Malware Analysis Report

2024-10-19 02:31

Sample ID 220625-v41dsafge3
Target a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4
SHA256 a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4
Tags plugx trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4

Threat Level: Known bad

The file a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4 was found to be: Known bad.

Malicious Activity Summary

plugx trojan

PlugX

Detects PlugX Payload

Executes dropped EXE

Deletes itself

Checks computer location settings

Loads dropped DLL

Drops file in System32 directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-25 17:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-25 17:33

Reported

2022-06-25 17:37

Platform

win7-20220414-en

Max time kernel

187s

Max time network

193s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe"

Signatures

Detects PlugX Payload

Description Indicator Process Target
N/A N/A N/A N/A

PlugX

trojan plugx

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\SysWOW64\svchost.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 90b1f8d8ca88d801 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 7006ceecca88d801 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 90381cc5ca88d801 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 30aab8cbca88d801 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 90b1f8d8ca88d801 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 10ff8ddfca88d801 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 70e47ff3ca88d801 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\46-32-53-fb-e4-95 C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437} C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 70ba52d2ca88d801 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 70332fe6ca88d801 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 70332fe6ca88d801 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionReason = "1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000a000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 70ba52d2ca88d801 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 7006ceecca88d801 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 106c42faca88d801 C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecision = "0" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000c000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionReason = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecision = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDetectedUrl C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 30aab8cbca88d801 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000007000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000b000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000006000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadNetworkName = "Network 2" C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 90381cc5ca88d801 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000009000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 106c42faca88d801 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 70cbeebbca88d801 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000008000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 10ff8ddfca88d801 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 70cbeebbca88d801 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 70e47ff3ca88d801 C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 30003600450030003600420039004500350035003300370042003900300037000000 C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\TEMP\AOFVPMJXVT.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\TEMP\AOFVPMJXVT.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\TEMP\AOFVPMJXVT.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe
PID 948 wrote to memory of 468 N/A C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe C:\Windows\SysWOW64\svchost.exe
PID 468 wrote to memory of 1560 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\TEMP\AOFVPMJXVT.exe
PID 468 wrote to memory of 1800 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe

"C:\Users\Admin\AppData\Local\Temp\a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe"

C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe

"C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\TEMP\AOFVPMJXVT.exe

"C:\Windows\TEMP\AOFVPMJXVT.exe" Intel(R) Capability Licensing Service Interface CPUMonitor

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 468

Network

Country Destination Domain Proto
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp

Files

memory/1968-54-0x0000000075841000-0x0000000075843000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe

MD5 64787351f8dd15fa642b37d2e3d023c8
SHA1 62406876a635d5c6f5fa9376fc67a5c2e4af9ed2
SHA256 84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0
SHA512 8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492

\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe

MD5 64787351f8dd15fa642b37d2e3d023c8
SHA1 62406876a635d5c6f5fa9376fc67a5c2e4af9ed2
SHA256 84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0
SHA512 8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492

\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe

MD5 64787351f8dd15fa642b37d2e3d023c8
SHA1 62406876a635d5c6f5fa9376fc67a5c2e4af9ed2
SHA256 84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0
SHA512 8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492

\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe

MD5 64787351f8dd15fa642b37d2e3d023c8
SHA1 62406876a635d5c6f5fa9376fc67a5c2e4af9ed2
SHA256 84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0
SHA512 8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492

\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe

MD5 64787351f8dd15fa642b37d2e3d023c8
SHA1 62406876a635d5c6f5fa9376fc67a5c2e4af9ed2
SHA256 84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0
SHA512 8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492

memory/1552-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe

MD5 64787351f8dd15fa642b37d2e3d023c8
SHA1 62406876a635d5c6f5fa9376fc67a5c2e4af9ed2
SHA256 84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0
SHA512 8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492

C:\Users\Admin\AppData\Local\Temp\RarSFX0\SHFOLDER.dll

MD5 9244fe82fddc1f4ccbda307df165fd71
SHA1 3d270662c1d29b686dc2c72bc947a71a211d7a0c
SHA256 788958888d62e093a2f5b2dd5b5f629319e0ea38ccc9e32c9d81dfaf62844394
SHA512 7e996c75c267599873dd14414f7a720304b8813ca58365d41a7143626a0739946f2a2427dd0a9dfae5caaacc4fd8cb046c0cde67e0e9bbf02e5e861771266cb4

\Users\Admin\AppData\Local\Temp\RarSFX0\SHFOLDER.dll

MD5 9244fe82fddc1f4ccbda307df165fd71
SHA1 3d270662c1d29b686dc2c72bc947a71a211d7a0c
SHA256 788958888d62e093a2f5b2dd5b5f629319e0ea38ccc9e32c9d81dfaf62844394
SHA512 7e996c75c267599873dd14414f7a720304b8813ca58365d41a7143626a0739946f2a2427dd0a9dfae5caaacc4fd8cb046c0cde67e0e9bbf02e5e861771266cb4

C:\Users\Admin\AppData\Local\Temp\RarSFX0\NetSeSS.Cfg

MD5 ed3af94dbae43395784af13bb362ef06
SHA1 82616c65c6b3453b7e12ccff8694897977710cfb
SHA256 b8d5f0a17e1440367caf8a52c17c10626f533c10580ce5e000129aa7a1b4f621
SHA512 6e73620ed03a57f90cbaf6ba797e9ba6a786843c9b46f61d33c07e7b9c05fae3076a6670cf33486676d200a073bbc90735e4790c5cddf3a2e2e96b4e2e8f59d2

C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe

MD5 64787351f8dd15fa642b37d2e3d023c8
SHA1 62406876a635d5c6f5fa9376fc67a5c2e4af9ed2
SHA256 84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0
SHA512 8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492

memory/1552-67-0x0000000000370000-0x00000000003A6000-memory.dmp

memory/1552-68-0x00000000007A0000-0x00000000007F1000-memory.dmp

C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe

MD5 64787351f8dd15fa642b37d2e3d023c8
SHA1 62406876a635d5c6f5fa9376fc67a5c2e4af9ed2
SHA256 84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0
SHA512 8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492

C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\SHFOLDER.dll

MD5 9244fe82fddc1f4ccbda307df165fd71
SHA1 3d270662c1d29b686dc2c72bc947a71a211d7a0c
SHA256 788958888d62e093a2f5b2dd5b5f629319e0ea38ccc9e32c9d81dfaf62844394
SHA512 7e996c75c267599873dd14414f7a720304b8813ca58365d41a7143626a0739946f2a2427dd0a9dfae5caaacc4fd8cb046c0cde67e0e9bbf02e5e861771266cb4

\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\SHFOLDER.dll

MD5 9244fe82fddc1f4ccbda307df165fd71
SHA1 3d270662c1d29b686dc2c72bc947a71a211d7a0c
SHA256 788958888d62e093a2f5b2dd5b5f629319e0ea38ccc9e32c9d81dfaf62844394
SHA512 7e996c75c267599873dd14414f7a720304b8813ca58365d41a7143626a0739946f2a2427dd0a9dfae5caaacc4fd8cb046c0cde67e0e9bbf02e5e861771266cb4

C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\NetSeSS.Cfg

MD5 ed3af94dbae43395784af13bb362ef06
SHA1 82616c65c6b3453b7e12ccff8694897977710cfb
SHA256 b8d5f0a17e1440367caf8a52c17c10626f533c10580ce5e000129aa7a1b4f621
SHA512 6e73620ed03a57f90cbaf6ba797e9ba6a786843c9b46f61d33c07e7b9c05fae3076a6670cf33486676d200a073bbc90735e4790c5cddf3a2e2e96b4e2e8f59d2

memory/948-74-0x0000000000790000-0x00000000007E1000-memory.dmp

memory/468-75-0x0000000000100000-0x0000000000132000-memory.dmp

memory/468-77-0x0000000000000000-mapping.dmp

memory/468-79-0x0000000000310000-0x0000000000361000-memory.dmp

\Windows\Temp\AOFVPMJXVT.exe

MD5 6622918d92a44e67175f7aeb3fcb5a05
SHA1 0b226563fa229783bea7aa27e28f908967c729e6
SHA256 b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c
SHA512 65ff16d6d4eb4308f5950dec33b7598c10da54e4ae124107f19159675cc2cc445da8b70a5cb5f509b7c988358f1973b77b3be361d712a3cd44bda6e3697008fe

\Windows\Temp\AOFVPMJXVT.exe

MD5 6622918d92a44e67175f7aeb3fcb5a05
SHA1 0b226563fa229783bea7aa27e28f908967c729e6
SHA256 b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c
SHA512 65ff16d6d4eb4308f5950dec33b7598c10da54e4ae124107f19159675cc2cc445da8b70a5cb5f509b7c988358f1973b77b3be361d712a3cd44bda6e3697008fe

memory/1560-82-0x0000000000000000-mapping.dmp

C:\Windows\Temp\AOFVPMJXVT.exe

MD5 6622918d92a44e67175f7aeb3fcb5a05
SHA1 0b226563fa229783bea7aa27e28f908967c729e6
SHA256 b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c
SHA512 65ff16d6d4eb4308f5950dec33b7598c10da54e4ae124107f19159675cc2cc445da8b70a5cb5f509b7c988358f1973b77b3be361d712a3cd44bda6e3697008fe

memory/1800-86-0x0000000000000000-mapping.dmp

memory/468-88-0x0000000000310000-0x0000000000361000-memory.dmp

memory/1800-89-0x0000000001E10000-0x0000000001E61000-memory.dmp

memory/1800-90-0x0000000001E10000-0x0000000001E61000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-25 17:33

Reported

2022-06-25 17:37

Platform

win10v2004-20220414-en

Max time kernel

158s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe"

Signatures

Detects PlugX Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

PlugX

trojan plugx

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 30004300310037003900450031003900300032003800460034003400360042000000 C:\Windows\SysWOW64\svchost.exe N/A
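The data written to HKLM\SOFTWARE\Classes\FAST\CLSID is a UTF-16LE string. Decoding it, as an added example that is not part of the report, gives a 16-character hex token rather than the braced GUID a genuine CLSID registration under HKLM\SOFTWARE\Classes would carry; that, together with the write coming from the injected svchost.exe, makes the key a usable host-based indicator. The hex string is copied from the row above; the GUID check is a plain syntactic test and the name of the helper is mine.

```python
# Added example (not part of the sandbox report): decode the REG_BINARY value
# written to HKLM\SOFTWARE\Classes\FAST\CLSID and check whether it looks like a
# real COM class registration. The hex string is copied from the report row.

import re

REPORT_VALUE_HEX = (
    "30004300310037003900450031003900300032003800460034003400360042000000"
)

# A CLSID as COM registers it: {8-4-4-4-12 hex digits}.
BRACED_GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

def decode_utf16le_blob(hex_data: str) -> str:
    """Decode a REG_BINARY blob that actually holds a NUL-terminated UTF-16LE string."""
    raw = bytes.fromhex(hex_data)
    return raw.decode("utf-16-le").rstrip("\x00")

def looks_like_com_clsid(value: str) -> bool:
    """True only for the braced-GUID form, e.g. {00021401-0000-0000-C000-000000000046}."""
    return BRACED_GUID.match(value) is not None

def assess_fast_clsid(hex_data: str) -> dict:
    """Decode the value and classify it: real CLSID, or an opaque hex token."""
    decoded = decode_utf16le_blob(hex_data)
    return {
        "decoded": decoded,
        "is_real_clsid": looks_like_com_clsid(decoded),
        "is_hex_token": re.fullmatch(r"[0-9A-F]{16}", decoded) is not None,
    }

if __name__ == "__main__":
    print(assess_fast_clsid(REPORT_VALUE_HEX))
```

On a live host the same check runs over the value read with winreg (HKEY_LOCAL_MACHINE, SOFTWARE\Classes\FAST, value CLSID); the decoded token is what you would pivot on across machines, since a legitimate Classes subkey never stores a bare 16-digit string under a CLSID value.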

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\TEMP\AOFVPMJXVT.exe N/A
N/A N/A C:\Windows\TEMP\AOFVPMJXVT.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\TEMP\AOFVPMJXVT.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\TEMP\AOFVPMJXVT.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4856 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe
PID 4856 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe
PID 4856 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe
PID 724 wrote to memory of 5032 N/A C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe C:\Windows\SysWOW64\svchost.exe
PID 724 wrote to memory of 5032 N/A C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe C:\Windows\SysWOW64\svchost.exe
PID 724 wrote to memory of 5032 N/A C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe C:\Windows\SysWOW64\svchost.exe
PID 724 wrote to memory of 5032 N/A C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe C:\Windows\SysWOW64\svchost.exe
PID 724 wrote to memory of 5032 N/A C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe C:\Windows\SysWOW64\svchost.exe
PID 724 wrote to memory of 5032 N/A C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe C:\Windows\SysWOW64\svchost.exe
PID 724 wrote to memory of 5032 N/A C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe C:\Windows\SysWOW64\svchost.exe
PID 724 wrote to memory of 5032 N/A C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe C:\Windows\SysWOW64\svchost.exe
PID 5032 wrote to memory of 4752 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\TEMP\AOFVPMJXVT.exe
PID 5032 wrote to memory of 4752 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\TEMP\AOFVPMJXVT.exe
PID 5032 wrote to memory of 100 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 5032 wrote to memory of 100 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 5032 wrote to memory of 100 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 5032 wrote to memory of 100 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 5032 wrote to memory of 100 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 5032 wrote to memory of 100 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 5032 wrote to memory of 100 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 5032 wrote to memory of 100 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe

"C:\Users\Admin\AppData\Local\Temp\a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe"

C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe

"C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\TEMP\AOFVPMJXVT.exe

"C:\Windows\TEMP\AOFVPMJXVT.exe" Intel(R) Capability Licensing Service Interface CPUMonitor

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 5032
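An added example, not part of the sandbox output, that applies a few generic heuristics to the Processes list and the WriteProcessMemory rows above: a svchost.exe without the -k service-group argument that every genuine service host is started with, a msiexec.exe or svchost.exe whose numeric arguments name the PID of the process that wrote into it (here msiexec.exe 209 5032, where 5032 is the injected svchost.exe), a Windows binary written to by a process running from a user-writable directory, and execution out of C:\Windows\Temp. PIDs, images and command lines are copied from this report; the parent of PID 724 is not recorded here, so the table carries only the WriteProcessMemory edges the report lists, and the rule wording is mine.

```python
# Added example (not part of the sandbox report): turn the "Processes" list and the
# "Suspicious use of WriteProcessMemory" rows into a small injection-chain triage.
# PIDs, images and command lines are copied from this report; the rules are
# generic heuristics, not the sandbox's own signatures.

import ntpath
from dataclasses import dataclass, field

@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    written_by: set = field(default_factory=set)  # PIDs that called WriteProcessMemory on us

# Process table reconstructed from behavioral2; the dropper's PID (4856) comes from
# the WriteProcessMemory rows, the command lines from the Processes list.
PROCS = {
    4856: Proc(4856, r"C:\Users\Admin\AppData\Local\Temp\a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe",
               r'"C:\Users\Admin\AppData\Local\Temp\a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe"'),
    1668: Proc(1668, r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe",
               r'"C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe"'),
    724:  Proc(724,  r"C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe",
               r'"C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe"'),
    5032: Proc(5032, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\system32\svchost.exe 201 0"),
    4752: Proc(4752, r"C:\Windows\TEMP\AOFVPMJXVT.exe",
               r'"C:\Windows\TEMP\AOFVPMJXVT.exe" Intel(R) Capability Licensing Service Interface CPUMonitor'),
    100:  Proc(100,  r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\system32\msiexec.exe 209 5032"),
}
# (writer PID, target PID); the report repeats each pair once per write, collapsed here.
WRITES = [(4856, 1668), (724, 5032), (5032, 4752), (5032, 100)]
for _src, _dst in WRITES:
    PROCS[_dst].written_by.add(_src)

def _args(p: Proc) -> list:
    """Arguments after the image path, tolerating the quoted form the report uses."""
    cmd = p.cmdline.strip()
    if cmd.startswith('"'):
        cmd = cmd[cmd.index('"', 1) + 1:]
    else:
        cmd = cmd.partition(" ")[2]
    return cmd.split()

def _in_windows_dir(image: str) -> bool:
    return image.lower().startswith("c:\\windows\\")

def triage(procs: dict) -> list:
    """Return (pid, reason) findings over the reconstructed process table."""
    findings = []
    for p in procs.values():
        name = ntpath.basename(p.image).lower()
        args = _args(p)
        # Genuine svchost.exe is started by services.exe with "-k <group>"; a copy
        # running with bare numeric arguments is a hollowing/injection host.
        if name == "svchost.exe" and "-k" not in (a.lower() for a in args):
            findings.append((p.pid, "svchost without -k service group"))
        # msiexec.exe/svchost.exe whose numeric-only arguments include the PID of a
        # process that wrote into it: the "<code> <parent pid>" hand-off seen above.
        if name in ("msiexec.exe", "svchost.exe") and args and all(a.isdigit() for a in args):
            if any(int(a) in p.written_by for a in args):
                findings.append((p.pid, "numeric args reference the injecting PID"))
        # A binary under C:\Windows written to by something living outside it.
        for src in p.written_by:
            if _in_windows_dir(p.image) and not _in_windows_dir(procs[src].image):
                findings.append((p.pid, f"system binary written to by PID {src} from {ntpath.dirname(procs[src].image)}"))
        # Executables running out of C:\Windows\Temp.
        if p.image.lower().startswith("c:\\windows\\temp\\"):
            findings.append((p.pid, "executable launched from Windows\\Temp"))
    return findings

if __name__ == "__main__":
    for pid, why in triage(PROCS):
        print(f"PID {pid:>5}: {why}")
```

The same four rules translate directly to Sysmon event IDs 1 (process creation, for the command-line checks) and 10 (process access with write rights, for the injection edges); the point of keeping them as plain functions is that the sandbox table is enough to test them before touching telemetry.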

Network

Country Destination Domain Proto
NL 88.221.144.192:80 tcp
NL 88.221.144.192:80 tcp
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
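The behavioral2 Network table is several hundred rows cycling through www., pop3. and ns.expert-caller.net with no TCP session labelled with any of those names; the only TCP peer is 88.221.144.192:80, listed without a domain. An added example, not part of the report, that parses rows in this table's format and summarises them: query counts per hostname, the order in which hostnames are first tried, TCP sessions, and hostnames looked up repeatedly without a named session. The excerpt embedded in the code is a constructed subset of the table; the reading that the names never resolved in the sandbox is an inference from the absence of a named TCP session, not something the report states, and the registrable-domain helper is a deliberate simplification.

```python
# Added example (not part of the sandbox report): summarise the "Network" table.
# NETWORK_EXCERPT is a constructed subset of the rows above; the real table has a
# few hundred rows with the same three hostnames.

from collections import Counter

NETWORK_EXCERPT = """\
NL 88.221.144.192:80 tcp
NL 88.221.144.192:80 tcp
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
US 8.8.8.8:53 www.expert-caller.net udp
US 8.8.8.8:53 pop3.expert-caller.net udp
US 8.8.8.8:53 ns.expert-caller.net udp
"""

def parse_rows(text):
    """Yield (country, dest_ip, dest_port, domain_or_None, proto) per table row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():      # skips the "Country Destination Domain Proto" header
            continue
        yield country, ip, int(port), domain, proto

def registrable(hostname):
    """Last two labels; adequate for a .net name, a real tool would use the PSL."""
    return ".".join(hostname.split(".")[-2:])

def summarise(text, min_repeats=2):
    queries = Counter()
    rotation = []                    # hostnames in first-seen order
    tcp_peers, named_tcp = set(), set()
    for _, ip, port, domain, proto in parse_rows(text):
        if proto == "udp" and port == 53 and domain:
            queries[domain] += 1
            if domain not in rotation:
                rotation.append(domain)
        elif proto == "tcp":
            tcp_peers.add((ip, port))
            if domain:               # the sandbox labels a TCP row when it followed a lookup
                named_tcp.add(domain)
    unresolved = sorted(h for h, n in queries.items() if n >= min_repeats and h not in named_tcp)
    return {
        "queries": dict(queries),
        "rotation": rotation,
        "tcp_sessions": sorted(tcp_peers),
        "lookups_without_session": unresolved,
        "hosts_per_domain": dict(Counter(registrable(h) for h in queries)),
    }

if __name__ == "__main__":
    for key, value in summarise(NETWORK_EXCERPT).items():
        print(f"{key}: {value}")
```

Three sibling hostnames under one registrable domain, tried in a fixed order and retried for the whole run, is what a multi-entry C2 list looks like from the outside; blocking at the registrable domain rather than any single hostname is the practical takeaway, and the unlabelled 88.221.144.192:80 session should be attributed separately before it is treated as part of the same infrastructure.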

Files

memory/1668-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe

MD5 64787351f8dd15fa642b37d2e3d023c8
SHA1 62406876a635d5c6f5fa9376fc67a5c2e4af9ed2
SHA256 84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0
SHA512 8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492

C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe

MD5 64787351f8dd15fa642b37d2e3d023c8
SHA1 62406876a635d5c6f5fa9376fc67a5c2e4af9ed2
SHA256 84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0
SHA512 8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492

C:\Users\Admin\AppData\Local\Temp\RarSFX0\SHFOLDER.dll

MD5 9244fe82fddc1f4ccbda307df165fd71
SHA1 3d270662c1d29b686dc2c72bc947a71a211d7a0c
SHA256 788958888d62e093a2f5b2dd5b5f629319e0ea38ccc9e32c9d81dfaf62844394
SHA512 7e996c75c267599873dd14414f7a720304b8813ca58365d41a7143626a0739946f2a2427dd0a9dfae5caaacc4fd8cb046c0cde67e0e9bbf02e5e861771266cb4

C:\Users\Admin\AppData\Local\Temp\RarSFX0\SHFOLDER.dll

MD5 9244fe82fddc1f4ccbda307df165fd71
SHA1 3d270662c1d29b686dc2c72bc947a71a211d7a0c
SHA256 788958888d62e093a2f5b2dd5b5f629319e0ea38ccc9e32c9d81dfaf62844394
SHA512 7e996c75c267599873dd14414f7a720304b8813ca58365d41a7143626a0739946f2a2427dd0a9dfae5caaacc4fd8cb046c0cde67e0e9bbf02e5e861771266cb4

C:\Users\Admin\AppData\Local\Temp\RarSFX0\NetSeSS.Cfg

MD5 ed3af94dbae43395784af13bb362ef06
SHA1 82616c65c6b3453b7e12ccff8694897977710cfb
SHA256 b8d5f0a17e1440367caf8a52c17c10626f533c10580ce5e000129aa7a1b4f621
SHA512 6e73620ed03a57f90cbaf6ba797e9ba6a786843c9b46f61d33c07e7b9c05fae3076a6670cf33486676d200a073bbc90735e4790c5cddf3a2e2e96b4e2e8f59d2

memory/1668-136-0x0000000000570000-0x00000000005A6000-memory.dmp

memory/1668-137-0x0000000000760000-0x00000000007B1000-memory.dmp

C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe

MD5 64787351f8dd15fa642b37d2e3d023c8
SHA1 62406876a635d5c6f5fa9376fc67a5c2e4af9ed2
SHA256 84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0
SHA512 8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492

C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe

MD5 64787351f8dd15fa642b37d2e3d023c8
SHA1 62406876a635d5c6f5fa9376fc67a5c2e4af9ed2
SHA256 84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0
SHA512 8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492

C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\SHFOLDER.dll

MD5 9244fe82fddc1f4ccbda307df165fd71
SHA1 3d270662c1d29b686dc2c72bc947a71a211d7a0c
SHA256 788958888d62e093a2f5b2dd5b5f629319e0ea38ccc9e32c9d81dfaf62844394
SHA512 7e996c75c267599873dd14414f7a720304b8813ca58365d41a7143626a0739946f2a2427dd0a9dfae5caaacc4fd8cb046c0cde67e0e9bbf02e5e861771266cb4

C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\NetSeSS.Cfg

MD5 ed3af94dbae43395784af13bb362ef06
SHA1 82616c65c6b3453b7e12ccff8694897977710cfb
SHA256 b8d5f0a17e1440367caf8a52c17c10626f533c10580ce5e000129aa7a1b4f621
SHA512 6e73620ed03a57f90cbaf6ba797e9ba6a786843c9b46f61d33c07e7b9c05fae3076a6670cf33486676d200a073bbc90735e4790c5cddf3a2e2e96b4e2e8f59d2

C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\SHFOLDER.dll

MD5 9244fe82fddc1f4ccbda307df165fd71
SHA1 3d270662c1d29b686dc2c72bc947a71a211d7a0c
SHA256 788958888d62e093a2f5b2dd5b5f629319e0ea38ccc9e32c9d81dfaf62844394
SHA512 7e996c75c267599873dd14414f7a720304b8813ca58365d41a7143626a0739946f2a2427dd0a9dfae5caaacc4fd8cb046c0cde67e0e9bbf02e5e861771266cb4

memory/5032-143-0x0000000000000000-mapping.dmp

memory/724-144-0x0000000000C00000-0x0000000000C51000-memory.dmp

memory/4752-145-0x0000000000000000-mapping.dmp

C:\Windows\Temp\AOFVPMJXVT.exe

MD5 6622918d92a44e67175f7aeb3fcb5a05
SHA1 0b226563fa229783bea7aa27e28f908967c729e6
SHA256 b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c
SHA512 65ff16d6d4eb4308f5950dec33b7598c10da54e4ae124107f19159675cc2cc445da8b70a5cb5f509b7c988358f1973b77b3be361d712a3cd44bda6e3697008fe

C:\Windows\TEMP\AOFVPMJXVT.exe

MD5 6622918d92a44e67175f7aeb3fcb5a05
SHA1 0b226563fa229783bea7aa27e28f908967c729e6
SHA256 b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c
SHA512 65ff16d6d4eb4308f5950dec33b7598c10da54e4ae124107f19159675cc2cc445da8b70a5cb5f509b7c988358f1973b77b3be361d712a3cd44bda6e3697008fe

memory/5032-148-0x0000000000C00000-0x0000000000C51000-memory.dmp

memory/100-149-0x0000000000000000-mapping.dmp

memory/100-150-0x0000000002F10000-0x0000000002F61000-memory.dmp

memory/5032-151-0x0000000000C00000-0x0000000000C51000-memory.dmp

memory/100-152-0x0000000002F10000-0x0000000002F61000-memory.dmp
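Two things in the file listing above are worth pulling out mechanically rather than by eye. First, the three files in Temp\RarSFX0 (VCIntegrate.exe, SHFOLDER.dll, NetSeSS.Cfg) have exactly the same SHA256 values as the three files under C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor, which reads as an SFX unpack to a temp directory followed by a copy to a persistence path. Second, an .exe, a .dll and a non-PE data file sitting together in the same directory is the loader / side-loaded DLL / encrypted payload layout PlugX is known for (the .exe in such a triad is typically a legitimate, often signed, binary; whether that holds for VCIntegrate.exe is not shown in this report). The script below is an added example, not part of the report or of any sandbox's own tooling: it parses entries in this listing's format, deduplicates by SHA256, flags directories with that triad layout, and lists hashes that were written to more than one directory. FILES_TEXT is copied from the listing above with only the SHA256 lines kept. The triad check is a layout heuristic for prioritising what to look at; the report's own "Detects PlugX Payload" signature, not this script, is the classification.

```python
"""Parse the report's Files section, deduplicate it by hash, and flag the
directory layout PlugX uses for DLL side-loading.

Added example (not part of the report). FILES_TEXT is copied from the
listing above with the MD5/SHA1/SHA512 lines left out to keep it short.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

FILES_TEXT = r"""
memory/1668-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe
SHA256 84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0

C:\Users\Admin\AppData\Local\Temp\RarSFX0\SHFOLDER.dll
SHA256 788958888d62e093a2f5b2dd5b5f629319e0ea38ccc9e32c9d81dfaf62844394

C:\Users\Admin\AppData\Local\Temp\RarSFX0\NetSeSS.Cfg
SHA256 b8d5f0a17e1440367caf8a52c17c10626f533c10580ce5e000129aa7a1b4f621

C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe
SHA256 84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0

C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\SHFOLDER.dll
SHA256 788958888d62e093a2f5b2dd5b5f629319e0ea38ccc9e32c9d81dfaf62844394

C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\NetSeSS.Cfg
SHA256 b8d5f0a17e1440367caf8a52c17c10626f533c10580ce5e000129aa7a1b4f621

C:\Windows\Temp\AOFVPMJXVT.exe
SHA256 b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c

C:\Windows\TEMP\AOFVPMJXVT.exe
SHA256 b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files_section(text):
    """Return one {'path', 'hashes'} dict per dropped file; memory/ dump
    lines are skipped and end the current entry."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = {"path": line, "hashes": {}}
            entries.append(current)
        elif line.startswith("memory/"):
            current = None
        elif current is not None:
            m = HASH_RE.match(line)
            if m:
                current["hashes"][m.group(1)] = m.group(2).lower()
    return entries


def _dir(path):
    # Windows paths are case-insensitive: Temp and TEMP are the same folder.
    return str(PureWindowsPath(path).parent).lower()


def unique_by_sha256(entries):
    """SHA256 -> sorted list of every path that hash was written to."""
    by_hash = defaultdict(set)
    for e in entries:
        sha = e["hashes"].get("SHA256")
        if sha:
            by_hash[sha].add(e["path"])
    return {h: sorted(p) for h, p in by_hash.items()}


def sideload_triads(entries):
    """Directories holding an .exe, a .dll and at least one non-PE file
    together: the loader / side-loaded DLL / payload layout. A layout
    heuristic, not a malware verdict."""
    by_dir = defaultdict(dict)
    for e in entries:
        p = PureWindowsPath(e["path"])
        by_dir[_dir(e["path"])][p.name.lower()] = p.suffix.lower()
    out = {}
    for d, names in by_dir.items():
        suffixes = set(names.values())
        if {".exe", ".dll"} <= suffixes and suffixes - {".exe", ".dll"}:
            out[d] = sorted(names)
    return out


def staged_copies(entries):
    """Hashes that land in more than one directory, e.g. unpacked to an SFX
    temp folder and then copied to a persistence path under ProgramData."""
    return {h: paths for h, paths in unique_by_sha256(entries).items()
            if len({_dir(p) for p in paths}) > 1}


if __name__ == "__main__":
    found = parse_files_section(FILES_TEXT)
    print(sideload_triads(found))
    print(staged_copies(found))
```

On this listing the triad check returns both the RarSFX0 staging directory and the ProgramData install directory, and staged_copies returns the three triad hashes but not AOFVPMJXVT.exe, whose two listings differ only in the case of the Temp folder name. The ProgramData directory name itself, styled after an Intel licensing component, is the path to hunt for on other hosts; the hashes are the weaker indicator, since the .exe and .cfg are easily rebuilt per target.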