
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process (all rows: f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe)
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-72_altform-colorize.png
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.properties
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\readme-warning.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-96_altform-unplated.png
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Coverage.ps1
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\surfaceHub\en-US\doc_offline_getconnected.xml
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\bq_16x11.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ru-ru\readme-warning.txt
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-250.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-125.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-24.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\css\main-selector.css
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\mask\mask_corners.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6365_48x48x32.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Dark.scale-200.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\Save.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-80.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ca-es\ui-strings.js
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_ja.jar
File created | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\readme-warning.txt
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\WideTile.scale-125.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1914_48x48x32.png
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ppd.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ul-oob.xrm-ms
File created | C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\readme-warning.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-256_altform-unplated_contrast-high.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\ui-strings.js
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-pl.xrm-ms
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxSmallTile.scale-400.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\it-it\readme-warning.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ko-kr\ui-strings.js
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-200_contrast-black.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\LiveTiles\TurnByTurn.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses-hover.svg
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\readme-warning.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_13d.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\es-es\ui-strings.js
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarBadge.scale-100.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-60_altform-unplated.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\LayersControl\Road.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\MedTile.scale-200.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\lobby_deck_style_classic.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\gy_60x42.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\sr_16x11.png
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Themes\jumbo.jpg
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_1d.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_remove_18.svg
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-phn.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_LogoSmall.scale-100.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OneConnectAppList.targetsize-96.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-125.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-256_altform-unplated.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\add-comment.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\example_icons.png
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-nodes_zh_CN.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\readme-warning.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_TypeTextFields_White@1x.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk\ui-strings.js
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName | vds.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
476 | vssadmin.exe
-
Modifies system certificate store
Processes:
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary value omitted) | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
4204 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
4204 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid | process
4768 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
420 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
2716 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
1492 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
3960 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
Processes:
description | pid | process
Token: SeTcbPrivilege | 4432 | svchost.exe
Token: SeTcbPrivilege | 4432 | svchost.exe
Token: SeBackupPrivilege | 1108 | vssvc.exe
Token: SeRestorePrivilege | 1108 | vssvc.exe
Token: SeAuditPrivilege | 1108 | vssvc.exe
Token: SeBackupPrivilege | 1764 | wbengine.exe
Token: SeRestorePrivilege | 1764 | wbengine.exe
Token: SeSecurityPrivilege | 1764 | wbengine.exe
The following 21 token adjustments by WMIC.exe (pid 1536) were recorded twice in sequence (42 rows):
Token: SeIncreaseQuotaPrivilege | 1536 | WMIC.exe
Token: SeSecurityPrivilege | 1536 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1536 | WMIC.exe
Token: SeLoadDriverPrivilege | 1536 | WMIC.exe
Token: SeSystemProfilePrivilege | 1536 | WMIC.exe
Token: SeSystemtimePrivilege | 1536 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1536 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1536 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1536 | WMIC.exe
Token: SeBackupPrivilege | 1536 | WMIC.exe
Token: SeRestorePrivilege | 1536 | WMIC.exe
Token: SeShutdownPrivilege | 1536 | WMIC.exe
Token: SeDebugPrivilege | 1536 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1536 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1536 | WMIC.exe
Token: SeUndockPrivilege | 1536 | WMIC.exe
Token: SeManageVolumePrivilege | 1536 | WMIC.exe
Token: 33 | 1536 | WMIC.exe
Token: 34 | 1536 | WMIC.exe
Token: 35 | 1536 | WMIC.exe
Token: 36 | 1536 | WMIC.exe
-
Suspicious use of WriteProcessMemory 56 IoCs
Processes:
description | pid | process | target process | occurrences
PID 4768 wrote to memory of 4204 | 4768 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | 4
