38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
Size

92KB
MD5

f2e8f8fe0b4d4d734d5304fd6ef16d47
SHA1

c999b38f3c226716e161f8a6b2346d386a6c218b
SHA256

38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c
SHA512

a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6
SSDEEP

1536:cgRswP+BgWekSIyUpbjFyjxEyxFJ7wRqqt:SwGKWeXIxFIEyt7Ydt

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 14 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe

Executes dropped EXE 26 IoCs

pid	Process
4304	rundll32.exe
5080	rundll32.exe
4008	rundll32.exe
2204	rundll32.exe
2212	rundll32.exe
3232	rundll32.exe
3768	rundll32.exe
1308	rundll32.exe
1432	rundll32.exe
3920	rundll32.exe
3444	rundll32.exe
3816	rundll32.exe
1312	rundll32.exe
4280	rundll32.exe
4024	rundll32.exe
3784	rundll32.exe
1904	rundll32.exe
4676	rundll32.exe
2276	rundll32.exe
1496	rundll32.exe
4140	rundll32.exe
2484	rundll32.exe
4376	rundll32.exe
2576	rundll32.exe
412	rundll32.exe
1976	rundll32.exe

Modifies Windows Firewall 1 TTPs 14 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2244	netsh.exe
3012	netsh.exe
3404	netsh.exe
3488	netsh.exe
3108	netsh.exe
2116	netsh.exe
3472	netsh.exe
1004	netsh.exe
4752	netsh.exe
4528	netsh.exe
4740	netsh.exe
4288	netsh.exe
4104	netsh.exe
3040	netsh.exe

Sets file execution options in registry 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "wuaucl"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll\Debugger = "wuaucl"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "wuaucl"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll\Debugger = "wuaucl"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll\Debugger = "wuaucl"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll\Debugger = "wuaucl"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "wuaucl"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll\Debugger = "wuaucl"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll\Debugger = "wuaucl"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "wuaucl"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll\Debugger = "wuaucl"	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "wuaucl"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "wuaucl"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "wuaucl"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll\Debugger = "wuaucl"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll\Debugger = "wuaucl"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "wuaucl"	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "wuaucl"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll\Debugger = "wuaucl"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "wuaucl"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "wuaucl"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "wuaucl"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll\Debugger = "wuaucl"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll\Debugger = "wuaucl"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "wuaucl"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll\Debugger = "wuaucl"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll\Debugger = "wuaucl"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "wuaucl"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll	rundll32.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5112-136-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/5112-138-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/5112-139-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/5112-140-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/5112-164-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4024-215-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4280-216-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3784-227-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1904-236-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1904-237-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1904-240-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4676-251-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/2276-262-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1496-273-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4140-284-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/2484-295-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4376-306-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/2576-316-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/412-328-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1976-338-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	209.244.0.4
Destination IP	208.67.222.222
Destination IP	209.244.0.3
Destination IP	208.67.220.220

