Analysis
- max time kernel: 124s
- max time network: 123s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 19-04-2021 06:05

Static task: static1
Behavioral task: behavioral1
- Sample: c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe
- Resource: win7v20210410

General
- Target: c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe
- Size: 23KB
- MD5: 09f2b5d6519152493e6e5de0dc3491c4
- SHA1: 2ac089761acab44a257648842595e5104fbeff4d
- SHA256: c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b
- SHA512: 80ddd54e72f9a941457c99dd91e2fe13151aa498ab9fcf80fa957cdfb5b0954e2002b56ba2f4885828c5de574aa437dbd73efccdd3232d707f8b581de3c592f1

Malware Config
Extracted
- family: azorult
- C2: http://aka-mining.com/PL341/index.php
Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Nirsoft 15 IoCs
AdvancedRun.exe is NirSoft's legitimate launcher utility, so this rule identifies the tool rather than malicious code; what matters is how the sample uses it (see the process tree: it runs a dropped test.bat with /RunAs 8). The last hit is in the memory of powershell.exe pid 2416.
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\bc51a6e3-7e96-40c7-a28d-6a9dd434bd80\AdvancedRun.exe | Nirsoft (listed 4 times)
C:\Users\Admin\AppData\Local\Temp\bc51a6e3-7e96-40c7-a28d-6a9dd434bd80\AdvancedRun.exe | Nirsoft (listed 3 times)
C:\Users\Admin\AppData\Local\Temp\eb3442cb-7908-498e-8698-f5d1432ad428\AdvancedRun.exe | Nirsoft (listed 3 times)
\Users\Admin\AppData\Local\Temp\eb3442cb-7908-498e-8698-f5d1432ad428\AdvancedRun.exe | Nirsoft (listed 4 times)
behavioral1/memory/2416-175-0x0000000002550000-0x000000000319A000-memory.dmp | Nirsoft

Executes dropped EXE 6 IoCs
Processes:
pid | process
1060 | AdvancedRun.exe
820 | AdvancedRun.exe
960 | QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe
2212 | AdvancedRun.exe
2276 | AdvancedRun.exe
2988 | QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe

Drops startup file 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe

Loads dropped DLL 25 IoCs
Processes:
pid | process (times listed)
1040 | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe (3)
1060 | AdvancedRun.exe (2)
960 | QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe (2)
2212 | AdvancedRun.exe (2)
2976 | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe (16)

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 10 IoCs
The three exclusion paths cover every location the sample lives in: the original file in Temp, the Startup-folder copy and the svchost.exe drop in C:\Windows\Cursors. Because the sample is a 32-bit process, these direct registry writes land in the Wow6432Node view of the Windows Defender key; the Add-MpPreference calls in the process tree target the same exclusion paths.
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe = "0" | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe = "0" | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe = "0" | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 2 IoCs
The RunOnce value points at the svchost.exe copy dropped in C:\Windows\Cursors (see "Drops file in Windows directory"); an svchost.exe outside System32 or SysWOW64 is the thing to alert on. The key sits in the user hive (S-1-5-21-...-1000), so it persists for that user's logon only.
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\QmAyWAfgogMbxkGYgcBqylUnYqTrR = "C:\\Windows\\Cursors\\EnMRfEhjpWSzDjOeix\\svchost.exe" | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\QmAyWAfgogMbxkGYgcBqylUnYqTrR = "C:\\Windows\\Cursors\\EnMRfEhjpWSzDjOeix\\svchost.exe" | QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled 4 IoCs
Both the original sample and the Startup-folder copy read EnableLUA and then set it to 0, which disables UAC for the machine (the change takes effect after a reboot), so this is a policy change and not only a check.
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs
Processes:
pid | process (times listed)
960 | QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe (6)
1040 | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe (14)

Suspicious use of SetThreadContext 2 IoCs
Both entries are the process-hollowing (RunPE) pattern: the parent starts a fresh copy of its own image and rewrites the child's thread context. The hollowed child 2976 is the process that goes on to load the dropped DLLs (see "Loads dropped DLL"), so it is the one actually running the stealer.
Processes:
description | pid | process | target process
PID 1040 set thread context of 2976 | 1040 | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe
PID 960 set thread context of 2988 | 960 | QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe | QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe

Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; on its own it is not, and nothing else in this report (no file encryption, no ransom note, an infostealer config) supports that reading. For a stealer, drive enumeration is equally consistent with locating files to collect.

Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
3048 | 1040 | WerFault.exe | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe

Delays execution with timeout.exe 2 IoCs
Processes:
pid | process
2916 | timeout.exe
2936 | timeout.exe

Modifies system certificate store 4 IoCs
The key name is the SHA-1 thumbprint of the DigiCert Assured ID Root CA and the blob is that public root certificate (its subject string is readable in the hex). AuthRoot is the cache Windows fills through the automatic root update when a process builds a certificate chain, so this entry is expected noise from chain validation rather than an attacker-installed root; an unfamiliar thumbprint here would be the thing to investigate.
Processes:
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d23041830168014 45eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = … | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = … | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs
Processes:
pid | process (times listed)
1060 | AdvancedRun.exe (2)
820 | AdvancedRun.exe (2)
776 | powershell.exe (2)
1800 | powershell.exe (2)
1152 | powershell.exe (2)
1332 | powershell.exe (2)
112 | powershell.exe (2)
1344 | powershell.exe (2)
2212 | AdvancedRun.exe (2)
2276 | AdvancedRun.exe (2)
2344 | powershell.exe (2)
2376 | powershell.exe (2)
2416 | powershell.exe (2)
2576 | powershell.exe (2)
960 | QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe (3)
1040 | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe (3)
3048 | WerFault.exe (6)
904 | powershell.exe (2)
2976 | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe (1)
292 | powershell.exe (2)
2496 | powershell.exe (2)

Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1040 | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe
Token: SeDebugPrivilege | 1060 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 1060 | AdvancedRun.exe
Token: SeDebugPrivilege | 820 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 820 | AdvancedRun.exe
Token: SeDebugPrivilege | 776 | powershell.exe
Token: SeDebugPrivilege | 1800 | powershell.exe
Token: SeDebugPrivilege | 1152 | powershell.exe
Token: SeDebugPrivilege | 1332 | powershell.exe
Token: SeDebugPrivilege | 112 | powershell.exe
Token: SeDebugPrivilege | 1344 | powershell.exe
Token: SeDebugPrivilege | 2212 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 2212 | AdvancedRun.exe
Token: SeDebugPrivilege | 2276 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 2276 | AdvancedRun.exe
Token: SeDebugPrivilege | 2344 | powershell.exe
Token: SeDebugPrivilege | 2376 | powershell.exe
Token: SeDebugPrivilege | 2416 | powershell.exe
Token: SeDebugPrivilege | 2576 | powershell.exe
Token: SeDebugPrivilege | 960 | QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe
Token: SeDebugPrivilege | 3048 | WerFault.exe
Token: SeDebugPrivilege | 904 | powershell.exe
Token: SeDebugPrivilege | 292 | powershell.exe
Token: SeDebugPrivilege | 2496 | powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process (each entry listed 4 times)
PID 1040 wrote to memory of 1060 | 1040 | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe | AdvancedRun.exe
PID 1060 wrote to memory of 820 | 1060 | AdvancedRun.exe | AdvancedRun.exe
PID 1040 wrote to memory of 904 | 1040 | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe | powershell.exe
PID 1040 wrote to memory of 1152 | 1040 | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe | powershell.exe
PID 1040 wrote to memory of 292 | 1040 | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe | powershell.exe
PID 1040 wrote to memory of 1800 | 1040 | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe | powershell.exe
PID 1040 wrote to memory of 776 | 1040 | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe | powershell.exe
PID 1040 wrote to memory of 960 | 1040 | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe | QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe
PID 1040 wrote to memory of 1332 | 1040 | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe | powershell.exe
PID 1040 wrote to memory of 112 | 1040 | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe | powershell.exe
PID 1040 wrote to memory of 1344 | 1040 | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe | powershell.exe
PID 960 wrote to memory of 2212 | 960 | QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe | AdvancedRun.exe
PID 2212 wrote to memory of 2276 | 2212 | AdvancedRun.exe | AdvancedRun.exe
PID 960 wrote to memory of 2344 | 960 | QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe | powershell.exe
PID 960 wrote to memory of 2376 | 960 | QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe | powershell.exe
PID 960 wrote to memory of 2416 | 960 | QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe | powershell.exe

System policy modification 1 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe
(These are the same two EnableLUA writes that appear under the UAC check above.)
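The registry IoCs above (the Defender exclusion and real-time protection values, EnableLUA, the RunOnce entry and the AuthRoot write) are the kind of records a detection pipeline receives as (operation, key, value, process) tuples. The Python below is an added example, not part of this sandbox report or of any vendor tool: it classifies such records into findings, with the report's own IoCs re-entered by hand as the constructed input. The category names, severities, the single-entry public-root allow-list and the svchost.exe path check are this example's assumptions.

```python
"""Classify the registry IoCs from the signatures above into tamper/persistence findings.

Added example, not part of the sandbox report.  REPORT_EVENTS is constructed by
hand from the registry IoCs listed above; category names and severities are this
example's own choices.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str    # label used for counting and alerting
    severity: str    # "high", "medium" or "low"
    key: str
    process: str
    note: str = ""


# Defender values (relative to the "Windows Defender" key, lower-cased) whose
# listed value weakens protection.
DEFENDER_WEAKENING = {
    "real-time protection\\disablerealtimemonitoring": "1",
    "spynet\\submitsamplesconsent": "0",
    "features\\tamperprotection": "0",
}
# SHA-1 thumbprints of public roots that Windows itself caches under AuthRoot.
# Assumption: one entry suffices here; a real tool would load the full Microsoft root list.
KNOWN_PUBLIC_ROOTS = {"0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43": "DigiCert Assured ID Root CA"}
# Where a genuine svchost.exe lives (lower-cased path prefixes).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def classify(op, key, value, process):
    """Return a Finding for one registry record, or None if it is uninteresting."""
    k,  is_set = key.lower(), op.lower().startswith("set value")
    if "\\windows defender\\" in k:
        marker = "\\windows defender\\exclusions\\paths\\"
        if is_set and marker in k:                      # the value name is the excluded path
            excluded = key[k.index(marker) + len(marker):]
            return Finding("defender-exclusion", "high", key, process, f"excluded path: {excluded}")
        for suffix, bad in DEFENDER_WEAKENING.items():
            if is_set and k.endswith("\\windows defender\\" + suffix) and value == bad:
                name = suffix.rsplit("\\", 1)[-1]
                return Finding("defender-tamper", "high", key, process, f"{name} set to {bad}")
        # Key creation under the Defender hive by a non-Defender process: keep it as context.
        cat = "defender-key-created" if op == "Key created" else "defender-other"
        return Finding(cat, "low", key, process)
    if k.endswith("\\policies\\system\\enablelua"):
        if is_set and value == "0":
            return Finding("uac-disable", "high", key, process, "EnableLUA=0 turns UAC off after a reboot")
        if op == "Key value queried":
            return Finding("uac-check", "low", key, process)
    if is_set and re.search(r"\\currentversion\\run(once)?\\", k):
        payload, note = value.lower(), ("RunOnce" if "\\runonce\\" in k else "Run")
        if payload.endswith("\\svchost.exe") and not payload.startswith(SYSTEM_DIRS):
            note += "; payload masquerades as svchost.exe outside System32"
        return Finding("run-key-persistence", "high", key, process, note)
    m = re.search(r"\\systemcertificates\\authroot\\certificates\\([0-9a-f]{40})", k)
    if m:
        thumb = m.group(1).upper()
        if thumb in KNOWN_PUBLIC_ROOTS:
            return Finding("authroot-cache", "low", key, process,
                           f"known public root ({KNOWN_PUBLIC_ROOTS[thumb]}); automatic root update noise")
        return Finding("authroot-unknown-root", "medium", key, process, f"root {thumb} not in allow-list")
    return None


def triage(events):
    """Classify every (op, key, value, process) record and drop the uninteresting ones."""
    return [f for f in (classify(*e) for e in events) if f is not None]


def summarize(findings):
    """Findings per category, e.g. summarize(triage(REPORT_EVENTS))["defender-tamper"]."""
    return Counter(f.category for f in findings)


# --- constructed input: the registry IoCs listed in the signatures above ---
SAMPLE = "c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe"
DROPPED = "QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe"
DEF = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender"
LUA = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
RUNONCE = (r"\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\QmAyWAfgogMbxkGYgcBqylUnYqTrR")
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" + "\\" + DROPPED
SVCHOST = r"C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe"
AUTHROOT = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates"
            r"\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob")
REPORT_EVENTS = [
    ("Set value (int)", DEF + r"\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE, "0", SAMPLE),
    ("Set value (int)", DEF + r"\Real-Time Protection\DisableRealtimeMonitoring", "1", SAMPLE),
    ("Set value (int)", DEF + r"\Spynet\SubmitSamplesConsent", "0", SAMPLE),
    ("Key created", DEF + r"\Features", "", SAMPLE),
    ("Set value (int)", DEF + r"\Exclusions\Paths" + "\\" + STARTUP, "0", SAMPLE),
    ("Set value (int)", DEF + r"\Exclusions\Paths" + "\\" + SVCHOST, "0", SAMPLE),
    ("Key created", DEF + r"\Exclusions\Paths", "", SAMPLE),
    ("Key created", DEF + r"\Exclusions", "", SAMPLE),
    ("Key created", DEF + r"\Real-Time Protection", "", SAMPLE),
    ("Set value (int)", DEF + r"\Features\TamperProtection", "0", SAMPLE),
    ("Set value (str)", RUNONCE, SVCHOST, SAMPLE),
    ("Set value (str)", RUNONCE, SVCHOST, DROPPED),
    ("Set value (int)", LUA, "0", SAMPLE),
    ("Key value queried", LUA, "", DROPPED),
    ("Set value (int)", LUA, "0", DROPPED),
    ("Key value queried", LUA, "", SAMPLE),
    ("Set value (data)", AUTHROOT, "308203b7...", SAMPLE),   # DER blob shortened in this constructed input
]

if __name__ == "__main__":
    for f in triage(REPORT_EVENTS):
        print(f"[{f.severity:<6}] {f.category:<22} {f.process[:12]:<12} {f.note}")
```

Run stand-alone it prints one line per finding; the high-severity rows are the three exclusions, the three Defender value changes, the two EnableLUA writes and the two RunOnce entries (both flagged for the out-of-place svchost.exe), while the AuthRoot write comes out as low-severity noise because its thumbprint is on the allow-list.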
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe (pid 1040)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe"
- Drops startup file
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
[depth 2] C:\Users\Admin\AppData\Local\Temp\bc51a6e3-7e96-40c7-a28d-6a9dd434bd80\AdvancedRun.exe (pid 1060)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\bc51a6e3-7e96-40c7-a28d-6a9dd434bd80\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\bc51a6e3-7e96-40c7-a28d-6a9dd434bd80\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  note: the contents of test.bat are not captured in this report
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
[depth 3] C:\Users\Admin\AppData\Local\Temp\bc51a6e3-7e96-40c7-a28d-6a9dd434bd80\AdvancedRun.exe (pid 820)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\bc51a6e3-7e96-40c7-a28d-6a9dd434bd80\AdvancedRun.exe" /SpecialRun 4101d8 1060
  note: AdvancedRun re-launching itself; the trailing argument is the parent pid
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe" -Force
  note: the parent is 32-bit, so System32 in the command line is redirected to SysWOW64 (same for every powershell.exe, cmd.exe and timeout.exe below)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe" -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe" -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe" -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe" -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe (pid 960)
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe"
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
[depth 3] C:\Users\Admin\AppData\Local\Temp\eb3442cb-7908-498e-8698-f5d1432ad428\AdvancedRun.exe (pid 2212)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\eb3442cb-7908-498e-8698-f5d1432ad428\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\eb3442cb-7908-498e-8698-f5d1432ad428\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
[depth 4] C:\Users\Admin\AppData\Local\Temp\eb3442cb-7908-498e-8698-f5d1432ad428\AdvancedRun.exe (pid 2276)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\eb3442cb-7908-498e-8698-f5d1432ad428\AdvancedRun.exe" /SpecialRun 4101d8 2212
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe" -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe" -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe" -Force3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 13⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 12⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe"C:\Users\Admin\AppData\Local\Temp\c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe"2⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 20602⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
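To query the tree rather than read it (which Defender exclusions were added, which launches show WOW64 redirection, which process spawned which), here is an added Python example that parses the flattened form the sandbox export uses. It is not part of the report or of any sandbox tooling. The rows embedded in it are copied from the tree above; the splitting rules (the image path ends at its first ".exe", the single trailing digit is the depth, a lone "-" closes a row) are assumptions about that export format.

```python
import re
from collections import Counter

# Constructed input: rows copied from the process tree above, in the flattened
# form the sandbox export uses: <image path><command line><depth>⤵ with no
# separator, then "- <signature>" lines and a lone "-" that closes the entry.
TREE_EXPORT = r'''
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\eb3442cb-7908-498e-8698-f5d1432ad428\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\eb3442cb-7908-498e-8698-f5d1432ad428\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\eb3442cb-7908-498e-8698-f5d1432ad428\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\eb3442cb-7908-498e-8698-f5d1432ad428\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\eb3442cb-7908-498e-8698-f5d1432ad428\AdvancedRun.exe" /SpecialRun 4101d8 22124⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe" -Force3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\EnMRfEhjpWSzDjOeix\svchost.exe" -Force3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 13⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
'''

# One flattened row (assumed layout): the image path ends at its first ".exe",
# the command line runs up to the final digit, and that single digit is the
# depth.  A lazy match for the command line is what keeps "timeout 1" + "3⤵"
# from being read as "timeout 13".
ROW = re.compile(r'^(?P<image>[A-Za-z]:\\.*?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵\s*$')
EXCLUSION = re.compile(r'-ExclusionPath\s+"([^"]+)"', re.IGNORECASE)


def parse_tree(text):
    """Return the rows as dicts: image, cmdline, depth, signatures, parent."""
    procs = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line == '-':
            continue
        m = ROW.match(line)
        if m:
            procs.append({'image': m['image'], 'cmdline': m['cmd'].strip(),
                          'depth': int(m['depth']), 'signatures': [],
                          'parent': None})
        elif line.startswith('- ') and procs:
            procs[-1]['signatures'].append(line[2:])
    return procs


def link_parents(procs):
    """Rows are in tree order, so a row's parent is the nearest earlier row one
    level shallower (None at depth 2: the root row is not in this excerpt)."""
    last_at_depth = {}
    for p in procs:
        p['parent'] = last_at_depth.get(p['depth'] - 1)
        last_at_depth[p['depth']] = p
    return procs


def defender_exclusions(procs):
    """Paths added to Microsoft Defender's exclusion list via Add-MpPreference."""
    found = set()
    for p in procs:
        if p['image'].lower().endswith('\\powershell.exe'):
            found.update(EXCLUSION.findall(p['cmdline']))
    return sorted(found)


def wow64_redirected(procs):
    """Rows that asked for a System32 binary but ran the SysWOW64 copy: the
    launching parent is a 32-bit process subject to file system redirection."""
    return [p for p in procs
            if '\\syswow64\\' in p['image'].lower()
            and '\\system32\\' in p['cmdline'].lower()]


def ancestry(p):
    """Image file names from the top of the excerpt down to this row."""
    chain = []
    while p is not None:
        chain.append(p['image'].rsplit('\\', 1)[-1])
        p = p['parent']
    return chain[::-1]


if __name__ == '__main__':
    procs = link_parents(parse_tree(TREE_EXPORT))
    print('Defender exclusions added:', *defender_exclusions(procs), sep='\n  ')
    print('WOW64-redirected launches:', len(wow64_redirected(procs)))
    for p in procs:
        print(' > '.join(ancestry(p)), '|', p['cmdline'][:60])
    print(Counter(s for p in procs for s in p['signatures']))
```

On a real host the same two checks apply to live data: compare `(Get-MpPreference).ExclusionPath` against the set an endpoint is supposed to have, and treat a SysWOW64 PowerShell adding exclusions for files under AppData, the Startup folder or C:\Windows\Cursors as a finding on its own.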
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_07f8cf9f-e6c6-4c2d-b9d0-3d057333548c
  MD5    a70ee38af4bb2b5ed3eeb7cbd1a12fa3
  SHA1   81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9
  SHA256 dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d
  SHA512 8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1602f747-c1a3-4345-8dec-4dcb8b1f72e5
  MD5    02ff38ac870de39782aeee04d7b48231
  SHA1   0390d39fa216c9b0ecdb38238304e518fb2b5095
  SHA256 fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876
  SHA512 24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2d686436-375c-4ee1-bd4a-9e44ccd248ba
  MD5    75a8da7754349b38d64c87c938545b1b
  SHA1   5c28c257d51f1c1587e29164cc03ea880c21b417
  SHA256 bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96
  SHA512 798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4375eeb7-a65d-43f1-a616-02c5ad6c5370
  MD5    be4d72095faf84233ac17b94744f7084
  SHA1   cc78ce5b9c57573bd214a8f423ee622b00ebb1ec
  SHA256 b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc
  SHA512 43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_678a0d17-06bd-4c6b-84b3-f086fff33e11
  MD5    d89968acfbd0cd60b51df04860d99896
  SHA1   b3c29916ccb81ce98f95bbf3aa8a73de16298b29
  SHA256 1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9
  SHA512 b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fe5bd95-2cea-4aea-9c8c-dd67bac4295b
  MD5    df44874327d79bd75e4264cb8dc01811
  SHA1   1396b06debed65ea93c24998d244edebd3c0209d
  SHA256 55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181
  SHA512 95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bc2fe8ee-69c0-48ce-8821-1fab80ab4eeb
  MD5    597009ea0430a463753e0f5b1d1a249e
  SHA1   4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62
  SHA256 3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d
  SHA512 5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d4ee1e0e-e816-4099-92e9-c6febb140e06
  MD5    7f79b990cb5ed648f9e583fe35527aa7
  SHA1   71b177b48c8bd745ef02c2affad79ca222da7c33
  SHA256 080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683
  SHA512 20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d5e2e462-c1d2-4148-9666-493c621c8319
  MD5    354b8209f647a42e2ce36d8cf326cc92
  SHA1   98c3117f797df69935f8b09fc9e95accfe3d8346
  SHA256 feae405d288fdd38438f9d9b54f791f3ce3805f1bb88780da5aca402ad372239
  SHA512 420be869b58e9a7a2c31f2550ac269df832935692a6431d455a10d9b426781e79d91e30ace2c465633b8a7ff2be1bf49734d8b99a390090dc4b36411d4391ff0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fa12b0a1-3d6a-4bab-a74a-253a75ca0598
  MD5    5e3c7184a75d42dda1a83606a45001d8
  SHA1   94ca15637721d88f30eb4b6220b805c5be0360ed
  SHA256 8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59
  SHA512 fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4c
  MD5    a725bb9fafcf91f3c6b7861a2bde6db2
  SHA1   8bb5b83f3cc37ff1e5ea4f02acae38e72364c114
  SHA256 51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431
  SHA512 1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fe80cd26-0cf7-4e38-9884-6dab53b04ca9
  MD5    b6d38f250ccc9003dd70efd3b778117f
  SHA1   d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a
  SHA256 4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265
  SHA512 67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5    3b0233b3ac8e4bf0846262e407d9bada
  SHA1   b94b495a3cb787a5202d06a1ae351e15a03cecdb
  SHA256 1d6bec73c6709339719ee73c54ad6b342610ef086309f12cd1aa6e49e5842d62
  SHA512 af60c305485fe528caf6f185896d8266470c2de3d8041f8f34c82a5447365863d452027e38492cf5c16a932a2130d6756ac60513f61aa209ec91367f64f822e9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5    8573de52b4fd40e98df1762e096b22cb
  SHA1   5cdcaf371b34e8d72d5026c11f0b0c7f86e5a375
  SHA256 ced8d4ac2c6775fdca05608cc24889a694be70f0ffc9958aa2942fef6a3917a7
  SHA512 340ed43949dc7cfdffe0cb346a933e605457d41e21b306336259960afec0ba71f388b6f54dc3eccabbbca734076ac5aa709b51a981a3231a6f27b0706e83a910

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5    44415c5b0e78584ca28a2a178e6851ff
  SHA1   91f4b0be22e55bc34e894df460478ba8b454a115
  SHA256 5d62619d7fe76587d73b1ed9e57722ddc40e783dca0631f40645d67e9aa23d8c
  SHA512 d56702a735d89f5bfd153069f758e6cec984104b84cdb219babd172224263adace3cc3ef2b1c7bec2f17802a4bf713d350d4540a0ba24fadee31960b7ccc6099

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5    428b9603db3d01ff2499d09fbaf44272
  SHA1   7c7fb5c20de9da85d31d064ff3187dff6ef2c2d6
  SHA256 f8b633d22ef346e3a7a9af6567dd79acbaa2b9830559db79cbfe857005ab7e21
  SHA512 84a6741c0428199be87b91df14e913ea454e32f0b814ff4f6838395c5b473f7c40d8efd4ade798417a66a6d14851936b5c5689dbb817d07707449a064ce84f3e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5    fc61eced12dd7def15bd85aae3fc9f57
  SHA1   ff07b04a9d21ef8064d4510cb01c8fa1f54299bc
  SHA256 08378aeb07b417298a2562e06b63dd9fa2257edbe3050fcabf1e5d4fa8fd3f3e
  SHA512 7b8237e15ce9fc6dd2442db1997c13d0f65cd703fa197d77cf9258142830414c362f1c02455a703f371835778217739c0aff03d3635aacf73c23e1db1c56587c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5    648d068494fcb1112ff235753258e9a9
  SHA1   eaeff50372c944fd8442561a70da9fe8f93acb33
  SHA256 8d76fd3bd159eb57e79c81fd6de546e46438bb2e617fad10b9bde1664fbdcc03
  SHA512 98e0445833b026b136c5bd6a8981bcbcef4c737232bd2d574ecadfbd04842a08cf65fafc1cca3e201aee157b25f2eb26d2621c304b1d3b93b0588fcb7eb7f713

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5    1e5466d72708587b3914e665b2402410
  SHA1   2b33bddf29db1fd5decbffc86bc064f03d8dc7d3
  SHA256 ada38e2cac97487aed7d646f5c3c8c1285276520aa8f2cb7e9a9d85c2bfdbb2d
  SHA512 9ab02989a9e9ac24ae301ea3da3af1f57e5db77790967821317a78025047c7cb51037c633359c45381f7355fb8204dcbce5c8f43e535ec753b93fcb8c0aef61b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5    1df4288b36b984b43efc9fba1bb3c9c8
  SHA1   48c3e86036f5ea02b058bea4ea7dfc0d3042d876
  SHA256 42b8a1d351ae7f4bc24bcda0332f3226cd080f199b7465846c3fbdd71ad82e1c
  SHA512 e7c608a560f3c397b7d218c877575e118dfd347638d52ac507fa8c086b81a4799ec6ff3ceddc1c01c826377ae3d1d0e9724c832c9df1feb467e4e3d385615224

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5    9468c18fc0b2fd297b7e3401c4a9f527
  SHA1   23d957970d497db520636e4c340bf554abbaafe5
  SHA256 3fb4dd455365af9f5b2135464c09fccf4a436dd76996f2bb600f947bfc9341df
  SHA512 d216a72fd2162fc10561e5acd4ad6fa9ad451e177b80079a15ec0d9df11a0ece32392a37fe17e9e1840bacbb75a82244b4fea312d56587504d8483880b685bfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5    aee31bc4ecadca0774d268144d0ac675
  SHA1   490db5fde6387c4cfd9820d3dcc66c5a7549b4a3
  SHA256 d8309d68257c9f128d452fce80fa5c033444a367394bf375a8adc6787f0f7ad1
  SHA512 ea79fc0c19387b1c605900a4be61169073619d87c0f550851db3bcbd97e47de03507d6ee9cb558740169b90fd5a9320bc3c793911c366316cfae10a5dc6307ef

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5    056ebe798a49af115fed8f27f3203f08
  SHA1   4de9cedbeb79e11acbd8a9b0e6468b1eca7024d7
  SHA256 a65a7ebce0ca7a3a2efa9c2a3d015169a7da13f90f8bb9c237f45c4cbf19ee9c
  SHA512 145ed7087c96c2e0075fbecd6edff9be711bf1f8b95f5cbe4e0ee96556d72e0ef4e3d8f1c6471ca8f91d32c96ae5442d87b9179680c37c6ef78f90f76a9054f8

C:\Users\Admin\AppData\Local\Temp\bc51a6e3-7e96-40c7-a28d-6a9dd434bd80\AdvancedRun.exe
  MD5    17fc12902f4769af3a9271eb4e2dacce
  SHA1   9a4a1581cc3971579574f837e110f3bd6d529dab
  SHA256 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
  SHA512 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

C:\Users\Admin\AppData\Local\Temp\eb3442cb-7908-498e-8698-f5d1432ad428\AdvancedRun.exe
  MD5    17fc12902f4769af3a9271eb4e2dacce
  SHA1   9a4a1581cc3971579574f837e110f3bd6d529dab
  SHA256 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
  SHA512 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  MD5    a40f8c4d430ab2ad9570a3c716cbcab8
  SHA1   ac78f78aa261f1cde30fc4cc90be25d6a5bf3648
  SHA256 5e3c32c4a4f4a87dccffc75fd04f8f994194cc63d039397866d2403b209a284a
  SHA512 4959b02de7f5ec6649e9d08db17315331a65927cfa1d8738a0df8b72871453c92e14179c06961ee22644e2819245303633f74361c45cacfb3682335628c3c3df

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe
  (same digests as the submitted c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b.exe: the sample copied itself into the Startup folder)
  MD5    09f2b5d6519152493e6e5de0dc3491c4
  SHA1   2ac089761acab44a257648842595e5104fbeff4d
  SHA256 c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b
  SHA512 80ddd54e72f9a941457c99dd91e2fe13151aa498ab9fcf80fa957cdfb5b0954e2002b56ba2f4885828c5de574aa437dbd73efccdd3232d707f8b581de3c592f1

C:\Users\Admin\VkMDJmQEGbmsmiapZkoekt
  MD5    5998fa3d51a22192d5dd02b5dc065d81
  SHA1   2fea7f55f8646d8f153c64b10cf7e9cb34c4d08d
  SHA256 1c727c77c64e8ce224c5e49c3750437a96d324320979d96f95d56f89814656a4
  SHA512 f730efded25952f622dcb996c5cc4feff3d486ef22a9be08f33168817519ae81ca238892d726c61a9fdf3a54365929c9cc2bd728faa1fb224037723288cdcf94

\Users\Admin\AppData\Local\Temp\00306D40\nss3.dll
  MD5    556ea09421a0f74d31c4c0a89a70dc23
  SHA1   f739ba9b548ee64b13eb434a3130406d23f836e3
  SHA256 f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
  SHA512 2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

\Users\Admin\AppData\Local\Temp\bc51a6e3-7e96-40c7-a28d-6a9dd434bd80\AdvancedRun.exe
  MD5    17fc12902f4769af3a9271eb4e2dacce
  SHA1   9a4a1581cc3971579574f837e110f3bd6d529dab
  SHA256 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
  SHA512 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

\Users\Admin\AppData\Local\Temp\eb3442cb-7908-498e-8698-f5d1432ad428\AdvancedRun.exe
  MD5    17fc12902f4769af3a9271eb4e2dacce
  SHA1   9a4a1581cc3971579574f837e110f3bd6d529dab
  SHA256 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
  SHA512 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exe
  MD5    09f2b5d6519152493e6e5de0dc3491c4
  SHA1   2ac089761acab44a257648842595e5104fbeff4d
  SHA256 c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b
  SHA512 80ddd54e72f9a941457c99dd91e2fe13151aa498ab9fcf80fa957cdfb5b0954e2002b56ba2f4885828c5de574aa437dbd73efccdd3232d707f8b581de3c592f1
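The dropped-file list as the sandbox exports it repeats an entry for every write of the same file, fuses the digest labels onto their values, and lists the same AdvancedRun binary under several paths. Here is an added Python example that turns such an export into a deduplicated indicator set, checks that every digest has the length its algorithm produces, groups paths by content, and picks out files byte-identical to the submitted sample. It is not part of the report or of any sandbox tooling. The five entries embedded in it are copied from the list above, with one repeated as the export repeats it and one rewritten in a "LABEL value" layout to show both layouts are accepted; the parsing rules are assumptions about the export format, and SAMPLE_SHA256 is taken from the sample's file name in the process tree.

```python
import re
from collections import defaultdict

# Constructed input: entries copied from the dropped-file list above.  The
# sandbox export fuses the first label onto the path ("...exeMD5") and the other
# labels onto their values ("SHA1<hex>"); the eb3442cb AdvancedRun entry is
# written in the cleaner "LABEL value" layout to show both are accepted.
DROPPED_EXPORT = r'''
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QmAyWAfgogMbxkGYgcBqylUnYqTrR.exeMD5
09f2b5d6519152493e6e5de0dc3491c4
SHA12ac089761acab44a257648842595e5104fbeff4d
SHA256c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b
SHA51280ddd54e72f9a941457c99dd91e2fe13151aa498ab9fcf80fa957cdfb5b0954e2002b56ba2f4885828c5de574aa437dbd73efccdd3232d707f8b581de3c592f1
-
C:\Users\Admin\AppData\Local\Temp\bc51a6e3-7e96-40c7-a28d-6a9dd434bd80\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\bc51a6e3-7e96-40c7-a28d-6a9dd434bd80\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\eb3442cb-7908-498e-8698-f5d1432ad428\AdvancedRun.exe
MD5 17fc12902f4769af3a9271eb4e2dacce
SHA1 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
\Users\Admin\AppData\Local\Temp\00306D40\nss3.dllMD5
556ea09421a0f74d31c4c0a89a70dc23
SHA1f739ba9b548ee64b13eb434a3130406d23f836e3
SHA256f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
SHA5122481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2
-
'''

# SHA256 of the submitted sample, taken from its file name in the tree above.
SAMPLE_SHA256 = 'c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b'
HEX_LEN = {'MD5': 32, 'SHA1': 40, 'SHA256': 64, 'SHA512': 128}
# Accepts "SHA1<hex>", "SHA1 <hex>" and "SHA1: <hex>".
LABEL = re.compile(r'^(MD5|SHA1|SHA256|SHA512)\s*:?\s*([0-9A-Fa-f]+)$')


def parse_dropped(text):
    """One dict per listed entry: path plus lower-case hex digests."""
    entries, cur, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '-':
            continue
        if pending:                      # value line after a fused "...MD5" path
            cur[pending] = line.lower()
            pending = None
            continue
        m = LABEL.match(line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2).lower()
            continue
        cur = {'path': line}             # anything else starts a new entry
        entries.append(cur)
        if line.endswith('MD5'):         # fused layout: label glued to the path
            cur['path'] = line[:-3]
            pending = 'MD5'
    return entries


def bad_digests(entry):
    """Labels whose digest is missing or not the length that algorithm produces."""
    return [k for k, n in HEX_LEN.items() if len(entry.get(k, '')) != n]


def dedupe(entries):
    """Keep the first occurrence of each (path, SHA256): the export lists an
    entry again for every write of the same file."""
    seen, out = set(), []
    for e in entries:
        key = (e['path'], e.get('SHA256'))
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out


def paths_by_sha256(entries):
    """Group paths by content, so one binary dropped under several names (the
    Nirsoft AdvancedRun copies here) is reported once."""
    groups = defaultdict(set)
    for e in entries:
        groups[e['SHA256']].add(e['path'])
    return {h: sorted(p) for h, p in groups.items()}


def self_copies(entries):
    """Dropped files byte-identical to the submitted sample."""
    return sorted({e['path'] for e in entries if e.get('SHA256') == SAMPLE_SHA256})


if __name__ == '__main__':
    rows = dedupe(parse_dropped(DROPPED_EXPORT))
    for r in rows:
        print(r['path'], bad_digests(r) or 'digests OK')
    for h, paths in paths_by_sha256(rows).items():
        print(h, '->', len(paths), 'path(s)')
    print('self-copies of the sample:', self_copies(rows))
```

The length check matters because a fused label is easy to strip wrongly (taking "SHA1" off a "SHA512" line, for instance) and a digest that is a few characters short matches nothing when pushed to a blocklist.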
memory/112-137-0x0000000004902000-0x0000000004903000-memory.dmp  Filesize 4KB
memory/112-116-0x0000000000000000-mapping.dmp
memory/112-132-0x0000000004900000-0x0000000004901000-memory.dmp  Filesize 4KB
memory/292-102-0x0000000002550000-0x000000000319A000-memory.dmp  Filesize 12MB
memory/292-90-0x0000000004940000-0x0000000004941000-memory.dmp  Filesize 4KB
memory/292-78-0x0000000000000000-mapping.dmp
memory/292-100-0x0000000002550000-0x000000000319A000-memory.dmp  Filesize 12MB
memory/776-106-0x00000000049C2000-0x00000000049C3000-memory.dmp  Filesize 4KB
memory/776-82-0x0000000000000000-mapping.dmp
memory/776-188-0x00000000049A0000-0x00000000049A1000-memory.dmp  Filesize 4KB
memory/776-104-0x00000000049C0000-0x00000000049C1000-memory.dmp  Filesize 4KB
memory/820-72-0x0000000000000000-mapping.dmp
memory/904-75-0x0000000000000000-mapping.dmp
memory/904-244-0x0000000004912000-0x0000000004913000-memory.dmp  Filesize 4KB
memory/904-98-0x0000000004910000-0x0000000004911000-memory.dmp  Filesize 4KB
memory/904-85-0x0000000000B70000-0x0000000000B71000-memory.dmp  Filesize 4KB
memory/960-108-0x0000000000000000-mapping.dmp
memory/960-111-0x00000000008A0000-0x00000000008A1000-memory.dmp  Filesize 4KB
memory/960-115-0x0000000004C10000-0x0000000004C11000-memory.dmp  Filesize 4KB
memory/1040-63-0x00000000009D0000-0x0000000000A54000-memory.dmp  Filesize 528KB
memory/1040-60-0x0000000000BF0000-0x0000000000BF1000-memory.dmp  Filesize 4KB
memory/1040-62-0x0000000004C30000-0x0000000004C31000-memory.dmp  Filesize 4KB
memory/1060-66-0x0000000000000000-mapping.dmp
memory/1060-68-0x0000000074F31000-0x0000000074F33000-memory.dmp  Filesize 8KB
memory/1152-101-0x00000000048D2000-0x00000000048D3000-memory.dmp  Filesize 4KB
memory/1152-99-0x00000000048D0000-0x00000000048D1000-memory.dmp  Filesize 4KB
memory/1152-76-0x0000000000000000-mapping.dmp
memory/1332-122-0x0000000004950000-0x0000000004951000-memory.dmp  Filesize 4KB
memory/1332-148-0x0000000005340000-0x0000000005341000-memory.dmp  Filesize 4KB
memory/1332-113-0x0000000000000000-mapping.dmp
memory/1332-136-0x0000000004952000-0x0000000004953000-memory.dmp  Filesize 4KB
memory/1344-118-0x0000000000000000-mapping.dmp
memory/1344-141-0x0000000000FB2000-0x0000000000FB3000-memory.dmp  Filesize 4KB
memory/1344-140-0x0000000000FB0000-0x0000000000FB1000-memory.dmp  Filesize 4KB
memory/1800-103-0x00000000049A0000-0x00000000049A1000-memory.dmp  Filesize 4KB
memory/1800-80-0x0000000000000000-mapping.dmp
memory/1800-105-0x00000000049A2000-0x00000000049A3000-memory.dmp  Filesize 4KB
memory/1800-206-0x000000007EF30000-0x000000007EF31000-memory.dmp  Filesize 4KB
memory/2212-135-0x0000000000000000-mapping.dmp
memory/2276-145-0x0000000000000000-mapping.dmp
memory/2344-170-0x0000000004800000-0x0000000004801000-memory.dmp  Filesize 4KB
memory/2344-178-0x0000000004802000-0x0000000004803000-memory.dmp  Filesize 4KB
memory/2344-154-0x0000000000000000-mapping.dmp
memory/2376-155-0x0000000000000000-mapping.dmp
memory/2376-179-0x0000000004A30000-0x0000000004A31000-memory.dmp  Filesize 4KB
memory/2376-180-0x0000000004A32000-0x0000000004A33000-memory.dmp  Filesize 4KB
memory/2416-157-0x0000000000000000-mapping.dmp
memory/2416-175-0x0000000002550000-0x000000000319A000-memory.dmp  Filesize 12MB
memory/2496-246-0x0000000004922000-0x0000000004923000-memory.dmp  Filesize 4KB
memory/2496-245-0x0000000004920000-0x0000000004921000-memory.dmp  Filesize 4KB
memory/2496-162-0x0000000000000000-mapping.dmp
memory/2576-166-0x0000000000000000-mapping.dmp
memory/2576-187-0x0000000002550000-0x000000000319A000-memory.dmp  Filesize 12MB
memory/2860-196-0x0000000000000000-mapping.dmp
memory/2872-197-0x0000000000000000-mapping.dmp
memory/2916-198-0x0000000000000000-mapping.dmp
memory/2936-199-0x0000000000000000-mapping.dmp
memory/2976-200-0x000000000041A684-mapping.dmp
memory/2976-203-0x0000000000400000-0x0000000000421000-memory.dmp  Filesize 132KB
memory/2988-201-0x000000000041A684-mapping.dmp
memory/3048-205-0x0000000000000000-mapping.dmp
memory/3048-243-0x0000000000340000-0x0000000000341000-memory.dmp  Filesize 4KB