Analysis
-
max time kernel
1233s -
max time network
1235s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
15-12-2022 23:56
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://ewydrfdndsbrt.shop/index.php?key=116614230752
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
https://ewydrfdndsbrt.shop/index.php?key=116614230752
Resource
win10v2004-20220812-en
General
Malware Config
Signatures
-
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6OB1Q09Y\setup.msi.9x3oryt.partial purplefox_msi C:\Users\Admin\Desktop\setup.msi.70gko6t.partial purplefox_msi -
Stops running service(s) 3 TTPs
-
Loads dropped DLL 7 IoCs
Processes:
MsiExec.exeMsiExec.exepid process 1836 MsiExec.exe 1836 MsiExec.exe 1836 MsiExec.exe 1836 MsiExec.exe 1748 MsiExec.exe 1748 MsiExec.exe 1748 MsiExec.exe -
Modifies file permissions 1 TTPs 6 IoCs
Processes:
takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exepid process 916 takeown.exe 300 takeown.exe 1596 takeown.exe 1216 takeown.exe 1632 takeown.exe 2028 takeown.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\A: msiexec.exe -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Drops file in Windows directory 17 IoCs
Processes:
msiexec.exedescription ioc process File created C:\Windows\Installer\74635a.msi msiexec.exe File created C:\Windows\Installer\746356.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI64AD.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6D78.tmp msiexec.exe File opened for modification C:\Windows\Installer\746358.ipi msiexec.exe File created C:\Windows\dbcode86mk.log msiexec.exe File opened for modification C:\Windows\Installer\74635a.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIEE0F.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIF13B.tmp msiexec.exe File opened for modification C:\Windows\Installer\746356.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI65D7.tmp msiexec.exe File created C:\Windows\Installer\746358.ipi msiexec.exe File created C:\Windows\.xml msiexec.exe File opened for modification C:\Windows\Installer\MSIF1A9.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6664.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6971.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe -
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exepid process 892 sc.exe 1592 sc.exe -
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
Processes:
iexplore.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PhishingFilter iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 900b4387ea10d901 iexplore.exe -
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0ba4661e910d901 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da000000000200000000001066000000010000200000006535365d469a9c0ee6b2e2dc3f3d73a597f9f6d479f4f2aced7f7261e962a9f5000000000e8000000002000020000000a02a5867d4e07f64d58b970e36de393b1f5fc6114d4b13e9ef05fb69a9b7051b900000007178f0f4452ffb2ae1de857ed11cb932959988dfb0dfdd56303f17517b4d04d52f9700aa103edec22960339f46332e08f16ded57dace7882697437a43616175fe184600f1140c1c62d529c73496e7547db4f2be1418b4eaa640926fb195be0f7a24af062484a5b171ac08cff33e557eb0e6492e74b3af7dca80a56fbb6d3d4dd039d0a2344ed630561c138ab98ed2a5240000000eab608d2465bff789683722873d159fb5dcab80fb79802efd7dccaa2ee939da57aa7c61475d6e84ec34c50a93a7c1e1101a77b08f3ef28cb2525fe71d619e223 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{86312351-7CDC-11ED-8AA1-4ADA2A0CA6C6} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377917185" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da00000000020000000000106600000001000020000000eb932a500d8050992ac16f1dbe1fa8b70dad469a2be7b0544125b94e8066ac5a000000000e8000000002000020000000504c899412cd95f1fd6e4be8c28f6fce7ca7c13b3e4a741a9f160493171b2b36200000002c8b99db48f1f6f2e98ccd985c74b1237f89ff9d19925fb761aed5b9ecdf8e13400000006f28dd3346791145ca60c4e3cf74240ba60b3d51763ade70a8ad5366d29fbcf52ebaad3611679d7e465d6fb019ae3c728fda7061d9a10508adae963b6387be76 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe -
Modifies data under HKEY_USERS 43 IoCs
Processes:
