Analysis
max time kernel: 159s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-07-2023 06:28
Static task: static1
Behavioral task: behavioral1
Sample: ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c.exe
Resource: win10v2004-20230703-en
General
Target: ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c.exe
Size: 374KB
MD5: dc80d05184fe7f0757caefa3d0c96682
SHA1: ad89006d5c3938c544d3c6ee648f2fc25eeac556
SHA256: ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c
SHA512: ba9903e233f9ce70181597b741eeb16fcae0f318b67aff225b4ae37e67df73e30bc7dd8707081c9f6154ea9b05f7b8f840daec6d72efad4d780f6be94eba8071
SSDEEP: 6144:eLw4/9ZyRhBb1Z4HAp+KcvsWxTrwc/ysETGdpxLt4cCt:es+yLBKAp+rnwcEAD54j
Malware Config
Extracted: systembc
  adstat477d.xyz:4044
  demstat577d.xyz:4044
Extracted: smokeloader 2022
  http://serverxlogs21.xyz/statweb255/
  http://servxblog79.xyz/statweb255/
  http://demblog289.xyz/statweb255/
  http://admlogs77x.online/statweb255/
  http://blogxstat38.xyz/statweb255/
  http://blogxstat25.xyz/statweb255/
Extracted: C:\info.hta
Extracted: C:\users\public\desktop\info.hta
Signatures

Detect rhadamanthys stealer shellcode (6 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/4976-139-0x0000000002440000-0x0000000002840000-memory.dmp | family_rhadamanthys
  behavioral1/memory/4976-140-0x0000000002440000-0x0000000002840000-memory.dmp | family_rhadamanthys
  behavioral1/memory/4976-141-0x0000000002440000-0x0000000002840000-memory.dmp | family_rhadamanthys
  behavioral1/memory/4976-142-0x0000000002440000-0x0000000002840000-memory.dmp | family_rhadamanthys
  behavioral1/memory/4976-154-0x0000000002440000-0x0000000002840000-memory.dmp | family_rhadamanthys
  behavioral1/memory/4976-157-0x0000000002440000-0x0000000002840000-memory.dmp | family_rhadamanthys

Phobos
Phobos ransomware appeared at the beginning of 2019.

Rhadamanthys
Rhadamanthys is an info stealer written in C++, first seen in August 2022.

SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
  description | pid | process | target process
  PID 4976 created 768 | 4976 | ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c.exe | Explorer.EXE

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 4 IoCs)
Processes:
  pid | process
  1688 | bcdedit.exe
  1868 | bcdedit.exe
  752 | bcdedit.exe
  3828 | bcdedit.exe

Renames multiple (475) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Processes:
  pid | process
  268 | wbadmin.exe
  1236 | wbadmin.exe

Downloads MZ/PE file

Modifies Windows Firewall (1 TTP, 2 IoCs)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation | 81}9pBfy8T.exe

Drops startup file (3 IoCs)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[3DFD8301-3483].[[email protected]].8base | 81}9pBfy8T.exe
  File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\81}9pBfy8T.exe | 81}9pBfy8T.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | 81}9pBfy8T.exe

Executes dropped EXE (7 IoCs)
Processes:
  pid | process
  1664 | 81}9pBfy8T.exe
  3572 | Pi)pp[Y.exe
  2520 | `s6.exe
  5108 | 81}9pBfy8T.exe
  2392 | `s6.exe
  544 | E0C6.exe
  3780 | gwduwui

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 9 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
  Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
  Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | certreq.exe
  Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | certreq.exe
  Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | certreq.exe
  Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | certreq.exe
  Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | certreq.exe
  Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | certreq.exe
  Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\81}9pBfy8T = "C:\\Users\\Admin\\AppData\\Local\\81}9pBfy8T.exe" | 81}9pBfy8T.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\81}9pBfy8T = "C:\\Users\\Admin\\AppData\\Local\\81}9pBfy8T.exe" | 81}9pBfy8T.exe
Drops desktop.ini file(s) (64 IoCs)
Processes: 81}9pBfy8T.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 2520 set thread context of 2392 | 2520 | `s6.exe | `s6.exe
Drops file in Program Files directory (64 IoCs)
Processes: 81}9pBfy8T.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (3 IoCs)
Processes:
  pid | pid_target | process | target process
  4116 | 4976 | WerFault.exe | ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c.exe
  516 | 5108 | WerFault.exe | 81}9pBfy8T.exe
  4588 | 544 | WerFault.exe | E0C6.exe