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*MalwareBytes0 = "\"C:\\ProgramData\\MalwareBytes0\\wireshark.exe\""	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\rstrui.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\mmc.exe	rundll32.exe
File created	C:\Windows\SysWOW64\mmc.exe:Zone.Identifier	rundll32.exe
File created	C:\Windows\SysWOW64\mmc.exe:Zone.Identifier	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\Firewall.cpl	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\mmc.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\Firewall.cpl	rundll32.exe
File created	C:\Windows\SysWOW64\FirewallAPI.dll:Zone.Identifier	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\FirewallAPI.dll	rundll32.exe
File created	C:\Windows\SysWOW64\FirewallAPI.dll:Zone.Identifier	rundll32.exe
File created	C:\Windows\SysWOW64\mmc.exe:Zone.Identifier	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\rstrui.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\rstrui.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\rstrui.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\Firewall.cpl	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\FirewallAPI.dll	rundll32.exe
File created	C:\Windows\SysWOW64\mmc.exe:Zone.Identifier	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\Firewall.cpl	rundll32.exe
File created	C:\Windows\SysWOW64\FirewallAPI.dll:Zone.Identifier	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\Firewall.cpl	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\rstrui.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\rstrui.exe	rundll32.exe
File created	C:\Windows\SysWOW64\FirewallAPI.dll:Zone.Identifier	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
File opened for modification	C:\Windows\SysWOW64\rstrui.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\Firewall.cpl	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\FirewallAPI.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\Firewall.cpl	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\FirewallAPI.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\FirewallAPI.dll	rundll32.exe
File created	C:\Windows\SysWOW64\FirewallAPI.dll:Zone.Identifier	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\mmc.exe	rundll32.exe
File created	C:\Windows\SysWOW64\mmc.exe:Zone.Identifier	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\rstrui.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\Firewall.cpl	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\FirewallAPI.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\mmc.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\FirewallAPI.dll	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
File opened for modification	C:\Windows\SysWOW64\rstrui.exe	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
File created	C:\Windows\SysWOW64\FirewallAPI.dll:Zone.Identifier	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\rstrui.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\mmc.exe	rundll32.exe
File created	C:\Windows\SysWOW64\mmc.exe:Zone.Identifier	rundll32.exe
File created	C:\Windows\SysWOW64\mmc.exe:Zone.Identifier	rundll32.exe
File created	C:\Windows\SysWOW64\FirewallAPI.dll:Zone.Identifier	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\rstrui.exe	rundll32.exe
File created	C:\Windows\SysWOW64\mmc.exe:Zone.Identifier	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\Firewall.cpl	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\Firewall.cpl	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\mmc.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\mmc.exe	rundll32.exe
File created	C:\Windows\SysWOW64\mmc.exe:Zone.Identifier	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\rstrui.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\FirewallAPI.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\FirewallAPI.dll	rundll32.exe
File created	C:\Windows\SysWOW64\FirewallAPI.dll:Zone.Identifier	rundll32.exe
File created	C:\Windows\SysWOW64\mmc.exe:Zone.Identifier	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\Firewall.cpl	rundll32.exe
File created	C:\Windows\SysWOW64\FirewallAPI.dll:Zone.Identifier	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\rstrui.exe	rundll32.exe
File created	C:\Windows\SysWOW64\mmc.exe:Zone.Identifier	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
File opened for modification	C:\Windows\SysWOW64\FirewallAPI.dll	rundll32.exe
File created	C:\Windows\SysWOW64\FirewallAPI.dll:Zone.Identifier	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\mmc.exe	rundll32.exe
File created	C:\Windows\SysWOW64\FirewallAPI.dll:Zone.Identifier	rundll32.exe

Suspicious use of SetThreadContext 14 IoCs

description	pid	Process	procid_target
PID 4796 set thread context of 5112	4796	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	80
PID 5080 set thread context of 4280	5080	rundll32.exe	97
PID 4304 set thread context of 4024	4304	rundll32.exe	100
PID 4008 set thread context of 3784	4008	rundll32.exe	103
PID 2204 set thread context of 1904	2204	rundll32.exe	106
PID 2212 set thread context of 4676	2212	rundll32.exe	113
PID 3232 set thread context of 2276	3232	rundll32.exe	118
PID 3768 set thread context of 1496	3768	rundll32.exe	121
PID 1308 set thread context of 4140	1308	rundll32.exe	124
PID 1432 set thread context of 2484	1432	rundll32.exe	127
PID 3920 set thread context of 4376	3920	rundll32.exe	130
PID 3444 set thread context of 2576	3444	rundll32.exe	133
PID 3816 set thread context of 412	3816	rundll32.exe	136
PID 1312 set thread context of 1976	1312	rundll32.exe	139

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3624	sc.exe
3644	sc.exe
4436	sc.exe
2148	sc.exe
4364	sc.exe
4700	sc.exe
3944	sc.exe
3660	sc.exe
1224	sc.exe
4164	sc.exe
4708	sc.exe
2984	sc.exe
3708	sc.exe
4476	sc.exe

Checks processor information in registry 2 TTPs 28 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe

Enumerates system info in registry 2 TTPs 28 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
Token: SeDebugPrivilege	4280	rundll32.exe
Token: SeDebugPrivilege	4024	rundll32.exe
Token: SeDebugPrivilege	3784	rundll32.exe
Token: SeDebugPrivilege	1904	rundll32.exe
Token: SeDebugPrivilege	4676	rundll32.exe
Token: SeDebugPrivilege	2276	rundll32.exe
Token: SeDebugPrivilege	1496	rundll32.exe
Token: SeDebugPrivilege	4140	rundll32.exe
Token: SeDebugPrivilege	2484	rundll32.exe
Token: SeDebugPrivilege	4376	rundll32.exe
Token: SeDebugPrivilege	2576	rundll32.exe
Token: SeDebugPrivilege	412	rundll32.exe
Token: SeDebugPrivilege	1976	rundll32.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4796	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
4304	rundll32.exe
5080	rundll32.exe
4008	rundll32.exe
2204	rundll32.exe
2212	rundll32.exe
3232	rundll32.exe
3768	rundll32.exe
1308	rundll32.exe
1432	rundll32.exe
3920	rundll32.exe
3444	rundll32.exe
3816	rundll32.exe
1312	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 5112	4796	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	80
PID 4796 wrote to memory of 5112	4796	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	80
PID 4796 wrote to memory of 5112	4796	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	80
PID 4796 wrote to memory of 5112	4796	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	80
PID 4796 wrote to memory of 5112	4796	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	80
PID 4796 wrote to memory of 5112	4796	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	80
PID 4796 wrote to memory of 5112	4796	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	80
PID 4796 wrote to memory of 5112	4796	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	80
PID 5112 wrote to memory of 1224	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	81
PID 5112 wrote to memory of 1224	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	81
PID 5112 wrote to memory of 1224	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	81
PID 5112 wrote to memory of 4288	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	82
PID 5112 wrote to memory of 4288	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	82
PID 5112 wrote to memory of 4288	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	82
PID 5112 wrote to memory of 4304	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	83
PID 5112 wrote to memory of 4304	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	83
PID 5112 wrote to memory of 4304	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	83
PID 5112 wrote to memory of 5080	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	84
PID 5112 wrote to memory of 5080	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	84
PID 5112 wrote to memory of 5080	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	84
PID 5112 wrote to memory of 4008	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	85
PID 5112 wrote to memory of 4008	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	85
PID 5112 wrote to memory of 4008	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	85
PID 5112 wrote to memory of 2204	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	86
PID 5112 wrote to memory of 2204	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	86
PID 5112 wrote to memory of 2204	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	86
PID 5112 wrote to memory of 2212	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	87
PID 5112 wrote to memory of 2212	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	87
PID 5112 wrote to memory of 2212	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	87
PID 5112 wrote to memory of 3232	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	88
PID 5112 wrote to memory of 3232	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	88
PID 5112 wrote to memory of 3232	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	88
PID 5112 wrote to memory of 3768	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	89
PID 5112 wrote to memory of 3768	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	89
PID 5112 wrote to memory of 3768	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	89
PID 5112 wrote to memory of 1308	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	90
PID 5112 wrote to memory of 1308	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	90
PID 5112 wrote to memory of 1308	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	90
PID 5112 wrote to memory of 1432	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	91
PID 5112 wrote to memory of 1432	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	91
PID 5112 wrote to memory of 1432	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	91
PID 5112 wrote to memory of 3920	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	92
PID 5112 wrote to memory of 3920	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	92
PID 5112 wrote to memory of 3920	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	92
PID 5112 wrote to memory of 3444	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	94
PID 5112 wrote to memory of 3444	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	94
PID 5112 wrote to memory of 3444	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	94
PID 5112 wrote to memory of 3816	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	95
PID 5112 wrote to memory of 3816	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	95
PID 5112 wrote to memory of 3816	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	95
PID 5112 wrote to memory of 1312	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	96
PID 5112 wrote to memory of 1312	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	96
PID 5112 wrote to memory of 1312	5112	38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe	96
PID 5080 wrote to memory of 4280	5080	rundll32.exe	97
PID 5080 wrote to memory of 4280	5080	rundll32.exe	97
PID 5080 wrote to memory of 4280	5080	rundll32.exe	97
PID 5080 wrote to memory of 4280	5080	rundll32.exe	97
PID 5080 wrote to memory of 4280	5080	rundll32.exe	97
PID 5080 wrote to memory of 4280	5080	rundll32.exe	97
PID 5080 wrote to memory of 4280	5080	rundll32.exe	97
PID 5080 wrote to memory of 4280	5080	rundll32.exe	97
PID 4280 wrote to memory of 2148	4280	rundll32.exe	98
PID 4280 wrote to memory of 2148	4280	rundll32.exe	98
PID 4280 wrote to memory of 2148	4280	rundll32.exe	98