netsh.exenetsh.exenetsh.exemsiexec.exepowershell.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exedescription ioc process Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D msiexec.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E msiexec.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 10141c8fea10d901 powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe -
Modifies registry class 48 IoCs
Processes:
iexplore.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\Local Settings iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe230000100090e24d373f126545916439c4925e467b00000000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "2" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000078000000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 iexplore.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
msiexec.exepowershell.exepid process 1920 msiexec.exe 1920 msiexec.exe 1628 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
iexplore.exepid process 936 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exepowercfg.exepowershell.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exemsiexec.exedescription pid process Token: SeShutdownPrivilege 1112 msiexec.exe Token: SeIncreaseQuotaPrivilege 1112 msiexec.exe Token: SeRestorePrivilege 1920 msiexec.exe Token: SeTakeOwnershipPrivilege 1920 msiexec.exe Token: SeSecurityPrivilege 1920 msiexec.exe Token: SeCreateTokenPrivilege 1112 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1112 msiexec.exe Token: SeLockMemoryPrivilege 1112 msiexec.exe Token: SeIncreaseQuotaPrivilege 1112 msiexec.exe Token: SeMachineAccountPrivilege 1112 msiexec.exe Token: SeTcbPrivilege 1112 msiexec.exe Token: SeSecurityPrivilege 1112 msiexec.exe Token: SeTakeOwnershipPrivilege 1112 msiexec.exe Token: SeLoadDriverPrivilege 1112 msiexec.exe Token: SeSystemProfilePrivilege 1112 msiexec.exe Token: SeSystemtimePrivilege 1112 msiexec.exe Token: SeProfSingleProcessPrivilege 1112 msiexec.exe Token: SeIncBasePriorityPrivilege 1112 msiexec.exe Token: SeCreatePagefilePrivilege 1112 msiexec.exe Token: SeCreatePermanentPrivilege 1112 msiexec.exe Token: SeBackupPrivilege 1112 msiexec.exe Token: SeRestorePrivilege 1112 msiexec.exe Token: SeShutdownPrivilege 1112 msiexec.exe Token: SeDebugPrivilege 1112 msiexec.exe Token: SeAuditPrivilege 1112 msiexec.exe Token: SeSystemEnvironmentPrivilege 1112 msiexec.exe Token: SeChangeNotifyPrivilege 1112 msiexec.exe Token: SeRemoteShutdownPrivilege 1112 msiexec.exe Token: SeUndockPrivilege 1112 msiexec.exe Token: SeSyncAgentPrivilege 1112 msiexec.exe Token: SeEnableDelegationPrivilege 1112 msiexec.exe Token: SeManageVolumePrivilege 1112 msiexec.exe Token: SeImpersonatePrivilege 1112 msiexec.exe Token: SeCreateGlobalPrivilege 1112 msiexec.exe Token: SeRestorePrivilege 1920 msiexec.exe Token: SeTakeOwnershipPrivilege 1920 msiexec.exe Token: SeRestorePrivilege 1920 msiexec.exe Token: SeTakeOwnershipPrivilege 1920 msiexec.exe Token: SeRestorePrivilege 1920 msiexec.exe Token: SeTakeOwnershipPrivilege 1920 msiexec.exe Token: SeRestorePrivilege 1920 msiexec.exe Token: SeTakeOwnershipPrivilege 1920 msiexec.exe Token: SeRestorePrivilege 1920 msiexec.exe Token: SeTakeOwnershipPrivilege 1920 msiexec.exe Token: SeRestorePrivilege 1920 msiexec.exe Token: SeTakeOwnershipPrivilege 1920 msiexec.exe Token: SeRestorePrivilege 1920 msiexec.exe Token: SeTakeOwnershipPrivilege 1920 msiexec.exe Token: SeShutdownPrivilege 1744 powercfg.exe Token: SeDebugPrivilege 1628 powershell.exe Token: SeTakeOwnershipPrivilege 916 takeown.exe Token: SeTakeOwnershipPrivilege 300 takeown.exe Token: SeTakeOwnershipPrivilege 1596 takeown.exe Token: SeTakeOwnershipPrivilege 1216 takeown.exe Token: SeTakeOwnershipPrivilege 1632 takeown.exe Token: SeTakeOwnershipPrivilege 2028 takeown.exe Token: SeRestorePrivilege 1920 msiexec.exe Token: SeTakeOwnershipPrivilege 1920 msiexec.exe Token: SeRestorePrivilege 1920 msiexec.exe Token: SeTakeOwnershipPrivilege 1920 msiexec.exe Token: SeShutdownPrivilege 1688 msiexec.exe Token: SeIncreaseQuotaPrivilege 1688 msiexec.exe Token: SeCreateTokenPrivilege 1688 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1688 msiexec.exe -
Suspicious use of FindShellTrayWindow 7 IoCs
Processes:
iexplore.exemsiexec.exemsiexec.exepid process 936 iexplore.exe 936 iexplore.exe 1112 msiexec.exe 1112 msiexec.exe 936 iexplore.exe 1688 msiexec.exe 1688 msiexec.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 936 iexplore.exe 936 iexplore.exe 1652 IEXPLORE.EXE 1652 IEXPLORE.EXE 1652 IEXPLORE.EXE 1652 IEXPLORE.EXE 936 iexplore.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
iexplore.exemsiexec.exeMsiExec.exedescription pid process target process PID 936 wrote to memory of 1652 936 iexplore.exe IEXPLORE.EXE PID 936 wrote to memory of 1652 936 iexplore.exe IEXPLORE.EXE PID 936 wrote to memory of 1652 936 iexplore.exe IEXPLORE.EXE PID 936 wrote to memory of 1652 936 iexplore.exe IEXPLORE.EXE PID 936 wrote to memory of 1112 936 iexplore.exe msiexec.exe PID 936 wrote to memory of 1112 936 iexplore.exe msiexec.exe PID 936 wrote to memory of 1112 936 iexplore.exe msiexec.exe PID 936 wrote to memory of 1112 936 iexplore.exe msiexec.exe PID 936 wrote to memory of 1112 936 iexplore.exe msiexec.exe PID 1920 wrote to memory of 1836 1920 msiexec.exe MsiExec.exe PID 1920 wrote to memory of 1836 1920 msiexec.exe MsiExec.exe PID 1920 wrote to memory of 1836 1920 msiexec.exe MsiExec.exe PID 1920 wrote to memory of 1836 1920 msiexec.exe MsiExec.exe PID 1920 wrote to memory of 1836 1920 msiexec.exe MsiExec.exe PID 1920 wrote to memory of 1836 1920 msiexec.exe MsiExec.exe PID 1920 wrote to memory of 1836 1920 msiexec.exe MsiExec.exe PID 1920 wrote to memory of 1840 1920 msiexec.exe MsiExec.exe PID 1920 wrote to memory of 1840 1920 msiexec.exe MsiExec.exe PID 1920 wrote to memory of 1840 1920 msiexec.exe MsiExec.exe PID 1920 wrote to memory of 1840 1920 msiexec.exe MsiExec.exe PID 1920 wrote to memory of 1840 1920 msiexec.exe MsiExec.exe PID 1920 wrote to memory of 1840 1920 msiexec.exe MsiExec.exe PID 1920 wrote to memory of 1840 1920 msiexec.exe MsiExec.exe PID 1840 wrote to memory of 1744 1840 MsiExec.exe powercfg.exe PID 1840 wrote to memory of 1744 1840 MsiExec.exe powercfg.exe PID 1840 wrote to memory of 1744 1840 MsiExec.exe powercfg.exe PID 1840 wrote to memory of 1744 1840 MsiExec.exe powercfg.exe PID 1840 wrote to memory of 1628 1840 MsiExec.exe powershell.exe PID 1840 wrote to memory of 1628 1840 MsiExec.exe powershell.exe PID 1840 wrote to memory of 1628 1840 MsiExec.exe powershell.exe PID 1840 wrote to memory of 1628 1840 MsiExec.exe powershell.exe PID 1840 wrote to memory of 1596 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 1596 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 1596 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 1596 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 816 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 816 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 816 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 816 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 680 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 680 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 680 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 680 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 1732 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 1732 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 1732 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 1732 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 916 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 916 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 916 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 916 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 1832 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 1832 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 1832 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 1832 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 1456 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 1456 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 1456 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 1456 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 1988 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 1988 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 1988 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 1988 1840 MsiExec.exe netsh.exe PID 1840 wrote to memory of 1744 1840 MsiExec.exe netsh.exe
