Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 12-01-2024 22:35
Static task: static1
Behavioral task: behavioral1
  Sample: 0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455.exe
  Resource: win10v2004-20231215-en
General
Target: 0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455.exe
Size: 11KB
MD5: d2e9696ec235cec72512dec6e9ce5935
SHA1: dccd11c272d2fa2e700e7b8b51fa6a9a89f9f3ea
SHA256: 0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455
SHA512: 573cdf5ac0ebacb05b5043c062d237c7ddf202816b04b3938ab3059f0bb5ef9979c17d04ff869cf86646a87b8df0e40f8d2f4955ba13165c8adbfc1d8b2f138a
SSDEEP: 192:gzlJOMaLAN+QHzdV4z1ULU87glpK/b26J46667nh5:6lJOM3+qzqULU870gJEM
Malware Config
Extracted
Family: asyncrat
Version: Venom RAT + HVNC + Stealer + Grabber v6.0.2
Botnet: Exodus
C2: 91.92.255.187:4449
Mutex: ypyertvpyqfr
Attributes:
  delay: 1
  install: true
  install_file: chromeupdate.exe
  install_folder: %AppData%
Extracted
Family: redline
Botnet: Bloomberg
C2: 194.33.191.102:21751
Extracted
Family: agenttesla
Credentials:
  Protocol: ftp
  Host: ftp://ftp.siscop.com.co
  Port: 21
  Username: pedophile@siscop.com.co
  Password: +5s48Ia2&-(t
Extracted
Family: redline
Botnet: Exodus
C2: 91.92.255.187:1334
Extracted
Family: xworm
C2: secure-connection.portmap.io:62391
Attributes:
  Install_directory: %AppData%
  install_file: svc.exe
Extracted
Family: risepro
C2:
  193.233.132.62:50500
  195.20.16.210:50500
Extracted
Family: formbook
Version: 4.1
Campaign: he09
Domains:
clhear.com
maythunguyen.com
xiongmaoaijia.com
kembangzadsloh.xyz
speedwagner.com
360bedroom.com
campereurorg.top
cwxg2.site
mcdlibre.live
globigprimecompanylimited.com
1707102023-stripe.com
xhfj5.site
mugiwaranousopp.xyz
texmasco.com
sc9999.net
lite.team
8xb898.com
cibecuetowing.top
mgplatinemlak.xyz
southwestharborkeyword.top
mil840.vip
mygovindexhtml.online
pepecasinofun.online
lindalilly.com
4da8.com
gladespringtowing.top
tinblaster.net
jpedwardscoaching.com
toursardegna.net
ngocchiluong.com
darringtontowing.top
oiuajh.xyz
nighvideos.com
15868.mom
blueblaze.app
escachifollad.store
credclub.shop
digitalfreedomhub.com
onemobileal.com
obqk8.site
kelownainsulationservices.com
skywatchnewsstores.com
neu-de-update.com
streamart.live
popla9001.com
theundraftd.com
claims.scot
bonk-token.com
iwoulddye4u.com
tenderherbschool.com
thegoodbeautypodcast.com
nahanttowing.top
moneyshift.store
relaxify.cloud
wjr3x0d.shop
churchsec.net
chromadentalclinic.com
kadeonline.com
frank-cazino.com
desixair.com
cftd4o5.com
ipodenergy.com
kravingsbykiersten.com
richmondvilletowing.top
fino-shop.store
Extracted
Family: xworm
Version: 5.0
Mutex: KspRabpn35rQf3I6
Attributes:
  Install_directory: %AppData%
  install_file: XClient.exe
  pastebin_url: https://pastebin.com/raw/yLqnBLCS
Extracted
Path: C:\Users\ONa9v7hKI.README.txt
Family: lockbit
URLs:
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion
https://gdpr.eu/what-is-gdpr/
https://gdpr-info.eu/
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Detect Xworm Payload (2 IoCs)
Processes (resource | yara_rule):
  behavioral2/memory/5532-317-0x0000000000400000-0x000000000041A000-memory.dmp | family_xworm
  C:\Users\Admin\AppData\Local\Temp\file.exe.exe | family_xworm
Detect ZGRat V1 (6 IoCs)
Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\autorun.exe.exe | family_zgrat_v1
  behavioral2/memory/112-30-0x0000000000A10000-0x0000000000A82000-memory.dmp | family_zgrat_v1
  C:\Users\Admin\AppData\Local\Temp\1.exe.exe | family_zgrat_v1
  C:\Users\Admin\AppData\Local\Temp\1.exe.exe | family_zgrat_v1
  C:\Users\Admin\AppData\Local\Temp\1.exe.exe | family_zgrat_v1
  C:\Users\Admin\AppData\Local\Temp\twoo.exe.exe | family_zgrat_v1
Lockbit
Ransomware family with multiple variants released since late 2019.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
Processes (resource | yara_rule):
  behavioral2/memory/4408-34-0x0000000000400000-0x0000000000452000-memory.dmp | family_redline
  C:\Users\Admin\AppData\Local\Temp\red.exe.exe | family_redline
  behavioral2/memory/2496-135-0x00000000001F0000-0x000000000020E000-memory.dmp | family_redline
SectopRAT payload (3 IoCs)
Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\red.exe.exe | family_sectoprat
  behavioral2/memory/2496-135-0x00000000001F0000-0x000000000020E000-memory.dmp | family_sectoprat
  behavioral2/memory/2496-137-0x0000000004B40000-0x0000000004B50000-memory.dmp | family_sectoprat

Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | miner.exe.exe
Async RAT payload (3 IoCs)
Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\venom.exe.exe | asyncrat
  behavioral2/memory/3164-17-0x0000000000160000-0x0000000000178000-memory.dmp | asyncrat
  behavioral2/memory/1260-61-0x000000001B5A0000-0x000000001B5B0000-memory.dmp | asyncrat

Formbook payload (2 IoCs)
Processes (resource | yara_rule):
  behavioral2/memory/5348-523-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral2/memory/4936-540-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
Renames multiple (171) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Downloads MZ/PE file

.NET Reactor protector (4 IoCs)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\1.exe.exe | net_reactor
  C:\Users\Admin\AppData\Local\Temp\1.exe.exe | net_reactor
  C:\Users\Admin\AppData\Local\Temp\1.exe.exe | net_reactor
  C:\Users\Admin\AppData\Local\Temp\twoo.exe.exe | net_reactor
Checks computer location settings (2 TTPs, 7 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | 0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | venom.exe.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | securityhealths.exe.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | securityhealths.exe.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | svc.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | file.exe.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | miner.exe.exe
Drops startup file (2 IoCs)
Processes (description | ioc | process):
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk | securityhealths.exe.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk | securityhealths.exe.exe

Executes dropped EXE (20 IoCs)
Processes (pid | process):
  3164 | venom.exe.exe
  112 | autorun.exe.exe
  1260 | chromeupdate.exe
  548 | securityhealths.exe.exe
  4924 | exploittttt.exe.exe
  4724 | plugmanzx.exe.exe
  2496 | red.exe.exe
  5532 | securityhealths.exe.exe
  5928 | plugmanzx.exe.exe
  5564 | conhost.exe.exe
  5284 | leru.exe.exe
  5348 | conhost.exe.exe
  5988 | svc.exe
  5448 | perlo.exe.exe
  5328 | file.exe.exe
  4016 | 1.exe.exe
  1396 | miner.exe.exe
  5548 | rty31.exe.exe
  2728 | svc.exe
  1584 | abc.exe.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svc = "C:\\Users\\Admin\\AppData\\Roaming\\svc.exe" | securityhealths.exe.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | miner.exe.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | miner.exe.exe

Drops desktop.ini file(s) (2 IoCs)
Processes (description | ioc | process):
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-1815711207-1844170477-3539718864-1000\desktop.ini | abc.exe.exe
  File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1815711207-1844170477-3539718864-1000\desktop.ini | abc.exe.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
  289 | ip-api.com

AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\exploittttt.exe.exe | autoit_exe
  C:\Users\Admin\AppData\Local\Temp\exploittttt.exe.exe | autoit_exe
  C:\Users\Admin\AppData\Local\Temp\exploittttt.exe.exe | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
Processes (pid | process):
  1584 | abc.exe.exe (x6)
Suspicious use of SetThreadContext (8 IoCs)
Processes (description | pid | process | target process):
  PID 112 set thread context of 4408 | 112 | autorun.exe.exe | RegAsm.exe
  PID 4924 set thread context of 1280 | 4924 | exploittttt.exe.exe | RegSvcs.exe
  PID 548 set thread context of 5532 | 548 | securityhealths.exe.exe | securityhealths.exe.exe
  PID 4724 set thread context of 5928 | 4724 | plugmanzx.exe.exe | plugmanzx.exe.exe
  PID 5564 set thread context of 5348 | 5564 | conhost.exe.exe | conhost.exe.exe
  PID 5348 set thread context of 3488 | 5348 | conhost.exe.exe | Explorer.EXE
  PID 4936 set thread context of 3488 | 4936 | ipconfig.exe | Explorer.EXE
  PID 5988 set thread context of 2728 | 5988 | svc.exe | svc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
Processes (pid | pid_target | process | target process):
  2732 | 1584 | WerFault.exe | abc.exe.exe

Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid | process):
  2684 | schtasks.exe
  5280 | schtasks.exe
  4300 | schtasks.exe

Delays execution with timeout.exe (1 IoCs)
Processes (pid | process):
  3812 | timeout.exe

Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
Processes (pid | process):
  4936 | ipconfig.exe
Modifies registry class (8 IoCs)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ONa9v7hKI\DefaultIcon\ = "C:\\ProgramData\\ONa9v7hKI.ico" | abc.exe.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Explorer.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ONa9v7hKI | abc.exe.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ONa9v7hKI\ = "ONa9v7hKI" | abc.exe.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ONa9v7hKI\DefaultIcon | abc.exe.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ONa9v7hKI | abc.exe.exe
Runs net.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process; consecutive identical rows collapsed with their count):
  3164 | venom.exe.exe (x24)
  1260 | chromeupdate.exe (x4)
  4408 | RegAsm.exe (x7)
  1260 | chromeupdate.exe
  1280 | RegSvcs.exe (x3)
  1260 | chromeupdate.exe (x2)
  2496 | red.exe.exe (x3)
  548 | securityhealths.exe.exe (x3)
  5524 | powershell.exe (x3)
  5928 | plugmanzx.exe.exe (x3)
  1260 | chromeupdate.exe
  5260 | powershell.exe (x3)
  5440 | powershell.exe (x3)
  5848 | powershell.exe (x3)
  4580 | powershell.exe

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes (pid | process):
  4924 | exploittttt.exe.exe
  5348 | conhost.exe.exe (x3)
  4936 | ipconfig.exe (x2)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 4824 | 0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455.exe
  Token: SeDebugPrivilege | 3164 | venom.exe.exe
  Token: SeDebugPrivilege | 1260 | chromeupdate.exe
  Token: SeDebugPrivilege | 4408 | RegAsm.exe
  Token: SeDebugPrivilege | 1280 | RegSvcs.exe
  Token: SeDebugPrivilege | 2496 | red.exe.exe
  Token: SeDebugPrivilege | 548 | securityhealths.exe.exe
  Token: SeDebugPrivilege | 5532 | securityhealths.exe.exe
  Token: SeDebugPrivilege | 5524 | powershell.exe
  Token: SeDebugPrivilege | 5928 | plugmanzx.exe.exe
  Token: SeDebugPrivilege | 5260 | powershell.exe
  Token: SeDebugPrivilege | 5440 | powershell.exe
  Token: SeDebugPrivilege | 5848 | powershell.exe
  Token: SeDebugPrivilege | 4580 | powershell.exe
  Token: SeDebugPrivilege | 5348 | conhost.exe.exe
  Token: SeDebugPrivilege | 4936 | ipconfig.exe
  Token: SeShutdownPrivilege | 3488 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3488 | Explorer.EXE
  Token: SeShutdownPrivilege | 3488 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3488 | Explorer.EXE
  Token: SeShutdownPrivilege | 3488 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3488 | Explorer.EXE
  Token: SeDebugPrivilege | 5328 | file.exe.exe
  Token: SeDebugPrivilege | 5988 | svc.exe
  Token: SeDebugPrivilege | 2728 | svc.exe
  Token: SeShutdownPrivilege | 3488 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3488 | Explorer.EXE
  Token: SeShutdownPrivilege | 3488 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3488 | Explorer.EXE
  Token: SeDebugPrivilege | 4248 | powershell.exe
  Token: SeDebugPrivilege | 4048 | powershell.exe
  Token: SeShutdownPrivilege | 3488 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3488 | Explorer.EXE
  Token: SeDebugPrivilege | 4512 | powershell.exe
  Token: SeDebugPrivilege | 1396 | miner.exe.exe
  Token: SeDebugPrivilege | 5376 | powershell.exe
  Token: SeAssignPrimaryTokenPrivilege | 1584 | abc.exe.exe
  Token: SeBackupPrivilege | 1584 | abc.exe.exe
  Token: SeDebugPrivilege | 1584 | abc.exe.exe
  Token: 36 | 1584 | abc.exe.exe
  Token: SeImpersonatePrivilege | 1584 | abc.exe.exe
  Token: SeIncBasePriorityPrivilege | 1584 | abc.exe.exe
  Token: SeIncreaseQuotaPrivilege | 1584 | abc.exe.exe
  Token: 33 | 1584 | abc.exe.exe
  Token: SeManageVolumePrivilege | 1584 | abc.exe.exe
  Token: SeProfSingleProcessPrivilege | 1584 | abc.exe.exe
  Token: SeRestorePrivilege | 1584 | abc.exe.exe
  Token: SeSecurityPrivilege | 1584 | abc.exe.exe
  Token: SeSystemProfilePrivilege | 1584 | abc.exe.exe
  Token: SeTakeOwnershipPrivilege | 1584 | abc.exe.exe
  Token: SeShutdownPrivilege | 1584 | abc.exe.exe
  Token: SeShutdownPrivilege | 3488 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3488 | Explorer.EXE
  Token: SeDebugPrivilege | 1584 | abc.exe.exe
  Token: SeDebugPrivilege | 3948 | powershell.exe
  Token: SeShutdownPrivilege | 3488 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3488 | Explorer.EXE
  Token: SeShutdownPrivilege | 3488 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3488 | Explorer.EXE
  Token: SeDebugPrivilege | 4856 | powershell.exe
  Token: SeShutdownPrivilege | 3488 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3488 | Explorer.EXE
  Token: SeBackupPrivilege | 1584 | abc.exe.exe
  Token: SeBackupPrivilege | 1584 | abc.exe.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid | process):
  3488 | Explorer.EXE (x2)

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes (pid | process):
  1260 | chromeupdate.exe
  5532 | securityhealths.exe.exe
  5448 | perlo.exe.exe

Suspicious use of UnmapMainImage (1 IoCs)
Processes (pid | process):
  3488 | Explorer.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description | pid | process | target process; consecutive identical rows collapsed with their count):
  PID 4824 wrote to memory of 3164 | 4824 | 0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455.exe | venom.exe.exe (x2)
  PID 4824 wrote to memory of 112 | 4824 | 0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455.exe | autorun.exe.exe (x3)
  PID 112 wrote to memory of 4408 | 112 | autorun.exe.exe | RegAsm.exe (x8)
  PID 3164 wrote to memory of 3424 | 3164 | venom.exe.exe | cmd.exe (x2)
  PID 3164 wrote to memory of 3452 | 3164 | venom.exe.exe | cmd.exe (x2)
  PID 3424 wrote to memory of 2684 | 3424 | cmd.exe | schtasks.exe (x2)
  PID 3452 wrote to memory of 3812 | 3452 | cmd.exe | timeout.exe (x2)
  PID 3452 wrote to memory of 1260 | 3452 | cmd.exe | chromeupdate.exe (x2)
  PID 4824 wrote to memory of 548 | 4824 | 0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455.exe | securityhealths.exe.exe (x3)
  PID 4824 wrote to memory of 4924 | 4824 | 0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455.exe | exploittttt.exe.exe (x3)
  PID 4924 wrote to memory of 1280 | 4924 | exploittttt.exe.exe | RegSvcs.exe (x4)
  PID 4824 wrote to memory of 4724 | 4824 | 0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455.exe | plugmanzx.exe.exe (x3)
  PID 4824 wrote to memory of 2496 | 4824 | 0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455.exe | red.exe.exe (x3)
  PID 548 wrote to memory of 5524 | 548 | securityhealths.exe.exe | powershell.exe (x3)
  PID 548 wrote to memory of 5532 | 548 | securityhealths.exe.exe | securityhealths.exe.exe (x8)
  PID 4724 wrote to memory of 5928 | 4724 | plugmanzx.exe.exe | plugmanzx.exe.exe (x8)
  PID 5532 wrote to memory of 5260 | 5532 | securityhealths.exe.exe | powershell.exe (x3)
  PID 5532 wrote to memory of 5440 | 5532 | securityhealths.exe.exe | powershell.exe (x3)
System policy modification (1 TTPs, 1 IoCs)
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | miner.exe.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by process-tree depth)

C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of UnmapMainImage

  C:\Users\Admin\AppData\Local\Temp\0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\venom.exe.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\venom.exe.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAD86.tmp.bat""
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\chromeupdate.exe
          cmdline: "C:\Users\Admin\AppData\Roaming\chromeupdate.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx

      C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"' & exit
        - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\autorun.exe.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\autorun.exe.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\securityhealths.exe.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\securityhealths.exe.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\securityhealths.exe.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\securityhealths.exe.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\securityhealths.exe.exe"
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\securityhealths.exe.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'securityhealths.exe.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svc.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svc.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\schtasks.exe
          cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svc" /tr "C:\Users\Admin\AppData\Roaming\svc.exe"
          - Creates scheduled task(s)
C:\Users\Admin\AppData\Local\Temp\exploittttt.exe.exe"C:\Users\Admin\AppData\Local\Temp\exploittttt.exe.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\exploittttt.exe.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\plugmanzx.exe.exe"C:\Users\Admin\AppData\Local\Temp\plugmanzx.exe.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\plugmanzx.exe.exe"C:\Users\Admin\AppData\Local\Temp\plugmanzx.exe.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\red.exe.exe"C:\Users\Admin\AppData\Local\Temp\red.exe.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\conhost.exe.exe"C:\Users\Admin\AppData\Local\Temp\conhost.exe.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\conhost.exe.exe"C:\Users\Admin\AppData\Local\Temp\conhost.exe.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\leru.exe.exe  [tree level 3]
Command line: "C:\Users\Admin\AppData\Local\Temp\leru.exe.exe"
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\perlo.exe.exe  [tree level 3]
Command line: "C:\Users\Admin\AppData\Local\Temp\perlo.exe.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\file.exe.exe  [tree level 3]
Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [tree level 4]
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\file.exe.exe'
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [tree level 4]
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe.exe'
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [tree level 4]
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [tree level 4]
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe  [tree level 4]
Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1.exe.exe  [tree level 3]
Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe.exe"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe  [tree level 4]
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe  [tree level 4]
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe  [tree level 4]
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
-
C:\Users\Admin\AppData\Local\Temp\miner.exe.exe  [tree level 3]
Command line: "C:\Users\Admin\AppData\Local\Temp\miner.exe.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [tree level 4]
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\miner.exe.exe'; Add-MpPreference -ExclusionProcess 'miner.exe'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'"
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\rty31.exe.exe  [tree level 3]
Command line: "C:\Users\Admin\AppData\Local\Temp\rty31.exe.exe"
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\abc.exe.exe  [tree level 3]
Command line: "C:\Users\Admin\AppData\Local\Temp\abc.exe.exe"
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\92A1.tmp  [tree level 4]
Command line: "C:\ProgramData\92A1.tmp"
-
C:\Windows\SysWOW64\WerFault.exe  [tree level 4]
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 856
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\twoo.exe.exe  [tree level 3]
Command line: "C:\Users\Admin\AppData\Local\Temp\twoo.exe.exe"
-
C:\Users\Admin\AppData\Local\Temp\tuc5.exe.exe  [tree level 3]
Command line: "C:\Users\Admin\AppData\Local\Temp\tuc5.exe.exe"
-
C:\Users\Admin\AppData\Local\Temp\is-ER2RM.tmp\tuc5.exe.tmp  [tree level 4]
Command line: "C:\Users\Admin\AppData\Local\Temp\is-ER2RM.tmp\tuc5.exe.tmp" /SL5="$B01C8,4682184,54272,C:\Users\Admin\AppData\Local\Temp\tuc5.exe.exe"
-
C:\Windows\SysWOW64\net.exe  [tree level 5]
Command line: "C:\Windows\system32\net.exe" helpmsg 1123
-
C:\Windows\SysWOW64\net1.exe  [tree level 6]
Command line: C:\Windows\system32\net1 helpmsg 1123
-
C:\Users\Admin\AppData\Local\Video set plugin\videosetplugin.exe  [tree level 5]
Command line: "C:\Users\Admin\AppData\Local\Video set plugin\videosetplugin.exe" -i
-
C:\Users\Admin\AppData\Local\Video set plugin\videosetplugin.exe  [tree level 5]
Command line: "C:\Users\Admin\AppData\Local\Video set plugin\videosetplugin.exe" -s
-
C:\Users\Admin\AppData\Local\Temp\dwm2.exe.exe  [tree level 3]
Command line: "C:\Users\Admin\AppData\Local\Temp\dwm2.exe.exe"
-
C:\Users\Admin\AppData\Local\Temp\love.exe.exe  [tree level 3]
Command line: "C:\Users\Admin\AppData\Local\Temp\love.exe.exe"
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yR0Sh71.exe  [tree level 4]
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yR0Sh71.exe
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ft4zB43.exe  [tree level 5]
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ft4zB43.exe
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kz3UX33.exe  [tree level 6]
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kz3UX33.exe
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\yT7zk44.exe  [tree level 7]
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\yT7zk44.exe
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Mo36kY7.exe  [tree level 8]
Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Mo36kY7.exe
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [tree level 9]
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [tree level 10]
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fff86ea46f8,0x7fff86ea4708,0x7fff86ea4718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [tree level 10]
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1476,2473637822182172198,6246527500349494235,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [tree level 9]
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [tree level 10]
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff86ea46f8,0x7fff86ea4708,0x7fff86ea4718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [tree level 10]
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,11403953976269777907,11193221203574651712,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe  [tree level 9]
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
-
C:\Program Files\Google\Chrome\Application\chrome.exe  [tree level 10]
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fff83979758,0x7fff83979768,0x7fff83979778
-
C:\Program Files\Google\Chrome\Application\chrome.exe  [tree level 9]
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/login
-
C:\Program Files\Google\Chrome\Application\chrome.exe  [tree level 10]
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff83979758,0x7fff83979768,0x7fff83979778
-
C:\Program Files\Internet Explorer\iexplore.exe  [tree level 9]
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  [tree level 10]
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6096 CREDAT:17410 /prefetch:2
-
C:\Program Files\Internet Explorer\iexplore.exe  [tree level 9]
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [tree level 9]
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [tree level 10]
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff86ea46f8,0x7fff86ea4708,0x7fff86ea4718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [tree level 9]
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/login
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [tree level 10]
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff86ea46f8,0x7fff86ea4708,0x7fff86ea4718
-
C:\Program Files\Mozilla Firefox\firefox.exe  [tree level 9]
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
-
C:\Program Files\Mozilla Firefox\firefox.exe  [tree level 10]
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
-
C:\Program Files\Mozilla Firefox\firefox.exe  [tree level 9]
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login
-
C:\Program Files\Mozilla Firefox\firefox.exe  [tree level 10]
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login
-
C:\Windows\SysWOW64\ipconfig.exe  [tree level 2]
Command line: "C:\Windows\SysWOW64\ipconfig.exe"
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe  [tree level 3]
Command line: /c del "C:\Users\Admin\AppData\Local\Temp\conhost.exe.exe"
-
C:\Windows\system32\timeout.exe  [tree level 1]
Command line: timeout 3
- Delays execution with timeout.exe
-
C:\Windows\system32\schtasks.exe  [tree level 1]
Command line: schtasks /create /f /sc onlogon /rl highest /tn "chromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"'
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\svc.exe  [tree level 1]
Command line: C:\Users\Admin\AppData\Roaming\svc.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\svc.exe  [tree level 2]
Command line: "C:\Users\Admin\AppData\Roaming\svc.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [tree level 2]
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svc.exe"
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe  [tree level 1]
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1584 -ip 1584
-
C:\Users\Admin\AppData\Roaming\svc.exe  [tree level 1]
Command line: C:\Users\Admin\AppData\Roaming\svc.exe
-
C:\Users\Admin\AppData\Roaming\XClient.exe  [tree level 1]
Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads
-
C:\$Recycle.Bin\S-1-5-21-1815711207-1844170477-3539718864-1000\desktop.ini
Filesize: 129B
MD5: 62b61238e513136dcae39ac313f13c76
SHA1: 9cfd97c6ca306218f8a2abe63fd89d05dd321ff3
SHA256: 8dd0851b82095046b5edbb16e7788a5f52158d51971f4b86492e3f693fe1c090
SHA512: 8973fb232256166b3902eae193e481c6a21ff16ab7b0b48c5e742f593cb72f8718cdef50dfd58466d04f487a113d09751127ca2fafcb03f1cddddfab10ff6c32
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\plugmanzx.exe.exe.log
Filesize: 1KB
MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: 968cb9309758126772781b83adb8a28f
SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: d5564ccbd62bac229941d2812fc4bfba
SHA1: 0483f8496225a0f2ca0d2151fab40e8f4f61ab6d
SHA256: d259ff04090cbde3b87a54554d6e2b8a33ba81e9483acbbe3e6bad15cbde4921
SHA512: 300cda7933e8af577bdc1b20e6d4279d1e418cdb0571c928b1568bfea3c231ba632ccb67313ae73ddeae5586d85db95caffaedd23e973d437f8496a8c5a15025
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 18KB
MD5: dc3878a836972b5ef809b76a239ab31b
SHA1: 9f4d47f13cedf3ee8ff00f93e9bea273bbbf9f57
SHA256: 526e06f544f25923af904bf0067dcaeae9bf92e67f942b44650e810b7c726fc6
SHA512: d66928455d9551aa017035275d8d9715aa3879b21ebd47a09a15197453166a47c7d08098b8107f9910ac72817f37f69fd036fa13f056569620adb1d016090560
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 18KB
MD5: 6b5fec177b378618d39fec7045763a79
SHA1: d8769699f61c0f26cfb45af68f7068f7a5e52d3c
SHA256: e04e61bd3e6607f9a8716fe697719c2983177ece992776f608a38422e00e937a
SHA512: 1593f4348bceec890f41141768cb40a7a239eda992752570e52706755a0acf99c0c0b12f8dea7170844859fee994e85375889708f093e4e5071dd34f314f3a92
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 18KB
MD5: a4254c3f39b036a29005b3864aabcb34
SHA1: ee6ddfa1b68d29e8065aab7bb1c4c02c65f2b924
SHA256: fac4742d42bd62c9fc90931012c54f3129b8782ef4a2b26edea63ec5d9225911
SHA512: df6951d961a6e8cc6bea5ac24c1703543eb7989ec56ac20fb4e46cb5936f7d4ccc79fead624c8adac2358d325c652aa89260b5b83619650c0cd120ecbbe4153e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 18KB
MD5: 798c12bcccd6628cd8bf33fbd80f3843
SHA1: da0c325c67cebe4d7f5abe63ca7fcd59337fcffc
SHA256: 0deb41da91b71b31615f3d48ad67bd59b0728096ba5321518ac724d95946ae34
SHA512: 0403437b39195c90599ef44bfacb8e708605f883a0a54e636972fc4b2930abde9594de12cb731a68620e8733d5b116c26b79476ba3c6b5f1800cd3ea71e726af
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 18KB
MD5: ba15fe4e6cb00686a8c4c286a6eaa047
SHA1: 9c79a10348992ab2f1a362216a6bd3a3ba8dbffb
SHA256: 3ab92587a9126907ca045be7a5b8db92e6bf622a8d764fbc4a65bb1ffbe602a5
SHA512: 86fffebc5d2e13fe5f69ce8f27e5f9ec7294381547d18e5c81dc3a1d8031c65bf147b4143c8bb4896748f08e19777c6b6fecd87c8617c611d03be25f635c90ef
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: 9b80cd7a712469a4c45fec564313d9eb
SHA1: 6125c01bc10d204ca36ad1110afe714678655f2d
SHA256: 5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512: ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Temp\1.exe.exe
Filesize: 584KB
MD5: e741a2b67316f180a249808375aca0b5
SHA1: 3500982a3c4b48cde5dfa290eaee0ced72683c80
SHA256: 9c51db3ead53b07f7c9efa6d20adc9fdf96c3feb1b5d568d0d04adb27d3bd2cf
SHA512: 38c6c1a4b27c65123251d948535cdf1092cf8f1ff404fa507dc053d0aa8858055cccc3d767a65eab59806c95fa016f044bae8350f553d6c211a5104af384192c
-
C:\Users\Admin\AppData\Local\Temp\1.exe.exe
Filesize: 320KB
MD5: 6eb62463b50208a3e025b1bcd3ef792a
SHA1: 94ffadb67408683d3d221ddbb42f565a8efc6d74
SHA256: 4c6a56c6f44f55a6c8a3758e5b4f24c233dfc1d555902727a7efe19f010ded0f
SHA512: b304f3f33ee7b6f47694ec0da04105acd6302df258e999aa3ae339d7d6a3101460719c1471000784ca974d5b769ead0de9ce62c5d313b51be9eda736467bff0f
-
C:\Users\Admin\AppData\Local\Temp\1.exe.exe
Filesize: 373KB
MD5: cdbaeac3e88b8413d20a6c6a05771013
SHA1: 91c5b06ddf008fb777c34c7489c614f6393a1891
SHA256: 91327d7a280dcbea151156b0cc87df1b9fe5f84b01c9ee5e27d0d244697a92aa
SHA512: cf53ec60c788cab330c226d647ab0bfd59775856d0e04b9fbb19c401e4e89c53f4c48803226d9da0b68339c209eafd8966458f17cfc0b0bfa3216abc3b3baca5
-
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDD
Filesize: 371KB
MD5: c2c62876867408019c6a57fb545cc297
SHA1: 2f445353eae05c0e5a8273e679afd23a9435c077
SHA256: 97e8c33194b06bf2a61a09b977248dbc14b68c2ad65339a0dcda09cdeea3a2c9
SHA512: d80e9c1e7900ff29d98d94dd03858ebf87bdbeadcddfc8beb084a41cb28783c9477f9a6a58b0ceb77c0da98174bbcf39a79b68fd0316cc411702fce34f560be0
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pcce1cbp.x5n.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\abc.exe.exe
Filesize: 371KB
MD5: 7a83a738db05418c0ae6795b317a45f9
SHA1: bbd1c1fe4a01b698963c28a2231c33d70338014c
SHA256: 1520e4cb2748aa5725d8b6c242ff6cf365f6672db35df2745c920ed228666317
SHA512: 735c9762d72ae8cbce79749145d7530b89ce2be75f591af963bca225f68d80b824c33e36f7805cc778838d684cb23dc317be83b291e4bd77239085082183dad2
-
C:\Users\Admin\AppData\Local\Temp\autorun.exe.exe
Filesize: 434KB
MD5: 49a101f27b36c7ee8a0931a656749c43
SHA1: 13874d352aa3fbb9a262e29c03ff885714ff8429
SHA256: b61c3baadd541bcafad124668888e322d70720335a6f46173b489a47d5b66c1c
SHA512: 121f6b0b8c8342df96837e173cac6814fff315385a2f1a234b77c5b59fd661930b6f67e910f797db2f7a69d00f282dd9788770925c8390dfe6abcb52ac612ad3
-
C:\Users\Admin\AppData\Local\Temp\conhost.exe.exe
Filesize: 575KB
MD5: 57ec8609c4c4bdc9c6249a30ba59b489
SHA1: 437cfeb671c04f5393cf0732bf602d3fae226501
SHA256: 861f5ebaad65712e0c699fe6fad2f63cca3f35759ed92f44db0d6d089889d209
SHA512: 860496bfa148c6c69416797ceacb2085f317833474d8a018b66da142f4ca167096b5c9f7988b99159236d0325d1435db3b515d7a84ea3f13cc548ad968ee1e58
-
C:\Users\Admin\AppData\Local\Temp\dwm2.exe.exe
Filesize: 188KB
MD5: cdb5da91ed9624691148563d0c234e06
SHA1: fd12f9d82869b65184d4bbe76119f623a9746303
SHA256: cb1ae846ff0cf850daca17d92289cbbcd099f5ea3b68c3f3877409b8c4df2b44
SHA512: 2f773775f0b4b83b8a8ebd0c88831d7588c06c8733fbc1571086f568e0226b5ba27305cf89f3a338727dc3abcc8aeb1135de2353b94c32a953a91339da78e88a
-
C:\Users\Admin\AppData\Local\Temp\exploittttt.exe.exe
Filesize: 293KB
MD5: 603afaa08ee271ed30466d84ac63c81f
SHA1: 79c1c3e466875effdf84269f902df1e1f4fae052
SHA256: 4c93aaee0b19b0a8e4d9f1c5cb4e66ca060837bcb1d59e61c482eea7a06b661b
SHA512: a7e9eba2841873094cf326d4e9f46e26137f953d7113644bb75e47981f7eaf442f928a5c59aa66737b71e30adc14eb153714aa193c69eb472a7a41bc807efa44
-
C:\Users\Admin\AppData\Local\Temp\exploittttt.exe.exe
Filesize: 245KB
MD5: e3aac295f104b5978ea88b26a2fb3d8e
SHA1: ca4944a3fadd292c3b4d6bdb2dc12625c5be0f24
SHA256: 3ed49485349289ba7cc596a5d6b3f755593be0a14e70ebe7415f775dd7c289d4
SHA512: 360fccccabe4a080bf59ed5934b2d3a4efbecaef92d2227c0faf78b998cc1609d1c51f1e61355a517fa4064c6391a54b7af14a242d0c9565aa8279c8e0855725
-
C:\Users\Admin\AppData\Local\Temp\exploittttt.exe.exe
Filesize: 371KB
MD5: df897e2c03db226d842971cdae69e384
SHA1: 01abe6e49dd388eb75d16cfd2b6f211325d95e21
SHA256: 4916f80936024362c970124bbe89e2eff9ff035f1a375eccfed83a1f73c96b52
SHA512: 23a2d850ef3bde4c0488d62e3f2c6305bdf40bb81bb723c858a3964b3d0b7541d04be419765c2f4336733aa869a9e144a3c3b861812269f8f0a9c0c747d95517
-
C:\Users\Admin\AppData\Local\Temp\file.exe.exe
Filesize: 206KB
MD5: cdba8c58e4d9e0a5e0b5053b8198f302
SHA1: f2eea90e6d683f6d9c3dd973c33ccb526160ea05
SHA256: ff0bd362c496178316aa66375828349d11825dd9afaa90c5ece39a401e4e0a7d
SHA512: 34cd31b65b587ae1abd59ec37d80c3036eb75730182a2b72f4d544d40325654f07588c72a32f738f13a4d67dc05013f3c978430fdcdb07d8e23ee78905c2c069
-
C:\Users\Admin\AppData\Local\Temp\leru.exe.exe
Filesize: 250KB
MD5: c4270737aa55801b20ec0c0a7f70b68c
SHA1: a3564ce59d9e35b59b218fb94a83c6480424473f
SHA256: b8d4c2d8d806946988857b0dc1cdc0fda72df6baf9e270fb86431ee998e29dc8
SHA512: 2a4e4710f39ee1edefe503df758bc363a7d75464dad12b0c4d73161e19ef539bc99492e173166248fc44dd5e19bcb6cf0d441751441a1f336c360afcaef10f5c
-
C:\Users\Admin\AppData\Local\Temp\leru.exe.exe
Filesize: 545KB
MD5: 62025eb8dbb3867db2dcbca5c8afa8cb
SHA1: 674ed0a7aaa67f6702ae6df8609d07090a810432
SHA256: 81a4ed8622278c5d4beff07909f93aa4a5530eca2df0e2ca3541f282867ac041
SHA512: 74930212f133e728d8e03f130384651f9bd1b8880648795581831ebd4d127552d54f8c2d2e0b10f013cb2a9f8d74cd3ab4e1b605962a3730aa9e0714d1c159c4
-
C:\Users\Admin\AppData\Local\Temp\leru.exe.exe
Filesize: 234KB
MD5: c6f8f6e181ef80ca60d5c2ae12da5e02
SHA1: e355265a3f921959fa241d75cc692476b88e60d9
SHA256: 2290e215b5763822c839f5878b2432c246bd9d31e5fa65d00b9ec59d9f7b1df9
SHA512: 22fcc385e1d83a7746fb5bc7843fd96353a83b6a33ac081a43979c283b79dde501613e03bb3f3fe3f7b7c02bb491d888aec5a47226106ef14f40d7ec133ecbb4
-
C:\Users\Admin\AppData\Local\Temp\love.exe.exe
Filesize: 5.4MB
MD5: 5a6a676298bfb90f1fe093b469f2af75
SHA1: f3e36d48a6653707235b76a85fdf0822736dde37
SHA256: 3ff4800fe0822f42c5c44f0efc8dc7dbd92a27ce36032bc0cc49ef514af89d0c
SHA512: 8fd9c237873c22566c58e6b3234e16b4010891519fb178c7cd4ddaaae72b0922b45468a6ce4826a6c2b1bc20c6db8cd81f52fcf41e9a47e8f17a5b7cd8455d90
-
C:\Users\Admin\AppData\Local\Temp\miner.exe.exe
Filesize: 23KB
MD5: cafeab1513ff424cc79caeca170678d1
SHA1: 1b0f46593b38a577f56aa617f37413ea1053ffb1
SHA256: 71f7d548c9ea57b8c9dcc3f426adabdddb4451e65837b63c4c25dc2a812717e2
SHA512: 9fd7762058b41612eecf8ed17888ad884cb97185c19cdde960a24a1835627158bc5cf339bd33ed15bf3df91456f91e91038f03de0ad04c043f442d3da04ba113
-
C:\Users\Admin\AppData\Local\Temp\newrock2.exe.exe
Filesize: 1.1MB
MD5: 4b3f1024a48676ccceb11098c2abb1be
SHA1: fd86c4fc060d8584364520bbabd298f7b629d179
SHA256: 394c3d5a9c159861454e2db0d8ee5c97d050e011caa4cb387488911af8bd936b
SHA512: 8a06a101215e45bbfdc01f335e5098a50dc77c339e0d09a3a3eccfefc4037be958d39616abcdb713397e508800c9e7aadf8b0863867979e7900000eaadb333d1
-
C:\Users\Admin\AppData\Local\Temp\perlo.exe.exe
Filesize: 1.8MB
MD5: 3324f385006b03800693844e46126fc0
SHA1: e2d7636a96c3fde5a62bd1244035cbb119bb439c
SHA256: 3fe20b6304e4252a8ac3592f69ea2e6d1354c0b16bf51062fb094f26d024ea39
SHA512: c243367801d00fc224b2fc25c1517a1d49ab755f8cb20c1c1956484998a0542c18108787ab163f34578d2521210f0f67e2e0c23c61a592f040e6bf9f37e4c1ed
-
C:\Users\Admin\AppData\Local\Temp\perlo.exe.exe
Filesize: 1.6MB
MD5: cdf2a0f359f9b72781003c5045ce3e18
SHA1: d877424e91b8003e490a9a446a38ca2673db6a70
SHA256: 1d80a6708dd23984f980a5c9d4acfa5d8e318a2bfb3864c142adbc7d273a49d6
SHA512: ad9930923e9a24e3d1b9ea8f607199312aef15251169db982fe1b0c3bb8498eaf61be9affd5a1a9373f31aa740aaded0fc3782bdb17f5c6e95605699c3fbeab3
-
C:\Users\Admin\AppData\Local\Temp\perlo.exe.exe
Filesize: 1.3MB
MD5: fc0195c69a6a9cccbeab20f7d4c46571
SHA1: 6f2f3394f721fe891afd14f84ea8d62cb15426d2
SHA256: c4fc1b26b6a1ba69aa5c872efdf80048ac0d3d7aefc67ea5b70d817abf0e38b6
SHA512: 6abc2ea919148c4330e6e42a3a9454fccdbdeace5ee67c5fa44df77330fccfbf547acc5e5e032adaead5383075368516a7306559db0ca01714da0e9f317f1d3d
-
C:\Users\Admin\AppData\Local\Temp\plugmanzx.exe.exe
Filesize: 185KB
MD5: ec5083852bb834b1918fb748acc02f2b
SHA1: 085b672cd356665231e5fa491a727c51b67f9dfb
SHA256: ba1f7240b30530c040734308fba5ce453e07b6a8df58a298fb3030a66f34627c
SHA512: 06a76e69670c4b419f37378938ad0ff85b9c61f3b89b956f1d2c97f3fe824b677a8a45f5ffa68037a09444f58f39ca6f8256349c3fd1a9f7c3bc2085ece59274
-
C:\Users\Admin\AppData\Local\Temp\plugmanzx.exe.exe
Filesize: 116KB
MD5: 685cada243cf1f9989f0fe40f91ad835
SHA1: 69c55eded5c8bfa335e35978f300111a5b5f91db
SHA256: 6d273c5084341d530e8631444c8ed231e5d5513e78f3357e90f1dd983c9077c4
SHA512: 3c6bd1b11bf61e3b007a694a5aab4c1725f944279eafb30f810fb7aa369513ddc2d5040f1894abeefa0dc8c736006eb571af3cef9c5126402d0f6ce201177bdf
-
C:\Users\Admin\AppData\Local\Temp\plugmanzx.exe.exe
Filesize: 374KB
MD5: 98122b8f1aacd9238a1fa64510248316
SHA1: 1aa02f7b21f5900f0712be32464ab72f7fa8fb21
SHA256: 8360f4c0dac11ccc290856411afbd7e969d48f1159b7de208f046d521553e991
SHA512: 952c367c5c5b61d6ecb91649cb4fe9e7b8f9fd8c9eadd63cdff1bc8908a046c5a28fbc1f720e2c6890e088714cb95e3495dcd033c081e3133cc89481c6d49cda
-
C:\Users\Admin\AppData\Local\Temp\plugmanzx.exe.exe
Filesize: 173KB
MD5: 0aabfdb57eb36835e6be031a5997bf7c
SHA1: fe1d9c1c875fe50c5fe5e05bcecef1fcb9f03940
SHA256: e6b61f2f5faf7b13e6857dec75aec024d4938bc3216774a84d2c012a5bf1970a
SHA512: 8c9814d9dec447e7d6c9b0a33df45d303c387a3a87b0778e6809be289c99a2a5153221d2cc23a406e96d821cef866bfe72109bcddf98937bd64890bebee9c9c4
-
C:\Users\Admin\AppData\Local\Temp\red.exe.exe
Filesize: 95KB
MD5: 3c78cef4203a47012167be0877274540
SHA1: 8fba278e3fbcfcf5dffc871a92aa0a5a382edda8
SHA256: 202ebcf24cd4b6a4394e7dddd7ee98bceb9ac2b8c281e9f4610c7a93dafaa959
SHA512: 009391e72b23e5fd963a09dc1a91db37b9b0815cea80311333c8c7f52cb0c43095cc29b60d7db145b49006b7c2fdcdfda31e52c8f6ceeb7085c4dc615b3fae66
-
C:\Users\Admin\AppData\Local\Temp\rty31.exe.exe
Filesize: 369KB
MD5: 797344a5766214c49734b8f63f78e797
SHA1: 9635642026072bc12dcc5fdfb017b9c234c5bab8
SHA256: aafa82fb621b4843c3ae89bb8beddfe66244e203149880b79a4e8f42f5a7c4b9
SHA512: cacbf814ec9eeb5fa586cbf90437e82330d463d024af92a1a728b51e96d69ae0f6d8f7274691df534945accde3fb6c54c000095191d55d57653dfc1f0a8f6d9e
-
C:\Users\Admin\AppData\Local\Temp\securityhealths.exe.exe
Filesize: 198KB
MD5: d45f14011ea40c3a966764d4d057fe0f
SHA1: 167a0ef966167f078ad14cc14a6d2c39615c8283
SHA256: 50f231d1596f874eed3b6e3942f2f409a83f6e39fbef18915ea92687d26bb22c
SHA512: 735204c1d5e3386cf3121c1e4d68ccdfcd7b4fbecdfe238b033408a6f01cee0a731c7ec4230f4187eb19e2e897c1e7b81f1294fe96fbfb55a9fcb84bdfb430d8
-
C:\Users\Admin\AppData\Local\Temp\securityhealths.exe.exe
Filesize: 198KB
MD5: 8a9dec3a337b97aaa890c7a2ff14caa4
SHA1: 31485e61b54bac91c0431bf6a613361cbccf9785
SHA256: 3c7e45c9437b93e5ddbb1485b6b6b5e56135e02ba0842a8798750fbf80db4146
SHA512: 20d172c8f34d37c5b5c8b20eb31b6c4f2a08f23b343db72471ec0b900908e061de38e5c98703634bf6aeed8cd79a381172fbefd5b779ac1a0b38f9faad0d5ee1
-
C:\Users\Admin\AppData\Local\Temp\securityhealths.exe.exe
Filesize: 247KB
MD5: d72482254a4aeb092be5fc1a957a533e
SHA1: 41d61c1195c0a4a374f298170f64ad117e246248
SHA256: 278e6fe465356877f204df347b239befbe043006c39e5422a4579ae9c62411c8
SHA512: 436aa9726c26887c2a4d9561d59621144c420d1975367fc57065aac8bd92250e973302422e45952847b3dfbb979938d24d9230564a98cb3e3702a2fb2ce8a7c2
-
C:\Users\Admin\AppData\Local\Temp\securityhealths.exe.exe
Filesize: 151KB
MD5: a8bcaa953a8f675728850c6977ac24b5
SHA1: 4b43ddff1aaf30f453e776897988eb8a50f40b24
SHA256: 4369a95490aa433f6aa1c01c87311b441f765653971a07e31fbf54c7dcc16a6a
SHA512: 9a28e99dab0217d5d3f5ac5f8cc6bb9f823611caee1351c96c1478520f06c47d19df295f716efb0a138aeef3a4fa7a0e6e166485f02a8992cf74fe4e3bc75e76
-
C:\Users\Admin\AppData\Local\Temp\tmp163A.tmp
Filesize: 46KB
MD5: 02d2c46697e3714e49f46b680b9a6b83
SHA1: 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256: 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512: 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\Local\Temp\tmp165F.tmp
Filesize: 92KB
MD5: 46a9527bd64f05259f5763e2f9a8dca1
SHA1: 0bb3166e583e6490af82ca99c73cc977f62a957b
SHA256: f226fe907da2a1c71bff39823b1cb5063431c7e756ca79e6e86973f1b7c46742
SHA512: f49e5b0f584765fc93cc6d972553b7acfc618a950022ad9d1b05bc3185dd685d9fe8ea3d6376c6b257fda49f9db52e73770b3ef0612943c96c818c5d0e0f5241
-
C:\Users\Admin\AppData\Local\Temp\tmp169A.tmp
Filesize: 48KB
MD5: 349e6eb110e34a08924d92f6b334801d
SHA1: bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256: c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512: 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\tmp16AF.tmp
Filesize: 20KB
MD5: 49693267e0adbcd119f9f5e02adf3a80
SHA1: 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256: d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512: b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
C:\Users\Admin\AppData\Local\Temp\tmp16B5.tmp
Filesize: 54KB
MD5: c64a422bdeba1d491bc0823a7d1474c2
SHA1: dbfc60fbbe11ab578a98ce0754574f6a5da64a6f
SHA256: a85d200fb53ff115b7624aaccd889a11087c4bedf498d3ea6e03b0ea7f23341a
SHA512: eafa11cccd266bbffdcfbe5c54b19699537861ce2007a5d0abfed0ee86b30fe4b18aa0c26a557073ef5beaa74c0d319b21a6f6ab8ea52fd39d98cc62bca4f076
-
C:\Users\Admin\AppData\Local\Temp\tmp16F0.tmp
Filesize: 96KB
MD5: d367ddfda80fdcf578726bc3b0bc3e3c
SHA1: 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256: 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512: 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
C:\Users\Admin\AppData\Local\Temp\tmpAD86.tmp.bat
Filesize: 156B
MD5: 0515205550c16b42b4525295d34c52c1
SHA1: ff1dccb3ed336a17f61e804ff3a51b78e02accd0
SHA256: 27281db06861cff7aa138f67a08fa3f8bc82fdb09e7fc221e02c773810b588f8
SHA512: 77cdedd902260d1e429a4cdf1fd219a4a4c368b25603e068ceeb7e753e83f84a62328230ac31227433403e3ceef397229835ab5080a7c6508a4046ddbe3f2562
-
C:\Users\Admin\AppData\Local\Temp\tuc5.exe.exe
Filesize: 4.7MB
MD5: 0fa21a39b7e1858af3604852116b7af1
SHA1: 41cf29a9656ebd1afb4f4e002e244dd683b31b90
SHA256: 74a74a949bf4727ce7b8318c1f5baea1ca58b8bbd6a6b65f89f56ac5470f2c65
SHA512: de45e6476ac29b674e7ce6272d816a842551d059c37eb38da1ea230becd62bdc66cd4ba96af4b7313747ac94048e27991004a849d4237a4c5c12c930cc251433
-
C:\Users\Admin\AppData\Local\Temp\twoo.exe.exeFilesize
5.8MB
MD5013dd34c1d52ad6a86419657437e247a
SHA17e3e065d69e1217ac0a795989464e8c1266f9224
SHA2566fc264d3ffc563ee44ae41f7693c1ec08d3d57e19b69b6e59c0a300c7317135c
SHA512f5adcb348abf7255b5369e05c6c883acbc3015ffa18cb67e95f296b51eeb525cc1d1f17c4e33f026d7aa5333aec4c529dea1f73358515892da8b0ec61b4466a6
-
C:\Users\Admin\AppData\Local\Temp\venom.exe.exeFilesize
73KB
MD538312527c8f936445c85e7ddde36f420
SHA1725a7f7522e907878eb84456ccb0424332b5cdd6
SHA2563df5b2d8fa12771d01180865d86b83385535794b18232cca17e5a7e3fac585fb
SHA512b748a3c76aaeefe29ca856ebbe49b7e316c992af399e6678bb43e0bef297e03cf0144b06cad64a9c46c6a2950e38036a07bd9e3dc23cc67f1b63702153fc38d0
-
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.confFilesize
8B
MD5cf759e4c5f14fe3eec41b87ed756cea8
SHA1c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
C:\Users\Admin\AppData\Roaming\svc.exeFilesize
632KB
MD593f01bd10921f4455e9577442cbadcec
SHA1c102e4fa585fd6a4005274cfa4150f4ffb59bfc3
SHA256ca9b7d7e6c9100b5f7987a56ade722b373343af8be2e498723219a8d6d993257
SHA5126dec77c8a473bc948d0145c1b1a851647cbb187bdf815e2d273d28657992439cc5666b7365f94d079e284bcc2fa72434454e97777824dccdcc7a30187155dcca
-
C:\Users\ONa9v7hKI.README.txtFilesize
10KB
MD50a673ba4a3710f76f2fd417744f21904
SHA16b9de57ffb3e4188600044bf582bc2ccf96270d8
SHA25682eba2fde3799ac6daa62fafc401daf73aa4b3fb76e77b5c7c0a75ae97d70b57
SHA512f962f3084920d4d9687be55f739b30836d6dc919d09168ef687b80d8b5c55a39930e058b4ef2956276c2c6dc81d89198cbe62c2363675ca3d6a2380192d9d84c
-
F:\$RECYCLE.BIN\S-1-5-21-1815711207-1844170477-3539718864-1000\DDDDDDDDDDDFilesize
129B
MD5cb7f20bfbcdab730e3e352f65dae38a4
SHA1ef4594a75f89e0b3ab64e588a9c0f513dec70676
SHA256fb74f1794303111006b65454527b889c6c6f59639713cfd0995f3afa51fc11b9
SHA512b966839d6bfc933696d6d4d8dde6e35858fe8661c8a919b2b529d98686d37f8eb45d3661322a3bfeb109ee0850f73f993c7440516316b655997ec939828620c2
-
memory/112-29-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/112-33-0x00000000053C0000-0x00000000053D0000-memory.dmpFilesize
64KB
-
memory/112-63-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/112-35-0x00000000053A0000-0x00000000053A1000-memory.dmpFilesize
4KB
-
memory/112-31-0x00000000053A0000-0x00000000053A1000-memory.dmpFilesize
4KB
-
memory/112-30-0x0000000000A10000-0x0000000000A82000-memory.dmpFilesize
456KB
-
memory/548-316-0x0000000008DA0000-0x0000000008E3C000-memory.dmpFilesize
624KB
-
memory/548-139-0x0000000007BC0000-0x0000000007BD0000-memory.dmpFilesize
64KB
-
memory/548-315-0x0000000008D50000-0x0000000008DA4000-memory.dmpFilesize
336KB
-
memory/548-79-0x0000000000BA0000-0x0000000000C44000-memory.dmpFilesize
656KB
-
memory/548-78-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/548-104-0x0000000007CF0000-0x0000000007D02000-memory.dmpFilesize
72KB
-
memory/548-314-0x0000000007D30000-0x0000000007D3E000-memory.dmpFilesize
56KB
-
memory/548-80-0x0000000007BC0000-0x0000000007BD0000-memory.dmpFilesize
64KB
-
memory/548-321-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/548-138-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/1260-60-0x00007FFF897E0000-0x00007FFF8A2A1000-memory.dmpFilesize
10.8MB
-
memory/1260-108-0x00007FFF897E0000-0x00007FFF8A2A1000-memory.dmpFilesize
10.8MB
-
memory/1260-61-0x000000001B5A0000-0x000000001B5B0000-memory.dmpFilesize
64KB
-
memory/1280-320-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/1280-107-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/1280-106-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/1280-325-0x00000000051A0000-0x00000000051B0000-memory.dmpFilesize
64KB
-
memory/1280-109-0x00000000051A0000-0x00000000051B0000-memory.dmpFilesize
64KB
-
memory/1584-1094-0x0000000000400000-0x0000000000463000-memory.dmpFilesize
396KB
-
memory/2496-135-0x00000000001F0000-0x000000000020E000-memory.dmpFilesize
120KB
-
memory/2496-136-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/2496-137-0x0000000004B40000-0x0000000004B50000-memory.dmpFilesize
64KB
-
memory/2496-141-0x0000000006740000-0x000000000675E000-memory.dmpFilesize
120KB
-
memory/2496-140-0x00000000065D0000-0x0000000006646000-memory.dmpFilesize
472KB
-
memory/2544-1256-0x0000000000400000-0x00000000004BC000-memory.dmpFilesize
752KB
-
memory/2544-1332-0x0000000000400000-0x00000000004BC000-memory.dmpFilesize
752KB
-
memory/3164-54-0x00007FFFA7890000-0x00007FFFA7A85000-memory.dmpFilesize
2.0MB
-
memory/3164-17-0x0000000000160000-0x0000000000178000-memory.dmpFilesize
96KB
-
memory/3164-28-0x0000000002310000-0x0000000002320000-memory.dmpFilesize
64KB
-
memory/3164-26-0x00007FFF897E0000-0x00007FFF8A2A1000-memory.dmpFilesize
10.8MB
-
memory/3164-49-0x00007FFFA7890000-0x00007FFFA7A85000-memory.dmpFilesize
2.0MB
-
memory/3164-52-0x00007FFF897E0000-0x00007FFF8A2A1000-memory.dmpFilesize
10.8MB
-
memory/3488-627-0x00000000091A0000-0x0000000009249000-memory.dmpFilesize
676KB
-
memory/4408-65-0x0000000006F70000-0x0000000007132000-memory.dmpFilesize
1.8MB
-
memory/4408-39-0x00000000058D0000-0x0000000005E74000-memory.dmpFilesize
5.6MB
-
memory/4408-34-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/4408-38-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/4408-40-0x0000000005320000-0x00000000053B2000-memory.dmpFilesize
584KB
-
memory/4408-41-0x00000000052A0000-0x00000000052B0000-memory.dmpFilesize
64KB
-
memory/4408-42-0x00000000052C0000-0x00000000052CA000-memory.dmpFilesize
40KB
-
memory/4408-43-0x00000000064A0000-0x0000000006AB8000-memory.dmpFilesize
6.1MB
-
memory/4408-44-0x0000000005600000-0x000000000570A000-memory.dmpFilesize
1.0MB
-
memory/4408-45-0x0000000005530000-0x0000000005542000-memory.dmpFilesize
72KB
-
memory/4408-48-0x0000000005590000-0x00000000055CC000-memory.dmpFilesize
240KB
-
memory/4408-55-0x0000000005710000-0x000000000575C000-memory.dmpFilesize
304KB
-
memory/4408-62-0x0000000005F80000-0x0000000005FE6000-memory.dmpFilesize
408KB
-
memory/4408-64-0x0000000006D50000-0x0000000006DA0000-memory.dmpFilesize
320KB
-
memory/4408-66-0x0000000007670000-0x0000000007B9C000-memory.dmpFilesize
5.2MB
-
memory/4408-102-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/4408-105-0x00000000052A0000-0x00000000052B0000-memory.dmpFilesize
64KB
-
memory/4724-326-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/4724-121-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/4724-122-0x0000000000430000-0x00000000004E2000-memory.dmpFilesize
712KB
-
memory/4724-123-0x00000000050E0000-0x00000000050F2000-memory.dmpFilesize
72KB
-
memory/4824-0-0x00000000006F0000-0x00000000006FA000-memory.dmpFilesize
40KB
-
memory/4824-1-0x00007FFF897E0000-0x00007FFF8A2A1000-memory.dmpFilesize
10.8MB
-
memory/4824-32-0x00007FFF897E0000-0x00007FFF8A2A1000-memory.dmpFilesize
10.8MB
-
memory/4824-2-0x000000001B3F0000-0x000000001B400000-memory.dmpFilesize
64KB
-
memory/4924-103-0x0000000003670000-0x0000000003674000-memory.dmpFilesize
16KB
-
memory/4936-540-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/4936-533-0x0000000000910000-0x000000000091B000-memory.dmpFilesize
44KB
-
memory/4936-532-0x0000000000910000-0x000000000091B000-memory.dmpFilesize
44KB
-
memory/5348-523-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/5448-1057-0x0000000000D90000-0x00000000012A7000-memory.dmpFilesize
5.1MB
-
memory/5464-1270-0x0000000000400000-0x00000000005CD000-memory.dmpFilesize
1.8MB
-
memory/5524-328-0x0000000005880000-0x0000000005EA8000-memory.dmpFilesize
6.2MB
-
memory/5524-323-0x00000000050B0000-0x00000000050E6000-memory.dmpFilesize
216KB
-
memory/5524-327-0x0000000005240000-0x0000000005250000-memory.dmpFilesize
64KB
-
memory/5524-324-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/5524-329-0x00000000057D0000-0x00000000057F2000-memory.dmpFilesize
136KB
-
memory/5532-322-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/5532-317-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/5696-1276-0x0000000000400000-0x0000000000575000-memory.dmpFilesize
1.5MB
-
memory/5696-1278-0x0000000000400000-0x0000000000575000-memory.dmpFilesize
1.5MB
-
memory/5696-1279-0x0000000000400000-0x0000000000575000-memory.dmpFilesize
1.5MB
-
memory/5856-1117-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5856-1255-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5928-370-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB