Analysis
-
max time kernel
359s -
max time network
384s -
platform
windows7_x64 -
resource
win7-en-20211104 -
submitted
03-12-2021 16:55
General
-
Target
sqlservr.exe.7z
-
Size
3.7MB
-
MD5
0923d82afd72038a03dda84170b793bb
-
SHA1
2ac02a4b0e0dc807e8e3328934d5007002b12514
-
SHA256
3f5c16db3f1a5bb724288688d15038da32f1b89cbd662fddc9def8b8da2a84c1
-
SHA512
515238347da2af77d82b4ac4be420d6c89b25dc836c3e13cdb02aee45380df374363bfd182aa84a26fac835ae7eb2241a4b2798b236b2e09721a7af55bcc1ff4
Score
10/10
Malware Config
Signatures
-
Registers COM server for autorun 1 TTPs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner Payload 6 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 29 IoCs
-
Sets file execution options in registry 2 TTPs
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 32 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\sqlservr.exe.7z1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\sqlservr.exe.7z2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\sqlservr.exe.7z"3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef69e4f50,0x7fef69e4f60,0x7fef69e4f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1060 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1252 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1816 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2060 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2592 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2412 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3120 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3304 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3120 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3376 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2460 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level2⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x13fb2a890,0x13fb2a8a0,0x13fb2a8b03⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3704 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 /prefetch:82⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\sqlservr.exe\" -spe -an -ai#7zMap29374:102:7zEvent86653⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3264 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3396 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3432 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3452 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3336 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3276 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3492 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1776 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2252 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3492 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=544 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1724 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3676 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3424 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3660 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1948 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1800 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=972 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1948 /prefetch:82⤵
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exe"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=iM17jGMavVyO7RyKwxScoj0Y+AYcicbD8lf/CmQD --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=NewCleanerUIExperiment2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe"c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=93.269.200 --initial-client-data=0x160,0x164,0x168,0x134,0x16c,0x13fc59300,0x13fc59310,0x13fc593203⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe"c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_2424_WXXHKSDMBRIFZYJI" --sandboxed-process-id=2 --init-done-notifier=488 --sandbox-mojo-pipe-token=8853588830996190658 --mojo-platform-channel-handle=456 --engine=23⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe"c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_2424_WXXHKSDMBRIFZYJI" --sandboxed-process-id=3 --init-done-notifier=644 --sandbox-mojo-pipe-token=3868922615516690115 --mojo-platform-channel-handle=6403⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,5149980122862851847,11378081426687345107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1796 /prefetch:82⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5001⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exe"C:\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exe"1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\system32\cmd.exe"cmd.exe" /s /k pushd "C:\Users\Admin\AppData\Local\Temp\sqlservr.exe"1⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exesqlservr.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exesqlservr.exe _h2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"1⤵
- Drops file in Program Files directory