PID 4432 wrote to memory of 420 | 4432 | svchost.exe | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | 7
PID 4204 wrote to memory of 500 | 4204 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | cmd.exe | 2
PID 500 wrote to memory of 476 | 500 | cmd.exe | vssadmin.exe | 2
PID 500 wrote to memory of 1592 | 500 | cmd.exe | wbadmin.exe | 2
PID 500 wrote to memory of 1536 | 500 | cmd.exe | WMIC.exe | 2
PID 420 wrote to memory of 4596 | 420 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | 4
PID 4432 wrote to memory of 2716 | 4432 | svchost.exe | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | 7
PID 2716 wrote to memory of 1468 | 2716 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | 4
PID 4432 wrote to memory of 1492 | 4432 | svchost.exe | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | 7
PID 1492 wrote to memory of 4664 | 1492 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | 4
PID 4432 wrote to memory of 3960 | 4432 | svchost.exe | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | 7
PID 3960 wrote to memory of 3688 | 3960 | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe | 4
Processes (indented by parent/child depth)
-
C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe"
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe" n4204
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe" n4204
    C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
      C:\Windows\system32\wbadmin.exe
        Command line: wbadmin delete catalog -quiet
        - Deletes backup catalog
      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe" n4204
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe" n4204
    C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe" n4204
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe" n4204
    C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe" n4204
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe" n4204
-
\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
-
C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\972313772
- MD5: 18668c3a11b0458f86330e6063869484
- SHA1: 701d1f5075dc9b124811c972a6e5d566988394be
- SHA256: a00de16ae3484951fb5cf4ee7f1893f950b9c91e559edd70d0f627235d4d8a12
- SHA512: d5ae285abc59758ec0bbb080aa796f32b0ffe59ee948355b54f45ecb5dc96080bc40e0cdd0095cad05903b53d6ec56dd4ac089ddc14f942632421c3363dcb92c
-
C:\Users\Admin\AppData\Roaming\972313772
- MD5: 859c951aba3deba255695fef58e864be
- SHA1: 829757627333e8ed44c5dc063d0ab697fda70632
- SHA256: 9b93bd4db7e38a69b6aa8252a02754aefc89522f5cef8aafbb3f2e4c3678e58a
- SHA512: 4ffc3866e94d60ed393950830aeaeae69cae8513713c7e6622744ac2587cbd9d786f24444eedc1f64cc227fd8fbb7e9b120a7c7fdd812f957c50110043d01a4a
-
C:\Users\Admin\AppData\Roaming\972313772
- MD5: 6ee25b8b5f2e8d2f4ea697f02ae176d3
- SHA1: f5db8cb42ba4203f872e344188f8980eadc97c2a
- SHA256: 3c51caf3a649f29be328c7874deaf968c7c12526d13348ee34d0d407c9dee882
- SHA512: b61d0dc176bb7041904958ad6a02297b57a3f675c4debd0753e4630be17c389cdf9793c3383db349b60e8b7cea88ac162a636e83ef2f60a9d2415697af25418e
-
C:\Users\Admin\AppData\Roaming\972313772
- MD5: 18668c3a11b0458f86330e6063869484
- SHA1: 701d1f5075dc9b124811c972a6e5d566988394be
- SHA256: a00de16ae3484951fb5cf4ee7f1893f950b9c91e559edd70d0f627235d4d8a12
- SHA512: d5ae285abc59758ec0bbb080aa796f32b0ffe59ee948355b54f45ecb5dc96080bc40e0cdd0095cad05903b53d6ec56dd4ac089ddc14f942632421c3363dcb92c
-
C:\Users\Admin\AppData\Roaming\972313772
- MD5: d65d072d34adb62471cf32a9e8bb66d9
- SHA1: 37e774cceabd8b3e49deb44b3489ea2a535a61ce
- SHA256: be4809dd4e26037fc1a74fd14eb928cdca9e95750308d62bdb58cb9b454dd441
- SHA512: 644c17eda898b9b3ea5d5f7dde772168592fdf4e35e0b7d11c0191bb6c06f0e3f74bb3d86747fe91025e36b15fc9534c39252cd15dd133a648a250e21330ca85
-
C:\Users\Admin\AppData\Roaming\972313772
- MD5: 18668c3a11b0458f86330e6063869484
- SHA1: 701d1f5075dc9b124811c972a6e5d566988394be
- SHA256: a00de16ae3484951fb5cf4ee7f1893f950b9c91e559edd70d0f627235d4d8a12
- SHA512: d5ae285abc59758ec0bbb080aa796f32b0ffe59ee948355b54f45ecb5dc96080bc40e0cdd0095cad05903b53d6ec56dd4ac089ddc14f942632421c3363dcb92c
-
C:\Users\Admin\AppData\Roaming\972313772
- MD5: 87fc34416e58c91a9060c75565d5d675
- SHA1: 549c02ba5c3a623f0238099e4e7971f016ea655c
- SHA256: 884be2517b7af0389be77d76817d74fed288df4f96d3fb8e147fd10df24dc8ce
- SHA512: 5845845450eea15f5ea6612aff19cb5d403f2da1ff19f4d04164bb24f5b6938d71e72097db8c9ee801fd310518311c3a2ec2108466ce61e2043c6490f479ceb0
-
\Users\Admin\AppData\Local\Temp\nsj72BC.tmp\System.dll
- MD5: fccff8cb7a1067e23fd2e2b63971a8e1
- SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
- SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
- SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
-
\Users\Admin\AppData\Local\Temp\nsq7939.tmp\System.dll
- MD5: fccff8cb7a1067e23fd2e2b63971a8e1
- SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
- SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
- SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
-
\Users\Admin\AppData\Local\Temp\nsuF629.tmp\System.dll
- MD5: fccff8cb7a1067e23fd2e2b63971a8e1
- SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
- SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
- SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
-
\Users\Admin\AppData\Local\Temp\nsv555A.tmp\System.dll
- MD5: fccff8cb7a1067e23fd2e2b63971a8e1
- SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
- SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
- SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
-
\Users\Admin\AppData\Local\Temp\nsz774A.tmp\System.dll
- MD5: fccff8cb7a1067e23fd2e2b63971a8e1
- SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
- SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
- SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
-
memory/420-7-0x0000000000000000-mapping.dmp
-
memory/476-9-0x0000000000000000-mapping.dmp
-
memory/500-8-0x0000000000000000-mapping.dmp
-
memory/1468-24-0x00000000004059A0-mapping.dmp
-
memory/1492-27-0x0000000000000000-mapping.dmp
-
memory/1536-13-0x0000000000000000-mapping.dmp
-
memory/1592-10-0x0000000000000000-mapping.dmp
-
memory/2716-20-0x0000000000000000-mapping.dmp
-
memory/3688-40-0x00000000004059A0-mapping.dmp
-
memory/3960-35-0x0000000000000000-mapping.dmp
-
memory/4204-5-0x0000000000400000-0x000000000041F000-memory.dmp
- Filesize: 124KB
-
memory/4204-4-0x00000000004059A0-mapping.dmp
-
memory/4204-3-0x0000000000400000-0x000000000041F000-memory.dmp
- Filesize: 124KB
-
memory/4596-15-0x00000000004059A0-mapping.dmp
-
memory/4664-32-0x00000000004059A0-mapping.dmp