Analysis
max time kernel: 295s
max time network: 276s
platform: windows10_x64
resource: win10-en-20211208
submitted: 20-12-2021 14:27
Static task: static1
Behavioral task: behavioral1
Sample: d3d0d747febe769eff3b01ddf5317fd1.exe
Resource: win7-en-20211208
General
Target: d3d0d747febe769eff3b01ddf5317fd1.exe
Size: 5.3MB
MD5: d3d0d747febe769eff3b01ddf5317fd1
SHA1: c2c9444fe6215578de88ee1d9577d636388d16e3
SHA256: c6aa02a56f11f479f9ae81a74af6cdf1fd8a13ab88e569aa01ab37604bbfc313
SHA512: 8c53059e7bfa2e61ad23817083df408ef4be04719eb634e40c487aeb1d62db0ebb43b975c76a33b7ac02b9d8fe5b58d5743f853e5a20e8324e5a054a04b04894
Malware Config
Extracted
danabot
4
- 142.11.244.223:443
- 23.106.122.139:443
embedded_hash: 0FA95F120D6EB149A5D48E36BC76879D
type: loader
Extracted
danabot
2052
4
- 142.11.244.223:443
- 23.106.122.139:443
embedded_hash: 0FA95F120D6EB149A5D48E36BC76879D
type: main
Signatures
Danabot Loader Component 4 IoCs
Processes:
- C:\Users\Admin\AppData\Local\Temp\SDKWTD~1.DLL (yara rule: DanabotLoader2021)
- \Users\Admin\AppData\Local\Temp\SDKWTD~1.DLL (yara rule: DanabotLoader2021)
- \Users\Admin\AppData\Local\Temp\SDKWTD~1.DLL (yara rule: DanabotLoader2021)
- \Users\Admin\AppData\Local\Temp\SDKWTD~1.DLL (yara rule: DanabotLoader2021)
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
Processes:
- PID 1448 (WerFault.exe) created PID 1312 (sdkwtddg.exe)
- PID 2080 (WerFault.exe) created PID 3804 (RUNDLL32.EXE)
suricata: ET MALWARE Danabot Key Exchange Request
suricata: ET MALWARE Danabot Key Exchange Request
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
Blocklisted process makes network request 7 IoCs
Processes:
- flow 30: PID 3424 WScript.exe
- flow 38: PID 936 rundll32.exe
- flow 39: PID 2152 RUNDLL32.EXE
- flow 44: PID 2152 RUNDLL32.EXE
- flow 45: PID 2152 RUNDLL32.EXE
- flow 46: PID 2152 RUNDLL32.EXE
- flow 47: PID 2152 RUNDLL32.EXE
Downloads MZ/PE file
Executes dropped EXE 4 IoCs
Processes:
- PID 1924 napaea.exe
- PID 2596 outwitvp.exe
- PID 1312 sdkwtddg.exe
- PID 740 DpEditor.exe
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (napaea.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (napaea.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (outwitvp.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (outwitvp.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (DpEditor.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (DpEditor.exe)
Drops startup file 1 IoCs
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nssyncer.lnk (DpEditor.exe)
Loads dropped DLL 5 IoCs
Processes:
- PID 2692 d3d0d747febe769eff3b01ddf5317fd1.exe
- PID 936 rundll32.exe
- PID 2152 RUNDLL32.EXE
- PID 3804 RUNDLL32.EXE
- PID 3416 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Themida packer
Processes:
- C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe (yara rule: themida)
- C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe (yara rule: themida)
- C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe (yara rule: themida)
- C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe (yara rule: themida)
- behavioral2/memory/1924-123-0x0000000000AC0000-0x00000000011B6000-memory.dmp (yara rule: themida)
- behavioral2/memory/1924-124-0x0000000000AC0000-0x00000000011B6000-memory.dmp (yara rule: themida)
- behavioral2/memory/1924-125-0x0000000000AC0000-0x00000000011B6000-memory.dmp (yara rule: themida)
- behavioral2/memory/1924-126-0x0000000000AC0000-0x00000000011B6000-memory.dmp (yara rule: themida)