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2872_1789892516\ChromeRecovery.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2872_1789892516\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={802270a9-3987-4b9e-96eb-8e0d63adbdcc} --system2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2872_1789892516\GoogleUpdateSetup.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2872_1789892516\GoogleUpdateSetup.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Program Files (x86)\Google\Temp\GUMAF62.tmp\GoogleUpdate.exe"C:\Program Files (x86)\Google\Temp\GUMAF62.tmp\GoogleUpdate.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OTk1MUUwQkUtNDMxNi00NzlBLUI5NTQtREQ2NDg0RTVDMkZFfSIgdXNlcmlkPSJ7NzI0MTFGMUMtMzgyRC00Q0ZELThFMjUtMEY5ODJEREE0QTIyfSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0iezlGMEY1NUQ4LTA5QkUtNDU4Ny1BNjlCLTlBRUY2OUJFQ0E3QX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMCIgc3NlNDE9IjAiIHNzZTQyPSIwIiBhdng9IjAiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iNi4xLjc2MDEuMCIgc3A9IlNlcnZpY2UgUGFjayAxIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjM2LjExMSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSIxMzA5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /machine /installsource chromerecovery3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Google\Update\Install\{30BE9CC2-6023-4B4D-87DD-C0CCCF2611F0}\GoogleUpdateSetup.exe"C:\Program Files (x86)\Google\Update\Install\{30BE9CC2-6023-4B4D-87DD-C0CCCF2611F0}\GoogleUpdateSetup.exe" /update /sessionid "{B0BEFF10-A093-4923-8DD1-D28321F50A62}"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Google\Temp\GUM712.tmp\GoogleUpdate.exe"C:\Program Files (x86)\Google\Temp\GUM712.tmp\GoogleUpdate.exe" /update /sessionid "{B0BEFF10-A093-4923-8DD1-D28321F50A62}"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc4⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver4⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMTIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjBCRUZGMTAtQTA5My00OTIzLThERDEtRDI4MzIxRjUwQTYyfSIgdXNlcmlkPSJ7NzI0MTFGMUMtMzgyRC00Q0ZELThFMjUtMEY5ODJEREE0QTIyfSIgaW5zdGFsbHNvdXJjZT0ic2VsZnVwZGF0ZSIgcmVxdWVzdGlkPSJ7QzAzODYxRjItMTI2OC00Mjk3LUI5OEQtMURFQUFGRkQ4MkJBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBwaHlzbWVtb3J5PSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIwIiBzc2U0MT0iMCIgc3NlNDI9IjAiIGF2eD0iMCIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9Ins0MzBGRDREMC1CNzI5LTRGNjEtQUEzNC05MTUyNjQ4MTc5OUR9IiB2ZXJzaW9uPSIxLjMuMzYuMTExIiBuZXh0dmVyc2lvbj0iMS4zLjM2LjExMiIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjaHJvbWVyZWMzPTIwMjE0OVIiIGluc3RhbGxhZ2U9IjI4IiBpbnN0YWxsZGF0ZT0iNTQ0NiIgY29ob3J0PSIxOjljbzoiIGNvaG9ydG5hbWU9IkV2ZXJ5b25lIEVsc2UiPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48L2FwcD48L3JlcXVlc3Q-4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleCrashHandler.exe"C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleCrashHandler.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleCrashHandler64.exe"C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleCrashHandler64.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjBCRUZGMTAtQTA5My00OTIzLThERDEtRDI4MzIxRjUwQTYyfSIgdXNlcmlkPSJ7NzI0MTFGMUMtMzgyRC00Q0ZELThFMjUtMEY5ODJEREE0QTIyfSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0iezU0RDNFMjFCLUQ4MkEtNDgxOC04OUFBLTIwQ0YyMUREMzE0Nn0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMCIgc3NlNDE9IjAiIHNzZTQyPSIwIiBhdng9IjAiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iNi4xLjc2MDEuMCIgc3A9IlNlcnZpY2UgUGFjayAxIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iMS4zLjM2LjExMSIgbmV4dHZlcnNpb249IjEuMy4zNi4xMTIiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY2hyb21lcmVjMz0yMDIxNDlSIiBpbnN0YWxsYWdlPSIyOCIgaWlkPSJ7OEQ4QjE0NjAtMzA3NS00RjI3LUQ4MzEtOEMwMTU3QkIzNjYwfSIgY29ob3J0PSIxOjljbzoiIGNvaG9ydG5hbWU9IkV2ZXJ5b25lIEVsc2UiPjxldmVudCBldmVudHR5cGU9IjEyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vZWRnZWRsLm1lLmd2dDEuY29tL2VkZ2VkbC9yZWxlYXNlMi91cGRhdGUyL2FkeG1vbWZ0cmtvaW9kazdhd3l2YTNtejZ1dGFfMS4zLjM2LjExMi9Hb29nbGVVcGRhdGVTZXR1cC5leGUiIGRvd25sb2FkZWQ9IjEzNDEyNzIiIHRvdGFsPSIxMzQxMjcyIiBkb3dubG9hZF90aW1lX21zPSIzNTQ1Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M0MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSI4OS4wLjQzODkuMTE0IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY2hyb21lcmVjMz0yMDIxNDlSIiBpbnN0YWxsYWdlPSIyOCIgaWlkPSJ7OEQ4QjE0NjAtMzA3NS00RjI3LUQ4MzEtOEMwMTU3QkIzNjYwfSI-PGV2ZW50IGV2ZW50dHlwZT0iMyIgZXZlbnRyZXN1bHQ9IjkiIGVycm9yY29kZT0iLTE2MDYyMTk3NDgiIGV4dHJhY29kZTE9IjAiLz48L2FwcD48L3JlcXVlc3Q-2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ea8f00a3-f8dd-4b4a-9787-b28d0d2e6dd7.tmpMD5
5f50f9bb9570308810409ece15127ae8
SHA1c980d4a769b654951226fc22c7a7de7bec139189
SHA256e8ea9de18e45dcf1a276c1b8206ae3f30b826cf4f9df75791b6bb1efb51d7a79
SHA512d9bde9fdb4dd7f2f4df074b9277e725a3b8116bee5b5eeda4e1d9db98649fb9aac40b82284a4bc8b28f09d713371ab3bab537bb02f2beb2b9711529c2239c4b8
-
C:\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