C:\Users\Admin\AppData\Local\Temp\38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
"C:\Users\Admin\AppData\Local\Temp\38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Users\Admin\AppData\Local\Temp\38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
  "C:\Users\Admin\AppData\Local\Temp\38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe"
  2⤵
  - Modifies firewall policy service
  - Modifies visiblity of hidden/system files in Explorer
  - Sets file execution options in registry
  - Adds Run key to start application
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\SysWOW64\sc.exe
    sc.exe config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:1224
- - C:\Windows\SysWOW64\netsh.exe
    netsh.exe firewall set opmode mode=disable profile=all
    3⤵
    - Modifies Windows Firewall
    PID:4288
- - C:\ProgramData\MalwareBytes0\rundll32.exe
    C:\ProgramData\MalwareBytes0\rundll32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:4304
  - - C:\ProgramData\MalwareBytes0\rundll32.exe
      C:\ProgramData\MalwareBytes0\rundll32.exe
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      Sets file execution options in registry
      Drops file in System32 directory
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:4024
    - - C:\Windows\SysWOW64\sc.exe
        
        sc.exe config SharedAccess start= disabled
        5⤵
        Launches sc.exe
        
        PID:4164
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe firewall set opmode mode=disable profile=all
        5⤵
        Modifies Windows Firewall
        
        PID:3488
- - C:\ProgramData\MalwareBytes0\rundll32.exe
    C:\ProgramData\MalwareBytes0\rundll32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\ProgramData\MalwareBytes0\rundll32.exe
      C:\ProgramData\MalwareBytes0\rundll32.exe
      4⤵
      Modifies firewall policy service
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Sets file execution options in registry
      Drops file in System32 directory
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4280
    - - C:\Windows\SysWOW64\sc.exe
        
        sc.exe config SharedAccess start= disabled
        5⤵
        Launches sc.exe
        
        PID:2148
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe firewall set opmode mode=disable profile=all
        5⤵
        Modifies Windows Firewall
        
        PID:4104
- - C:\ProgramData\MalwareBytes0\rundll32.exe
    C:\ProgramData\MalwareBytes0\rundll32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:4008
  - - C:\ProgramData\MalwareBytes0\rundll32.exe
      C:\ProgramData\MalwareBytes0\rundll32.exe
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      Sets file execution options in registry
      Drops file in System32 directory
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:3784
    - - C:\Windows\SysWOW64\sc.exe
        
        sc.exe config SharedAccess start= disabled
        5⤵
        Launches sc.exe
        
        PID:3708
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe firewall set opmode mode=disable profile=all
        5⤵
        Modifies Windows Firewall
        
        PID:3040
- - C:\ProgramData\MalwareBytes0\rundll32.exe
    C:\ProgramData\MalwareBytes0\rundll32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:2204
  - - C:\ProgramData\MalwareBytes0\rundll32.exe
      C:\ProgramData\MalwareBytes0\rundll32.exe
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      Sets file execution options in registry
      Drops file in System32 directory
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:1904
    - - C:\Windows\SysWOW64\sc.exe
        
        sc.exe config SharedAccess start= disabled
        5⤵
        Launches sc.exe
        
        PID:4476
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe firewall set opmode mode=disable profile=all
        5⤵
        Modifies Windows Firewall
        
        PID:1004
- - C:\ProgramData\MalwareBytes0\rundll32.exe
    C:\ProgramData\MalwareBytes0\rundll32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:2212
  - - C:\ProgramData\MalwareBytes0\rundll32.exe
      C:\ProgramData\MalwareBytes0\rundll32.exe
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      Sets file execution options in registry
      Drops file in System32 directory
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:4676
    - - C:\Windows\SysWOW64\sc.exe
        
        sc.exe config SharedAccess start= disabled
        5⤵
        Launches sc.exe
        
        PID:2984
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe firewall set opmode mode=disable profile=all
        5⤵
        Modifies Windows Firewall
        
        PID:2244
- - C:\ProgramData\MalwareBytes0\rundll32.exe
    C:\ProgramData\MalwareBytes0\rundll32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:3232
  - - C:\ProgramData\MalwareBytes0\rundll32.exe
      C:\ProgramData\MalwareBytes0\rundll32.exe
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      Sets file execution options in registry
      Drops file in System32 directory
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:2276
    - - C:\Windows\SysWOW64\sc.exe
        
        sc.exe config SharedAccess start= disabled
        5⤵
        Launches sc.exe
        
        PID:4700
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe firewall set opmode mode=disable profile=all
        5⤵
        Modifies Windows Firewall
        
        PID:3108
- - C:\ProgramData\MalwareBytes0\rundll32.exe
    C:\ProgramData\MalwareBytes0\rundll32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:3768
  - - C:\ProgramData\MalwareBytes0\rundll32.exe
      C:\ProgramData\MalwareBytes0\rundll32.exe
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      Sets file execution options in registry
      Drops file in System32 directory
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:1496
    - - C:\Windows\SysWOW64\sc.exe
        
        sc.exe config SharedAccess start= disabled
        5⤵
        Launches sc.exe
        
        PID:4708
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe firewall set opmode mode=disable profile=all
        5⤵
        Modifies Windows Firewall
        
        PID:3012
- - C:\ProgramData\MalwareBytes0\rundll32.exe
    C:\ProgramData\MalwareBytes0\rundll32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:1308
  - - C:\ProgramData\MalwareBytes0\rundll32.exe
      C:\ProgramData\MalwareBytes0\rundll32.exe
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      Sets file execution options in registry
      Drops file in System32 directory
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:4140
    - - C:\Windows\SysWOW64\sc.exe
        
        sc.exe config SharedAccess start= disabled
        5⤵
        Launches sc.exe
        
        PID:4364
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe firewall set opmode mode=disable profile=all
        5⤵
        Modifies Windows Firewall
        
        PID:4752
- - C:\ProgramData\MalwareBytes0\rundll32.exe
    C:\ProgramData\MalwareBytes0\rundll32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:1432
  - - C:\ProgramData\MalwareBytes0\rundll32.exe
      C:\ProgramData\MalwareBytes0\rundll32.exe
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      Sets file execution options in registry
      Drops file in System32 directory
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:2484
    - - C:\Windows\SysWOW64\sc.exe
        
        sc.exe config SharedAccess start= disabled
        5⤵
        Launches sc.exe
        
        PID:3944
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe firewall set opmode mode=disable profile=all
        5⤵
        Modifies Windows Firewall
        
        PID:3404
- - C:\ProgramData\MalwareBytes0\rundll32.exe
    C:\ProgramData\MalwareBytes0\rundll32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:3920
  - - C:\ProgramData\MalwareBytes0\rundll32.exe
      C:\ProgramData\MalwareBytes0\rundll32.exe
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      Sets file execution options in registry
      Drops file in System32 directory
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:4376
    - - C:\Windows\SysWOW64\sc.exe
        
        sc.exe config SharedAccess start= disabled
        5⤵
        Launches sc.exe
        
        PID:3624
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe firewall set opmode mode=disable profile=all
        5⤵
        Modifies Windows Firewall
        
        PID:4528
- - C:\ProgramData\MalwareBytes0\rundll32.exe
    C:\ProgramData\MalwareBytes0\rundll32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:3444
  - - C:\ProgramData\MalwareBytes0\rundll32.exe
      C:\ProgramData\MalwareBytes0\rundll32.exe
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      Sets file execution options in registry
      Drops file in System32 directory
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:2576
    - - C:\Windows\SysWOW64\sc.exe
        
        sc.exe config SharedAccess start= disabled
        5⤵
        Launches sc.exe
        
        PID:3644
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe firewall set opmode mode=disable profile=all
        5⤵
        Modifies Windows Firewall
        
        PID:2116
- - C:\ProgramData\MalwareBytes0\rundll32.exe
    C:\ProgramData\MalwareBytes0\rundll32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:3816
  - - C:\ProgramData\MalwareBytes0\rundll32.exe
      C:\ProgramData\MalwareBytes0\rundll32.exe
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      Sets file execution options in registry
      Drops file in System32 directory
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:412
    - - C:\Windows\SysWOW64\sc.exe
        
        sc.exe config SharedAccess start= disabled
        5⤵
        Launches sc.exe
        
        PID:3660
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe firewall set opmode mode=disable profile=all
        5⤵
        Modifies Windows Firewall
        
        PID:4740
- - C:\ProgramData\MalwareBytes0\rundll32.exe
    C:\ProgramData\MalwareBytes0\rundll32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:1312
  - - C:\ProgramData\MalwareBytes0\rundll32.exe
      C:\ProgramData\MalwareBytes0\rundll32.exe
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      Sets file execution options in registry
      Drops file in System32 directory
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:1976
    - - C:\Windows\SysWOW64\sc.exe
        
        sc.exe config SharedAccess start= disabled
        5⤵
        Launches sc.exe
        
        PID:4436
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe firewall set opmode mode=disable profile=all
        5⤵
        Modifies Windows Firewall
        
        PID:3472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
C:\ProgramData\MalwareBytes0\rundll32.exe

Filesize
92KB

MD5
f2e8f8fe0b4d4d734d5304fd6ef16d47

SHA1
c999b38f3c226716e161f8a6b2346d386a6c218b

SHA256
38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

SHA512
a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

Download Submit
memory/412-328-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1308-274-0x0000000000785000-0x000000000078A000-memory.dmp

Filesize
20KB

Download
memory/1308-275-0x0000000000785000-0x000000000078A000-memory.dmp

Filesize
20KB

Download
memory/1432-286-0x0000000000565000-0x000000000056A000-memory.dmp

Filesize
20KB

Download
memory/1432-285-0x0000000000565000-0x000000000056A000-memory.dmp

Filesize
20KB

Download
memory/1496-273-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1904-236-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1904-240-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1904-237-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1976-338-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2204-229-0x0000000000675000-0x000000000067A000-memory.dmp

Filesize
20KB

Download
memory/2204-228-0x0000000000675000-0x000000000067A000-memory.dmp

Filesize
20KB

Download
memory/2212-241-0x00000000007A5000-0x00000000007AA000-memory.dmp

Filesize
20KB

Download
memory/2212-242-0x00000000007A5000-0x00000000007AA000-memory.dmp

Filesize
20KB

Download
memory/2276-262-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2484-295-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2576-316-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3232-253-0x00000000005D5000-0x00000000005DA000-memory.dmp

Filesize
20KB

Download
memory/3232-252-0x00000000005D5000-0x00000000005DA000-memory.dmp

Filesize
20KB

Download
memory/3444-307-0x0000000000565000-0x000000000056A000-memory.dmp

Filesize
20KB

Download
memory/3768-263-0x0000000000725000-0x000000000072A000-memory.dmp

Filesize
20KB

Download
memory/3768-264-0x0000000000725000-0x000000000072A000-memory.dmp

Filesize
20KB

Download
memory/3784-227-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3920-297-0x00000000006D5000-0x00000000006DA000-memory.dmp

Filesize
20KB

Download
memory/3920-296-0x00000000006D5000-0x00000000006DA000-memory.dmp

Filesize
20KB

Download
memory/4008-218-0x0000000000505000-0x000000000050A000-memory.dmp

Filesize
20KB

Download
memory/4008-217-0x0000000000505000-0x000000000050A000-memory.dmp

Filesize
20KB

Download
memory/4024-215-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4140-284-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4280-216-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4376-306-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4676-251-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4796-134-0x0000000000626000-0x000000000062B000-memory.dmp

Filesize
20KB

Download
memory/5080-198-0x00000000005F5000-0x00000000005FA000-memory.dmp

Filesize
20KB

Download
memory/5080-193-0x00000000005F5000-0x00000000005FA000-memory.dmp

Filesize
20KB

Download
memory/5112-140-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5112-138-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5112-136-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5112-139-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5112-164-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download