- behavioral2/memory/2596-128-0x0000000001330000-0x0000000001997000-memory.dmp (yara rule: themida)
- behavioral2/memory/2596-129-0x0000000001330000-0x0000000001997000-memory.dmp (yara rule: themida)
- behavioral2/memory/2596-130-0x0000000001330000-0x0000000001997000-memory.dmp (yara rule: themida)
- behavioral2/memory/2596-131-0x0000000001330000-0x0000000001997000-memory.dmp (yara rule: themida)
- C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (yara rule: themida)
- C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (yara rule: themida)
- behavioral2/memory/740-140-0x0000000001210000-0x0000000001906000-memory.dmp (yara rule: themida)
- behavioral2/memory/740-141-0x0000000001210000-0x0000000001906000-memory.dmp (yara rule: themida)
- behavioral2/memory/740-142-0x0000000001210000-0x0000000001906000-memory.dmp (yara rule: themida)
- behavioral2/memory/740-143-0x0000000001210000-0x0000000001906000-memory.dmp (yara rule: themida)
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (RUNDLL32.EXE)
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (RUNDLL32.EXE)
- Key opened: \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RUNDLL32.EXE)
- Key opened: \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RUNDLL32.EXE)
- Key opened: \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RUNDLL32.EXE)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NCH Sync Service = "C:\\Users\\Admin\\AppData\\Roaming\\NCH Software\\DrawPad\\DpEditor.exe" (DpEditor.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (napaea.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (outwitvp.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (DpEditor.exe)
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 8: ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
- PID 1924 napaea.exe
- PID 2596 outwitvp.exe
- PID 740 DpEditor.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 3804 (RUNDLL32.EXE) set thread context of PID 3840 (rundll32.exe)
Drops file in Program Files directory 4 IoCs
Processes:
- File created: C:\Program Files (x86)\foler\olader\acppage.dll (d3d0d747febe769eff3b01ddf5317fd1.exe)
- File created: C:\Program Files (x86)\foler\olader\adprovider.dll (d3d0d747febe769eff3b01ddf5317fd1.exe)
- File created: C:\Program Files (x86)\foler\olader\acledit.dll (d3d0d747febe769eff3b01ddf5317fd1.exe)
- File created: C:\PROGRA~3\Hzxrf.tmp (rundll32.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 2 IoCs
Processes:
- PID 1448 WerFault.exe, target PID 1312 sdkwtddg.exe
- PID 2080 WerFault.exe, target PID 3804 RUNDLL32.EXE
Checks processor information in registry 2 TTPs 49 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status (RUNDLL32.EXE)
- Key value enumerated: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (RUNDLL32.EXE)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier (RUNDLL32.EXE)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data (RUNDLL32.EXE)
- Key enumerated: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 (RUNDLL32.EXE)
- Key enumerated: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor (RUNDLL32.EXE)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (RUNDLL32.EXE)
- Key value enumerated: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data (RUNDLL32.EXE)
- Key value enumerated: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (RUNDLL32.EXE)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (outwitvp.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data (RUNDLL32.EXE)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (outwitvp.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information (RUNDLL32.EXE)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor (RUNDLL32.EXE)
- Key value enumerated: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet (RUNDLL32.EXE)
Modifies registry class 1 IoCs
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings (outwitvp.exe)
Modifies system certificate store
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\85937C1456C532E76A1E9560C51FC5A1B89609CC (RUNDLL32.EXE)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\85937C1456C532E76A1E9560C51FC5A1B89609CC\Blob = [certificate blob omitted] (RUNDLL32.EXE)
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
- PID 740 DpEditor.exe
Suspicious behavior: EnumeratesProcesses 50 IoCs
Processes (repeated entries collapsed with their count):
- PID 1924 napaea.exe (2 entries)
- PID 2596 outwitvp.exe (2 entries)
- PID 740 DpEditor.exe (2 entries)
- PID 1448 WerFault.exe (12 entries)
- PID 2152 RUNDLL32.EXE (6 entries)
- PID 3640 powershell.exe (3 entries)
- PID 3804 RUNDLL32.EXE (2 entries)
- PID 2080 WerFault.exe (13 entries)
- PID 428 powershell.exe (3 entries)
- PID 2152 RUNDLL32.EXE (2 entries)
- PID 3168 powershell.exe (3 entries)
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
- Token: SeRestorePrivilege, PID 1448 WerFault.exe
- Token: SeBackupPrivilege, PID 1448 WerFault.exe
- Token: SeDebugPrivilege, PID 1448 WerFault.exe
- Token: SeDebugPrivilege, PID 3640 powershell.exe
- Token: SeDebugPrivilege, PID 2080 WerFault.exe
- Token: SeDebugPrivilege, PID 2152 RUNDLL32.EXE
- Token: SeDebugPrivilege, PID 428 powershell.exe
- Token: SeDebugPrivilege, PID 3168 powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
- PID 3840 rundll32.exe
- PID 2152 RUNDLL32.EXE
Suspicious use of WriteProcessMemory 53 IoCs
Processes (repeated entries collapsed with their count):
- PID 2692 (d3d0d747febe769eff3b01ddf5317fd1.exe) wrote to memory of PID 1924 (napaea.exe) (3 entries)
- PID 2692 (d3d0d747febe769eff3b01ddf5317fd1.exe) wrote to memory of PID 2596 (outwitvp.exe) (3 entries)
- PID 2596 (outwitvp.exe) wrote to memory of PID 1312 (sdkwtddg.exe) (3 entries)
- PID 2596 (outwitvp.exe) wrote to memory of PID 1944 (WScript.exe) (3 entries)
- PID 1924 (napaea.exe) wrote to memory of PID 740 (DpEditor.exe) (3 entries)
- PID 2596 (outwitvp.exe) wrote to memory of PID 3424 (WScript.exe) (3 entries)
- PID 1312 (sdkwtddg.exe) wrote to memory of PID 936 (rundll32.exe) (3 entries)
- PID 936 (rundll32.exe) wrote to memory of PID 2152 (RUNDLL32.EXE) (3 entries)
- PID 2152 (RUNDLL32.EXE) wrote to memory of PID 3640 (powershell.exe) (3 entries)
- PID 2152 (RUNDLL32.EXE) wrote to memory of PID 3804 (RUNDLL32.EXE) (3 entries)
- PID 3804 (RUNDLL32.EXE) wrote to memory of PID 3840 (rundll32.exe) (3 entries)
- PID 2152 (RUNDLL32.EXE) wrote to memory of PID 3416 (RUNDLL32.EXE) (3 entries)
- PID 3840 (rundll32.exe) wrote to memory of PID 3152 (ctfmon.exe) (2 entries)
- PID 2152 (RUNDLL32.EXE) wrote to memory of PID 428 (powershell.exe) (3 entries)
- PID 2152 (RUNDLL32.EXE) wrote to memory of PID 3168 (powershell.exe) (3 entries)
- PID 3168 (powershell.exe) wrote to memory of PID 864 (nslookup.exe) (3 entries)
- PID 2152 (RUNDLL32.EXE) wrote to memory of PID 3660 (schtasks.exe) (3 entries)
- PID 2152 (RUNDLL32.EXE) wrote to memory of PID 1504 (schtasks.exe) (3 entries)
outlook_office_path 1 IoCs
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RUNDLL32.EXE)
outlook_win_path 1 IoCs
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RUNDLL32.EXE)
Processes
C:\Users\Admin\AppData\Local\Temp\d3d0d747febe769eff3b01ddf5317fd1.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d3d0d747febe769eff3b01ddf5317fd1.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Drops startup file
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\sdkwtddg.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\sdkwtddg.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\rundll32.exe (level 4)
        Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SDKWTD~1.DLL,s C:\Users\Admin\AppData\Local\Temp\sdkwtddg.exe
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Drops file in Program Files directory
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\RUNDLL32.EXE (level 5)
          Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\SDKWTD~1.DLL,DQEMQmhHUg==
          - Blocklisted process makes network request
          - Loads dropped DLL
          - Accesses Microsoft Outlook accounts
          - Accesses Microsoft Outlook profiles
          - Checks processor information in registry
          - Modifies system certificate store
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          - outlook_office_path
          - outlook_win_path
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 6)
            Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\SDKWTD~1.DLL
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\RUNDLL32.EXE (level 6)
            Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\SDKWTD~1.DLL,KBEWWFNtcQ==
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\rundll32.exe (level 7)
              Command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 27571
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of WriteProcessMemory
              C:\Windows\system32\ctfmon.exe (level 8)
                Command line: ctfmon.exe
            C:\Windows\SysWOW64\WerFault.exe (level 7)
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 776
              - Suspicious use of NtCreateProcessExOtherParentProcess
              - Program crash
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\RUNDLL32.EXE (level 6)
            Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll,Start
            - Loads dropped DLL
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 6)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpC4E4.tmp.ps1"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 6)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp198D.tmp.ps1"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\nslookup.exe (level 7)
              Command line: "C:\Windows\system32\nslookup.exe" -type=any localhost
          C:\Windows\SysWOW64\schtasks.exe (level 6)
            Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
          C:\Windows\SysWOW64\schtasks.exe (level 6)
            Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      C:\Windows\SysWOW64\WerFault.exe (level 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 576
        - Suspicious use of NtCreateProcessExOtherParentProcess
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WScript.exe (level 3)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nxodlua.vbs"
    C:\Windows\SysWOW64\WScript.exe (level 3)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\djbtnpxyje.vbs"
      - Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\PROGRA~3\Hzxrf.tmpMD5
39070cc4669f0ee906b40edfe9218912
SHA1c793849506cb1ff00fb6cb2e82889f86f39be0d4
SHA256c197d6464af02ea75a481c6eb309aab6409ff1cba3505b077e0f785b7594b1bb
SHA512e98e5b079770713ffdec033a121d7df64e3e31b2c8f9356ce700d03e3ad5fe288d94c5ef9ad33b8a08e99bd2e127467fda7d09831d294f8757b93a72d84562e7
-
C:\PROGRA~3\Hzxrf.tmpMD5
098da3eb2479e1110ff8b6a77447f0c7
SHA179e0a6044ddac5044c269850b92473b2fec84df1
SHA2562c145e554e3ea3a621eae2fb19c91ea8fbb580c7b8ca991f73eb99602c12b9c9
SHA512fe223fe977a64f07a572f8023587a23a8502b897ace9253c0e7cb9c437ca20d031a82487c26ad76b57ac52466a574d50d15463444fc8b1293c171fb1d16d8a3a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751MD5
54e9306f95f32e50ccd58af19753d929
SHA1eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
SHA25645f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
SHA5128711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751MD5
88e4c7df81b9505ac1f26d2fc5133b80
SHA14252d2185bc7fc688ec3eec396a0039252515426
SHA2564fc10c18153dc86c325b1cd3146c09a90057548e8c0f177941c8dc446c7a3cbe
SHA5127ddfed5eff4d004563bcd301dfa1c1e0d9fceb3ce1f0d7a15d6a936f9d59660e4463ca34ea9f1533ee536429c068b1e439f6f0ccf33ad526a56915e223b47f5c
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
f7a808b5711f58fb4f85476c1bb24ac3
SHA1fbdf9670d622e8fc3446ad4f53fbbd83016f03d1
SHA256de4aadfe00c4cf41434a12450cdc69d37cb2d9cec951b074c3b5e7bfce9e94ec
SHA512866848d13e999e6a1a79d77c33adb642d78d0a11adee293fca411b4ed5f7bf85324f90b3031148a66ac10dccc577d3c2a7c1ab6ed4237360de9911c27516a5af
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
7247129cd0644457905b7d6bf17fd078
SHA1dbf9139b5a1b72141f170d2eae911bbbe7e128c8
SHA256dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4
SHA5129b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
0f8c5ec2bc6789e30b2697c7fe487a8f
SHA1473b50d935f68bc401f1809b670d1bdb4dd6c986
SHA2568db9186afed8a752a7b9a116b2dae679373c06a35ef7fb8cde5ca653b7733310
SHA5124c22c93ce4db8639cbc24f77339fff0a7d573578d270a710d7adda92b6f869b8da53b918c64215df1a5154eae3457e215101699745bc09f5fda827382dced24d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
dc75f5eed878c7903efbbf5fdfa1ce55
SHA1ee18c7b8a7c93581982b55f4d9e8d82917ce0fc6
SHA25620e3420ac418352cdac8b6c95e89a7cb4eb9fb2b24e24973a9266aae22afe608
SHA5128be43398a803c6ac14e779220effc400ac0fe4b96a5f2d66948f178fd0ae559303113aca8e1aa81fa2d42faf1058ba51490c2c9144d4f2787f45cef2086b7746
-
C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dllMD5
5951f0afa96cda14623b4cce74d58cca
SHA1ad4a21bd28a3065037b1ea40fab4d7c4d7549fde
SHA2568b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce
SHA512b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071
-
C:\Users\Admin\AppData\Local\Temp\SDKWTD~1.DLLMD5
7101221de9839b5dd1344643ab8e54c0
SHA17d7a32330e01ac07f462a2aae0a25e73935a99df
SHA2560f092ba67d5a07a33878965f9795dfc477ed1dfdb0892b93471d8ca914a008e9
SHA512a88db53a912ec3cc1d03941492b35a24c847165e4b1edf0dffcc7e547de298cf2a0056863f7f0ee3163d7bd461cd1eaffbd7d2cc6c3496302f02a301f88a7c16
-
C:\Users\Admin\AppData\Local\Temp\djbtnpxyje.vbsMD5
6141260687282373ed239b6a1c52c569
SHA158c7d712bfec9af3f584f56648d7d085d0376de2
SHA256f93d1677185edd17199ebe94c62629df4be2cf80486a14dbd72190297a2f630c
SHA51264a818804d2ef6219555fe4a9dcffaf50e91dc38c75b37fb59621fc38ff5b07c7c0a0339bfe42e14e4becfe429e22a5e78fd8f818508e574adb228239af9e22a
-
C:\Users\Admin\AppData\Local\Temp\nxodlua.vbsMD5
39e73cd63cd1e36170c4e4924b32c0b8
SHA1d1d80b4bfed26eba83140bff4cf6faf8d5d04975
SHA256652a7f226c88a9b532411adb12b893630e5dd4588f156450af0fff6188fdd5ba
SHA512a3c94fed527da337748faaf489fc4d489cff9db967520acbae34b534ec913895255c08eeb93ff1aaa8c4eaaad772c38988dab5d84679bc9b52aa9def0d2a0402
-
C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exeMD5
af36c20219a8f5fa58d205a9e5db1cc1
SHA117356b91dd8292bddea7300c3a9fc1a98fccd11f
SHA2563276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81
SHA512443ba7a6c07ee2076f823a5a70ef6dffb60e5f36dc413672f8194e6e46abcb47dc364812f2b2b76e1da914e8d64322111cc78e7875608c205a5331302ecc1e4e
-
C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exeMD5
af36c20219a8f5fa58d205a9e5db1cc1
SHA117356b91dd8292bddea7300c3a9fc1a98fccd11f
SHA2563276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81
SHA512443ba7a6c07ee2076f823a5a70ef6dffb60e5f36dc413672f8194e6e46abcb47dc364812f2b2b76e1da914e8d64322111cc78e7875608c205a5331302ecc1e4e
-
C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exeMD5
9baf6cadcbff7a3b885e589d411f8e8a
SHA135af631df140d421c0e0d012cbb3a63198e02b9b
SHA256c0d120c7cd7b3932c62fa85150cb19656fc5801fbc662ac184b283c45e40566b
SHA51272548c529695d15e4915808261b176cf28eb1ef56f569b38128a2984216013f9793ac31a1a7b156be0386621c26698a1a424e02bd6ffd8d17e9795e71c9b2ed3
-
C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exeMD5
9baf6cadcbff7a3b885e589d411f8e8a
SHA135af631df140d421c0e0d012cbb3a63198e02b9b
SHA256c0d120c7cd7b3932c62fa85150cb19656fc5801fbc662ac184b283c45e40566b
SHA51272548c529695d15e4915808261b176cf28eb1ef56f569b38128a2984216013f9793ac31a1a7b156be0386621c26698a1a424e02bd6ffd8d17e9795e71c9b2ed3
-
C:\Users\Admin\AppData\Local\Temp\sdkwtddg.exeMD5
9bc77053fcddc327ccaa4dc042d75f59
SHA15d758c777e95d552ed2df0d689fd770023867661
SHA25683d28c6d02718741f6282c3c9a83c89d1013f8d174d6cb58631c3c9de2c8770d
SHA5125e34ddff62702576a8a7a4c9c58e3097eda9cdd664ecc00a6208ff2abe7e3d31380251573d321a41cc36b4c4efd6468affdda8222318ff39b68ff41d49f6963a
-
C:\Users\Admin\AppData\Local\Temp\sdkwtddg.exeMD5
9bc77053fcddc327ccaa4dc042d75f59
SHA15d758c777e95d552ed2df0d689fd770023867661
SHA25683d28c6d02718741f6282c3c9a83c89d1013f8d174d6cb58631c3c9de2c8770d
SHA5125e34ddff62702576a8a7a4c9c58e3097eda9cdd664ecc00a6208ff2abe7e3d31380251573d321a41cc36b4c4efd6468affdda8222318ff39b68ff41d49f6963a
-
C:\Users\Admin\AppData\Local\Temp\tmp198D.tmp.ps1
MD5
b94f865e14384f0e2eb9e62247208fe5
SHA1
f31c6fd0f43b19f585484615bbfaa7d563edf676
SHA256
b512bd1fad5879018a439a898ae59a2b7261f82a1250da7c42601f94791e6eaa
SHA512
00f637404c80a083113360c5a858c9285b5a33cb8f993410293344ccc62036ecebfff4ebe83b26fda3ea14795360fc3f9c6a159a7e0a450a27b84f396328a8d1
-
C:\Users\Admin\AppData\Local\Temp\tmp198E.tmp
MD5
1860260b2697808b80802352fe324782
SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b
SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1
SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f
-
C:\Users\Admin\AppData\Local\Temp\tmpC4E4.tmp.ps1
MD5
9f5af7637fa0d82b7b231f9e0c7de7a0
SHA1
c2e4ed559cf4b2d6d6a179c45766ccd9a9fc3ba6
SHA256
cdc653c1b0f5027e55c4c53c86db3e3af807f5b607168a10bf83a392a9ba9ad2
SHA512
c1f928de1479c44595ca125557702bf0f7d38944465a228b1f6a1ced81fa6388b026d2fe66407701a767f714dfb9e6102de6d2496d3eea410fc33cb2d275fab6
-
C:\Users\Admin\AppData\Local\Temp\tmpC4E5.tmp
MD5
c416c12d1b2b1da8c8655e393b544362
SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447
SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
af36c20219a8f5fa58d205a9e5db1cc1
SHA1
17356b91dd8292bddea7300c3a9fc1a98fccd11f
SHA256
3276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81
SHA512
443ba7a6c07ee2076f823a5a70ef6dffb60e5f36dc413672f8194e6e46abcb47dc364812f2b2b76e1da914e8d64322111cc78e7875608c205a5331302ecc1e4e
-
\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca
SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde
SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce
SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071
-
\Users\Admin\AppData\Local\Temp\SDKWTD~1.DLL
MD5
7101221de9839b5dd1344643ab8e54c0
SHA1
7d7a32330e01ac07f462a2aae0a25e73935a99df
SHA256
0f092ba67d5a07a33878965f9795dfc477ed1dfdb0892b93471d8ca914a008e9
SHA512
a88db53a912ec3cc1d03941492b35a24c847165e4b1edf0dffcc7e547de298cf2a0056863f7f0ee3163d7bd461cd1eaffbd7d2cc6c3496302f02a301f88a7c16
-
\Users\Admin\AppData\Local\Temp\nsa1049.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d
SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
memory/428-253-0x0000000007032000-0x0000000007033000-memory.dmp
Filesize
4KB
-
memory/428-338-0x0000000007033000-0x0000000007034000-memory.dmp
Filesize
4KB
-
memory/428-223-0x0000000000000000-mapping.dmp
-
memory/428-251-0x0000000007030000-0x0000000007031000-memory.dmp
Filesize
4KB
-
memory/740-141-0x0000000001210000-0x0000000001906000-memory.dmp
Filesize
7.0MB
-
memory/740-140-0x0000000001210000-0x0000000001906000-memory.dmp
Filesize
7.0MB
-
memory/740-137-0x0000000000000000-mapping.dmp
-
memory/740-143-0x0000000001210000-0x0000000001906000-memory.dmp
Filesize
7.0MB
-
memory/740-142-0x0000000001210000-0x0000000001906000-memory.dmp
Filesize
7.0MB
-
memory/740-144-0x0000000076F70000-0x00000000770FE000-memory.dmp
Filesize
1.6MB
-
memory/864-487-0x0000000000000000-mapping.dmp
-
memory/936-152-0x0000000000000000-mapping.dmp
-
memory/936-155-0x0000000005011000-0x0000000005FF5000-memory.dmp
Filesize
15.9MB
-
memory/936-156-0x0000000000680000-0x0000000000681000-memory.dmp
Filesize
4KB
-
memory/1312-146-0x0000000002450000-0x00000000025F5000-memory.dmp
Filesize
1.6MB
-
memory/1312-147-0x0000000000400000-0x0000000000654000-memory.dmp
Filesize
2.3MB
-
memory/1312-132-0x0000000000000000-mapping.dmp
-
memory/1312-145-0x00000000022B2000-0x0000000002440000-memory.dmp
Filesize
1.6MB
-
memory/1504-492-0x0000000000000000-mapping.dmp
-
memory/1924-124-0x0000000000AC0000-0x00000000011B6000-memory.dmp
Filesize
7.0MB
-
memory/1924-125-0x0000000000AC0000-0x00000000011B6000-memory.dmp
Filesize
7.0MB
-
memory/1924-116-0x0000000000000000-mapping.dmp
-
memory/1924-122-0x0000000076F70000-0x00000000770FE000-memory.dmp
Filesize
1.6MB
-
memory/1924-123-0x0000000000AC0000-0x00000000011B6000-memory.dmp
Filesize
7.0MB
-
memory/1924-126-0x0000000000AC0000-0x00000000011B6000-memory.dmp
Filesize
7.0MB
-
memory/1944-135-0x0000000000000000-mapping.dmp
-
memory/2152-160-0x0000000005161000-0x0000000006145000-memory.dmp
Filesize
15.9MB
-
memory/2152-161-0x0000000000680000-0x0000000000681000-memory.dmp
Filesize
4KB
-
memory/2152-157-0x0000000000000000-mapping.dmp
-
memory/2596-131-0x0000000001330000-0x0000000001997000-memory.dmp
Filesize
6.4MB
-
memory/2596-127-0x0000000076F70000-0x00000000770FE000-memory.dmp
Filesize
1.6MB
-
memory/2596-128-0x0000000001330000-0x0000000001997000-memory.dmp
Filesize
6.4MB
-
memory/2596-129-0x0000000001330000-0x0000000001997000-memory.dmp
Filesize
6.4MB
-
memory/2596-119-0x0000000000000000-mapping.dmp
-
memory/2596-130-0x0000000001330000-0x0000000001997000-memory.dmp
Filesize
6.4MB
-
memory/3152-203-0x0000000000000000-mapping.dmp
-
memory/3168-490-0x0000000004A23000-0x0000000004A24000-memory.dmp
Filesize
4KB
-
memory/3168-470-0x0000000004A22000-0x0000000004A23000-memory.dmp
Filesize
4KB
-
memory/3168-468-0x0000000004A20000-0x0000000004A21000-memory.dmp
Filesize
4KB
-
memory/3168-461-0x0000000000000000-mapping.dmp
-
memory/3416-200-0x0000000000000000-mapping.dmp
-
memory/3424-148-0x0000000000000000-mapping.dmp
-
memory/3640-210-0x0000000009730000-0x0000000009763000-memory.dmp
Filesize
204KB
-
memory/3640-174-0x00000000081D0000-0x00000000081D1000-memory.dmp
Filesize
4KB
-
memory/3640-162-0x0000000000000000-mapping.dmp
-
memory/3640-165-0x0000000003360000-0x0000000003361000-memory.dmp
Filesize
4KB
-
memory/3640-166-0x0000000003360000-0x0000000003361000-memory.dmp
Filesize
4KB
-
memory/3640-167-0x00000000070B0000-0x00000000070B1000-memory.dmp
Filesize
4KB
-
memory/3640-168-0x0000000007740000-0x0000000007741000-memory.dmp
Filesize
4KB
-
memory/3640-170-0x0000000007102000-0x0000000007103000-memory.dmp
Filesize
4KB
-
memory/3640-179-0x0000000003360000-0x0000000003361000-memory.dmp
Filesize
4KB
-
memory/3640-177-0x0000000008940000-0x0000000008941000-memory.dmp
Filesize
4KB
-
memory/3640-176-0x00000000088F0000-0x00000000088F1000-memory.dmp
Filesize
4KB
-
memory/3640-169-0x0000000007100000-0x0000000007101000-memory.dmp
Filesize
4KB
-
memory/3640-171-0x00000000076E0000-0x00000000076E1000-memory.dmp
Filesize
4KB
-
memory/3640-209-0x000000007EE60000-0x000000007EE61000-memory.dmp
Filesize
4KB
-
memory/3640-172-0x0000000007EE0000-0x0000000007EE1000-memory.dmp
Filesize
4KB
-
memory/3640-217-0x0000000007410000-0x0000000007411000-memory.dmp
Filesize
4KB
-
memory/3640-222-0x0000000009860000-0x0000000009861000-memory.dmp
Filesize
4KB
-
memory/3640-175-0x0000000008560000-0x0000000008561000-memory.dmp
Filesize
4KB
-
memory/3640-227-0x0000000007103000-0x0000000007104000-memory.dmp
Filesize
4KB
-
memory/3640-173-0x0000000008160000-0x0000000008161000-memory.dmp
Filesize
4KB
-
memory/3660-491-0x0000000000000000-mapping.dmp
-
memory/3804-163-0x0000000000000000-mapping.dmp
-
memory/3804-191-0x0000000006340000-0x0000000006341000-memory.dmp
Filesize
4KB
-
memory/3804-184-0x0000000000680000-0x0000000000681000-memory.dmp
Filesize
4KB
-
memory/3804-189-0x0000000006130000-0x0000000006270000-memory.dmp
Filesize
1.2MB
-
memory/3804-192-0x0000000006130000-0x0000000006270000-memory.dmp
Filesize
1.2MB
-
memory/3804-187-0x0000000006130000-0x0000000006270000-memory.dmp
Filesize
1.2MB
-
memory/3804-181-0x0000000005081000-0x0000000006065000-memory.dmp
Filesize
15.9MB
-
memory/3804-186-0x0000000006130000-0x0000000006270000-memory.dmp
Filesize
1.2MB
-
memory/3804-190-0x0000000006130000-0x0000000006270000-memory.dmp
Filesize
1.2MB
-
memory/3804-193-0x0000000006130000-0x0000000006270000-memory.dmp
Filesize
1.2MB
-
memory/3804-185-0x0000000003390000-0x0000000003391000-memory.dmp
Filesize
4KB
-
memory/3840-196-0x0000017F9CEF0000-0x0000017F9CEF2000-memory.dmp
Filesize
8KB
-
memory/3840-194-0x00007FF7E23E5FD0-mapping.dmp
-
memory/3840-207-0x0000017F9D220000-0x0000017F9D3D2000-memory.dmp
Filesize
1.7MB
-
memory/3840-197-0x0000017F9CEF0000-0x0000017F9CEF2000-memory.dmp
Filesize
8KB
-
memory/3840-206-0x0000000000D70000-0x0000000000F10000-memory.dmp
Filesize
1.6MB