Analysis
max time kernel: 147s
max time network: 148s
platform: windows10_x64
resource: win10-en-20210920
submitted: 19-10-2021 13:40
Static task: static1
Behavioral task: behavioral1
Sample: 26336dc0ae102f2f33224e7a9287d2d9.exe
Resource: win7-en-20211014
General
Target: 26336dc0ae102f2f33224e7a9287d2d9.exe
Size: 6.2MB
MD5: 26336dc0ae102f2f33224e7a9287d2d9
SHA1: 69cbd25941b893bdc57737a4b3946a970ff3eaf4
SHA256: bae8a350275fcbd67c5e6290df472a19e59646a5203536d2e152003a91a4db5d
SHA512: a5feb183f86966cf4c8458da898385ac172678b28dafaf89a5bbe8cc92c171ca4251406bc7b42162195d167a0f97e293effce43447cdf918c441a46862c5afe3
Malware Config
Extracted
danabot
192.119.110.73:443
192.236.147.159:443
192.210.222.88:443
-
embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
-
type
loader
Extracted
danabot
2052
4
192.119.110.73:443
192.236.147.159:443
192.210.222.88:443
-
embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
-
type
main
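The extracted configuration above is the part of this report that turns most directly into network detections. The following is an added example (mine, not the sandbox's code and not any DanaBot tooling): it parses the config in the one-value-per-line layout the report prints, collects the C2 endpoints from both the loader and the main block, and runs constructed flow records against them. The flow records, the hostnames and the rule names are assumptions; the two unlabelled integers in the main block are carried through unexplained because the report does not say what they are.

```python
"""Parse the DanaBot config as this report prints it, then match flow records
against the extracted C2 endpoints. Added example; not part of the report."""
import ipaddress
import re
from dataclasses import dataclass, field

# The two "Extracted" blocks from the Malware Config section, as printed. The
# unlabelled lines 2052 and 4 are kept but not interpreted.
CONFIG_TEXT = """\
Extracted
danabot
192.119.110.73:443
192.236.147.159:443
192.210.222.88:443
-
embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
-
type
loader
Extracted
danabot
2052
4
192.119.110.73:443
192.236.147.159:443
192.210.222.88:443
-
embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
-
type
main
"""

ENDPOINT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")

@dataclass
class ExtractedConfig:
    family: str = ""
    c2: list = field(default_factory=list)        # (ip, port) tuples
    fields: dict = field(default_factory=dict)    # embedded_hash, type
    unlabelled: list = field(default_factory=list)

def parse_configs(text):
    """One ExtractedConfig per 'Extracted' block. A label such as 'embedded_hash'
    is followed by its value on the next line; '-' lines are separators."""
    configs, cur, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Extracted":
            cur = ExtractedConfig()
            configs.append(cur)
            pending = None
        elif cur is None or line in ("", "-"):
            continue
        elif pending:
            cur.fields[pending] = line
            pending = None
        elif not cur.family:
            cur.family = line
        elif (m := ENDPOINT_RE.match(line)):
            ip, port = ipaddress.ip_address(m.group(1)), int(m.group(2))  # rejects bad octets
            if not 0 < port < 65536:
                raise ValueError(f"bad port in {line!r}")
            cur.c2.append((str(ip), port))
        elif line.isdigit():
            cur.unlabelled.append(int(line))
        else:
            pending = line
    return configs

def c2_endpoints(configs):
    return {ep for c in configs for ep in c.c2}

# Constructed flow records (src, dst, dst_port, TLS SNI or None); not from the report.
FLOWS = [
    ("10.0.0.5", "192.119.110.73", 443, None),
    ("10.0.0.5", "203.0.113.7", 443, "update.example.net"),
    ("10.0.0.5", "192.210.222.88", 8443, None),
    ("10.0.0.5", "203.0.113.9", 443, None),
]

def match_flows(flows, endpoints):
    """Exact ip:port is the strong signal; the same IP on another port still
    deserves a look; TLS on 443 to a bare IP with no SNI (which is what these
    C2 entries are) is a weak hunting signal that needs an allowlist."""
    c2_ips = {ip for ip, _ in endpoints}
    hits = []
    for src, dst, port, sni in flows:
        if (dst, port) in endpoints:
            hits.append((src, f"{dst}:{port}", "danabot_c2"))
        elif dst in c2_ips:
            hits.append((src, f"{dst}:{port}", "danabot_c2_ip_other_port"))
        elif port == 443 and not sni:
            hits.append((src, f"{dst}:{port}", "tls_no_sni_to_ip"))
    return hits
```

IP-based indicators age quickly, so the exact-endpoint match is for this campaign's window; the no-SNI rule is the one that survives infrastructure changes, at the cost of needing an allowlist for internal services that legitimately answer on 443 without SNI.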
Signatures
-
Danabot Loader Component 4 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\WEYVSB~1.DLL | DanabotLoader2021
\Users\Admin\AppData\Local\Temp\WEYVSB~1.DLL | DanabotLoader2021
\Users\Admin\AppData\Local\Temp\WEYVSB~1.DLL | DanabotLoader2021
\Users\Admin\AppData\Local\Temp\WEYVSB~1.DLL | DanabotLoader2021
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
Processes:
description | pid | process | target process
PID 824 created 1236 | 824 | WerFault.exe | rundll32.exe
PID 996 created 2340 | 996 | WerFault.exe | RUNDLL32.EXE
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 10 IoCs
Processes:
flow | pid | process
34 | 1984 | WScript.exe
36 | 1984 | WScript.exe
38 | 1984 | WScript.exe
40 | 1984 | WScript.exe
44 | 1236 | rundll32.exe
47 | 2232 | RUNDLL32.EXE
49 | 2232 | RUNDLL32.EXE
50 | 2232 | RUNDLL32.EXE
51 | 2232 | RUNDLL32.EXE
52 | 2232 | RUNDLL32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
3432 | foulervp.exe
3820 | giliak.exe
912 | IntelRapid.exe
996 | weyvsbmj.exe
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | foulervp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | IntelRapid.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | IntelRapid.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | giliak.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | giliak.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | foulervp.exe
-
Drops startup file 1 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk | giliak.exe
-
Loads dropped DLL 4 IoCs
Processes:
pid | process
2016 | 26336dc0ae102f2f33224e7a9287d2d9.exe
1236 | rundll32.exe
2232 | RUNDLL32.EXE
2340 | RUNDLL32.EXE
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 16 IoCs
The dropped executables foulervp.exe, giliak.exe and IntelRapid.exe, and their in-memory images, match the yara rule themida.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\effort\foulervp.exe | themida
C:\Users\Admin\AppData\Local\Temp\effort\foulervp.exe | themida
C:\Users\Admin\AppData\Local\Temp\effort\giliak.exe | themida
C:\Users\Admin\AppData\Local\Temp\effort\giliak.exe | themida
behavioral2/memory/3820-122-0x00007FF62BCB0000-0x00007FF62C636000-memory.dmp | themida
behavioral2/memory/3820-123-0x00007FF62BCB0000-0x00007FF62C636000-memory.dmp | themida
behavioral2/memory/3820-124-0x00007FF62BCB0000-0x00007FF62C636000-memory.dmp | themida
behavioral2/memory/3432-125-0x0000000000C90000-0x0000000001353000-memory.dmp | themida
behavioral2/memory/3432-126-0x0000000000C90000-0x0000000001353000-memory.dmp | themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe | themida
behavioral2/memory/3432-130-0x0000000000C90000-0x0000000001353000-memory.dmp | themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe | themida
behavioral2/memory/3432-132-0x0000000000C90000-0x0000000001353000-memory.dmp | themida
behavioral2/memory/912-133-0x00007FF6F8710000-0x00007FF6F9096000-memory.dmp | themida
behavioral2/memory/912-134-0x00007FF6F8710000-0x00007FF6F9096000-memory.dmp | themida
behavioral2/memory/912-135-0x00007FF6F8710000-0x00007FF6F9096000-memory.dmp | themida
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | RUNDLL32.EXE
-
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | RUNDLL32.EXE
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 3 IoCs
Queries the EnableLUA policy value; the same three dropped executables that probe the BIOS keys do this.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | giliak.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | foulervp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | IntelRapid.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
8 | ip-api.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
pid | process
3820 | giliak.exe
3432 | foulervp.exe
912 | IntelRapid.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2340 set thread context of 1340 | 2340 | RUNDLL32.EXE | rundll32.exe
-
Drops file in Program Files directory 4 IoCs
C:\PROGRA~3 is normally the 8.3 short name of C:\ProgramData rather than a Program Files directory, so the fourth entry belongs with the ProgramData drop rather than with the three DLLs.
Processes:
description | ioc | process
File created | C:\Program Files (x86)\foler\olader\acppage.dll | 26336dc0ae102f2f33224e7a9287d2d9.exe
File created | C:\Program Files (x86)\foler\olader\adprovider.dll | 26336dc0ae102f2f33224e7a9287d2d9.exe
File created | C:\Program Files (x86)\foler\olader\acledit.dll | 26336dc0ae102f2f33224e7a9287d2d9.exe
File created | C:\PROGRA~3\zohplghndapsm.tmp | rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The signature's generic text calls this likely ransomware behaviour, but nothing else in this report shows file encryption; treat the wording as the signature's boilerplate, not as a finding about this sample.
-
Program crash 2 IoCs
Processes:
pid | pid_target | process | target process
824 | 1236 | WerFault.exe | rundll32.exe
996 | 2340 | WerFault.exe | RUNDLL32.EXE
-
Checks processor information in registry 2 TTPs 45 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc (relative to \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor) | process
Key opened | \0 | foulervp.exe
Key value queried | \0\Identifier | RUNDLL32.EXE
Key value queried | \0\Previous Update Revision | RUN DLL32.EXE
Key value enumerated | \1 | RUNDLL32.EXE
Key value queried | \1\~MHz | RUNDLL32.EXE
Key value queried | \0\Update Revision | RUNDLL32.EXE
Key value queried | \1\VendorIdentifier | RUNDLL32.EXE
Key opened | \0 | RUNDLL32.EXE
Key value queried | \0\~MHz | RUNDLL32.EXE
Key value queried | \0\Configuration Data | RUNDLL32.EXE
Key value enumerated | \0 | RUNDLL32.EXE
Key value queried | \0\Platform Specific Field 1 | RUNDLL32.EXE
Key enumerated | (the CentralProcessor key itself) | RUNDLL32.EXE
Key value queried | \0\FeatureSet | RUNDLL32.EXE
Key value queried | \0\Update Status | RUNDLL32.EXE
Key opened | \0 | RUNDLL32.EXE
Key enumerated | (the CentralProcessor key itself) | RUNDLL32.EXE
Key value queried | \0\VendorIdentifier | RUNDLL32.EXE
Key value queried | \0\ProcessorNameString | foulervp.exe
Key value enumerated | \0 | RUNDLL32.EXE
Key opened | (the CentralProcessor key itself) | RUNDLL32.EXE
Key opened | \1 | RUNDLL32.EXE
Key value enumerated | \1 | RUNDLL32.EXE
Key value queried | \0\ProcessorNameString | RUNDLL32.EXE
Key value queried | \0\Configuration Data | RUNDLL32.EXE
Key value queried | \1\Previous Update Revision | RUNDLL32.EXE
Key value queried | \1\Component Information | RUNDLL32.EXE
Key opened | (the CentralProcessor key itself) | RUNDLL32.EXE
Key opened | \1 | RUNDLL32.EXE
Key value queried | \1\ProcessorNameString | RUNDLL32.EXE
Key value queried | \1\Update Status | RUNDLL32.EXE
Key value queried | \1\~MHz | RUNDLL32.EXE
Key value queried | \0\Platform Specific Field 1 | RUNDLL32.EXE
Key value queried | \0\Update Revision | RUNDLL32.EXE
Key value queried | \1\Previous Update Revision | RUNDLL32.EXE
Key value queried | \1\Platform Specific Field 1 | RUNDLL32.EXE
Key value queried | \0\Identifier | RUNDLL32.EXE
Key value queried | \0\FeatureSet | RUNDLL32.EXE
Key value queried | \1\FeatureSet | RUNDLL32.EXE
Key value queried | \1\VendorIdentifier | RUNDLL32.EXE
Key value queried | \0\Component Information | RUNDLL32.EXE
Key value queried | \0\~MHz | RUNDLL32.EXE
Key value queried | \0\Component Information | RUNDLL32.EXE
Key value queried | \0\Previous Update Revision | RUNDLL32.EXE
Key value queried | \0\ProcessorNameString | RUNDLL32.EXE
-
Modifies Internet Explorer settings 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TypedURLs | rundll32.exe
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings | foulervp.exe
-
Modifies system certificate store 4 IoCs
AuthRoot\Certificates is where Windows caches roots fetched through its automatic root-update mechanism, which any process that builds a chain to a not-yet-cached root can trigger, so the WScript.exe entry may be a side effect of that process's network requests. The ROOT\Certificates entry written by RUNDLL32.EXE is a direct addition to the machine's trusted roots and is the one whose blob to pull and inspect from a full copy of the report.
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | WScript.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted from this export) | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CCA5A76C31AE4AA766752DD408C1AA45F20A2AA8 | RUNDLL32.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CCA5A76C31AE4AA766752DD408C1AA45F20A2AA8\Blob = (certificate blob omitted from this export) | RUNDLL32.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
912 | IntelRapid.exe
The listener is registered by the copy that giliak.exe persisted through the Startup-folder .lnk; this report does not show what is done with clipboard contents.
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes:
pid | process | entries (48 in total, aggregated by pid)
3432 | foulervp.exe | 2
824 | WerFault.exe | 13
2232 | RUNDLL32.EXE | 8
2164 | powershell.exe | 3
2340 | RUNDLL32.EXE | 2
996 | WerFault.exe | 14
2312 | powershell.exe | 3
1148 | powershell.exe | 3
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description | pid | process
Token: SeRestorePrivilege | 824 | WerFault.exe
Token: SeBackupPrivilege | 824 | WerFault.exe
Token: SeDebugPrivilege | 824 | WerFault.exe
Token: SeDebugPrivilege | 2164 | powershell.exe
Token: SeDebugPrivilege | 996 | WerFault.exe
Token: SeDebugPrivilege | 2232 | RUNDLL32.EXE
Token: SeDebugPrivilege | 2312 | powershell.exe
Token: SeDebugPrivilege | 1148 | powershell.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
1340 | rundll32.exe
2232 | RUNDLL32.EXE
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes:
pid | process | target pid | target process | entries (48 in total, aggregated by parent/child pair)
2016 | 26336dc0ae102f2f33224e7a9287d2d9.exe | 3432 | foulervp.exe | 3
2016 | 26336dc0ae102f2f33224e7a9287d2d9.exe | 3820 | giliak.exe | 2
3820 | giliak.exe | 912 | IntelRapid.exe | 2
3432 | foulervp.exe | 996 | weyvsbmj.exe | 3
3432 | foulervp.exe | 3168 | WScript.exe | 3
996 | weyvsbmj.exe | 1236 | rundll32.exe | 3
3432 | foulervp.exe | 1984 | WScript.exe | 3
1236 | rundll32.exe | 2232 | RUNDLL32.EXE | 3
2232 | RUNDLL32.EXE | 2164 | powershell.exe | 3
2232 | RUNDLL32.EXE | 2340 | RUNDLL32.EXE | 3
2340 | RUNDLL32.EXE | 1340 | rundll32.exe | 3
1340 | rundll32.exe | 1316 | ctfmon.exe | 2
2232 | RUNDLL32.EXE | 2312 | powershell.exe | 3
2232 | RUNDLL32.EXE | 1148 | powershell.exe | 3
1148 | powershell.exe | 2920 | nslookup.exe | 3
2232 | RUNDLL32.EXE | 1124 | schtasks.exe | 3
2232 | RUNDLL32.EXE | 3040 | schtasks.exe | 3
-
outlook_office_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
-
outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
Processes
(indentation follows the parent/child depth the sandbox recorded; the signatures under each process are the ones that process triggered)
C:\Users\Admin\AppData\Local\Temp\26336dc0ae102f2f33224e7a9287d2d9.exe  PID 2016
  command line: "C:\Users\Admin\AppData\Local\Temp\26336dc0ae102f2f33224e7a9287d2d9.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\effort\foulervp.exe  PID 3432
    command line: "C:\Users\Admin\AppData\Local\Temp\effort\foulervp.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\weyvsbmj.exe  PID 996
      command line: "C:\Users\Admin\AppData\Local\Temp\weyvsbmj.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\rundll32.exe  PID 1236
        command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\WEYVSB~1.DLL,s C:\Users\Admin\AppData\Local\Temp\weyvsbmj.exe
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Drops file in Program Files directory
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\RUNDLL32.EXE  PID 2232
          command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\WEYVSB~1.DLL,bxFeeGM=
          - Blocklisted process makes network request
          - Loads dropped DLL
          - Accesses Microsoft Outlook accounts
          - Accesses Microsoft Outlook profiles
          - Checks processor information in registry
          - Modifies system certificate store
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          - outlook_office_path
          - outlook_win_path
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID 2164
            command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\WEYVSB~1.DLL
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\RUNDLL32.EXE  PID 2340
            command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\WEYVSB~1.DLL,QAk2NUQ=
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\rundll32.exe  PID 1340
              command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 19638
              - Modifies Internet Explorer settings
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of WriteProcessMemory
              C:\Windows\system32\ctfmon.exe  PID 1316
                command line: ctfmon.exe
            C:\Windows\SysWOW64\WerFault.exe  PID 996 (same PID as weyvsbmj.exe above, which had exited by then; PIDs are reused)
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 824
              - Suspicious use of NtCreateProcessExOtherParentProcess
              - Program crash
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID 2312
            command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpF4EB.tmp.ps1"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID 1148
            command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp837.tmp.ps1"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\nslookup.exe  PID 2920
              command line: "C:\Windows\system32\nslookup.exe" -type=any localhost
          C:\Windows\SysWOW64\schtasks.exe  PID 1124
            command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
          C:\Windows\SysWOW64\schtasks.exe  PID 3040
            command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
        C:\Windows\SysWOW64\WerFault.exe  PID 824
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 832
          - Suspicious use of NtCreateProcessExOtherParentProcess
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WScript.exe  PID 3168
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jylwqal.vbs"
    C:\Windows\SysWOW64\WScript.exe  PID 1984
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jnfqesgpeby.vbs"
      - Blocklisted process makes network request
      - Modifies system certificate store
  C:\Users\Admin\AppData\Local\Temp\effort\giliak.exe  PID 3820
    command line: "C:\Users\Admin\AppData\Local\Temp\effort\giliak.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Drops startup file
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe  PID 912
      command line: "C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK Enterprise v6
Downloads
-
C:\PROGRA~3\zohplghndapsm.tmpMD5
2def7e89943100cf26d70ef373b1260e
SHA1d90f028ae9ac9f8edc26445639752acbcacc70e7
SHA256178020d76bd88c4681056aeb6a693e8db6afe0f6283466c687c0ca0d04ed1549
SHA512a65902089d46d2dcaca02caa028cc288e287de7a315ab631c532cf8c584850c2c896d3e8820ff338ab86e177b79d828c4fe1c8606e690477714a1afd65750624
-
C:\PROGRA~3\zohplghndapsm.tmpMD5
e2f488ecf3adcb56caec78a8cbf47a7b
SHA15ffdf24f87b444614ca237fb9ae97f45c2ca25ed
SHA2560f432109c757831415786b0efde7a5ee8e7090bc1abc05c1c05bea7ad6735f80
SHA512e534a67be069fe8c6eadee0993b9ea0796e11e46d8cf061ceb6c1bcb2df6822d920f39dcc8e8b9a9fb8b2761883da38426a41c14c07d08a4e8b9f4a8b36ad576
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
47eebe401625bbc55e75dbfb72e9e89a
SHA1db3b2135942d2532c59b9788253638eb77e5995e
SHA256f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3
SHA512590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
0d6b34901cd8055993f6fc2e8541b9ec
SHA1ff707cc9cd66be15aa35bd776158c6356d4287f5
SHA256cb81e9e1e4c680d6cd8789ee4efb5157e386b92adea2b2762a5ed57483e7735a
SHA512aa9ccbf6a0e3557fef9e0bdcd4dd4742c1838dbe01815b6b51386ec2b6af17f7551d4fba6bc75ef5161be4574fc77a557ea516334f4043881a4d38343be4694b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
2a7af5105ec2f0e3ab5753f8699f2970
SHA155887bb79b91feef194afd9a9fa66f561bffcb3d
SHA256f9dba6784213f5645fbf64f0f59c20e69e423c8269efd6f3f12eaf730fa3fee2
SHA512deae222d23d70187a0fa76b47ba6900f7adf53b097ddf934d054094cf3024b20fbb850d5569023122c4f6e348b93f7ccd9e75d87f8ad6b56ab2286f506eb05cf
-
C:\Users\Admin\AppData\Local\Temp\WEYVSB~1.DLLMD5
2917eef84c11dd5bbb2f8f6c66790230
SHA186c473469afcdffe307715a8fb40f6d05a520182
SHA256fa2775a5162758a1a505d9c5383f3a26c2dfd82530c8e762bbea8ff9ee4ce30b
SHA512e7573237b1ea3b653245e303578549813d4ef7aa5990a1d13de67e2a6171a534fe7df996c8014e03a560362f0ed54aec382827b20ed7c0aff019945690e61657
-
C:\Users\Admin\AppData\Local\Temp\effort\foulervp.exeMD5
0e20c0706d5ed977ca4c638ffdf5ad99
SHA1a226b30c4a30cb302ec5086a1e509bafca2ae42f
SHA256c65908600ea034bff5009fc2b5ce1cb137140d61bfcb9118a8e6b0dea61c0b7e
SHA5123b4a2a33210bef7188c3bfe3397e6b778df89ba32376fffffe97ed7408c87b2ef4c1a27e80b717d8034ba842d5767b71047fba571fc5b1aaf4bbcc4315a9689a
-
C:\Users\Admin\AppData\Local\Temp\effort\foulervp.exeMD5
0e20c0706d5ed977ca4c638ffdf5ad99
SHA1a226b30c4a30cb302ec5086a1e509bafca2ae42f
SHA256c65908600ea034bff5009fc2b5ce1cb137140d61bfcb9118a8e6b0dea61c0b7e
SHA5123b4a2a33210bef7188c3bfe3397e6b778df89ba32376fffffe97ed7408c87b2ef4c1a27e80b717d8034ba842d5767b71047fba571fc5b1aaf4bbcc4315a9689a
-
C:\Users\Admin\AppData\Local\Temp\effort\giliak.exeMD5
25b502360214612a67db5f75f4b68b9e
SHA164852ba4d72da7e5b5750ce0b419e289325690f7
SHA256429a260f7a8f95b16f28b2cb6c297b8c945dd3744f49aa7e0521eeebcfd251bd
SHA512de8ead46922af0b3333065acca7d7b40979afaa258b2a6d2d1a39e4767b38e1ad37143c039e6e4038c23bdd8e2ffb8954339bdb04738c98548faa2877481c26c
-
C:\Users\Admin\AppData\Local\Temp\effort\giliak.exeMD5
25b502360214612a67db5f75f4b68b9e
SHA164852ba4d72da7e5b5750ce0b419e289325690f7
SHA256429a260f7a8f95b16f28b2cb6c297b8c945dd3744f49aa7e0521eeebcfd251bd
SHA512de8ead46922af0b3333065acca7d7b40979afaa258b2a6d2d1a39e4767b38e1ad37143c039e6e4038c23bdd8e2ffb8954339bdb04738c98548faa2877481c26c
-
C:\Users\Admin\AppData\Local\Temp\jnfqesgpeby.vbsMD5
3216b6032d2fe0fb141d1070438487dd
SHA1917bd7f821d589b36353ca5081e6984d31ed69b8
SHA2569209cd6717ddf764ec239c7966283ce83233b66a319a3dfa0b21cd8ef0c7b2bf
SHA5120e53c8c9aa6f1c47fbd767ea12f2f934e2083cc3761696a21c13f811a62b1b8d9474eaa13607a11509102836a3c641242ee19792dbbaec92296e8643d167daff
-
C:\Users\Admin\AppData\Local\Temp\jylwqal.vbsMD5
6fd0360f33237a6d06a683578d4ad396
SHA12ca4498ea1c6cf7fd5efba23103d41d8b19df2f7
SHA2561d0d429f89e8a236839e26380b9abb323bb48094a49f70788f77940712add25a
SHA5121ee729c63202a20affe1335ef7f755e10ab460acd4f6d019fc95f1da495c7bab612d3429144c1dab29c51ff7218b3db7df94169afea32123cb250d1083a0fa26
-
C:\Users\Admin\AppData\Local\Temp\tmp837.tmp.ps1MD5
803d783400c1afe89806320dc2a9247a
SHA18425ada439fb44638a929c42974039d981dea272
SHA2568456f35c74e59e66575b88f3ef2218b44e78755b0e0402c94573bcca56049efc
SHA51267fe5a490232afff81eb928ffd06f8e6ff3bfbb6f074f1711fbb80648b788323ed96d4dc00fadc86d161b4a31f4b6ea1677f23dbbfdc11b30a4626163a9bdb9a
-
C:\Users\Admin\AppData\Local\Temp\tmp838.tmpMD5
1860260b2697808b80802352fe324782
SHA1f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b
SHA2560c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1
SHA512d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f
-
C:\Users\Admin\AppData\Local\Temp\tmpF4EB.tmp.ps1MD5
5950e344c3b465ccf2997bc0a2d97064
SHA15c4cdf862026ce50b004a5ec86b7443e571c2e9f
SHA25601cca3dc4b2db4934f19adf297620beb1815f487589081908fc1b7e900b0fda3
SHA51217c1fbf4a0e01dedd63fecfb84ed498c2ef7622c0d957bccc05c37685f47e291404c25ad0ab5239f7d2164c0009d899d4909905c7ef4208827b1dbce790efb49
-
C:\Users\Admin\AppData\Local\Temp\tmpF4EC.tmpMD5
c416c12d1b2b1da8c8655e393b544362
SHA1fb1a43cd8e1c556c2d25f361f42a21293c29e447
SHA2560600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
SHA512cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c
-
C:\Users\Admin\AppData\Local\Temp\weyvsbmj.exeMD5
763dcd16d2e57a9f1d8994d48d51fed4
SHA199b9f91a5b094e682f5c0ceb2086503ab439d9ac
SHA25629393136e15f865547a490bc40afe42e35f761602bebb920883330206435919b
SHA5126c26a168f8a8be912eacd095097d0f68c609b1eb227cd5f9acfb4b6e26841c6ee325431a1a706bd8366d6c498ab8af22f547b4cbf09e2c9ed062177c1055aeb6
-
C:\Users\Admin\AppData\Local\Temp\weyvsbmj.exeMD5
763dcd16d2e57a9f1d8994d48d51fed4
SHA199b9f91a5b094e682f5c0ceb2086503ab439d9ac
SHA25629393136e15f865547a490bc40afe42e35f761602bebb920883330206435919b
SHA5126c26a168f8a8be912eacd095097d0f68c609b1eb227cd5f9acfb4b6e26841c6ee325431a1a706bd8366d6c498ab8af22f547b4cbf09e2c9ed062177c1055aeb6
-
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exeMD5
25b502360214612a67db5f75f4b68b9e
SHA164852ba4d72da7e5b5750ce0b419e289325690f7
SHA256429a260f7a8f95b16f28b2cb6c297b8c945dd3744f49aa7e0521eeebcfd251bd
SHA512de8ead46922af0b3333065acca7d7b40979afaa258b2a6d2d1a39e4767b38e1ad37143c039e6e4038c23bdd8e2ffb8954339bdb04738c98548faa2877481c26c
-
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exeMD5
25b502360214612a67db5f75f4b68b9e
SHA164852ba4d72da7e5b5750ce0b419e289325690f7
SHA256429a260f7a8f95b16f28b2cb6c297b8c945dd3744f49aa7e0521eeebcfd251bd
SHA512de8ead46922af0b3333065acca7d7b40979afaa258b2a6d2d1a39e4767b38e1ad37143c039e6e4038c23bdd8e2ffb8954339bdb04738c98548faa2877481c26c
-
\Users\Admin\AppData\Local\Temp\WEYVSB~1.DLLMD5
2917eef84c11dd5bbb2f8f6c66790230
SHA186c473469afcdffe307715a8fb40f6d05a520182
SHA256fa2775a5162758a1a505d9c5383f3a26c2dfd82530c8e762bbea8ff9ee4ce30b
SHA512e7573237b1ea3b653245e303578549813d4ef7aa5990a1d13de67e2a6171a534fe7df996c8014e03a560362f0ed54aec382827b20ed7c0aff019945690e61657
-
\Users\Admin\AppData\Local\Temp\nsf9E26.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d
SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
memory/912-127-0x0000000000000000-mapping.dmp
-
memory/912-135-0x00007FF6F8710000-0x00007FF6F9096000-memory.dmp
Filesize
9.5MB
-
memory/912-134-0x00007FF6F8710000-0x00007FF6F9096000-memory.dmp
Filesize
9.5MB
-
memory/912-133-0x00007FF6F8710000-0x00007FF6F9096000-memory.dmp
Filesize
9.5MB
-
memory/996-136-0x0000000000000000-mapping.dmp
-
memory/996-144-0x0000000004DB0000-0x0000000004EB9000-memory.dmp
Filesize
1.0MB
-
memory/996-145-0x0000000000400000-0x0000000002FF2000-memory.dmp
Filesize
43.9MB
-
memory/996-139-0x0000000004BB5000-0x0000000004CA7000-memory.dmp
Filesize
968KB
-
memory/1124-474-0x0000000000000000-mapping.dmp
-
memory/1148-426-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
Filesize
4KB
-
memory/1148-481-0x0000000004CE3000-0x0000000004CE4000-memory.dmp
Filesize
4KB
-
memory/1148-428-0x0000000004CE2000-0x0000000004CE3000-memory.dmp
Filesize
4KB
-
memory/1148-357-0x0000000000000000-mapping.dmp
-
memory/1236-150-0x0000000000570000-0x0000000000571000-memory.dmp
Filesize
4KB
-
memory/1236-149-0x0000000005051000-0x0000000006035000-memory.dmp
Filesize
15.9MB
-
memory/1236-142-0x0000000000000000-mapping.dmp
-
memory/1316-187-0x0000000000000000-mapping.dmp
-
memory/1340-190-0x000001D8F45E0000-0x000001D8F4792000-memory.dmp
Filesize
1.7MB
-
memory/1340-189-0x00000000002A0000-0x0000000000440000-memory.dmp
Filesize
1.6MB
-
memory/1340-183-0x00007FF64A2E5FD0-mapping.dmp
-
memory/1340-186-0x000001D8F4420000-0x000001D8F4422000-memory.dmp
Filesize
8KB
-
memory/1340-185-0x000001D8F4420000-0x000001D8F4422000-memory.dmp
Filesize
8KB
-
memory/1984-147-0x0000000000000000-mapping.dmp
-
memory/2164-165-0x0000000004D22000-0x0000000004D23000-memory.dmp
Filesize
4KB
-
memory/2164-157-0x0000000003360000-0x0000000003361000-memory.dmp
Filesize
4KB
-
memory/2164-164-0x0000000004D20000-0x0000000004D21000-memory.dmp
Filesize
4KB
-
memory/2164-159-0x0000000004C90000-0x0000000004C91000-memory.dmp
Filesize
4KB
-
memory/2164-188-0x0000000008810000-0x0000000008811000-memory.dmp
Filesize
4KB
-
memory/2164-168-0x0000000007670000-0x0000000007671000-memory.dmp
Filesize
4KB
-
memory/2164-167-0x00000000075D0000-0x00000000075D1000-memory.dmp
Filesize
4KB
-
memory/2164-169-0x0000000007EA0000-0x0000000007EA1000-memory.dmp
Filesize
4KB
-
memory/2164-170-0x00000000081A0000-0x00000000081A1000-memory.dmp
Filesize
4KB
-
memory/2164-273-0x0000000004D23000-0x0000000004D24000-memory.dmp
Filesize
4KB
-
memory/2164-272-0x000000007F3E0000-0x000000007F3E1000-memory.dmp
Filesize
4KB
-
memory/2164-156-0x0000000000000000-mapping.dmp
-
memory/2164-215-0x0000000009760000-0x0000000009793000-memory.dmp
Filesize
204KB
-
memory/2164-162-0x0000000007800000-0x0000000007801000-memory.dmp
Filesize
4KB
-
memory/2164-177-0x0000000007F10000-0x0000000007F11000-memory.dmp
Filesize
4KB
-
memory/2164-158-0x0000000003360000-0x0000000003361000-memory.dmp
Filesize
4KB
-
memory/2164-179-0x0000000008680000-0x0000000008681000-memory.dmp
Filesize
4KB
-
memory/2164-196-0x0000000003360000-0x0000000003361000-memory.dmp
Filesize
4KB
-
memory/2232-151-0x0000000000000000-mapping.dmp
-
memory/2232-155-0x0000000000570000-0x0000000000571000-memory.dmp
Filesize
4KB
-
memory/2232-154-0x0000000004E61000-0x0000000005E45000-memory.dmp
Filesize
15.9MB
-
memory/2312-203-0x0000000006FF2000-0x0000000006FF3000-memory.dmp
Filesize
4KB
-
memory/2312-202-0x0000000006FF0000-0x0000000006FF1000-memory.dmp
Filesize
4KB
-
memory/2312-208-0x0000000007290000-0x0000000007291000-memory.dmp
Filesize
4KB
-
memory/2312-193-0x0000000003110000-0x0000000003111000-memory.dmp
Filesize
4KB
-
memory/2312-214-0x0000000003110000-0x0000000003111000-memory.dmp
Filesize
4KB
-
memory/2312-331-0x0000000006FF3000-0x0000000006FF4000-memory.dmp
Filesize
4KB
-
memory/2312-191-0x0000000000000000-mapping.dmp
-
memory/2312-192-0x0000000003110000-0x0000000003111000-memory.dmp
Filesize
4KB
-
memory/2340-176-0x0000000006030000-0x0000000006170000-memory.dmp
Filesize
1.2MB
-
memory/2340-166-0x0000000004F81000-0x0000000005F65000-memory.dmp
Filesize
15.9MB
-
memory/2340-182-0x0000000006030000-0x0000000006170000-memory.dmp
Filesize
1.2MB
-
memory/2340-181-0x0000000006030000-0x0000000006170000-memory.dmp
Filesize
1.2MB
-
memory/2340-180-0x0000000006260000-0x0000000006261000-memory.dmp
Filesize
4KB
-
memory/2340-178-0x0000000006030000-0x0000000006170000-memory.dmp
Filesize
1.2MB
-
memory/2340-174-0x0000000006030000-0x0000000006170000-memory.dmp
Filesize
1.2MB
-
memory/2340-173-0x0000000006030000-0x0000000006170000-memory.dmp
Filesize
1.2MB
-
memory/2340-172-0x0000000006250000-0x0000000006251000-memory.dmp
Filesize
4KB
-
memory/2340-171-0x0000000000570000-0x0000000000571000-memory.dmp
Filesize
4KB
-
memory/2340-160-0x0000000000000000-mapping.dmp
-
memory/2920-471-0x0000000000000000-mapping.dmp
-
memory/3040-482-0x0000000000000000-mapping.dmp
-
memory/3168-140-0x0000000000000000-mapping.dmp
-
memory/3432-116-0x0000000000000000-mapping.dmp
-
memory/3432-132-0x0000000000C90000-0x0000000001353000-memory.dmp
Filesize
6.8MB
-
memory/3432-130-0x0000000000C90000-0x0000000001353000-memory.dmp
Filesize
6.8MB
-
memory/3432-131-0x0000000077C70000-0x0000000077DFE000-memory.dmp
Filesize
1.6MB
-
memory/3432-126-0x0000000000C90000-0x0000000001353000-memory.dmp
Filesize
6.8MB
-
memory/3432-125-0x0000000000C90000-0x0000000001353000-memory.dmp
Filesize
6.8MB
-
memory/3820-124-0x00007FF62BCB0000-0x00007FF62C636000-memory.dmp
Filesize
9.5MB
-
memory/3820-119-0x0000000000000000-mapping.dmp
-
memory/3820-122-0x00007FF62BCB0000-0x00007FF62C636000-memory.dmp
Filesize
9.5MB
-
memory/3820-123-0x00007FF62BCB0000-0x00007FF62C636000-memory.dmp
Filesize
9.5MB
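The dump names above encode the PID, a per-process index and the start and end address of each dumped region; the Filesize is simply the length of that range, and the mapping entries carry a single address and no size. The script below is an added example for working with that naming scheme; it is not part of the sandbox report or its tooling. It parses the names, recomputes each region size, flags any entry whose computed size disagrees with the reported one, and groups regions of identical byte size across PIDs, which is a cheap first hint that the same image was mapped into several processes (in this list the 15.9MB region appears in PIDs 1236, 2232 and 2340, and the 9.5MB region in 912 and 3820). The sample lines are copied from the list above with the size appended to each name; the formatting rule used to compare (whole KB below 1 MiB, otherwise MB to one decimal) is an assumption inferred from the values on the page.

```python
"""Parse sandbox memory-dump names and sanity-check their reported sizes.

Entry names look like
  memory/<pid>-<idx>-<start>-<end>-memory.dmp   (a dumped region)
  memory/<pid>-<idx>-<address>-mapping.dmp      (a mapping record, no size)
Added example; not code from the sandbox report.
"""
import re
from collections import defaultdict

# Sample input: entries copied from the report's memory list, reported size appended.
SAMPLE = """
memory/912-127-0x0000000000000000-mapping.dmp
memory/912-135-0x00007FF6F8710000-0x00007FF6F9096000-memory.dmp 9.5MB
memory/996-144-0x0000000004DB0000-0x0000000004EB9000-memory.dmp 1.0MB
memory/996-145-0x0000000000400000-0x0000000002FF2000-memory.dmp 43.9MB
memory/996-139-0x0000000004BB5000-0x0000000004CA7000-memory.dmp 968KB
memory/1236-149-0x0000000005051000-0x0000000006035000-memory.dmp 15.9MB
memory/2232-154-0x0000000004E61000-0x0000000005E45000-memory.dmp 15.9MB
memory/2340-166-0x0000000004F81000-0x0000000005F65000-memory.dmp 15.9MB
memory/2340-176-0x0000000006030000-0x0000000006170000-memory.dmp 1.2MB
memory/3432-132-0x0000000000C90000-0x0000000001353000-memory.dmp 6.8MB
memory/3820-124-0x00007FF62BCB0000-0x00007FF62C636000-memory.dmp 9.5MB
"""

REGION_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-(?P<start>0x[0-9A-Fa-f]+)-(?P<end>0x[0-9A-Fa-f]+)-memory\.dmp$"
)
MAPPING_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-(?P<addr>0x[0-9A-Fa-f]+)-mapping\.dmp$"
)


def parse_dump(name):
    """Return a dict describing one dump entry, or None if the name is not recognised."""
    m = REGION_RE.match(name)
    if m:
        start, end = int(m["start"], 16), int(m["end"], 16)
        if end <= start:
            raise ValueError(f"region end is not after start: {name}")
        return {"pid": int(m["pid"]), "idx": int(m["idx"]), "kind": "region",
                "start": start, "end": end, "size": end - start}
    m = MAPPING_RE.match(name)
    if m:
        # Mapping records carry one address and no length.
        return {"pid": int(m["pid"]), "idx": int(m["idx"]), "kind": "mapping",
                "start": int(m["addr"], 16), "end": None, "size": None}
    return None


def fmt_size(nbytes):
    """Format a byte count the way the report does (assumed rule: whole KB
    below 1 MiB, otherwise MB with one decimal)."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def check_entries(text):
    """Parse 'name [reported size]' lines; return (entries, mismatches)."""
    entries, mismatches = [], []
    for line in text.strip().splitlines():
        parts = line.split()
        entry = parse_dump(parts[0])
        if entry is None:
            mismatches.append((parts[0], "unparseable name"))
            continue
        if entry["kind"] == "region" and len(parts) > 1:
            entry["reported"] = parts[1]
            computed = fmt_size(entry["size"])
            if computed != parts[1]:
                mismatches.append((parts[0], f"computed {computed}, reported {parts[1]}"))
        entries.append(entry)
    return entries, mismatches


def regions_by_size(entries):
    """Map exact region size -> sorted PIDs, keeping only sizes seen in more than one PID."""
    groups = defaultdict(set)
    for entry in entries:
        if entry["kind"] == "region":
            groups[entry["size"]].add(entry["pid"])
    return {size: sorted(pids) for size, pids in groups.items() if len(pids) > 1}


if __name__ == "__main__":
    entries, bad = check_entries(SAMPLE)
    print(f"{len(entries)} entries parsed, {len(bad)} size mismatches")
    for size, pids in sorted(regions_by_size(entries).items()):
        print(f"{fmt_size(size)} ({size:#x} bytes) present in PIDs {pids}")
```

Run it as-is to see the cross-PID size groups for the sample; to check the whole list, paste each dump name with its Filesize on one line into SAMPLE. Identical size is only a hint, not proof of an identical image: confirm by hashing or diffing the dumps themselves.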