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://ewydrfdndsbrt.shop/index.php?key=1166142307521⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:936 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6OB1Q09Y\setup.msi"2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 27007186DB5CD9E9A756B690470322C42⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding BAC171C03138B2B0DCDF812D5EFEF1E9 M Global\MSI00002⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\powercfg.exe"C:\Windows\SysWOW64\powercfg.exe" /S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 900; Restart-Computer -Force3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter13⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion13⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\jscript.dll3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\jscript.dll /E /P everyone:N3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\jscript.dll3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\jscript.dll /E /P everyone:N3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\cscript.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\cscript.exe /E /P everyone:N3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\cscript.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\cscript.exe /E /P everyone:N3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /E /P everyone:N3⤵
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe /E /P everyone:N3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\SysWOW64\reg.exe" delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /va /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\SysWOW64\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /va /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\SysWOW64\reg.exe" delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg /f3⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\SysWOW64\sc.exe" stop wmiApSrv3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\SysWOW64\sc.exe" config wmiApSrv start=disabled3⤵
- Launches sc.exe
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 57DCAE24916E0E4DFCC2DEA354ABCBA42⤵
- Loads dropped DLL
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\setup.msi"1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
61KB
MD5fc4666cbca561e864e7fdf883a9e6661
SHA12f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA25610f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5b506b0d0b7d5bb05be39218f968c9f05
SHA1643ba1424efe7d4f44356b4a6eb97969d96c1359
SHA256873df7c15f470fca4bf0ad9f8c5fee83fc8aff99a17654be1a5a0f8682c6073e
SHA512d372aacbf87cd440fe09d40b0b8977758caec5956347f8247225b9e92192db98b88c375fd818afd086a1182cf29b9c4d72f0e6a3dd6e8ffbf54caada0bd976e8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6OB1Q09Y\setup.msi.9x3oryt.partialFilesize
2.6MB
MD5d91538e829a8e1feff26dcff206d789f
SHA16805d13d073a833281c59a4e45dd641e123e97d1
SHA256eb73b66feb56a939b7a6ecedfa899712321de9ad1314fa72eb8684d2e856d454
SHA512d96850daf1df68d3dc11020e3c5d6dc49cd7847f66125e4e58314e89a00f5a13e26944a744592e6fa24f17a0bf8261428d47770dc5479c6f747b4b86799f5bb1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ABQ2YISK.txtFilesize
608B
MD5ad7564ad1a37dc95a470e0cccde6445a
SHA15abdcae446b3dcfaad08f43844df5cb5ab8dd258
SHA256d04df3fa65fc66ff7f9168a97ab8c7a2a331d306e1f78e72913e0560b9d5c62e
SHA512add352b94a584cb632f3bb242d51022e8369474c87eb938f5027e2a8f921cc3e5658e6b9a020bba8af25e8da48a343d9a3b655ce4e9a2b43af590886ee5e74ac
-
C:\Users\Admin\Desktop\setup.msi.70gko6t.partialFilesize
2.6MB
MD5d91538e829a8e1feff26dcff206d789f
SHA16805d13d073a833281c59a4e45dd641e123e97d1
SHA256eb73b66feb56a939b7a6ecedfa899712321de9ad1314fa72eb8684d2e856d454
SHA512d96850daf1df68d3dc11020e3c5d6dc49cd7847f66125e4e58314e89a00f5a13e26944a744592e6fa24f17a0bf8261428d47770dc5479c6f747b4b86799f5bb1
-
C:\Windows\Installer\MSI64AD.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
C:\Windows\Installer\MSI65D7.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
C:\Windows\Installer\MSI6664.tmpFilesize
537KB
MD5d7ec04b009302b83da506b9c63ca775c
SHA16fa9ea09b71531754b4cd05814a91032229834c0
SHA25600c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4
SHA512171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c
-
C:\Windows\Installer\MSI6971.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
C:\Windows\Installer\MSIEE0F.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
C:\Windows\Installer\MSIF13B.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
C:\Windows\Installer\MSIF1A9.tmpFilesize
537KB
MD5d7ec04b009302b83da506b9c63ca775c
SHA16fa9ea09b71531754b4cd05814a91032229834c0
SHA25600c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4
SHA512171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c
-
\Windows\Installer\MSI64AD.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
\Windows\Installer\MSI65D7.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
\Windows\Installer\MSI6664.tmpFilesize
537KB
MD5d7ec04b009302b83da506b9c63ca775c
SHA16fa9ea09b71531754b4cd05814a91032229834c0
SHA25600c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4
SHA512171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c
-
\Windows\Installer\MSI6971.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
\Windows\Installer\MSIEE0F.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
\Windows\Installer\MSIF13B.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
\Windows\Installer\MSIF1A9.tmpFilesize
537KB
MD5d7ec04b009302b83da506b9c63ca775c
SHA16fa9ea09b71531754b4cd05814a91032229834c0
SHA25600c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4
SHA512171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c
-
memory/108-96-0x0000000000000000-mapping.dmp
-
memory/300-124-0x0000000000000000-mapping.dmp
-
memory/680-82-0x0000000000000000-mapping.dmp
-
memory/680-100-0x0000000000000000-mapping.dmp
-
memory/812-136-0x0000000000000000-mapping.dmp
-
memory/816-79-0x0000000000000000-mapping.dmp
-
memory/816-98-0x0000000000000000-mapping.dmp
-
memory/892-137-0x0000000000000000-mapping.dmp
-
memory/916-104-0x0000000000000000-mapping.dmp
-
memory/916-122-0x0000000000000000-mapping.dmp
-
memory/916-86-0x0000000000000000-mapping.dmp
-
memory/956-135-0x0000000000000000-mapping.dmp
-
memory/1112-59-0x000007FEFC201000-0x000007FEFC203000-memory.dmpFilesize
8KB
-
memory/1112-58-0x0000000000000000-mapping.dmp
-
memory/1140-129-0x0000000000000000-mapping.dmp
-
memory/1216-128-0x0000000000000000-mapping.dmp
-
memory/1456-116-0x0000000000000000-mapping.dmp
-
memory/1456-90-0x0000000000000000-mapping.dmp
-
memory/1460-112-0x0000000000000000-mapping.dmp
-
memory/1480-108-0x0000000000000000-mapping.dmp
-
memory/1532-125-0x0000000000000000-mapping.dmp
-
memory/1592-138-0x0000000000000000-mapping.dmp
-
memory/1596-110-0x0000000000000000-mapping.dmp
-
memory/1596-76-0x0000000000000000-mapping.dmp
-
memory/1596-126-0x0000000000000000-mapping.dmp
-
memory/1612-133-0x0000000000000000-mapping.dmp
-
memory/1628-139-0x0000000070D30000-0x00000000712DB000-memory.dmpFilesize
5.7MB
-
memory/1628-74-0x0000000000000000-mapping.dmp
-
memory/1628-80-0x0000000070D30000-0x00000000712DB000-memory.dmpFilesize
5.7MB
-
memory/1632-130-0x0000000000000000-mapping.dmp
-
memory/1712-127-0x0000000000000000-mapping.dmp
-
memory/1732-84-0x0000000000000000-mapping.dmp
-
memory/1732-102-0x0000000000000000-mapping.dmp
-
memory/1740-131-0x0000000000000000-mapping.dmp
-
memory/1744-120-0x0000000000000000-mapping.dmp
-
memory/1744-73-0x0000000000000000-mapping.dmp
-
memory/1744-94-0x0000000000000000-mapping.dmp
-
memory/1748-106-0x0000000000000000-mapping.dmp
-
memory/1748-142-0x0000000000000000-mapping.dmp
-
memory/1756-123-0x0000000000000000-mapping.dmp
-
memory/1832-114-0x0000000000000000-mapping.dmp
-
memory/1832-88-0x0000000000000000-mapping.dmp
-
memory/1836-62-0x0000000075DF1000-0x0000000075DF3000-memory.dmpFilesize
8KB
-
memory/1836-61-0x0000000000000000-mapping.dmp
-
memory/1840-71-0x0000000000000000-mapping.dmp
-
memory/1988-118-0x0000000000000000-mapping.dmp
-
memory/1988-92-0x0000000000000000-mapping.dmp
-
memory/2028-132-0x0000000000000000-mapping.dmp
-
memory/2040-134-0x0000000000000000-mapping.dmp