Checks SCSI registry key(s) (3 TTPs, 7 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | `s6.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | `s6.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | `s6.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | certreq.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | certreq.exe

Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid | process
  3484 | vssadmin.exe
  4968 | vssadmin.exe

Modifies registry class (3 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
  Key created | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
  Key created | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings | 81}9pBfy8T.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (distinct pid/process pairs; the report lists one row per hit):
  pid | process
  4976 | ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c.exe
  388 | certreq.exe
  2392 | `s6.exe
  1664 | 81}9pBfy8T.exe
  768 | Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid | process
  768 | Explorer.EXE

Suspicious behavior: MapViewOfSection (31 IoCs)
Processes (distinct pid/process pairs; the report lists one row per hit):
  pid | process
  2392 | `s6.exe
  768 | Explorer.EXE
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 81}9pBfy8T.exe, vssvc.exe, Explorer.EXE, WMIC.exe, wbengine.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (distinct source/target pairs; the report lists one row per write):
  pid | process | target pid | target process
  4976 | ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c.exe | 388 | certreq.exe
  2520 | `s6.exe | 2392 | `s6.exe
  1664 | 81}9pBfy8T.exe | 4148 | cmd.exe
  1664 | 81}9pBfy8T.exe | 3884 | cmd.exe
  3884 | cmd.exe | 1052 | netsh.exe
  3884 | cmd.exe | 2936 | netsh.exe
  4148 | cmd.exe | 3484 | vssadmin.exe
  4148 | cmd.exe | 2740 | WMIC.exe
  4148 | cmd.exe | 1688 | bcdedit.exe
  4148 | cmd.exe | 1868 | bcdedit.exe
  4148 | cmd.exe | 268 | wbadmin.exe
  768 | Explorer.EXE | 544 | E0C6.exe
  768 | Explorer.EXE | 1828 | explorer.exe
  768 | Explorer.EXE | 3764 | explorer.exe
  768 | Explorer.EXE | 1960 | explorer.exe
  768 | Explorer.EXE | 3796 | explorer.exe
  768 | Explorer.EXE | 3368 | explorer.exe
  768 | Explorer.EXE | 280 | explorer.exe
  768 | Explorer.EXE | 4272 | explorer.exe
  768 | Explorer.EXE | 2388 | explorer.exe
  768 | Explorer.EXE | 872 | explorer.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
Processes: explorer.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
-
outlook_win_path 1 IoCs
Processes: explorer.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Processes (indented by process-tree level; level 1 is a top-level process, level 2 a child of the entry above it, level 3 a grandchild)
-
C:\Users\Admin\AppData\Local\Temp\ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4976
  C:\Windows\SysWOW64\WerFault.exe (level 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 944
    - Program crash
    PID:4116
-
C:\Windows\Explorer.EXE (level 1)
  Command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:768
  C:\Windows\system32\certreq.exe (level 2)
    Command line: "C:\Windows\system32\certreq.exe"
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:388
  C:\Users\Admin\AppData\Local\Temp\E0C6.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\E0C6.exe
    - Executes dropped EXE
    PID:544
    C:\Windows\SysWOW64\WerFault.exe (level 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 492
      - Program crash
      PID:4588
  C:\Windows\SysWOW64\explorer.exe (level 2)
    Command line: C:\Windows\SysWOW64\explorer.exe
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1828
  C:\Windows\explorer.exe (level 2)
    Command line: C:\Windows\explorer.exe
    PID:3764
  C:\Windows\SysWOW64\explorer.exe (level 2)
    Command line: C:\Windows\SysWOW64\explorer.exe
    PID:1960
  C:\Windows\SysWOW64\explorer.exe (level 2)
    Command line: C:\Windows\SysWOW64\explorer.exe
    PID:3796
  C:\Windows\SysWOW64\explorer.exe (level 2)
    Command line: C:\Windows\SysWOW64\explorer.exe
    PID:3368
  C:\Windows\explorer.exe (level 2)
    Command line: C:\Windows\explorer.exe
    PID:280
  C:\Windows\SysWOW64\explorer.exe (level 2)
    Command line: C:\Windows\SysWOW64\explorer.exe
    PID:4272
  C:\Windows\explorer.exe (level 2)
    Command line: C:\Windows\explorer.exe
    PID:2388
  C:\Windows\SysWOW64\explorer.exe (level 2)
    Command line: C:\Windows\SysWOW64\explorer.exe
    PID:872
  C:\Windows\explorer.exe (level 2)
    Command line: C:\Windows\explorer.exe
    PID:3216
  C:\Windows\SysWOW64\explorer.exe (level 2)
    Command line: C:\Windows\SysWOW64\explorer.exe
    PID:2720
  C:\Windows\SysWOW64\explorer.exe (level 2)
    Command line: C:\Windows\SysWOW64\explorer.exe
    PID:2784
  C:\Windows\SysWOW64\explorer.exe (level 2)
    Command line: C:\Windows\SysWOW64\explorer.exe
    PID:3892
  C:\Windows\explorer.exe (level 2)
    Command line: C:\Windows\explorer.exe
    PID:316
  C:\Windows\SysWOW64\explorer.exe (level 2)
    Command line: C:\Windows\SysWOW64\explorer.exe
    PID:3896
-
C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4976 -ip 4976
  PID:5028
-
C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe"
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1664
  C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe"
    - Executes dropped EXE
    PID:5108
    C:\Windows\SysWOW64\WerFault.exe (level 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 188
      - Program crash
      PID:516
  C:\Windows\system32\cmd.exe (level 2)
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    PID:3884
    C:\Windows\system32\netsh.exe (level 3)
      Command line: netsh advfirewall set currentprofile state off
      - Modifies Windows Firewall
      PID:1052
    C:\Windows\system32\netsh.exe (level 3)
      Command line: netsh firewall set opmode mode=disable
      - Modifies Windows Firewall
      PID:2936
  C:\Windows\system32\cmd.exe (level 2)
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    PID:4148
    C:\Windows\system32\vssadmin.exe (level 3)
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
      PID:3484
    C:\Windows\System32\Wbem\WMIC.exe (level 3)
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
      PID:2740
    C:\Windows\system32\bcdedit.exe (level 3)
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
      PID:1688
    C:\Windows\system32\bcdedit.exe (level 3)
      Command line: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
      PID:1868
    C:\Windows\system32\wbadmin.exe (level 3)
      Command line: wbadmin delete catalog -quiet
      - Deletes backup catalog
      PID:268
  C:\Windows\SysWOW64\mshta.exe (level 2)
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    PID:2596
  C:\Windows\SysWOW64\mshta.exe (level 2)
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    PID:2500
  C:\Windows\SysWOW64\mshta.exe (level 2)
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    PID:2860
  C:\Windows\SysWOW64\mshta.exe (level 2)
    Command line: "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    PID:3856
  C:\Windows\system32\cmd.exe (level 2)
    Command line: "C:\Windows\system32\cmd.exe"
    PID:184
    C:\Windows\system32\vssadmin.exe (level 3)
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
      PID:4968
    C:\Windows\System32\Wbem\WMIC.exe (level 3)
      Command line: wmic shadowcopy delete
      PID:912
    C:\Windows\system32\bcdedit.exe (level 3)
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
      PID:752
    C:\Windows\system32\bcdedit.exe (level 3)
      Command line: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
      PID:3828
    C:\Windows\system32\wbadmin.exe (level 3)
      Command line: wbadmin delete catalog -quiet
      - Deletes backup catalog
      PID:1236
-
C:\Users\Admin\AppData\Local\Microsoft\Pi)pp[Y.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Microsoft\Pi)pp[Y.exe"
  - Executes dropped EXE
  PID:3572
-
C:\Users\Admin\AppData\Local\Microsoft\`s6.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Microsoft\`s6.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2520
  C:\Users\Admin\AppData\Local\Microsoft\`s6.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Microsoft\`s6.exe"
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2392
-
C:\Windows\system32\vssvc.exe (level 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:4576
-
C:\Windows\system32\wbengine.exe (level 1)
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID:3208
-
C:\Windows\System32\vdsldr.exe (level 1)
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID:1960
-
C:\Windows\System32\vds.exe (level 1)
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
  PID:3468
-
C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5108 -ip 5108
  PID:4224
-
C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 544 -ip 544
  PID:3920
-
C:\Users\Admin\AppData\Roaming\gwduwui (level 1)
  Command line: C:\Users\Admin\AppData\Roaming\gwduwui
  - Executes dropped EXE
  PID:3780
Network
MITRE ATT&CK Enterprise v6
Downloads