C:\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
C:\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
C:\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
\??\pipe\crashpad_1756_EJPNLENAEUXOQWAUMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
\Users\Admin\AppData\Local\Temp\sqlservr.exe\sqlservr.exeMD5
325d88ea2ee59fc0faec0cd4e6db494e
SHA163f2c5cbabd05e857c983741f4b9d71f7fbc6f69
SHA256eef7b9db43f331b41bfdc87fa0517fbd76981a9b9574fe2ee45bcc1ca390e616
SHA5126fdc79184bb209c1ec7e4a720fa6aed6a50a6dae2a6773d2c30c71be0eadbf2fb5dad6f906815a977a4081b239a06c4d087bcbb9b01a7aa8ffd8e4f0bb659cc2
-
memory/304-227-0x0000000000000000-mapping.dmp
-
memory/548-242-0x0000000000000000-mapping.dmp
-
memory/608-59-0x00000000760C1000-0x00000000760C3000-memory.dmpFilesize
8KB
-
memory/608-58-0x0000000000000000-mapping.dmp
-
memory/792-222-0x0000000000000000-mapping.dmp
-
memory/896-56-0x0000000000000000-mapping.dmp
-
memory/964-240-0x0000000000000000-mapping.dmp
-
memory/1136-239-0x0000000000000000-mapping.dmp
-
memory/1164-55-0x000007FEFBDE1000-0x000007FEFBDE3000-memory.dmpFilesize
8KB
-
memory/1216-246-0x0000000000000000-mapping.dmp
-
memory/1488-220-0x0000000000000000-mapping.dmp
-
memory/1540-244-0x0000000000000000-mapping.dmp
-
memory/1624-187-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmpFilesize
3.8MB
-
memory/1624-156-0x0000000000000000-mapping.dmp
-
memory/1652-225-0x0000000000000000-mapping.dmp
-
memory/1880-224-0x0000000000000000-mapping.dmp
-
memory/1916-250-0x0000000000C00000-0x0000000000C40000-memory.dmpFilesize
256KB
-
memory/1916-249-0x0000000000520000-0x0000000000560000-memory.dmpFilesize
256KB
-
memory/1916-219-0x0000000000000000-mapping.dmp
-
memory/1916-251-0x0000000000520000-0x0000000000560000-memory.dmpFilesize
256KB
-
memory/2080-192-0x0000000000000000-mapping.dmp
-
memory/2132-198-0x0000000000000000-mapping.dmp
-
memory/2200-200-0x0000000000000000-mapping.dmp
-
memory/2220-199-0x0000000000000000-mapping.dmp
-
memory/2224-154-0x000000013F1D0000-0x000000014052B000-memory.dmpFilesize
19.4MB
-
memory/2224-153-0x000000013F1D0000-0x000000014052B000-memory.dmpFilesize
19.4MB
-
memory/2224-152-0x000000013F1D0000-0x000000014052B000-memory.dmpFilesize
19.4MB
-
memory/2224-144-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmpFilesize
3.8MB
-
memory/2224-123-0x0000000000000000-mapping.dmp
-
memory/2264-101-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-119-0x000000013FB20000-0x0000000140E7B000-memory.dmpFilesize
19.4MB
-
memory/2264-121-0x0000000002090000-0x00000000020A4000-memory.dmpFilesize
80KB
-
memory/2264-91-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-92-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-94-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-96-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-98-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-99-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-100-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-102-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-104-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-103-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-106-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-93-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-95-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-97-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-105-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-107-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-109-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-111-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-108-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-110-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-120-0x000000013FB20000-0x0000000140E7B000-memory.dmpFilesize
19.4MB
-
memory/2264-115-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-116-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-114-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-113-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-117-0x000000013FB20000-0x0000000140E7B000-memory.dmpFilesize
19.4MB
-
memory/2264-112-0x00000000774E0000-0x00000000774F0000-memory.dmpFilesize
64KB
-
memory/2264-118-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmpFilesize
3.8MB
-
memory/2284-194-0x0000000000000000-mapping.dmp
-
memory/2324-196-0x0000000000000000-mapping.dmp
-
memory/2416-208-0x0000000000000000-mapping.dmp
-
memory/2424-207-0x0000000000000000-mapping.dmp
-
memory/2628-63-0x0000000000000000-mapping.dmp
-
memory/2696-61-0x0000000000000000-mapping.dmp
-
memory/2880-62-0x0000000000000000-mapping.dmp
-
memory/2888-245-0x0000000000000000-mapping.dmp
-
memory/2896-188-0x0000000000000000-mapping.dmp
-
memory/2952-201-0x0000000000000000-mapping.dmp
-
memory/2976-203-0x0000000000000000-mapping.dmp
-
memory/2976-206-0x0000000000280000-0x0000000000281000-memory.dmpFilesize
4KB
-
memory/3012-190-0x0000000000000000-mapping.dmp
-
memory/3052-247-0x0000000000000000-mapping.dmp