Malware Analysis Report

2024-11-13 16:52

Sample ID 241109-bk75qstgjb
Target fd09b71d35b55a7beb80386eeec03f0495d26613e4204b7ba4940a01431c6665
SHA256 fd09b71d35b55a7beb80386eeec03f0495d26613e4204b7ba4940a01431c6665
Tags
cryptbot nullmixer privateloader redline sectoprat vidar pub1 aspackv2 discovery dropper execution infostealer loader persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fd09b71d35b55a7beb80386eeec03f0495d26613e4204b7ba4940a01431c6665

Threat Level: Known bad

The file fd09b71d35b55a7beb80386eeec03f0495d26613e4204b7ba4940a01431c6665 was found to be: Known bad.

Malicious Activity Summary

CryptBot

NullMixer

RedLine

Sectoprat family

Nullmixer family

Vidar family

SectopRAT

Cryptbot family

PrivateLoader

Privateloader family

Redline family

SectopRAT payload

CryptBot payload

RedLine payload

Vidar

Vidar Stealer

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

ASPack v2.12-2.42

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Enumerates physical storage devices

Program crash

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Checks processor information in registry

Enumerates system info in registry

Runs ping.exe

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 01:13

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 01:13

Reported

2024-11-09 01:15

Platform

win7-20241023-en

Max time kernel

74s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abb236e254e7d272e7d060c62765f69f60ae90b18c2f2706c108346ebe0b1ba2.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Cryptbot family

cryptbot

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Sectoprat family

sectoprat

Vidar

stealer vidar

Vidar family

vidar

Vidar Stealer

stealer

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2

Loads dropped DLL

(consecutive identical rows collapsed; Count is the number of recorded load events)
Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\abb236e254e7d272e7d060c62765f69f60ae90b18c2f2706c108346ebe0b1ba2.exe N/A 3
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\setup_install.exe N/A 8
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14c9e3c490fa4f949.exe N/A 3
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A 3
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14c9e3c490fa4f949.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14c6f2b7659c1a82.exe N/A 2
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14fe0320b9.exe N/A 2
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri1435ec83714.exe N/A 2
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A 3
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri1498a421242.exe N/A 2
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14cea698c62f415a.exe N/A 2
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com N/A 1
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A 11

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14cea698c62f415a.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A (recorded twice)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14c6f2b7659c1a82.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14fe0320b9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14cea698c62f415a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dllhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14c9e3c490fa4f949.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14c9e3c490fa4f949.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri1435ec83714.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri1498a421242.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abb236e254e7d272e7d060c62765f69f60ae90b18c2f2706c108346ebe0b1ba2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14692ed4ae437c956.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14692ed4ae437c956.exe N/A (recorded twice)

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14692ed4ae437c956.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri1497365abb788a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14c6f2b7659c1a82.exe N/A

Suspicious use of WriteProcessMemory

(consecutive identical rows collapsed; Count is the number of recorded write events)
Description Indicator Process Target Count
PID 2156 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\abb236e254e7d272e7d060c62765f69f60ae90b18c2f2706c108346ebe0b1ba2.exe C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\setup_install.exe 7
PID 2232 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 2232 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 2232 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 2232 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 2232 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 2232 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 2232 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 2232 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 2828 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14c9e3c490fa4f949.exe 1

Processes

C:\Users\Admin\AppData\Local\Temp\abb236e254e7d272e7d060c62765f69f60ae90b18c2f2706c108346ebe0b1ba2.exe

"C:\Users\Admin\AppData\Local\Temp\abb236e254e7d272e7d060c62765f69f60ae90b18c2f2706c108346ebe0b1ba2.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri14c9e3c490fa4f949.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri1498a421242.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri147cee36d090.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri1435ec83714.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri14c6f2b7659c1a82.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri14fe0320b9.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri14692ed4ae437c956.exe

C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14c9e3c490fa4f949.exe

Fri14c9e3c490fa4f949.exe

C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14c9e3c490fa4f949.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14c9e3c490fa4f949.exe" -a

C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri147cee36d090.exe

Fri147cee36d090.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri14cea698c62f415a.exe

C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri147cee36d090.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri147cee36d090.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri1497365abb788a.exe

C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14692ed4ae437c956.exe

Fri14692ed4ae437c956.exe

C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14c6f2b7659c1a82.exe

Fri14c6f2b7659c1a82.exe

C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14fe0320b9.exe

Fri14fe0320b9.exe

C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri1435ec83714.exe

Fri1435ec83714.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri1497365abb788a.exe

Fri1497365abb788a.exe

C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri1498a421242.exe

Fri1498a421242.exe

C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14cea698c62f415a.exe

Fri14cea698c62f415a.exe

C:\Windows\SysWOW64\dllhost.exe

dllhost.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Abbassero.wmv

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^VHwgFRxzxxLcwcGoqrvwdRkyDDkqmNLTpdmTOMvFsotvynnSaSEGawtrcWKeGzUGIRjLVNzgHQJiNPZttzIGotBijvbSexZYgbNhjNWFndZB$" Rugiada.wmv

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com

Piu.exe.com L

C:\Windows\SysWOW64\PING.EXE

ping PJCSDMRP -n 30

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com L

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 288 -s 936

Network


Files

\Users\Admin\AppData\Local\Temp\7zSC686BFB6\setup_install.exe

C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\libcurl.dll

\Users\Admin\AppData\Local\Temp\7zSC686BFB6\libgcc_s_dw2-1.dll

\Users\Admin\AppData\Local\Temp\7zSC686BFB6\libstdc++-6.dll

\Users\Admin\AppData\Local\Temp\7zSC686BFB6\libcurlpp.dll

C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri1498a421242.exe

C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14c9e3c490fa4f949.exe

\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14c6f2b7659c1a82.exe

\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri1435ec83714.exe

\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14fe0320b9.exe

C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14692ed4ae437c956.exe

C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri1497365abb788a.exe

C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri147cee36d090.exe

MD5 0a0d22f1c9179a67d04166de0db02dbb
SHA1 106e55bd898b5574f9bd33dac9f3c0b95cecd90d
SHA256 a59457fbfaf3d1b2e17463d0ffd50680313b1905aff69f13694cfc3fffd5a4ac
SHA512 8abf8dc0da25c0fdbaa1ca39db057db80b9a135728fed9cd0f45b0f06d5652cee8d309b92e7cb953c0c4e8b38ffa2427c33f4865f1eb985a621316f9eb187b8b

C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14cea698c62f415a.exe

MD5 9816173c0462753439780cd040d546e2
SHA1 cb63512db6f800cc62dfe943a41613b4cbb15484
SHA256 da65a761ea15c24fdb4e322e48d67f914c9399e6c804de75127424211551d51f
SHA512 c9443baaf190b01b36d0d65103634d5f9492acd395ef2b9924e60822d7023dfc40692443362342534db284829ae36302f75d3ebc04d3ebf5bc3107e3b59e46bf

memory/2200-150-0x0000000000400000-0x0000000002CB4000-memory.dmp

memory/1804-156-0x0000000004D20000-0x0000000004D42000-memory.dmp

memory/2144-166-0x0000000000B20000-0x0000000000B4C000-memory.dmp

memory/2924-165-0x0000000000E00000-0x0000000000E08000-memory.dmp

memory/1804-167-0x0000000004F00000-0x0000000004F20000-memory.dmp

memory/2144-169-0x0000000000240000-0x0000000000262000-memory.dmp

memory/2232-184-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2232-183-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2232-182-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2232-181-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2232-179-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2232-175-0x0000000000400000-0x000000000051B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabCAA1.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarCAD3.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/1804-238-0x0000000000400000-0x0000000002CCD000-memory.dmp

memory/288-239-0x0000000000400000-0x0000000002D0F000-memory.dmp

memory/2740-243-0x0000000000230000-0x0000000000330000-memory.dmp

memory/2740-242-0x0000000000230000-0x0000000000330000-memory.dmp

memory/2740-241-0x0000000000230000-0x0000000000330000-memory.dmp

memory/2448-244-0x0000000003D50000-0x0000000003DF3000-memory.dmp

memory/2448-246-0x0000000003D50000-0x0000000003DF3000-memory.dmp

memory/2448-245-0x0000000003D50000-0x0000000003DF3000-memory.dmp

memory/2448-247-0x0000000003D50000-0x0000000003DF3000-memory.dmp

memory/2448-249-0x0000000003D50000-0x0000000003DF3000-memory.dmp

memory/2448-250-0x0000000003D50000-0x0000000003DF3000-memory.dmp

memory/2448-251-0x0000000003D50000-0x0000000003DF3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\U2g7VWv5\_Files\_Information.txt

MD5 ced5b3b709b2856e52cb0567c40754d3
SHA1 2b85a84aa17b8f05249bedc5077e8d5686d644b9
SHA256 9482583aab7bfbe7d56e38f85bab1de1d0f8cd3d268c7b671f7faa99f3f7ef41
SHA512 24c9dc12922dc0a9203f571939794c4019e66a8c6f692712b225602f45e51bbd714c9d550c10a1a4b875cf6862a0142644aaaf0b9ac8ea296df9cb2a12919f4d

C:\Users\Admin\AppData\Local\Temp\U2g7VWv5\_Files\_Information.txt

MD5 c96686e0f7dd0a30ec880c149e3b47a0
SHA1 153bd7f41f5c4ea66b8d8e63103494c49ba8b7f2
SHA256 15562c77833a6c9506a238e1af5debea517a7df460e9fb467945fddcb96a6822
SHA512 bf5c32b8c22c72d21e1b3ee5a28f6e0464bff2fc08acb3e5271396c941c2b52fdd90d61d4cbe42dfaa1418844b2142923d8b414c8d87cc4d22cd40080b44d9f0

C:\Users\Admin\AppData\Local\Temp\U2g7VWv5\files_\system_info.txt

MD5 e624556a0b574d6c3f46fc6cb24b6916
SHA1 c3b7bcec318c9e940aa4c39420aad71be6ef1bc7
SHA256 356a7cd05aca11fb02ffedcabe49cf4a442a6cc39425dda94176689ca817e379
SHA512 7411b977bea67f5cd26b156b3ea6c96835e387039df0ad745c54895370087d6b1a80351c61d0b4fb02b9cc5cef9219fea41605b749bb90922fb8267a56bcb287

C:\Users\Admin\AppData\Local\Temp\U2g7VWv5\files_\system_info.txt

MD5 64dc8bdab9a79cccd23aea4940320aff
SHA1 c51c23cf6b9b3088fc0ee6658678880e842a7410
SHA256 77de3658929149b9aa282958391d7f0fe79bf4fbe5842a3d0c78881b8f007f02
SHA512 2a89ba51b8ac935071e15ae6c0de9ae267f80477089b0749fa6692c506a77dddff967cf7b1a4b4e6806e392e279c6d5ef200cc8d7d01bd5ec4707e56d30f537f

C:\Users\Admin\AppData\Local\Temp\U2g7VWv5\_Files\_Screen_Desktop.jpeg

MD5 25c4e3a20b06ec735b78ba0caeb0a98b
SHA1 a6961ff82048863f55b5cf5ec610f2db62ffd384
SHA256 d4349d5f299a18d57fa460de8e18e4ee615b1b666148bae2451f0ed381bdf78c
SHA512 bcb04ba9182764628802a2099fcaf8a95d54d7889beed1dd14c92fbeecbd709aea758cae22bf1a0d8849428e40a213008e0c2518086c0a657f55cf8a4d99f278

C:\Users\Admin\AppData\Local\Temp\U2g7VWv5\V8BJZigwg6jLqk.zip

MD5 042e6866596d31f450c76eab99f14f58
SHA1 6730d8ca01659ecff8e046b8ced434243d728ab9
SHA256 ff86c4e2ad625870eef1226eac7588772fe384e90e19deb08f83f72a9ab4662f
SHA512 8b7025ddebd75048e803765b6f5a7961f5b64f5c6388f91a26bab740bd724d223f646a41bb189a24b96464e7a02598e532c6aa0a5f04c4a0bab98507e47e4cfb

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 01:13

Reported

2024-11-09 01:15

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abb236e254e7d272e7d060c62765f69f60ae90b18c2f2706c108346ebe0b1ba2.exe"

Signatures

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Vidar

stealer vidar

Vidar family

vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\abb236e254e7d272e7d060c62765f69f60ae90b18c2f2706c108346ebe0b1ba2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c9e3c490fa4f949.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14cea698c62f415a.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1498a421242.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1435ec83714.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1435ec83714.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1435ec83714.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1435ec83714.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1435ec83714.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1435ec83714.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1435ec83714.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1435ec83714.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1435ec83714.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1435ec83714.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1435ec83714.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1435ec83714.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14cea698c62f415a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1498a421242.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1435ec83714.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c6f2b7659c1a82.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c9e3c490fa4f949.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abb236e254e7d272e7d060c62765f69f60ae90b18c2f2706c108346ebe0b1ba2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c9e3c490fa4f949.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14fe0320b9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1498a421242.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1498a421242.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\dwm.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1498a421242.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\dwm.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwm.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1497365abb788a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14692ed4ae437c956.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c6f2b7659c1a82.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: 33 N/A C:\Windows\system32\dwm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\dwm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4284 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\abb236e254e7d272e7d060c62765f69f60ae90b18c2f2706c108346ebe0b1ba2.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe
PID 4284 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\abb236e254e7d272e7d060c62765f69f60ae90b18c2f2706c108346ebe0b1ba2.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe
PID 4284 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\abb236e254e7d272e7d060c62765f69f60ae90b18c2f2706c108346ebe0b1ba2.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe
PID 1436 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 400 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c9e3c490fa4f949.exe
PID 400 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c9e3c490fa4f949.exe
PID 400 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c9e3c490fa4f949.exe
PID 2584 wrote to memory of 3508 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri147cee36d090.exe
PID 2584 wrote to memory of 3508 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri147cee36d090.exe
PID 1856 wrote to memory of 872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1498a421242.exe
PID 1856 wrote to memory of 872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1498a421242.exe
PID 1856 wrote to memory of 872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1498a421242.exe
PID 2556 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2556 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2556 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3512 wrote to memory of 616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14cea698c62f415a.exe
PID 3512 wrote to memory of 616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14cea698c62f415a.exe
PID 3512 wrote to memory of 616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14cea698c62f415a.exe
PID 4168 wrote to memory of 4632 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1435ec83714.exe
PID 4168 wrote to memory of 4632 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1435ec83714.exe
PID 4168 wrote to memory of 4632 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1435ec83714.exe
PID 3360 wrote to memory of 784 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1497365abb788a.exe
PID 3360 wrote to memory of 784 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1497365abb788a.exe
PID 3644 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14692ed4ae437c956.exe
PID 3644 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14692ed4ae437c956.exe
PID 740 wrote to memory of 4060 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c6f2b7659c1a82.exe
PID 740 wrote to memory of 4060 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c6f2b7659c1a82.exe
PID 740 wrote to memory of 4060 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c6f2b7659c1a82.exe
PID 4944 wrote to memory of 1196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14fe0320b9.exe
PID 4944 wrote to memory of 1196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14fe0320b9.exe
PID 4944 wrote to memory of 1196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14fe0320b9.exe
PID 4956 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c9e3c490fa4f949.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c9e3c490fa4f949.exe
PID 4956 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c9e3c490fa4f949.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c9e3c490fa4f949.exe
PID 4956 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c9e3c490fa4f949.exe C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c9e3c490fa4f949.exe
PID 616 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14cea698c62f415a.exe C:\Windows\SysWOW64\dllhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\abb236e254e7d272e7d060c62765f69f60ae90b18c2f2706c108346ebe0b1ba2.exe

"C:\Users\Admin\AppData\Local\Temp\abb236e254e7d272e7d060c62765f69f60ae90b18c2f2706c108346ebe0b1ba2.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri14c9e3c490fa4f949.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri1498a421242.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri147cee36d090.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri1435ec83714.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri14c6f2b7659c1a82.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri14fe0320b9.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri14692ed4ae437c956.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri14cea698c62f415a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Fri1497365abb788a.exe

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c9e3c490fa4f949.exe

Fri14c9e3c490fa4f949.exe

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri147cee36d090.exe

Fri147cee36d090.exe

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1498a421242.exe

Fri1498a421242.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1436 -ip 1436

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14cea698c62f415a.exe

Fri14cea698c62f415a.exe

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1435ec83714.exe

Fri1435ec83714.exe

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1497365abb788a.exe

Fri1497365abb788a.exe

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14692ed4ae437c956.exe

Fri14692ed4ae437c956.exe

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c6f2b7659c1a82.exe

Fri14c6f2b7659c1a82.exe

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14fe0320b9.exe

Fri14fe0320b9.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 564

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c9e3c490fa4f949.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c9e3c490fa4f949.exe" -a

C:\Windows\SysWOW64\dllhost.exe

dllhost.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Abbassero.wmv

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 872 -ip 872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 228

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^VHwgFRxzxxLcwcGoqrvwdRkyDDkqmNLTpdmTOMvFsotvynnSaSEGawtrcWKeGzUGIRjLVNzgHQJiNPZttzIGotBijvbSexZYgbNhjNWFndZB$" Rugiada.wmv

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4632 -ip 4632

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com

Piu.exe.com L

C:\Windows\SysWOW64\PING.EXE

ping GLZCSNLK -n 30

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4632 -ip 4632

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com L

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4632 -ip 4632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4632 -ip 4632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4632 -ip 4632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4632 -ip 4632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4632 -ip 4632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4632 -ip 4632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4632 -ip 4632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4632 -ip 4632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4632 -ip 4632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4632 -ip 4632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1620

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

Network

Country Destination           Domain (- = none)                        Proto
US      8.8.8.8:53            8.8.8.8.in-addr.arpa                     udp
US      8.8.8.8:53            58.55.71.13.in-addr.arpa                 udp
US      8.8.8.8:53            83.210.23.2.in-addr.arpa                 udp
US      8.8.8.8:53            hsiens.xyz                               udp
US      8.8.8.8:53            s.lletlee.com                            udp
US      8.8.8.8:53            cdn.discordapp.com                       udp
US      162.159.130.233:443   cdn.discordapp.com                       tcp
US      8.8.8.8:53            233.130.159.162.in-addr.arpa             udp
SG      37.0.10.214:80        -                                        tcp
US      8.8.8.8:53            your-info-services.xyz                   udp
US      8.8.8.8:53            webboutiquestudio.xyz                    udp
US      8.8.8.8:53            yournewsservices.xyz                     udp
US      8.8.8.8:53            iplogger.org                             udp
US      8.8.8.8:53            live.goatgame.live                       udp
US      104.26.2.46:443       iplogger.org                             tcp
US      8.8.8.8:53            2no.co                                   udp
US      104.21.79.229:443     2no.co                                   tcp
US      8.8.8.8:53            s.lletlee.com                            udp
US      8.8.8.8:53            46.2.26.104.in-addr.arpa                 udp
US      8.8.8.8:53            229.79.21.104.in-addr.arpa               udp
US      8.8.8.8:53            live.goatgame.live                       udp
US      8.8.8.8:53            s.lletlee.com                            udp
N/A     127.0.0.1:55734       -                                        tcp
N/A     127.0.0.1:55736       -                                        tcp
US      8.8.8.8:53            viacetequn.site                          udp
CN      121.41.94.177:80      viacetequn.site                          tcp
US      8.8.8.8:53            live.goatgame.live                       udp
US      8.8.8.8:53            mfBkjRLTfwLSsveoSyZ.mfBkjRLTfwLSsveoSyZ  udp
US      8.8.8.8:53            s.lletlee.com                            udp
US      8.8.8.8:53            20.160.190.20.in-addr.arpa               udp
US      8.8.8.8:53            95.221.229.192.in-addr.arpa              udp
US      8.8.8.8:53            live.goatgame.live                       udp
US      8.8.8.8:53            eduarroma.tumblr.com                     udp
US      74.114.154.18:443     eduarroma.tumblr.com                     tcp
US      8.8.8.8:53            18.154.114.74.in-addr.arpa               udp
US      8.8.8.8:53            s.lletlee.com                            udp
US      8.8.8.8:53            233.38.18.104.in-addr.arpa               udp
SG      37.0.10.171:80        -                                        tcp
US      8.8.8.8:53            s.lletlee.com                            udp
US      8.8.8.8:53            s.lletlee.com                            udp
US      8.8.8.8:53            s.lletlee.com                            udp
US      8.8.8.8:53            s.lletlee.com                            udp
CN      121.41.94.177:80      viacetequn.site                          tcp
US      8.8.8.8:53            s.lletlee.com                            udp
US      8.8.8.8:53            wfsdragon.ru                             udp
SG      37.0.10.185:80        -                                        tcp
US      8.8.8.8:53            s.lletlee.com                            udp
US      8.8.8.8:53            s.lletlee.com                            udp
US      8.8.8.8:53            s.lletlee.com                            udp
US      8.8.8.8:53            s.lletlee.com                            udp
CN      121.41.94.177:80      viacetequn.site                          tcp
US      8.8.8.8:53            s.lletlee.com                            udp
US      8.8.8.8:53            s.lletlee.com                            udp
US      8.8.8.8:53            s.lletlee.com                            udp
US      8.8.8.8:53            s.lletlee.com                            udp
US      8.8.8.8:53            s.lletlee.com                            udp
US      8.8.8.8:53            s.lletlee.com                            udp
CN      121.41.94.177:80      viacetequn.site                          tcp
US      8.8.8.8:53            s.lletlee.com                            udp
US      8.8.8.8:53            s.lletlee.com                            udp
US      8.8.8.8:53            s.lletlee.com                            udp
CN      121.41.94.177:80      viacetequn.site                          tcp
US      8.8.8.8:53            s.lletlee.com                            udp
US      8.8.8.8:53            s.lletlee.com                            udp
US      8.8.8.8:53            s.lletlee.com                            udp
US      8.8.8.8:53            viacetequn.site                          udp
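The network table mixes three kinds of rows: DNS queries to the sandbox resolver (8.8.8.8:53), connections whose destination carries the name it was resolved from, and connections to a bare IP with no name in the Domain column. Turning that into an indicator list by hand is error-prone, so the following added example (written for this page, not part of the report) splits the rows apart, drops the reverse-lookup and loopback noise, counts how often each name was queried, and lists names that were queried but never produced a connection. The sample rows are a subset copied from the table above; the parser assumes the whitespace-separated four-column layout with the Domain column either omitted or given as "-" when no name was recorded.

```python
"""Split a flattened sandbox network table into indicator sets.

Added example, not part of the sandbox report. Rows are whitespace separated:
Country, Destination (ip:port), optional Domain, Proto. A row with only three
fields (or "-" in the domain column) is a connection to a bare IP address.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of rows copied from the network table above.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 hsiens.xyz udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
SG 37.0.10.214:80 tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
N/A 127.0.0.1:55734 tcp
US 8.8.8.8:53 viacetequn.site udp
CN 121.41.94.177:80 viacetequn.site tcp
US 8.8.8.8:53 mfBkjRLTfwLSsveoSyZ.mfBkjRLTfwLSsveoSyZ udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
CN 121.41.94.177:80 viacetequn.site tcp
SG 37.0.10.171:80 tcp
""".splitlines()

RESOLVER = "8.8.8.8"  # the sandbox's DNS forwarder, as seen in the table


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_row(row: str) -> Flow:
    """Parse one table row; the domain column is optional and may be '-'."""
    parts = row.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = "-"
    else:
        raise ValueError(f"unexpected column count in row: {row!r}")
    ip, port = dest.rsplit(":", 1)
    return Flow(country, ip, int(port), None if domain == "-" else domain, proto)


def extract_iocs(rows):
    """Return (queried name -> query count, ip:port -> name, set of bare ip:port).

    DNS traffic to the sandbox resolver is an indicator only by the name asked for;
    reverse (in-addr.arpa) lookups, loopback and the resolver itself are noise.
    """
    queried: Counter = Counter()
    contacted: dict = {}
    bare: set = set()
    for flow in map(parse_row, rows):
        if flow.ip == "127.0.0.1":
            continue
        if flow.ip == RESOLVER and flow.port == 53:
            if flow.domain and not flow.domain.endswith(".in-addr.arpa"):
                queried[flow.domain] += 1
            continue
        key = f"{flow.ip}:{flow.port}"
        if flow.domain:
            contacted[key] = flow.domain
        else:
            bare.add(key)
    return queried, contacted, bare


def dns_only(queried, contacted):
    """Names resolved but never connected to: dead infrastructure, NXDOMAIN retries,
    or a resolver canary such as the random two-label name in the report."""
    reached = set(contacted.values())
    return sorted(name for name in queried if name not in reached)


if __name__ == "__main__":
    q, c, b = extract_iocs(NETWORK_ROWS)
    for name, n in q.most_common():
        print(f"queried {n:>2}x  {name}")
    for endpoint, name in c.items():
        print(f"contacted    {endpoint:<22}{name}")
    for endpoint in sorted(b):
        print(f"bare ip      {endpoint}")
    print("queried but never contacted:", ", ".join(dns_only(q, c)))
```

The query counter is what surfaces the repeated s.lletlee.com lookups: a name asked for many times with no connection behind it is usually a C2 that no longer resolves and the stealer retrying, and it belongs on a blocklist even though no session was ever established. Bare-IP destinations such as the 37.0.10.0/24 hosts get no name at all and have to be blocked by address.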

Files

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe

MD5 d4f2614edddfb2fb0ba60561265b8309
SHA1 7fb374343525c4e58fc1a4a1dc29979c56606361
SHA256 6fa1eb87a19e1fd41a2d51af5a6bc833223521a7ef33aab9de30b64cd8ea7f8d
SHA512 f53f867ed3460dbb281bd76272248790cc7f9b6bec7fb4e62aef63fc0ff8afb95f567c7697e1fab4158e417b5974e9a2b2678479646645dedc3d3a9b10c04794

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/1436-62-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1436-63-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri147cee36d090.exe

MD5 0a0d22f1c9179a67d04166de0db02dbb
SHA1 106e55bd898b5574f9bd33dac9f3c0b95cecd90d
SHA256 a59457fbfaf3d1b2e17463d0ffd50680313b1905aff69f13694cfc3fffd5a4ac
SHA512 8abf8dc0da25c0fdbaa1ca39db057db80b9a135728fed9cd0f45b0f06d5652cee8d309b92e7cb953c0c4e8b38ffa2427c33f4865f1eb985a621316f9eb187b8b

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14cea698c62f415a.exe

MD5 9816173c0462753439780cd040d546e2
SHA1 cb63512db6f800cc62dfe943a41613b4cbb15484
SHA256 da65a761ea15c24fdb4e322e48d67f914c9399e6c804de75127424211551d51f
SHA512 c9443baaf190b01b36d0d65103634d5f9492acd395ef2b9924e60822d7023dfc40692443362342534db284829ae36302f75d3ebc04d3ebf5bc3107e3b59e46bf

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1497365abb788a.exe

MD5 d1d4b4d26a9b9714a02c252fb46b72ce
SHA1 af9e34a28f8f408853d3cd504f03ae43c03cc24f
SHA256 8a77dd50b720322088fbe92aeba219cc744bd664ff660058b1949c3b9b428bac
SHA512 182929a5ff0414108f74283e77ba044ab359017ace35a06f9f3ebd8b69577c22ecc85705cb908d1aa99d3a20246076bc82a7f6de7e3c4424d4e1dc3a9a6954cd

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14692ed4ae437c956.exe

MD5 cda12ae37191467d0a7d151664ed74aa
SHA1 2625b2e142c848092aa4a51584143ab7ed7d33d2
SHA256 1e07bb767e9979d4afa4f8d69b68e33dd7c1a43f6863096a2b091047a10cdc2e
SHA512 77c4429e22754e50828d9ec344cd63780acd31c350ef16ef69e2a396114df10e7c43d791440faee90e7f80be73e845ab579fd7b38efbd12f5de11bbc906f1c1d

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14fe0320b9.exe

MD5 74e932c7e8211fd316cfd375f6bf6e99
SHA1 217915ee056af645a87efb9e121d9e340a413fa8
SHA256 7c11723d937c08c86275f02eb9bcdbc9f5af8be7d0506e5e809e077ed735c825
SHA512 9a84fcb6283db7bc686f2dc797abb9eaa99876185cf4fb38c2584e0f193152115df543b3876a282c6c3392a8c7a50acc825016c6c23c9ebe196620fa7fd789ca

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c6f2b7659c1a82.exe

MD5 d23c06e25b4bd295e821274472263572
SHA1 9ad295ec3853dc465ae77f9479f8c4f76e2748b8
SHA256 f02c1351a8b3dc296cf815bb4cd2bcc2d25b3b9a258ab2ad95e8be3d9602322c
SHA512 122b0ef44682f83651d81df622bbff5ad9fa0f5bbd6b925e35add9568825c0316c0f9921dac21cf92cb44658fc854f7829c01ae3b84aa0745929f8ef5e6ae1ae

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1435ec83714.exe

MD5 25e20e52fcefa0ed318533d5d7f40cd5
SHA1 190e6b113de6670dc8b39342425e23277605dcc7
SHA256 fae3ff017b23815daf41969d77f423a3e78190d940b7db9c74bd10135824734c
SHA512 4813ca15148956e9420f8ffb41bb9ef153bbd54c1f8c17067b65ed6b079e7add6b867f2a3f77db2fc5291bdefa6149799a58dfa2de7bf3ad8d0c07aef96b0a57

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1498a421242.exe

MD5 139248e50d20d493bf95f679c68ad64c
SHA1 a13268026a8d748b5f4b740ae568c18da14defdc
SHA256 05d4a18cc67b91a3096b56054262100bcbd3ff0629a5620f0952220a06773ec4
SHA512 a85f573bd6692c175900cc830d2b74ec6f0cabcf4a9427900342cb5c9d4a15ddb3c6e488c57819b6c6987c138192aea086a0f161a1065be73f891fe1e7723e88

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c9e3c490fa4f949.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

memory/1436-61-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1436-60-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1436-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1436-58-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1436-57-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1436-56-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1436-55-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1436-53-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1436-52-0x0000000064941000-0x000000006494F000-memory.dmp

memory/1436-51-0x00000000007B0000-0x000000000083F000-memory.dmp

memory/1436-50-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/1436-54-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1436-43-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/784-81-0x0000000000CB0000-0x0000000000CB8000-memory.dmp

memory/2736-85-0x0000000002690000-0x00000000026C6000-memory.dmp

memory/2736-88-0x0000000004D60000-0x0000000005388000-memory.dmp

memory/4868-87-0x0000000000370000-0x000000000039C000-memory.dmp

memory/4868-89-0x0000000000B40000-0x0000000000B62000-memory.dmp

memory/2736-100-0x0000000005400000-0x0000000005466000-memory.dmp

memory/2736-99-0x0000000004D20000-0x0000000004D42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2uyptzwc.gyf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2736-103-0x0000000005470000-0x00000000054D6000-memory.dmp

memory/2736-111-0x0000000005820000-0x0000000005B74000-memory.dmp

memory/1436-120-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1436-121-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1436-119-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1436-118-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1436-117-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/1436-112-0x0000000000400000-0x000000000051B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Abbassero.wmv

MD5 697af31c63a3d02a3e39109027671e68
SHA1 8a7083bc918366b05f75e54853cc39a45cc0da7c
SHA256 6cb806bec68db2c4f5aee59c4f604b502a4266f020cdf408e4dc543974b88036
SHA512 12a0b4f4023e04afe7515da738a4574931ff1d7538e264c93eef6142675be6bf83cdd590bbdaa6f704da9a78addd6b111a0bf23542f5c11d65b213feeaf8a8b8

memory/2736-123-0x0000000005C70000-0x0000000005C8E000-memory.dmp

memory/2736-124-0x0000000006200000-0x000000000624C000-memory.dmp

memory/2736-127-0x0000000074E10000-0x0000000074E5C000-memory.dmp

memory/2736-126-0x0000000006250000-0x0000000006282000-memory.dmp

memory/2736-137-0x00000000061D0000-0x00000000061EE000-memory.dmp

memory/2736-138-0x0000000006D10000-0x0000000006DB3000-memory.dmp

memory/2736-139-0x0000000007640000-0x0000000007CBA000-memory.dmp

memory/2736-140-0x0000000006CE0000-0x0000000006CFA000-memory.dmp

memory/2736-141-0x0000000007020000-0x000000000702A000-memory.dmp

memory/2736-142-0x0000000007240000-0x00000000072D6000-memory.dmp

memory/2736-143-0x00000000071C0000-0x00000000071D1000-memory.dmp

memory/2736-145-0x00000000071F0000-0x00000000071FE000-memory.dmp

memory/4060-144-0x0000000004B20000-0x0000000004B42000-memory.dmp

memory/4060-147-0x0000000007440000-0x00000000079E4000-memory.dmp

memory/2736-146-0x0000000007200000-0x0000000007214000-memory.dmp

memory/4060-148-0x0000000004ED0000-0x0000000004EF0000-memory.dmp

memory/2736-149-0x0000000007300000-0x000000000731A000-memory.dmp

memory/4060-150-0x00000000079F0000-0x0000000008008000-memory.dmp

memory/4060-151-0x0000000004F90000-0x0000000004FA2000-memory.dmp

memory/2736-152-0x00000000072E0000-0x00000000072E8000-memory.dmp

memory/4060-153-0x0000000004FB0000-0x0000000004FEC000-memory.dmp

memory/872-154-0x0000000000400000-0x0000000002CB4000-memory.dmp

memory/4060-159-0x00000000080D0000-0x00000000081DA000-memory.dmp

memory/4632-155-0x0000000000400000-0x0000000002D0F000-memory.dmp

memory/4060-158-0x0000000000400000-0x0000000002CCD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rugiada.wmv

MD5 48c3a0e572e8b258f5d9f4891278ea7a
SHA1 db742db08c27bd7f74977d53ba532a5fae6e3cad
SHA256 ed7cf7296658bc2aae125c803ce7e6242397f7ed783f8852708d2c558fc6e75e
SHA512 615542411ff6fbec3ac03573ab6b975a10056b51541503ac9ee8f683b9f4875d7f5f00ed8c19a07d25b5daea0ef39fe7ef45414b1e6dc7d5d45147172c33f672

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Riaprirmi.wmv

MD5 9d64d14627e79c6f733c74a2049c334d
SHA1 771f3b69b8954df0134c5f750a92aa521a2d9a36
SHA256 0d16e628415ab84ab9d56af4587fe1419acdb5806b7d9dda552a5bf66a5b56c6
SHA512 433da42bd563ff43e5e4ce399b9bab8bb64a62fc67aea8114b49b4a1e8e4b0bdba68ade2e70b5a62cb4417e06200e2dfb5fe8bb6ca9141947148d22af09223db

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rinnovella.wmv

MD5 77b02472e42d7fdae3f1f39cfc5d9158
SHA1 f5f4570b452b6554e0ac7c9ab476ca6db9320f29
SHA256 111b913a0dab95cd7efaaca4676b1ea47113ebd0f8e3b4a6707af0fa62337a97
SHA512 945a6727e0d0f98db230b93933e3fa20ea4b5e98d2e6e03374e6718d2cd5097a20f8a5dc4cb4e00a9f070286a623f7719cc1ee9a5f9910a6156fb29ce8f559d0

memory/4528-180-0x0000000077700000-0x000000007770A000-memory.dmp

memory/1820-183-0x00007FF6FB200000-0x00007FF6FB21F000-memory.dmp

memory/3508-185-0x00007FF991BC0000-0x00007FF991C5D000-memory.dmp

memory/3508-189-0x00007FF9872A0000-0x00007FF9872C8000-memory.dmp

memory/4156-192-0x00007FF992620000-0x00007FF9926A3000-memory.dmp

memory/2584-194-0x0000000000AF0000-0x0000000000B4A000-memory.dmp

memory/4168-195-0x0000000000AF0000-0x0000000000B4A000-memory.dmp

memory/740-197-0x0000000000AF0000-0x0000000000B4A000-memory.dmp

memory/4632-198-0x0000000000400000-0x0000000002D0F000-memory.dmp