Analysis
max time kernel: 202s
max time network: 1439s
platform: windows11-21h2_x64
resource: win11-20231222-en
resource tags: arch:x64, arch:x86, image:win11-20231222-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 31-12-2023 02:29
Behavioral task: behavioral1
Sample: c7a2d4deab33d14c5c0df61413662f9c025a289c61378a0cd660d0daf521a0ce.exe
Resource: win11-20231222-en
General
Target: c7a2d4deab33d14c5c0df61413662f9c025a289c61378a0cd660d0daf521a0ce.exe
Size: 37KB
MD5: c921001283ef83c22480a86838160329
SHA1: 015b62dc84aac30eadf2228fcc978d7a8adb2950
SHA256: c7a2d4deab33d14c5c0df61413662f9c025a289c61378a0cd660d0daf521a0ce
SHA512: e7967f21f62261fc8fff068e284cebc15bbe2bd3fa02c6b9379c711313c7a1599bf5cb733a9d3342453e6dc16ace411c1cd3dfb6d1028ab4db681b70a70c79b7
SSDEEP: 768:3E45SLnQpEhOB/hAGflc5xOXhr7gvexzv36:3E4EqEhOPNfqStgvexzv3
Malware Config
Extracted: smokeloader, 2022, http://185.215.113.68/fks/index.php
Extracted: smokeloader, up3
Extracted: redline, LiveTrafic, 20.79.30.95:13856
Extracted: stealc, http://185.172.128.79, url_path /3886d2276f6914c4.php
Extracted: smokeloader, 2020, http://host-file-host6.com/, http://host-host-file8.com/
Extracted: redline, 777, 195.20.16.103:20440
Signatures
Glupteba payload 5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/3820-198-0x0000000002FA0000-0x000000000388B000-memory.dmp | family_glupteba
behavioral1/memory/3820-215-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/3820-367-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/2508-475-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/4968-635-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
Modifies firewall policy service 2 TTPs 28 IoCs
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1540-111-0x0000000000400000-0x0000000000452000-memory.dmp | family_redline
behavioral1/memory/1512-599-0x0000000000400000-0x0000000000452000-memory.dmp | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
Enumerates VirtualBox registry keys 2 TTPs 64 IoCs
Downloads MZ/PE file
Looks for VMWare services registry key. 1 TTPs 6 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware | nsc23B3.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware | MsBuild.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware | tuc4.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware | datapumpcrt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware | BroomSetup.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
Sets file execution options in registry 2 TTPs 17 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "efshujp.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "mzcygzqm.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "msmrqnxz.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "ihtf.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "fhjl.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "qpmjekobnu.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\7539eowkm.exe\DisableExceptionChainValidation | 83C4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "metdm.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "csgc.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\7539eowkm.exe | 83C4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | explorer.exe
Checks BIOS information in registry 2 TTPs 7 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Deletes itself 1 IoCs
Processes:
pid | process
3120 |
Executes dropped EXE 29 IoCs
Processes:
pid | process
2196 | F9C1.exe
3788 | 7539eowkm.exe
1516 | InstallSetup8.exe
3592 | toolspub2.exe
3820 | 31839b57a4f11171d6abc8bbc4451ee4.exe
2180 | 16F0.exe
3876 | BroomSetup.exe
3640 | tuc4.exe
4268 | toolspub2.exe
2428 | tuc4.tmp
2292 | etopt.exe
4852 | nsc23B3.tmp.exe
2508 | 31839b57a4f11171d6abc8bbc4451ee4.exe
1588 | datapumpcrt.exe
4040 | datapumpcrt.exe
4968 | csrss.exe
4820 | injector.exe
2548 | 83C4.exe
2232 | 8A0F.exe
2592 | WindowsUpdater.exe
2868 | 7539eowkm.exe
3468 | windefender.exe
2280 | windefender.exe
3788 | 7539eowkm.exe
4124 | 7539eowkm.exe
3448 | 7539eowkm.exe
1176 | 7539eowkm.exe
4204 | 7539eowkm.exe
1080 | 7539eowkm.exe
Loads dropped DLL 13 IoCs
Processes:
pid | process
1516 | InstallSetup8.exe
2428 | tuc4.tmp
2428 | tuc4.tmp
2428 | tuc4.tmp
1516 | InstallSetup8.exe
2292 | etopt.exe
2292 | etopt.exe
1516 | InstallSetup8.exe
2196 | F9C1.exe
2592 | WindowsUpdater.exe
2592 | WindowsUpdater.exe
4852 | nsc23B3.tmp.exe
4852 | nsc23B3.tmp.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Registers COM server for autorun 1 TTPs 11 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000_Classes\CLSID\{2EFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D}\InProcServer32 | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D}\InProcServer32\ = "C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\ShellSysMenu.dll" | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D}\InProcServer32\ThreadingModel = "Apartment" | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D}\InProcServer32\ = "C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\ShellSysMenu.dll" | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D}\InProcServer32\ThreadingModel = "Apartment" | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D}\InProcServer32\ = "C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\ShellSysMenu.dll" | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D}\InProcServer32\ThreadingModel = "Apartment" | etopt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D}\InProcServer32 | etopt.exe
Key created | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000_Classes\CLSID\{1FFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D}\InProcServer32 | etopt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D}\InProcServer32 | etopt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D}\InProcServer32 | etopt.exe
Processes:
resource | yara_rule
C:\Windows\windefender.exe | upx
C:\Windows\windefender.exe | upx
C:\Windows\windefender.exe | upx
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 17 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\7539eowkm.exe\"" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\7539eowkm.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\7539eowkm.exe\"" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\7539eowkm.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\7539eowkm.exe\"" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\7539eowkm.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\7539eowkm.exe\"" | BroomSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\7539eowkm.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\7539eowkm.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\7539eowkm.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\7539eowkm.exe\"" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\7539eowkm.exe\"" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\7539eowkm.exe\"" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\7539eowkm.exe\"" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\7539eowkm.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegAsm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7539eowkm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | nsc23B3.tmp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7539eowkm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7539eowkm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 83C4.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tuc4.tmp
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7539eowkm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7539eowkm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | BroomSetup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | datapumpcrt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7539eowkm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7539eowkm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
Processes:
description | ioc | process
File opened for modification | \??\WinMonFS | csrss.exe
Maps connected drives based on registry 3 TTPs 12 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | BroomSetup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | RegAsm.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | RegAsm.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | nsc23B3.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | tuc4.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | datapumpcrt.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | datapumpcrt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | BroomSetup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | nsc23B3.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | MsBuild.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | MsBuild.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | tuc4.tmp
Drops file in System32 directory 7 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | schtasks.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | schtasks.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 3592 set thread context of 4268 | 3592 | toolspub2.exe | toolspub2.exe
PID 2180 set thread context of 1540 | 2180 | 16F0.exe | RegAsm.exe
PID 2196 set thread context of 1512 | 2196 | F9C1.exe | MsBuild.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
description | ioc | process
File opened (read-only) | \??\VBoxMiniRdrDN | 31839b57a4f11171d6abc8bbc4451ee4.exe
Drops file in Program Files directory 61 IoCs
Drops file in Windows directory 4 IoCs
Processes: 31839b57a4f11171d6abc8bbc4451ee4.exe, csrss.exe
description | ioc | process
File opened for modification | C:\Windows\rss | 31839b57a4f11171d6abc8bbc4451ee4.exe
File created | C:\Windows\rss\csrss.exe | 31839b57a4f11171d6abc8bbc4451ee4.exe
File created | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\windefender.exe | csrss.exe
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe
pid | process
2512 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 13 IoCs
Processes: WerFault.exe (13 instances)
pid | pid_target | process | target process
2368 | 4268 | WerFault.exe | toolspub2.exe
3856 | 2292 | WerFault.exe | etopt.exe
1372 | 4660 | WerFault.exe | explorer.exe
3596 | 3196 | WerFault.exe | explorer.exe
4816 | 1516 | WerFault.exe | InstallSetup8.exe
4724 | 3640 | WerFault.exe | tuc4.exe
1200 | 2524 | WerFault.exe | explorer.exe
1536 | 2028 | WerFault.exe | explorer.exe
2760 | 4088 | WerFault.exe | explorer.exe
4228 | 4244 | WerFault.exe | explorer.exe
3040 | 3196 | WerFault.exe | explorer.exe
4232 | 3900 | WerFault.exe | explorer.exe
432 | 4852 | WerFault.exe | nsc23B3.tmp.exe
-
NSIS installer 12 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\etopt.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\etopt.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\etopt.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\etopt.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\8A0F.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\8A0F.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe | nsis_installer_2
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: toolspub2.exe, c7a2d4deab33d14c5c0df61413662f9c025a289c61378a0cd660d0daf521a0ce.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c7a2d4deab33d14c5c0df61413662f9c025a289c61378a0cd660d0daf521a0ce.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c7a2d4deab33d14c5c0df61413662f9c025a289c61378a0cd660d0daf521a0ce.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c7a2d4deab33d14c5c0df61413662f9c025a289c61378a0cd660d0daf521a0ce.exe
-
Checks processor information in registry 2 TTPs 32 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: nsc23B3.tmp.exe, 7539eowkm.exe, explorer.exe, explorer.exe, explorer.exe, 7539eowkm.exe, 7539eowkm.exe, 7539eowkm.exe, 83C4.exe, 7539eowkm.exe, 7539eowkm.exe, explorer.exe, explorer.exe, explorer.exe, explorer.exe, 7539eowkm.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | nsc23B3.tmp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 7539eowkm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 7539eowkm.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 7539eowkm.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 7539eowkm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | nsc23B3.tmp.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 83C4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 7539eowkm.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 7539eowkm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 7539eowkm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 7539eowkm.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 7539eowkm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 83C4.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 7539eowkm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 7539eowkm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 7539eowkm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 7539eowkm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 7539eowkm.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
pid | process
3112 | schtasks.exe
1388 | schtasks.exe
-
Delays execution with timeout.exe 1 IoCs
Processes: timeout.exe
pid | process
4704 | timeout.exe
-
Enumerates system info in registry 2 TTPs 14 IoCs
Processes: explorer.exe (7 instances)
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
-
Modifies Internet Explorer Protected Mode 1 TTPs 28 IoCs
Processes: explorer.exe (7 instances)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 7 IoCs
Processes: explorer.exe (7 instances)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
-
Processes: explorer.exe (7 instances)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes: windefender.exe, powershell.exe, powershell.exe, 31839b57a4f11171d6abc8bbc4451ee4.exe, powershell.exe, powershell.exe, schtasks.exe, powershell.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | schtasks.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | schtasks.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | schtasks.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | schtasks.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | schtasks.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" | windefender.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-492 = "India Standard Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | schtasks.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | schtasks.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | schtasks.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | schtasks.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
-
Modifies registry class 22 IoCs
Processes: etopt.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D}\InProcServer32\ = "C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\ShellSysMenu.dll" | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\{e357fccd-a995-4576-b01f-234630154e96}\ = "{1AFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D}" | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D}\InProcServer32\ThreadingModel = "Apartment" | etopt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D}\InProcServer32 | etopt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D}\InProcServer32 | etopt.exe
Key created | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000_Classes\CLSID\{2EFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D}\InProcServer32 | etopt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D} | etopt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileSystemEx | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileSystemEx\ = "{2EFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D}" | etopt.exe
Key created | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000_Classes\CLSID\{1FFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D}\InProcServer32 | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D}\InProcServer32\ThreadingModel = "Apartment" | etopt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\ShellEx\{e357fccd-a995-4576-b01f-234630154e96} | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D}\InProcServer32\ = "C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\ShellSysMenu.dll" | etopt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D}\InProcServer32 | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D}\InProcServer32\ = "C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\ShellSysMenu.dll" | etopt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D}\InProcServer32\ThreadingModel = "Apartment" | etopt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | etopt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D} | etopt.exe
Key created | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000_Classes\CLSID | etopt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D} | etopt.exe
Key created | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000_Classes\CLSID\{1FFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D} | etopt.exe
Key created | \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000_Classes\CLSID\{2EFAD8BC-BF84-7FA9-B5D7-5A61AB1D9C7D} | etopt.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
c7a2d4deab33d14c5c0df61413662f9c025a289c61378a0cd660d0daf521a0ce.exepid process 4660 c7a2d4deab33d14c5c0df61413662f9c025a289c61378a0cd660d0daf521a0ce.exe 4660 c7a2d4deab33d14c5c0df61413662f9c025a289c61378a0cd660d0daf521a0ce.exe 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 3120 -
Suspicious behavior: MapViewOfSection 27 IoCs
Processes: c7a2d4deab33d14c5c0df61413662f9c025a289c61378a0cd660d0daf521a0ce.exe, toolspub2.exe, 83C4.exe, explorer.exe, 7539eowkm.exe (7 instances)
pid | process
4660 | c7a2d4deab33d14c5c0df61413662f9c025a289c61378a0cd660d0daf521a0ce.exe
4268 | toolspub2.exe
2548 | 83C4.exe
2548 | 83C4.exe
4660 | explorer.exe
4660 | explorer.exe
4660 | explorer.exe
4660 | explorer.exe
4660 | explorer.exe
4660 | explorer.exe
4660 | explorer.exe
4660 | explorer.exe
4660 | explorer.exe
2868 | 7539eowkm.exe
2868 | 7539eowkm.exe
3788 | 7539eowkm.exe
3788 | 7539eowkm.exe
4124 | 7539eowkm.exe
4124 | 7539eowkm.exe
3448 | 7539eowkm.exe
3448 | 7539eowkm.exe
1176 | 7539eowkm.exe
1176 | 7539eowkm.exe
4204 | 7539eowkm.exe
4204 | 7539eowkm.exe
1080 | 7539eowkm.exe
1080 | 7539eowkm.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description                                  pid   process
Token: SeShutdownPrivilege                   3120  (no process name recorded)
Token: SeCreatePagefilePrivilege             3120  (no process name recorded)
(the two pid 3120 entries above alternate throughout the list; 62 entries in total)
Token: SeDebugPrivilege                      4512  powershell.exe (logged between the pid 3120 entries)
Token: SeDebugPrivilege                      3820  31839b57a4f11171d6abc8bbc4451ee4.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid   process
2428  tuc4.tmp
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
3876  BroomSetup.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
pid   process                               wrote to memory of   target process                        entries
3120  (no process name recorded)            2196                 F9C1.exe                              3
3120  (no process name recorded)            3788                 7539eowkm.exe                         3
3788  7539eowkm.exe                         1516                 InstallSetup8.exe                     3
3788  7539eowkm.exe                         3592                 toolspub2.exe                         3
3788  7539eowkm.exe                         3820                 31839b57a4f11171d6abc8bbc4451ee4.exe  3
3120  (no process name recorded)            2180                 16F0.exe                              3
1516  InstallSetup8.exe                     3876                 BroomSetup.exe                        3
3788  7539eowkm.exe                         3640                 tuc4.exe                              3
3592  toolspub2.exe                         4268                 toolspub2.exe                         6
3640  tuc4.exe                              2428                 tuc4.tmp                              3
3788  7539eowkm.exe                         2292                 etopt.exe                             3
2180  16F0.exe                              1540                 RegAsm.exe                            8
1516  InstallSetup8.exe                     4852                 nsc23B3.tmp.exe                       3
3820  31839b57a4f11171d6abc8bbc4451ee4.exe  4512                 powershell.exe                        3
2428  tuc4.tmp                              3788                 7539eowkm.exe                         3
3788  7539eowkm.exe                         4548                 net1.exe                              3
2428  tuc4.tmp                              1588                 datapumpcrt.exe                       3
2508  31839b57a4f11171d6abc8bbc4451ee4.exe  3112                 schtasks.exe                          3
2428  tuc4.tmp                              4040                 datapumpcrt.exe                       2
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\c7a2d4deab33d14c5c0df61413662f9c025a289c61378a0cd660d0daf521a0ce.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c7a2d4deab33d14c5c0df61413662f9c025a289c61378a0cd660d0daf521a0ce.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\F9C1.exe
Command line: C:\Users\Admin\AppData\Local\Temp\F9C1.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
[depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
- Looks for VMWare services registry key.
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\1365.exe
Command line: C:\Users\Admin\AppData\Local\Temp\1365.exe
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
[depth 4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
-
[depth 4] C:\Windows\system32\cmd.exe
Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
-
[depth 4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
[depth 4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
[depth 4] C:\Windows\rss\csrss.exe
Command line: C:\Windows\rss\csrss.exe
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
-
[depth 5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
[depth 5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
[depth 5] C:\Windows\SYSTEM32\schtasks.exe
Command line: schtasks /delete /tn ScheduledUpdate /f
-
[depth 5] C:\Windows\SYSTEM32\schtasks.exe
Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
- Drops file in System32 directory
- Creates scheduled task(s)
- Modifies data under HKEY_USERS
-
[depth 5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
[depth 5] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
- Executes dropped EXE
-
[depth 5] C:\Windows\SYSTEM32\schtasks.exe
Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
- Creates scheduled task(s)
-
[depth 5] C:\Windows\windefender.exe
Command line: "C:\Windows\windefender.exe"
- Executes dropped EXE
-
[depth 6] C:\Windows\SysWOW64\cmd.exe
Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\tuc4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Users\Admin\AppData\Local\Temp\is-UGJFR.tmp\tuc4.tmp
Command line: "C:\Users\Admin\AppData\Local\Temp\is-UGJFR.tmp\tuc4.tmp" /SL5="$6024E,7884275,54272,C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
- Looks for VMWare services registry key.
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
[depth 4] C:\Windows\SysWOW64\net.exe
Command line: "C:\Windows\system32\net.exe" helpmsg 23
-
[depth 5] C:\Windows\SysWOW64\net1.exe
Command line: C:\Windows\system32\net1 helpmsg 23
-
[depth 4] C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe
Command line: "C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe" -i
- Executes dropped EXE
-
[depth 4] C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe
Command line: "C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe" -s
- Looks for VMWare services registry key.
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
[depth 3] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 532
- Program crash
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\etopt.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\etopt.exe"
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
-
[depth 3] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 1580
- Program crash
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1700
- Program crash
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
[depth 2] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 364
- Program crash
-
[depth 1] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- Looks for VMWare services registry key.
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\nsc23B3.tmp.exe
Command line: C:\Users\Admin\AppData\Local\Temp\nsc23B3.tmp.exe
- Looks for VMWare services registry key.
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsc23B3.tmp.exe" & del "C:\ProgramData\*.dll"" & exit
-
[depth 3] C:\Windows\SysWOW64\timeout.exe
Command line: timeout /t 5
- Delays execution with timeout.exe
-
[depth 2] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 2604
- Program crash
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\16F0.exe
Command line: C:\Users\Admin\AppData\Local\Temp\16F0.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Command line: C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
- Looks for VMWare services registry key.
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
[depth 2] C:\ProgramData\Java Updater\7539eowkm.exe
Command line: /prstb
- Enumerates VirtualBox registry keys
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
-
[depth 3] C:\Windows\SysWOW64\explorer.exe
Command line: C:\Windows\SysWOW64\explorer.exe
-
[depth 4] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1096
- Program crash
-
[depth 2] C:\ProgramData\Java Updater\7539eowkm.exe
Command line: /prstb
- Enumerates VirtualBox registry keys
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\SysWOW64\explorer.exe
Command line: C:\Windows\SysWOW64\explorer.exe
- Modifies firewall policy service
- Enumerates VirtualBox registry keys
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
-
[depth 4] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1160
- Program crash
-
[depth 2] C:\ProgramData\Java Updater\7539eowkm.exe
Command line: /prstb
- Enumerates VirtualBox registry keys
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
-
[depth 3] C:\Windows\SysWOW64\explorer.exe
Command line: C:\Windows\SysWOW64\explorer.exe
- Modifies firewall policy service
- Enumerates VirtualBox registry keys
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
-
[depth 4] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 1156
- Program crash
-
[depth 2] C:\ProgramData\Java Updater\7539eowkm.exe
Command line: /prstb
- Enumerates VirtualBox registry keys
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
-
[depth 3] C:\Windows\SysWOW64\explorer.exe
Command line: C:\Windows\SysWOW64\explorer.exe
- Modifies firewall policy service
- Enumerates VirtualBox registry keys
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
-
[depth 4] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 1140
- Program crash
-
[depth 2] C:\ProgramData\Java Updater\7539eowkm.exe
Command line: /prstb
- Enumerates VirtualBox registry keys
- Executes dropped EXE
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
-
[depth 3] C:\Windows\SysWOW64\explorer.exe
Command line: C:\Windows\SysWOW64\explorer.exe
- Modifies firewall policy service
- Enumerates VirtualBox registry keys
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
-
[depth 4] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 1124
- Program crash
-
[depth 2] C:\ProgramData\Java Updater\7539eowkm.exe
Command line: /prstb
- Enumerates VirtualBox registry keys
- Executes dropped EXE
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
-
[depth 3] C:\Windows\SysWOW64\explorer.exe
Command line: C:\Windows\SysWOW64\explorer.exe
- Modifies firewall policy service
- Enumerates VirtualBox registry keys
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
-
[depth 4] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1080
- Program crash
-
[depth 2] C:\ProgramData\Java Updater\7539eowkm.exe
Command line: /prstb
- Enumerates VirtualBox registry keys
- Executes dropped EXE
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
-
[depth 3] C:\Windows\SysWOW64\explorer.exe
Command line: C:\Windows\SysWOW64\explorer.exe
- Modifies firewall policy service
- Enumerates VirtualBox registry keys
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
-
[depth 4] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1156
- Program crash
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4268 -ip 4268
-
[depth 1] C:\Windows\system32\netsh.exe
Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
- Modifies Windows Firewall
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\83C4.exe
Command line: C:\Users\Admin\AppData\Local\Temp\83C4.exe
- Enumerates VirtualBox registry keys
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
-
[depth 2] C:\Windows\SysWOW64\explorer.exe
Command line: C:\Windows\SysWOW64\explorer.exe
- Modifies firewall policy service
- Enumerates VirtualBox registry keys
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
-
[depth 3] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 1152
- Program crash
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\8A0F.exe
Command line: C:\Users\Admin\AppData\Local\Temp\8A0F.exe
- Executes dropped EXE
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
- Executes dropped EXE
- Loads dropped DLL
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2292 -ip 2292
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4660 -ip 4660
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3196 -ip 3196
-
[depth 1] C:\Windows\windefender.exe
Command line: C:\Windows\windefender.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
[depth 1] C:\Windows\SysWOW64\sc.exe
Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
- Launches sc.exe
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1516 -ip 1516
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3640 -ip 3640
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2524 -ip 2524
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 2028 -ip 2028
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4088 -ip 4088
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4244 -ip 4244
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3196 -ip 3196
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3900 -ip 3900
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4852 -ip 4852
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (2)
- Windows Service (2)
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (3)
- Scheduled Task/Job (1)
Privilege Escalation
- Create or Modify System Process (2)
- Windows Service (2)
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (3)
- Scheduled Task/Job (1)
Downloads
-
C:\ProgramData\Are.docxFilesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
C:\ProgramData\Java Updater\7539eowkm.exeFilesize
10KB
MD55c8c82f31f261e9e05e8fa9a44d5fa19
SHA12b9c33c451ee81e196c4ac657f3a3d3bbef85525
SHA2560a0fa1ac38835c90791f20132b99b658f4da67b56266c89e59c353a9ff3f0a4a
SHA512ef4da221ba6b3e3c0dc0096656777fcd6f00f228d1766358d5ade340c472acbf06c039c930970ceb2f847f4d39a3b69c682660bde2589f42102193ac2fa0cef7
-
C:\ProgramData\Java Updater\7539eowkm.exeFilesize
102KB
MD5e5c8c3ff8fbe24a9a9fa5d71a5de2acb
SHA138d4d8e39cae100bf942b66ef8127859ab1db3ee
SHA2566d1d42c02e745502dab8033cfc8c73dbbe30f1e27be3da8b13e00e69b73be377
SHA512868c37a0af0f084af3c348c271f326a0a040ee8a142a31af6cc5aded6842ae5ae13133e481edd676d2ff902f6bb9caba183ddbc432e79529c87110cddb4fc9be
-
C:\ProgramData\Java Updater\7539eowkm.exeFilesize
95KB
MD52a4b664cf0e0ee0ae5e530077912ad28
SHA1bccfda71ec134ea5e5a06eb983d35a3ed23cad05
SHA256e289a8080f39f6a883f01ffe08b1f8023478cb0795a4f76b2cab11f85f942b24
SHA512ea4edf4080b72c7822541da278fa25c7e82e0b4af598a8ed31f3088c84d8f5f4368d9e27cc7f02eed53344b68099c1305146263cf6892e091c3c78719312700e
-
C:\ProgramData\Java Updater\7539eowkm.exeFilesize
12KB
MD585f05753d66d7c31e435cd08bcda18e3
SHA19c08e9b054d5eb761d7c66345392831831ad4c94
SHA2569f716b7f5bd339eb7498e5748ebc8671dc4950a1474925e7f28a1abf51ba384a
SHA5120e575fa0a73b5087b2c95cfbd06ba559354370365b072eb0490324cc9c7d67684018a9e00953f07946309e3306493527e91775fe368162d693470344ff8d9a01
-
C:\ProgramData\Java Updater\7539eowkm.exeFilesize
33KB
MD513fdda2a6bb32a11a844a810d54a7dce
SHA17e67f74549958279bf7a18dc6a91ede046f6fd0a
SHA256145567974cf5a006b329bb5fe202fddc4f5a527abdf2d63f6297be69b8f34d73
SHA512ca0b83f4260c336c09dfb2aec1c2c30350c64cac162942722890f2f0729535654ef17ef7f9e03e2507454cecffc874f2b6b7c6f8c28e865e80c50a8847e84b4a
-
C:\ProgramData\mozglue.dllFilesize
52KB
MD5c01508bcec093a97622464e2265ed984
SHA1d3b18dd536ccd307527db001da32751d4e12ddec
SHA256c38f4b28aa0ce4adb3ab2f9d7ae25655db52e8d58cb6e19a851e8a72e3778803
SHA5123d2b7f33e256113d31630b305cdb448d338b1bc151b4ebe4b78b58ad49b62dc195763078f900588caa433eb3a488872d144f19b57aa1ffe12f66f99de8959126
-
C:\ProgramData\mozglue.dllFilesize
21KB
MD51b9c7b7487fbbf7e0119dc35c3e8bce3
SHA1870344759dab7aeb6439c88befb86f219b502f97
SHA256e4de6e2e48ec85eac5a0b7e99c0ed13b2d7a55280c3f20bada9a5b97b7cd1902
SHA5122786a21132931c9c6ed08ab2d3eb420478487d320467db16b247bfc02eb96dcb33d874d38b729f1f81c32ae8e5b6e1d7a111e924d6089eeae842c7350ed99179
-
C:\ProgramData\nss3.dllFilesize
32KB
MD5045776485948e1b9e71d6da9459dc6a6
SHA1d8f4bb8706420663f6ef54dcf99d9346e4f871cd
SHA2567677d1c47cb3b02f80974f6b183b1c207776a8dbca14c206226a8c764745b572
SHA512c342af34f811dde56c2fc844f09078a12b42cb65cae2b9b842cc8553b2ad04fe10f09749d3924bbf90c4e7141f1ad5a17ae6e266572c0bcf770e97cfc3e5333f
-
C:\Users\Admin\AppData\Local\Temp\1365.exeFilesize
41KB
MD5c3e74beb24104c5bb3d16762d31893e7
SHA15d9c08eded52f991b71ae8360bbc0ddf286c71b7
SHA256c32c046fea86fd60d6b07f0b5cb495c0faa90e7544ea72d5a0183f7dcb9ef9f0
SHA51255b63020eb4b1615d1bffc7b4297d937d440f439d516955ed8eda1f8d0d9fe3fb19c793fabc2b358dbf10e6dcfd6b965b62aeeae39c980d6901f82f4d43732d4
-
C:\Users\Admin\AppData\Local\Temp\1365.exeFilesize
34KB
MD58c06da207491f8093dffc5bb7d912751
SHA1d56c1faa10e29e1bbd116a80b1fb5dd39d01e8fb
SHA256f93e4e51bcce459b197dfce44af18318fdf9aafa6e3b9e4606a785b2e2825d9f
SHA512f431938cc24c1708b29a3612f22de9d53205732d631295c834e4a39ef6e0b699fd570aa57435cd258e13873e39ac027174c9aec6ff66967599e7d9320bfcf95f
-
C:\Users\Admin\AppData\Local\Temp\16F0.exeFilesize
88KB
MD5b84557f5dc9226eb428139257803727a
SHA184a072892efd04f831e55ae1c9be2288efb4a65a
SHA2560a461e517eb9a5e75086db167f5877756092c13973c5bfbc03cdd513c6e1f553
SHA5129768d1e64de60e98ecef87dc99331c0aba46c225c2687ccfe5cac5d9ca29bf06dbc4a69894fb054e07cb8b1352495d2001fca0c2336e9ee647bbf76005fc0ff6
-
C:\Users\Admin\AppData\Local\Temp\16F0.exeFilesize
17KB
MD5ef24c8b60173ccb55daed4aedfa86856
SHA1a23d94eae8c58ae64d22b49e8d2451835de3173e
SHA2567a6cbdae2f59fbdbfbac2afcfb34d425c16fb5386b6dd8f2a06d5992a210f457
SHA5128e27cc7f97234067cc62cdedb65c1901dccd329459a59ce338b9e05043fd2cc6fec963f260e4dfd9837e9caf420b11fd8edfee0847e5f04d9ab8152dbcee1ba2
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exeFilesize
102KB
MD514adccb95bcd06491a6fe1f8dc484006
SHA11b86059f4371c5165c3cd1f89902703173ea6782
SHA2562b9d935574a5c5cd4cd9a1d084668b936fa57698dd8dcfffae909eaf48c60121
SHA5124c53be1570dde450c235a85e077367dfee9fe45d54b192a0417c575d112fa17744c558e8b0901b918fa0ef28590234e8baf216dbcca0cb37fc1635b583315009
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exeFilesize
41KB
MD5fa22f87be41789e52650698f67a1420d
SHA1dcd2e20f31dc580283603cad5706cf2b62aad403
SHA2568f0f7c33e3177ea11e952d2864b9c058a9d89dc4eef876b6828400bc23ca740f
SHA5124a94300dfd8ee1026d190dee71c388c06778333a4bc882d55906c5b229dabcd5eaff09e6a0cd69cab6fc6f8f4e0de6562d28c54d44c956807621e96e334953bd
-
C:\Users\Admin\AppData\Local\Temp\83C4.exeFilesize
42KB
MD5a7a7b5cc5fe3dda99571b839149cf027
SHA101722b3c8710293d4a0f5a8dd47b59343a00f84c
SHA256f9f131216f72c5b1623f359f279b906f7ac339b54704c8a8da3428bf3fabb6dc
SHA512562f4ad11ccc337a308ef1266902123aceddb21b5d4e507fdfdf6fc37ce0d863b15e0a7fe25cd4e2cddb54b69f70166a3a7697cc794a324af803b2718b094465
-
C:\Users\Admin\AppData\Local\Temp\8A0F.exeFilesize
20KB
MD511af4e5290ce27d906d2cca36d77b8c1
SHA1782f98710cd49de373059310baa4b99a0bfb440e
SHA2564db861478fe027ccfca1ae79ec433170a9be851b7c23f4278f4ddb75d651cedb
SHA5128742c531f7aef254b68ee8e28c45ff63835b974eea5f67ac288c3bd1d90cc5e3f0a6d9d320909a1aef1d384263e762bda28de5791edd91c307686678ea33bcf9
-
C:\Users\Admin\AppData\Local\Temp\8A0F.exeFilesize
25KB
MD5f4d0d7c44ecdf5fcc53e09c28434ca7f
SHA1336d2032cf549ec4bd86c2728e261aaf5ecc29f5
SHA256b49a2f75ad64e7c698647c6ec6adf61bd579eb0bd3732c26c6b729d6f522396d
SHA5129d7dc2d6e3815ea7a3fb2953d56a6bdc16da31c4a34ce4118ca542621a09457db621ffb6dd6f1bdb5f5c2acc93f9087ea1f36b77d38c3085e72a9a1382e90b28
-
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeFilesize
50KB
MD55907f03c7fb0f5f98df745aa37d5c4ce
SHA18fcd5aa1e89925fde0cf6a0670902164e91ce7c7
SHA25656a0a84bb86e741af6bf835764e3d990342f37e9cc4be7b34a5163350393f0a9
SHA512654c2b3688c20af79bef27767f02ea2fd5309c9409a676ea1ca1e16b6368e4db8bfc2fb6aa441ce512f3ee31d5a2d476539125f8ccc9b89d0173f04f38dedfe4
-
C:\Users\Admin\AppData\Local\Temp\F9C1.exeMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
Filesize
15KB
MD5
bf1645d3b4f601df7f0a7521731d94ff
SHA1
fe8d1c6dd5d173bc6c1dacfacd0afdb94edaa291
SHA256
020ce09b7c4ca4638420efa7088329c743fe54504f3301748a532c0cddcdc08f
SHA512
a0d97661f87f7078e8bbe7ab06990047bd32af43ab8b1c111b47853e1cc4619700bdcf828c709e34c2315b0182e7dd29730706886d01bd492a9124916ff591a9
-
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
Filesize
142KB
MD5
6dc187d9810cf4ef859b13fdedf01c85
SHA1
df86975c7c795d3f8ffdc03cf3511f23aff929f1
SHA256
1d0dc5e687659710a57e0dcbffcf204831e71c2932489f6ba1a904c31bc5071f
SHA512
579f0eeeabd9658414b043d44fef1a941ff6d946adddb93599bb35644ff4a1d5a04268c0ab017cab6e627af0cad1d4db57f422ab57615a6c5daf29d53eca8675
-
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
Filesize
92KB
MD5
3d4e9c6b7c72ef640574cec0a0d63437
SHA1
ae6b23512affb5f2cfbcb81b46c5d6bc0cf0d533
SHA256
f43588d137f5daf9aac7e1ec4670217854c6849056522621a641f9cdbb2c0877
SHA512
0d3b49e38c64f3ed9a6a14b4940f4e6746cd3e69cf2020f14a676ec99cf4d62256d291a1648e9c43ec4f88dd218ca34df1522dd0174ad873016a6033a48d3e83
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
Filesize
65KB
MD5
a41c6a11fc055a644a822c835f67d489
SHA1
21fc72eeb88cacd12063f286d8e4afbe8920bcf9
SHA256
230edc15d55d560e42f2b0ca09dfb5053e3449f971df7996261824fac104ccad
SHA512
a8261e8c37459ef393bdfce87dcc6c878b00e0d0e1251e54fab49f5f8952988d743c77fe585c6e938ccfca870182d00e5810015172cf6efc699556c6279f9352
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
Filesize
6KB
MD5
c389b4daad13cfb6164027b781757362
SHA1
8a2143de15855cd3ad0c9c4c85871e4432236428
SHA256
3a6b01f77be8da5f0dad5607bbaa0742692c9b1eda941c46d40132b09a1da64a
SHA512
484364764b1ec03f32f3fac418edac9488713001d0838a5094500d72a892ce7b1d2b2aeabd8d9fe70b449f51b7cb11f850824dc83a4e3369cf4f6dc222bc8e3f
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
Filesize
1KB
MD5
82e7ec300c75f36dcb1a6e69cb4d3dac
SHA1
2a2039401777bd21453d7b06bd3b59597b438ac5
SHA256
f5a7e084aad2fdbadbd3487da157f416e96fd95856e735285b35ce42c88cf0bc
SHA512
c732a2243727a54a0584090b58a1f99583f7fafe714afca638adc8d9b824cb658011c0246bff4392ef0c7d5174c2ee2f9bd28704f9503579ef2ccbe52064da72
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
3KB
MD5
0a1241c27e2520e19a830df95838ceba
SHA1
f4f802448202a8aeafdc6ce5a2b7bad6dd3d0b26
SHA256
d4978d1e8b9eed3e4106e72d2d009a5b63cf58e360450532e58f6ed59805dd68
SHA512
70b8755dfd52c1233011abf912bba13faf1ea239731b7b4a9c887e61c13457e06fcd7072d45b022cfd7f6e8d49b87b0b9f5aba75ac78de4c5032aaf9b3d76cab
-
C:\Users\Admin\AppData\Local\Temp\etopt.exe
Filesize
84KB
MD5
fc30a9bfe05f7c351b98dc8ffbfa2a6f
SHA1
03f17378ef42facc394799ef3084ff6eafa37aa0
SHA256
6aebdf898ae238107b40326b28409f2bcad3ca479206ea558a9c63e22c7bd0bb
SHA512
d5785ba6e419438a837a0dfeb9b4449e8f52211ac6203d20225c9930a81ff836bc535fefad3ba70cc3b3cb30c64a33fab1502da0a2a9d3e59d2cbb08efccdf34
-
C:\Users\Admin\AppData\Local\Temp\etopt.exe
Filesize
34KB
MD5
74ab00c50d2742e4defd5e4eca193576
SHA1
f35e645ae1cb4d90fb9b74e2a390f1c8ca6840a5
SHA256
52d1a9da40ee45d26701f7d12f217a29cbbdcde496397014cf7aa1d6e8e446ad
SHA512
7e1a4b647d1056962ad1eaf0d63a36da3a656b627e532fd5b59fe71795125ea6e8c71e48b1f91b74b4a80a3f17b7a8671cdf1aed8ec4739af7f811c92251d339
-
C:\Users\Admin\AppData\Local\Temp\is-QJTUV.tmp\_isetup\_iscrypt.dll
Filesize
2KB
MD5
a69559718ab506675e907fe49deb71e9
SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
C:\Users\Admin\AppData\Local\Temp\is-QJTUV.tmp\_isetup\_isdecmp.dll
Filesize
19KB
MD5
3adaa386b671c2df3bae5b39dc093008
SHA1
067cf95fbdb922d81db58432c46930f86d23dded
SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38
SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303
-
C:\Users\Admin\AppData\Local\Temp\is-QJTUV.tmp\_isetup\_isdecmp.dll
Filesize
9KB
MD5
de7b34e99c2043554f16b6806e49bce0
SHA1
5e08185f1395452e8d77819af78e243fbc644810
SHA256
1ec5e4582653e60ca1b65f05ce5d47691f20977c17642b13155a15228b7229c0
SHA512
1267faf589d4924dcdd259f93719f6b5ec7fe639459b7586c84bad011379ee81ac7d23085beeb011ae5487da366de614e6328b3f9657d0711b5f4e995c442813
-
C:\Users\Admin\AppData\Local\Temp\is-UGJFR.tmp\tuc4.tmp
Filesize
19KB
MD5
789e2b5bcc171671fa5e97e5b5af6172
SHA1
56e417f9cc32768c2526fa5ed35e87351900b600
SHA256
53b9fa0d8a945ff25c3db770fa5110338259be30493f12a8826fa64b4f679923
SHA512
73a09c0f1a647af5515f6628078c8ba9c77b8ae34961234dfe8d9a3e69e90ca1dd7a794991f0d300b0dd2cd667d0ffc8e5512d0947b4e5009d1cf4009ead98c9
-
C:\Users\Admin\AppData\Local\Temp\is-UGJFR.tmp\tuc4.tmp
Filesize
30KB
MD5
2dfc75683aa9d14974e3298e080f82bc
SHA1
6718700c4f172dfc7176dc96b55f6c3874dde5b6
SHA256
ff29ceceefa4f0b10fc36024d51aa3b9e303668ce43a27ea77b5d4dc3c46c6dc
SHA512
26063f317c4f59682464e703c5f8013a68bcffbf887cbbfd9db8e4ecff967d98efeb0a84d5cdb9c9dec8700cece0482e237108c395152c92177f363e5125b696
-
C:\Users\Admin\AppData\Local\Temp\lib.dll
Filesize
311B
MD5
ec987ae0564cdfbe9c15f4c0bf62335f
SHA1
6a7f47e98f6428e5ea3c42e8c0662db39802c4a4
SHA256
f9756368ace7ff80d15cc73e63c161cf248be567396b1bffd3d0082c862a5e21
SHA512
c8427cfa6fa586f6183aa500795e7efd86bc342fdfc02f7891c0067fc70854c3080ebbd293045df33ec2ac81f03fabd7f96e5be2e3945019b4f83dc2e6847948
-
C:\Users\Admin\AppData\Local\Temp\nsi8B35.tmp\System.dll
Filesize
3KB
MD5
310ce502954a073c8bac174ebbd4777e
SHA1
bed9de10e0c2c9202ea452b29e78ab535976db72
SHA256
a6610123ef29b2789113c19cb859587b8c700f5636eab954849fe74bb48a13cc
SHA512
a345d30151d725f666263cce4f09f974865ecaf4dd6100f03de9d23ecf1c5b3656c1da4349822fdc86122aa1380194d018f8b70dd11d3834c37fe5bf041e665b
-
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
6KB
MD5
a54ae24dae30b6b371d41dd9ada52af4
SHA1
9dd944b22ba66a7a59ac4b27776b1bbbc01d32e2
SHA256
371bdf4c1a5b47ac4b1b591076cd2f8f5fe628b130dfafc0e42ea6ff1113d875
SHA512
21107478d78ba7115b9f17f184d75df63898d9446e2ac7b450bbd1b35e7464ef6a531b13495033cc6570eb5b5843ae7341bc791e8c589a22a089a3bbc1d0552d
-
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
92KB
MD5
34a8ce442674425ae01d01e7f4c88bcb
SHA1
d7d30970aa75ce1271402a0adae465fe1f9995c9
SHA256
7a084687df35c670ce06698e719664a55198c43660d47fc8fb16afda7ac59062
SHA512
9ddecb5b6827a1aff9682cc442d03a9a711dadf2325a4e3044eb3e8b3b465f0bfbf61b916408da1cc84585185c2794a80d1c636a7646441ed2f104fea6386ea3
-
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
16KB
MD5
dc48625030d7e1cc1f13b3f4526e5bc9
SHA1
3da768188c93a68e0238df6c048b827e40a94c58
SHA256
307f1a6cca35bc165cf4dc82377dbf681fe572787e8abe9cf7fa62a7d98e1cbc
SHA512
d1ff55f6ac592b47fc669941e3bbcb44dd39c4850282951286512db86f10da871a6625a40ca2680fa260104fa42770f38ae1d2a294139a96aabd1d902abd0c0a
-
C:\Users\Admin\AppData\Local\Temp\tuc4.exe
Filesize
92KB
MD5
fae94342344cf05220adecd174669718
SHA1
4bde8df1feeefa9a443beb3eeed81a31d9ce7f54
SHA256
c7329adb2098eb71bcc6f33e6c0550f65ae76be4e09cae80730fdc580c7418e0
SHA512
fd1420cd06b1d6f7e9529fea5639d1958ef786a595e8ec3bd08bf9a1f0e41889b1524944f12679300f810359b5eb4089e8dd80fe4024883f94a26e67fe73b868
-
C:\Windows\windefender.exe
Filesize
8KB
MD5
bc5d78edd38b2612f5620e201db6bb81
SHA1
533295f1e982f31e2ad92952a1621d5b21f68f22
SHA256
3813ff11c62e3acef1030eacc9cc1452197349eda1fe364068ed92f8d1d019ee
SHA512
389ec1d180c46f509ff0249a59be137f3e515a3ac6776b8d2478e662846ca5f23f5cac284206cd3770e02679d6570550bbda81ddabba14463a1ba9763730f7a1
-
C:\Windows\windefender.exe
Filesize
4KB
MD5
d9b9a67d63e0ebb80358a418ca0047eb
SHA1
5c5d88c85ee00cd162ce617de1be16bc7fbeaf99
SHA256
c8b637935494caa414c39f9ad940c06029889fd60c09b08c58c7583881b7353b
SHA512
eafb72ec1dc89d7462fd0ceb59bc6d7267fc0b1516b2c608c0f9cdc6516b1ec6ef0c935e3301effec9a9b596f672e3ed3a82a1378f2fddb440ae3a75b8ec1092
-
C:\Windows\windefender.exe
Filesize
20KB
MD5
e3c678bc09d820aae0c799756fdb1ccf
SHA1
d677824621cc11de0dfdc8cdd872bd4a8d82315c
SHA256
ac07b7029101b3e4c3b59f2f3947164ffc6bf2f2864c086a436649cc3bda9028
SHA512
47b24df4c797cf8bc57ad3bab7fac3ab82e3c6617f0a7f747934f720b5fe1b38ad306db4492e4bd1d458ee44d5be18527d27ef5f14f99fa602ba33db237fb633
-
memory/1512-599-0x0000000000400000-0x0000000000452000-memory.dmp
Filesize
328KB
-
memory/1540-133-0x0000000074350000-0x0000000074B01000-memory.dmp
Filesize
7.7MB
-
memory/1540-292-0x0000000006BA0000-0x0000000006BEC000-memory.dmp
Filesize
304KB
-
memory/1540-235-0x0000000005B10000-0x0000000005B20000-memory.dmp
Filesize
64KB
-
memory/1540-255-0x0000000006DF0000-0x0000000007408000-memory.dmp
Filesize
6.1MB
-
memory/1540-201-0x0000000005AD0000-0x0000000005ADA000-memory.dmp
Filesize
40KB
-
memory/1540-291-0x0000000006A20000-0x0000000006A5C000-memory.dmp
Filesize
240KB
-
memory/1540-159-0x0000000005930000-0x00000000059C2000-memory.dmp
Filesize
584KB
-
memory/1540-286-0x00000000069C0000-0x00000000069D2000-memory.dmp
Filesize
72KB
-
memory/1540-138-0x0000000005DE0000-0x0000000006386000-memory.dmp
Filesize
5.6MB
-
memory/1540-111-0x0000000000400000-0x0000000000452000-memory.dmp
Filesize
328KB
-
memory/1540-284-0x0000000006A90000-0x0000000006B9A000-memory.dmp
Filesize
1.0MB
-
memory/1588-383-0x0000000000400000-0x0000000001400000-memory.dmp
Filesize
16.0MB
-
memory/1588-376-0x0000000000400000-0x0000000001400000-memory.dmp
Filesize
16.0MB
-
memory/2180-105-0x0000000000AA0000-0x0000000000AA1000-memory.dmp
Filesize
4KB
-
memory/2180-107-0x0000000074350000-0x0000000074B01000-memory.dmp
Filesize
7.7MB
-
memory/2180-128-0x0000000000AA0000-0x0000000000AA1000-memory.dmp
Filesize
4KB
-
memory/2180-134-0x0000000074350000-0x0000000074B01000-memory.dmp
Filesize
7.7MB
-
memory/2180-102-0x0000000000070000-0x00000000000D0000-memory.dmp
Filesize
384KB
-
memory/2180-109-0x0000000004A80000-0x0000000004A90000-memory.dmp
Filesize
64KB
-
memory/2196-14-0x0000000005AB0000-0x0000000005B4C000-memory.dmp
Filesize
624KB
-
memory/2196-13-0x0000000000D30000-0x00000000010F6000-memory.dmp
Filesize
3.8MB
-
memory/2196-311-0x0000000074350000-0x0000000074B01000-memory.dmp
Filesize
7.7MB
-
memory/2196-12-0x0000000074350000-0x0000000074B01000-memory.dmp
Filesize
7.7MB
-
memory/2292-228-0x00000000043B0000-0x0000000004FD8000-memory.dmp
Filesize
12.2MB
-
memory/2292-294-0x0000000003150000-0x000000000318A000-memory.dmp
Filesize
232KB
-
memory/2292-229-0x0000000003100000-0x0000000003101000-memory.dmp
Filesize
4KB
-
memory/2292-158-0x0000000010000000-0x000000001001B000-memory.dmp
Filesize
108KB
-
memory/2428-222-0x00000000020C0000-0x00000000020C1000-memory.dmp
Filesize
4KB
-
memory/2428-397-0x0000000000400000-0x00000000004BC000-memory.dmp
Filesize
752KB
-
memory/2508-475-0x0000000000400000-0x0000000000D1C000-memory.dmp
Filesize
9.1MB
-
memory/2548-633-0x0000000000010000-0x000000000006D000-memory.dmp
Filesize
372KB
-
memory/2548-636-0x0000000000AC0000-0x0000000000B26000-memory.dmp
Filesize
408KB
-
memory/3120-329-0x0000000002F90000-0x0000000002FA6000-memory.dmp
Filesize
88KB
-
memory/3120-1-0x00000000010B0000-0x00000000010C6000-memory.dmp
Filesize
88KB
-
memory/3592-75-0x00000000006E0000-0x00000000007E0000-memory.dmp
Filesize
1024KB
-
memory/3592-97-0x00000000006B0000-0x00000000006B9000-memory.dmp
Filesize
36KB
-
memory/3640-131-0x0000000000400000-0x0000000000414000-memory.dmp
Filesize
80KB
-
memory/3640-73-0x0000000000400000-0x0000000000414000-memory.dmp
Filesize
80KB
-
memory/3788-130-0x0000000074350000-0x0000000074B01000-memory.dmp
Filesize
7.7MB
-
memory/3788-20-0x0000000000BE0000-0x0000000001EBE000-memory.dmp
Filesize
18.9MB
-
memory/3788-19-0x0000000074350000-0x0000000074B01000-memory.dmp
Filesize
7.7MB
-
memory/3820-215-0x0000000000400000-0x0000000000D1C000-memory.dmp
Filesize
9.1MB
-
memory/3820-139-0x0000000002B90000-0x0000000002F94000-memory.dmp
Filesize
4.0MB
-
memory/3820-367-0x0000000000400000-0x0000000000D1C000-memory.dmp
Filesize
9.1MB
-
memory/3820-198-0x0000000002FA0000-0x000000000388B000-memory.dmp
Filesize
8.9MB
-
memory/3876-79-0x0000000000C20000-0x0000000000C21000-memory.dmp
Filesize
4KB
-
memory/3876-374-0x0000000000400000-0x0000000000965000-memory.dmp
Filesize
5.4MB
-
memory/4040-538-0x0000000000400000-0x0000000001400000-memory.dmp
Filesize
16.0MB
-
memory/4268-78-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize
36KB
-
memory/4268-333-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize
36KB
-
memory/4268-101-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize
36KB
-
memory/4512-353-0x0000000005410000-0x0000000005420000-memory.dmp
Filesize
64KB
-
memory/4512-332-0x0000000006DF0000-0x0000000006E36000-memory.dmp
Filesize
280KB
-
memory/4512-361-0x0000000007EF0000-0x0000000007F0A000-memory.dmp
Filesize
104KB
-
memory/4512-310-0x00000000053D0000-0x0000000005406000-memory.dmp
Filesize
216KB
-
memory/4512-313-0x0000000074350000-0x0000000074B01000-memory.dmp
Filesize
7.7MB
-
memory/4512-360-0x0000000007EA0000-0x0000000007EB5000-memory.dmp
Filesize
84KB
-
memory/4512-359-0x0000000007E90000-0x0000000007E9E000-memory.dmp
Filesize
56KB
-
memory/4512-314-0x0000000005410000-0x0000000005420000-memory.dmp
Filesize
64KB
-
memory/4512-358-0x0000000007E40000-0x0000000007E51000-memory.dmp
Filesize
68KB
-
memory/4512-315-0x0000000005410000-0x0000000005420000-memory.dmp
Filesize
64KB
-
memory/4512-316-0x0000000005980000-0x00000000059A2000-memory.dmp
Filesize
136KB
-
memory/4512-326-0x0000000006350000-0x00000000063B6000-memory.dmp
Filesize
408KB
-
memory/4512-340-0x0000000007C60000-0x0000000007C94000-memory.dmp
Filesize
208KB
-
memory/4512-327-0x0000000006490000-0x00000000067E7000-memory.dmp
Filesize
3.3MB
-
memory/4512-357-0x0000000007F30000-0x0000000007FC6000-memory.dmp
Filesize
600KB
-
memory/4512-342-0x000000006B610000-0x000000006B967000-memory.dmp
Filesize
3.3MB
-
memory/4512-356-0x0000000007E20000-0x0000000007E2A000-memory.dmp
Filesize
40KB
-
memory/4512-354-0x0000000008420000-0x0000000008A9A000-memory.dmp
Filesize
6.5MB
-
memory/4512-355-0x0000000007DE0000-0x0000000007DFA000-memory.dmp
Filesize
104KB
-
memory/4512-352-0x0000000007CC0000-0x0000000007D64000-memory.dmp
Filesize
656KB
-
memory/4512-312-0x0000000005A50000-0x000000000607A000-memory.dmp
Filesize
6.2MB
-
memory/4512-351-0x0000000007CA0000-0x0000000007CBE000-memory.dmp
Filesize
120KB
-
memory/4512-317-0x0000000006270000-0x00000000062D6000-memory.dmp
Filesize
408KB
-
memory/4512-341-0x0000000070C60000-0x0000000070CAC000-memory.dmp
Filesize
304KB
-
memory/4512-339-0x000000007F580000-0x000000007F590000-memory.dmp
Filesize
64KB
-
memory/4512-362-0x0000000007F10000-0x0000000007F18000-memory.dmp
Filesize
32KB
-
memory/4512-328-0x0000000006850000-0x000000000686E000-memory.dmp
Filesize
120KB
-
memory/4660-0-0x0000000000400000-0x000000000040A000-memory.dmp
Filesize
40KB
-
memory/4660-2-0x0000000000400000-0x000000000040A000-memory.dmp
Filesize
40KB
-
memory/4852-306-0x0000000000AA0000-0x0000000000BA0000-memory.dmp
Filesize
1024KB
-
memory/4852-607-0x0000000000400000-0x000000000084B000-memory.dmp
Filesize
4.3MB
-
memory/4852-307-0x0000000000990000-0x00000000009AC000-memory.dmp
Filesize
112KB
-
memory/4852-505-0x0000000061E00000-0x0000000061EF3000-memory.dmp
Filesize
972KB
-
memory/4852-309-0x0000000000400000-0x000000000084B000-memory.dmp
Filesize
4.3MB
-
memory/4968-635-0x0000000000400000-0x0000000000D1C000-memory.dmp
Filesize
9.1MB