Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
23-03-2024 02:28
Static task
static1
Behavioral task
behavioral1
Sample
b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe
Resource
win10v2004-20240226-en
General
-
Target
b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe
-
Size
303KB
-
MD5
91971721b53c791bd1e4bef7ae44c4fc
-
SHA1
ffd271ebad1b0afae61b36a62d63352d38c703bd
-
SHA256
b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c
-
SHA512
25675855e0f4bb9727a1b7ffe63488f3a3a8bc85120bfd8be3187913dfd03d0db13f9f25fc79d06d3ee871b9e92b979df3a2a11b8e52812fcec858813d81a0ad
-
SSDEEP
3072:oQciUCwAoPh+BYYCEXWHbbk9B/armuE/1K8nD2ey7AOD65xL4dK:kOIhmhbL/uER2ey752L44
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.vook
-
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0857PsawqS
Extracted
vidar
8.4
95002d0a9d65ffced363a8f35f42a529
https://steamcommunity.com/profiles/76561199654112719
https://t.me/r2d0s
-
profile_id_v2
95002d0a9d65ffced363a8f35f42a529
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exeF21D.exeschtasks.exeschtasks.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7be4f0c0-9fc7-450c-be03-5bc0e600e9b4\\F21D.exe\" --AutoStart" F21D.exe 2780 schtasks.exe 2292 schtasks.exe -
Detect Vidar Stealer 6 IoCs
Processes:
resource yara_rule behavioral1/memory/2144-106-0x0000000002D60000-0x0000000002D91000-memory.dmp family_vidar_v7 behavioral1/memory/848-110-0x0000000000400000-0x0000000000644000-memory.dmp family_vidar_v7 behavioral1/memory/848-113-0x0000000000400000-0x0000000000644000-memory.dmp family_vidar_v7 behavioral1/memory/848-114-0x0000000000400000-0x0000000000644000-memory.dmp family_vidar_v7 behavioral1/memory/848-122-0x0000000000400000-0x0000000000644000-memory.dmp family_vidar_v7 behavioral1/memory/848-268-0x0000000000400000-0x0000000000644000-memory.dmp family_vidar_v7 -
Detected Djvu ransomware 14 IoCs
Processes:
resource yara_rule behavioral1/memory/3068-33-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2060-32-0x00000000024D0000-0x00000000025EB000-memory.dmp family_djvu behavioral1/memory/3068-36-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/3068-37-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/3068-58-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2804-68-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2804-69-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2804-82-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2804-83-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2804-87-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2804-89-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2804-90-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2804-108-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2804-279-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Detects Windows executables referencing non-Windows User-Agents 5 IoCs
Processes:
resource yara_rule behavioral1/memory/848-110-0x0000000000400000-0x0000000000644000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA behavioral1/memory/848-113-0x0000000000400000-0x0000000000644000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA behavioral1/memory/848-114-0x0000000000400000-0x0000000000644000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA behavioral1/memory/848-122-0x0000000000400000-0x0000000000644000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA behavioral1/memory/848-268-0x0000000000400000-0x0000000000644000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA -
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 5 IoCs
Processes:
resource yara_rule behavioral1/memory/848-110-0x0000000000400000-0x0000000000644000-memory.dmp INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL behavioral1/memory/848-113-0x0000000000400000-0x0000000000644000-memory.dmp INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL behavioral1/memory/848-114-0x0000000000400000-0x0000000000644000-memory.dmp INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL behavioral1/memory/848-122-0x0000000000400000-0x0000000000644000-memory.dmp INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL behavioral1/memory/848-268-0x0000000000400000-0x0000000000644000-memory.dmp INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
30FF.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 30FF.exe -
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
30FF.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 30FF.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 30FF.exe -
Deletes itself 1 IoCs
Processes:
pid process 1208 -
Executes dropped EXE 13 IoCs
Processes:
F21D.exeF21D.exeF21D.exeF21D.exebuild2.exebuild2.exebuild3.exebuild3.exe9F9B.exemstsca.exejiigavemstsca.exe30FF.exepid process 2060 F21D.exe 3068 F21D.exe 1628 F21D.exe 2804 F21D.exe 2144 build2.exe 848 build2.exe 2848 build3.exe 1936 build3.exe 1628 9F9B.exe 572 mstsca.exe 1608 jiigave 2776 mstsca.exe 2644 30FF.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
30FF.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine 30FF.exe -
Loads dropped DLL 15 IoCs
Processes:
F21D.exeF21D.exeF21D.exeF21D.exeWerFault.exeWerFault.exepid process 2060 F21D.exe 3068 F21D.exe 3068 F21D.exe 1628 F21D.exe 2804 F21D.exe 2804 F21D.exe 2568 WerFault.exe 2568 WerFault.exe 2568 WerFault.exe 2568 WerFault.exe 2804 F21D.exe 2804 F21D.exe 532 WerFault.exe 532 WerFault.exe 532 WerFault.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
F21D.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7be4f0c0-9fc7-450c-be03-5bc0e600e9b4\\F21D.exe\" --AutoStart" F21D.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 13 api.2ip.ua 7 api.2ip.ua 8 api.2ip.ua -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
30FF.exepid process 2644 30FF.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
F21D.exeF21D.exebuild2.exebuild3.exedescription pid process target process PID 2060 set thread context of 3068 2060 F21D.exe F21D.exe PID 1628 set thread context of 2804 1628 F21D.exe F21D.exe PID 2144 set thread context of 848 2144 build2.exe build2.exe PID 2848 set thread context of 1936 2848 build3.exe build3.exe -
Drops file in Windows directory 1 IoCs
Processes:
30FF.exedescription ioc process File created C:\Windows\Tasks\explorgu.job 30FF.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 2568 848 WerFault.exe build2.exe 532 1628 WerFault.exe 9F9B.exe -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exejiigavedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI jiigave Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI jiigave Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI jiigave -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 2780 schtasks.exe 2292 schtasks.exe -
Modifies registry class 5 IoCs
Processes:
explorer.exedescription ioc process Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe -
Processes:
build2.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 build2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a build2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a build2.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exepid process 2004 b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe 2004 b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exejiigavepid process 2004 b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe 1608 jiigave -
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes:
explorer.exedescription pid process Token: SeShutdownPrivilege 1208 Token: SeShutdownPrivilege 1208 Token: SeShutdownPrivilege 2948 explorer.exe Token: SeShutdownPrivilege 2948 explorer.exe Token: SeShutdownPrivilege 2948 explorer.exe Token: SeShutdownPrivilege 2948 explorer.exe Token: SeShutdownPrivilege 2948 explorer.exe Token: SeShutdownPrivilege 2948 explorer.exe Token: SeShutdownPrivilege 2948 explorer.exe Token: SeShutdownPrivilege 2948 explorer.exe Token: SeShutdownPrivilege 2948 explorer.exe Token: SeShutdownPrivilege 2948 explorer.exe Token: SeShutdownPrivilege 2948 explorer.exe Token: SeShutdownPrivilege 2948 explorer.exe -
Suspicious use of FindShellTrayWindow 29 IoCs
Processes:
explorer.exe30FF.exepid process 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2644 30FF.exe -
Suspicious use of SendNotifyMessage 18 IoCs
Processes:
explorer.exepid process 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe 2948 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cmd.exeF21D.exeF21D.exeF21D.exeF21D.exebuild2.exebuild2.exebuild3.exedescription pid process target process PID 1208 wrote to memory of 2572 1208 cmd.exe PID 1208 wrote to memory of 2572 1208 cmd.exe PID 1208 wrote to memory of 2572 1208 cmd.exe PID 2572 wrote to memory of 2920 2572 cmd.exe reg.exe PID 2572 wrote to memory of 2920 2572 cmd.exe reg.exe PID 2572 wrote to memory of 2920 2572 cmd.exe reg.exe PID 1208 wrote to memory of 2060 1208 F21D.exe PID 1208 wrote to memory of 2060 1208 F21D.exe PID 1208 wrote to memory of 2060 1208 F21D.exe PID 1208 wrote to memory of 2060 1208 F21D.exe PID 2060 wrote to memory of 3068 2060 F21D.exe F21D.exe PID 2060 wrote to memory of 3068 2060 F21D.exe F21D.exe PID 2060 wrote to memory of 3068 2060 F21D.exe F21D.exe PID 2060 wrote to memory of 3068 2060 F21D.exe F21D.exe PID 2060 wrote to memory of 3068 2060 F21D.exe F21D.exe PID 2060 wrote to memory of 3068 2060 F21D.exe F21D.exe PID 2060 wrote to memory of 3068 2060 F21D.exe F21D.exe PID 2060 wrote to memory of 3068 2060 F21D.exe F21D.exe PID 2060 wrote to memory of 3068 2060 F21D.exe F21D.exe PID 2060 wrote to memory of 3068 2060 F21D.exe F21D.exe PID 2060 wrote to memory of 3068 2060 F21D.exe F21D.exe PID 3068 wrote to memory of 2788 3068 F21D.exe icacls.exe PID 3068 wrote to memory of 2788 3068 F21D.exe icacls.exe PID 3068 wrote to memory of 2788 3068 F21D.exe icacls.exe PID 3068 wrote to memory of 2788 3068 F21D.exe icacls.exe PID 3068 wrote to memory of 1628 3068 F21D.exe F21D.exe PID 3068 wrote to memory of 1628 3068 F21D.exe F21D.exe PID 3068 wrote to memory of 1628 3068 F21D.exe F21D.exe PID 3068 wrote to memory of 1628 3068 F21D.exe F21D.exe PID 1628 wrote to memory of 2804 1628 F21D.exe F21D.exe PID 1628 wrote to memory of 2804 1628 F21D.exe F21D.exe PID 1628 wrote to memory of 2804 1628 F21D.exe F21D.exe PID 1628 wrote to memory of 2804 1628 F21D.exe F21D.exe PID 1628 wrote to memory of 2804 1628 F21D.exe F21D.exe PID 1628 wrote to memory of 2804 1628 F21D.exe F21D.exe PID 1628 wrote to memory of 2804 1628 F21D.exe F21D.exe PID 1628 wrote to memory of 2804 1628 F21D.exe F21D.exe PID 1628 wrote to memory of 2804 1628 F21D.exe F21D.exe PID 1628 wrote to memory of 2804 1628 F21D.exe F21D.exe PID 1628 wrote to memory of 2804 1628 F21D.exe F21D.exe PID 2804 wrote to memory of 2144 2804 F21D.exe build2.exe PID 2804 wrote to memory of 2144 2804 F21D.exe build2.exe PID 2804 wrote to memory of 2144 2804 F21D.exe build2.exe PID 2804 wrote to memory of 2144 2804 F21D.exe build2.exe PID 2144 wrote to memory of 848 2144 build2.exe build2.exe PID 2144 wrote to memory of 848 2144 build2.exe build2.exe PID 2144 wrote to memory of 848 2144 build2.exe build2.exe PID 2144 wrote to memory of 848 2144 build2.exe build2.exe PID 2144 wrote to memory of 848 2144 build2.exe build2.exe PID 2144 wrote to memory of 848 2144 build2.exe build2.exe PID 2144 wrote to memory of 848 2144 build2.exe build2.exe PID 2144 wrote to memory of 848 2144 build2.exe build2.exe PID 2144 wrote to memory of 848 2144 build2.exe build2.exe PID 2144 wrote to memory of 848 2144 build2.exe build2.exe PID 2144 wrote to memory of 848 2144 build2.exe build2.exe PID 848 wrote to memory of 2568 848 build2.exe WerFault.exe PID 848 wrote to memory of 2568 848 build2.exe WerFault.exe PID 848 wrote to memory of 2568 848 build2.exe WerFault.exe PID 848 wrote to memory of 2568 848 build2.exe WerFault.exe PID 2804 wrote to memory of 2848 2804 F21D.exe build3.exe PID 2804 wrote to memory of 2848 2804 F21D.exe build3.exe PID 2804 wrote to memory of 2848 2804 F21D.exe build3.exe PID 2804 wrote to memory of 2848 2804 F21D.exe build3.exe PID 2848 wrote to memory of 1936 2848 build3.exe build3.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe"C:\Users\Admin\AppData\Local\Temp\b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7DF6.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\F21D.exeC:\Users\Admin\AppData\Local\Temp\F21D.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\F21D.exeC:\Users\Admin\AppData\Local\Temp\F21D.exe2⤵
- DcRat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\7be4f0c0-9fc7-450c-be03-5bc0e600e9b4" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\F21D.exe"C:\Users\Admin\AppData\Local\Temp\F21D.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\F21D.exe"C:\Users\Admin\AppData\Local\Temp\F21D.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\2760e992-e841-4768-aec7-76e158f3ae9d\build2.exe"C:\Users\Admin\AppData\Local\2760e992-e841-4768-aec7-76e158f3ae9d\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\2760e992-e841-4768-aec7-76e158f3ae9d\build2.exe"C:\Users\Admin\AppData\Local\2760e992-e841-4768-aec7-76e158f3ae9d\build2.exe"6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 14447⤵
- Loads dropped DLL
- Program crash
-
C:\Users\Admin\AppData\Local\2760e992-e841-4768-aec7-76e158f3ae9d\build3.exe"C:\Users\Admin\AppData\Local\2760e992-e841-4768-aec7-76e158f3ae9d\build3.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\2760e992-e841-4768-aec7-76e158f3ae9d\build3.exe"C:\Users\Admin\AppData\Local\2760e992-e841-4768-aec7-76e158f3ae9d\build3.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\9F9B.exeC:\Users\Admin\AppData\Local\Temp\9F9B.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 1242⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\A46D.bat" "1⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\30FF.exeC:\Users\Admin\AppData\Local\Temp\30FF.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\taskeng.exetaskeng.exe {D3B6A961-24E4-4B38-B868-3BB6ADE84282} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\jiigaveC:\Users\Admin\AppData\Roaming\jiigave2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Defense Evasion
Virtualization/Sandbox Evasion
2Modify Registry
3File and Directory Permissions Modification
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
1KB
MD52d219418fcb0d3e1548d258fa9b7dd71
SHA1146cd8d22a84293a9b6627e11d22c9bf634bbec1
SHA25660418db0de82c337580dbb3af5e20e99576c0473cb346fa33aecb0fd13c1ff77
SHA512da31791377fc23a247521c438a04751615ebb853dba8820ca4191e31a117c32645255c33138c31158509e5d565c958ae6210c926c344e17a5bc02b5007c50ab5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
67KB
MD5753df6889fd7410a2e9fe333da83a429
SHA13c425f16e8267186061dd48ac1c77c122962456e
SHA256b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA5129d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD5f738757a3ee2cf638ac2a2982f6959da
SHA16f435d0c1925c800c9e18f4a41ee8709b4b17308
SHA2568120c8bf9a614cd5ed3107c9a76428c11f4c57ae0ef676c4fa9cd5ffee7a64c8
SHA5128ddbf701ab171eaeeef40f4f683766b980b2255085dd3f85306e444aec74a95acf7eefcedaaf00282c17edef8447d6a7dc5f7c37f664eacd7e93c7856b72a935
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD53bdd69a85cbba79a39618281fbe7b04d
SHA12d930d66107e9b9562d2ca8266a06db959c29f58
SHA25689476f6e982ea50f7e51c8193e43f728d53cfb6dfdd5c7f31161d8cbbd513895
SHA512c6fc93adef92995ef385dcc5f69bea7a63dd29c84f491879cfdfb89c825d1e569d44f4efdcec5d8f6f4a38e3d895c1ff250401de456eea61b367357af37d4acd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5b2000c4e7be85dd93a58a5a20704f7a1
SHA17de626a2ed28eb0da987d63a85805218bfd9fafc
SHA25669885d4512ab54506477bb4be1e96a59bade6ae5c01cebf77d3a32f02e2f675b
SHA512c3ace967e54aa2bab14adda7e58b2d8e8eea4bb75a5800d7ff92e5d0564ff05df8d1142b7969f07aba5f8b29d002f2a70dd8caa59c8556eda38445b824aa3e33
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
392B
MD500bb8be5baf7ad9800c456341e1bc1a1
SHA18bfc58d9fa9320c9dd26ac401cb2a11c3e814844
SHA256eba62d52b41d31823f85b7f2ce9d92cbc4910204dd4d71bbf3b8374244cc4c79
SHA51237b11d1caca614c68183e7168bbee211388fd76d576160faa8f4ceff8b6fd23b8bb01e6feead9ef684c470a0adb1cbd1361c84daee4c3583bc9d45acb48b4418
-
C:\Users\Admin\AppData\Local\2760e992-e841-4768-aec7-76e158f3ae9d\build2.exeFilesize
128KB
MD5a4c234335047c828df39c0b35d73ab72
SHA13ca7d455cfa0926d10411ce1abe3c00c1246fd80
SHA2566a85083e3fe348171aecd5699b7a396d1a5c5dfb336521da99d26dece059bba8
SHA51279bdaa7418c998c1fc6c357e1ed81f68f4aa41e566aab932d6dab9d0e432eb536139f5ed5980134336c965b81453b9b426987204a9b4560452f74b488c097743
-
C:\Users\Admin\AppData\Local\Temp\30FF.exeFilesize
896KB
MD57a9200f57912af165d728847592c8ac8
SHA1d22e797b0b8a0bd29526cb6b4b42286d81008bdc
SHA256b79928f6cd85e2dbb446aa0ad9d99b272da05d65ddcb2028dbee35cee33d7681
SHA5123741e15d89ddabacd5b1afc964845b56dd779b45cb29b0363c0c6831476ee11caf8f9643c41612b31cf4e0d55593db09dbd2a33b334049231b32b18dd7c8e6d5
-
C:\Users\Admin\AppData\Local\Temp\30FF.exeFilesize
768KB
MD5f286952654a9b080b108abf0fb4c8317
SHA132411bb7bf98b3079570ec4b8e66c858e5f31870
SHA2560d35c620ee4b8c9148f53210afcef26bb1873c3cb675b9c29027d2e1027ad33a
SHA51279f2aac0a73369ed352c30a4029f0406d0d2d39815ccf741902efca463583abc6a983e8cfac8b48c408bd23c48025678d234f466f1696a8c90e0043468588fa5
-
C:\Users\Admin\AppData\Local\Temp\30FF.exeFilesize
1.8MB
MD5b8b5138dc6f97136cfebece16f80203d
SHA1e020d3ac6d101791801e8ce8c921a5f54f78abf5
SHA2567d1e736b876ad9f4effc5736323bbb1db9d53b49abda5a13d238cbe5f56e136c
SHA512f26e295c0845b57520ee8392761c532527ca41974f68f189bb37637b45455edceb098ca23d2952e495635719a8da8a39d86d880467bc6ad79071afd870dd9877
-
C:\Users\Admin\AppData\Local\Temp\7DF6.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\9F9B.exeFilesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
C:\Users\Admin\AppData\Local\Temp\CabFDB0.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\F21D.exeFilesize
818KB
MD540a0b12623cca2067aaf9047c8fb36d6
SHA196be356366e488fca45b666138082fdd440fbedd
SHA256b5b61da6a6817d9815bd46ac996f56d285fe2b8fd85c961ce174adaff0c0d398
SHA512c178116559efe609067132c29bc88637b0e7c5b116e27705ff37080f7b4be0b2192b537ac342a19e9624602f99e066fe49687fbf77e2fbf11a4ae29e0fddfd2d
-
C:\Users\Admin\AppData\Local\Temp\Tar365D.tmpFilesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
C:\Users\Admin\AppData\Local\Temp\Tar3C0E.tmpFilesize
175KB
MD5dd73cead4b93366cf3465c8cd32e2796
SHA174546226dfe9ceb8184651e920d1dbfb432b314e
SHA256a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Roaming\jiigaveFilesize
303KB
MD591971721b53c791bd1e4bef7ae44c4fc
SHA1ffd271ebad1b0afae61b36a62d63352d38c703bd
SHA256b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c
SHA51225675855e0f4bb9727a1b7ffe63488f3a3a8bc85120bfd8be3187913dfd03d0db13f9f25fc79d06d3ee871b9e92b979df3a2a11b8e52812fcec858813d81a0ad
-
\Users\Admin\AppData\Local\2760e992-e841-4768-aec7-76e158f3ae9d\build2.exeFilesize
342KB
MD526544ec9adc1864de80222fb0b38e6dc
SHA12ca52374bb468a8e2c10d39b64d1e4e9d7d0adee
SHA25603b38ccf2c3145839d5ea7c5ccec609de3a67a7e435e94ca05c8c080d9df4411
SHA512f7eb99db8eb4df15ac252bd4523a407b32089d22c435303499bc3813ecdf1ffbc8483417bb97e901fba3e3f36c6e9e47eb30fa78b7c461d3f78f5d5899fae730
-
\Users\Admin\AppData\Local\2760e992-e841-4768-aec7-76e158f3ae9d\build3.exeFilesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
\Users\Admin\AppData\Local\Temp\9F9B.exeFilesize
2.2MB
MD55ea2783a31e61dc879745a665e51c38d
SHA1fff59be0d75c01f567781766aeb08cbbdc63a029
SHA25673488116ac8ea455a05e2cb81db9d4821705132663943fa5c04296894b0f7f04
SHA5128aa3c9f05a6e0194d25d04dbc350c71fde97233dc5e462b790fd6e6d5b70cb38bec1fbb6363720969eca9aaa7563c815acda74f51c3a6de4ef69b14e309d8fb4
-
\Users\Admin\AppData\Local\Temp\9F9B.exeFilesize
2.8MB
MD53a4ee818575e5c70bfb7e229fd7cb6e3
SHA132d1db3d9074e42eb4da253b398e65d34759cda4
SHA2563c183e100f9d6a0605d1f656706e1c2ea17c52b1b0fd159e2c6a07e8930ca14d
SHA51291c7a5c0e7b846c63322098a541876ed9e5547f22550e93db5c4cf1ca60d09eec18742dbaf85e915edec966944374c2eb3b5c1075a2c81ad60910b650a7e7d61
-
\Users\Admin\AppData\Local\Temp\9F9B.exeFilesize
2.3MB
MD53c8525ff68cc9325f839869b6103ceff
SHA1514e4e38d79bd15b9e10a8eeaccd608209d49f5d
SHA2569719de06f312d017ed23ddf2f93dc98afcd1ccbe0930c26dab5c154f8eb8f834
SHA51213187e88185e797a8ce4dfd69d88e1cdc9ba253b66c9b9d5786cae652d7faf99caf194fb03381445ea9cf2d9372868d574d22ccf12fef506c2adedaeacccaebc
-
\Users\Admin\AppData\Local\Temp\F21D.exeFilesize
512KB
MD54fcdcebcaaf807a4fbae635135581674
SHA1f8a864047334847f352d9ff222db3baa5c3b2bc3
SHA2568869a07cc35bd3bd4ed8b78cdd31d7f84989a1600a26ec2350bc90e01102e978
SHA51262ba562b5f7f9ea9a23cc35f50ae6966ec5a9aab25ee521fbe4a0d0ff0e6b451b6b31be7c49419f288ecc39e9159a55bdaea0948179e7cb81c882432ebbc11c7
-
memory/848-104-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/848-268-0x0000000000400000-0x0000000000644000-memory.dmpFilesize
2.3MB
-
memory/848-122-0x0000000000400000-0x0000000000644000-memory.dmpFilesize
2.3MB
-
memory/848-114-0x0000000000400000-0x0000000000644000-memory.dmpFilesize
2.3MB
-
memory/848-113-0x0000000000400000-0x0000000000644000-memory.dmpFilesize
2.3MB
-
memory/848-110-0x0000000000400000-0x0000000000644000-memory.dmpFilesize
2.3MB
-
memory/1208-4-0x0000000002A90000-0x0000000002AA6000-memory.dmpFilesize
88KB
-
memory/1608-378-0x0000000000400000-0x0000000002D4A000-memory.dmpFilesize
41.3MB
-
memory/1608-365-0x0000000000400000-0x0000000002D4A000-memory.dmpFilesize
41.3MB
-
memory/1608-364-0x0000000003190000-0x0000000003290000-memory.dmpFilesize
1024KB
-
memory/1628-317-0x0000000000100000-0x0000000000101000-memory.dmpFilesize
4KB
-
memory/1628-320-0x0000000000110000-0x0000000000111000-memory.dmpFilesize
4KB
-
memory/1628-347-0x0000000000150000-0x0000000000151000-memory.dmpFilesize
4KB
-
memory/1628-307-0x00000000000F0000-0x00000000000F1000-memory.dmpFilesize
4KB
-
memory/1628-380-0x0000000000B00000-0x00000000017E5000-memory.dmpFilesize
12.9MB
-
memory/1628-59-0x00000000002E0000-0x0000000000372000-memory.dmpFilesize
584KB
-
memory/1628-312-0x0000000000100000-0x0000000000101000-memory.dmpFilesize
4KB
-
memory/1628-313-0x0000000000B00000-0x00000000017E5000-memory.dmpFilesize
12.9MB
-
memory/1628-309-0x00000000000F0000-0x00000000000F1000-memory.dmpFilesize
4KB
-
memory/1628-322-0x0000000000110000-0x0000000000111000-memory.dmpFilesize
4KB
-
memory/1628-302-0x0000000000B00000-0x00000000017E5000-memory.dmpFilesize
12.9MB
-
memory/1628-311-0x00000000000F0000-0x00000000000F1000-memory.dmpFilesize
4KB
-
memory/1628-61-0x00000000002E0000-0x0000000000372000-memory.dmpFilesize
584KB
-
memory/1628-315-0x0000000000100000-0x0000000000101000-memory.dmpFilesize
4KB
-
memory/1936-283-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1936-287-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/1936-290-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/1936-292-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/2004-2-0x0000000000220000-0x000000000022B000-memory.dmpFilesize
44KB
-
memory/2004-3-0x0000000000400000-0x0000000002D4A000-memory.dmpFilesize
41.3MB
-
memory/2004-5-0x0000000000400000-0x0000000002D4A000-memory.dmpFilesize
41.3MB
-
memory/2004-1-0x0000000002DE0000-0x0000000002EE0000-memory.dmpFilesize
1024KB
-
memory/2060-26-0x0000000000320000-0x00000000003B2000-memory.dmpFilesize
584KB
-
memory/2060-32-0x00000000024D0000-0x00000000025EB000-memory.dmpFilesize
1.1MB
-
memory/2060-30-0x0000000000320000-0x00000000003B2000-memory.dmpFilesize
584KB
-
memory/2144-105-0x0000000000260000-0x0000000000360000-memory.dmpFilesize
1024KB
-
memory/2144-106-0x0000000002D60000-0x0000000002D91000-memory.dmpFilesize
196KB
-
memory/2644-397-0x0000000000FC0000-0x0000000001473000-memory.dmpFilesize
4.7MB
-
memory/2644-407-0x0000000000DB0000-0x0000000000DB1000-memory.dmpFilesize
4KB
-
memory/2644-405-0x0000000000F60000-0x0000000000F61000-memory.dmpFilesize
4KB
-
memory/2644-404-0x0000000000C90000-0x0000000000C91000-memory.dmpFilesize
4KB
-
memory/2644-416-0x0000000000FC0000-0x0000000001473000-memory.dmpFilesize
4.7MB
-
memory/2644-402-0x0000000000E20000-0x0000000000E21000-memory.dmpFilesize
4KB
-
memory/2644-401-0x0000000000DC0000-0x0000000000DC1000-memory.dmpFilesize
4KB
-
memory/2644-415-0x0000000000F50000-0x0000000000F51000-memory.dmpFilesize
4KB
-
memory/2644-409-0x0000000000C80000-0x0000000000C81000-memory.dmpFilesize
4KB
-
memory/2644-399-0x0000000000FC0000-0x0000000001473000-memory.dmpFilesize
4.7MB
-
memory/2644-408-0x0000000000BD0000-0x0000000000BD1000-memory.dmpFilesize
4KB
-
memory/2644-406-0x0000000000A90000-0x0000000000A91000-memory.dmpFilesize
4KB
-
memory/2644-398-0x0000000077590000-0x0000000077592000-memory.dmpFilesize
8KB
-
memory/2804-87-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2804-68-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2804-89-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2804-90-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2804-108-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2804-69-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2804-83-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2804-82-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2804-279-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2848-284-0x0000000000930000-0x0000000000A30000-memory.dmpFilesize
1024KB
-
memory/2848-285-0x0000000000220000-0x0000000000224000-memory.dmpFilesize
16KB
-
memory/2948-396-0x0000000004460000-0x0000000004461000-memory.dmpFilesize
4KB
-
memory/2948-366-0x0000000004460000-0x0000000004461000-memory.dmpFilesize
4KB
-
memory/3068-33-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3068-58-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3068-37-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3068-36-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3068-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB