Analysis Overview
SHA256
fd09b71d35b55a7beb80386eeec03f0495d26613e4204b7ba4940a01431c6665
Threat Level: Known bad
The file fd09b71d35b55a7beb80386eeec03f0495d26613e4204b7ba4940a01431c6665 was found to be: Known bad.
Malicious Activity Summary
CryptBot
NullMixer
RedLine
Sectoprat family
Nullmixer family
Vidar family
SectopRAT
Cryptbot family
PrivateLoader
Privateloader family
Redline family
SectopRAT payload
CryptBot payload
RedLine payload
Vidar
Vidar Stealer
Command and Scripting Interpreter: PowerShell
Reads user/profile data of web browsers
ASPack v2.12-2.42
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Enumerates physical storage devices
Program crash
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
System Location Discovery: System Language Discovery
Checks processor information in registry
Enumerates system info in registry
Runs ping.exe
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-09 01:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 01:13
Reported
2024-11-09 01:15
Platform
win7-20241023-en
Max time kernel
74s
Max time network
150s
Command Line
Signatures
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cryptbot family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Vidar
Vidar family
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14cea698c62f415a.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\setup_install.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri1435ec83714.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14c6f2b7659c1a82.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14fe0320b9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14cea698c62f415a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14c9e3c490fa4f949.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14c9e3c490fa4f949.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri1435ec83714.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri1498a421242.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\abb236e254e7d272e7d060c62765f69f60ae90b18c2f2706c108346ebe0b1ba2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14692ed4ae437c956.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary blob omitted) | C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14692ed4ae437c956.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary blob omitted) | C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14692ed4ae437c956.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14692ed4ae437c956.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri1497365abb788a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14c6f2b7659c1a82.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\abb236e254e7d272e7d060c62765f69f60ae90b18c2f2706c108346ebe0b1ba2.exe | "C:\Users\Admin\AppData\Local\Temp\abb236e254e7d272e7d060c62765f69f60ae90b18c2f2706c108346ebe0b1ba2.exe" |
| C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\setup_install.exe | "C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\setup_install.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Fri14c9e3c490fa4f949.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Fri1498a421242.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Fri147cee36d090.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Fri1435ec83714.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Fri14c6f2b7659c1a82.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Fri14fe0320b9.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Fri14692ed4ae437c956.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14c9e3c490fa4f949.exe | Fri14c9e3c490fa4f949.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14c9e3c490fa4f949.exe | "C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14c9e3c490fa4f949.exe" -a |
| C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri147cee36d090.exe | Fri147cee36d090.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Fri14cea698c62f415a.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri147cee36d090.exe | "C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri147cee36d090.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Fri1497365abb788a.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14692ed4ae437c956.exe | Fri14692ed4ae437c956.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14c6f2b7659c1a82.exe | Fri14c6f2b7659c1a82.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14fe0320b9.exe | Fri14fe0320b9.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri1435ec83714.exe | Fri1435ec83714.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp" |
| C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri1497365abb788a.exe | Fri1497365abb788a.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri1498a421242.exe | Fri1498a421242.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14cea698c62f415a.exe | Fri14cea698c62f415a.exe |
| C:\Windows\SysWOW64\dllhost.exe | dllhost.exe |
| C:\Windows\SysWOW64\cmd.exe | cmd /c cmd < Abbassero.wmv |
| C:\Windows\SysWOW64\cmd.exe | cmd |
| C:\Windows\SysWOW64\findstr.exe | findstr /V /R "^VHwgFRxzxxLcwcGoqrvwdRkyDDkqmNLTpdmTOMvFsotvynnSaSEGawtrcWKeGzUGIRjLVNzgHQJiNPZttzIGotBijvbSexZYgbNhjNWFndZB$" Rugiada.wmv |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | Piu.exe.com L |
| C:\Windows\SysWOW64\PING.EXE | ping PJCSDMRP -n 30 |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com L |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 432 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 288 -s 936 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | hsiens.xyz | udp |
| SG | 37.0.10.214:80 | | tcp |
| US | 8.8.8.8:53 | mfBkjRLTfwLSsveoSyZ.mfBkjRLTfwLSsveoSyZ | udp |
| US | 8.8.8.8:53 | viacetequn.site | udp |
| CN | 121.41.94.177:80 | viacetequn.site | tcp |
| US | 8.8.8.8:53 | eduarroma.tumblr.com | udp |
| US | 74.114.154.18:443 | eduarroma.tumblr.com | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | your-info-services.xyz | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | webboutiquestudio.xyz | udp |
| N/A | 127.0.0.1:49307 | | tcp |
| N/A | 127.0.0.1:49309 | | tcp |
| US | 8.8.8.8:53 | yournewsservices.xyz | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 2no.co | udp |
| US | 172.67.149.76:443 | 2no.co | tcp |
| SG | 37.0.10.171:80 | | tcp |
| US | 8.8.8.8:53 | knuywu58.top | udp |
| CN | 121.41.94.177:80 | viacetequn.site | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| SG | 37.0.10.185:80 | | tcp |
| CN | 121.41.94.177:80 | viacetequn.site | tcp |
| CN | 121.41.94.177:80 | viacetequn.site | tcp |
| US | 8.8.8.8:53 | viacetequn.site | udp |
| CN | 121.41.94.177:80 | viacetequn.site | tcp |
| CN | 121.41.94.177:80 | viacetequn.site | tcp |
Files
\Users\Admin\AppData\Local\Temp\7zSC686BFB6\setup_install.exe
| MD5 | d4f2614edddfb2fb0ba60561265b8309 |
| SHA1 | 7fb374343525c4e58fc1a4a1dc29979c56606361 |
| SHA256 | 6fa1eb87a19e1fd41a2d51af5a6bc833223521a7ef33aab9de30b64cd8ea7f8d |
| SHA512 | f53f867ed3460dbb281bd76272248790cc7f9b6bec7fb4e62aef63fc0ff8afb95f567c7697e1fab4158e417b5974e9a2b2678479646645dedc3d3a9b10c04794 |
C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
\Users\Admin\AppData\Local\Temp\7zSC686BFB6\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
\Users\Admin\AppData\Local\Temp\7zSC686BFB6\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
\Users\Admin\AppData\Local\Temp\7zSC686BFB6\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri1498a421242.exe
| MD5 | 139248e50d20d493bf95f679c68ad64c |
| SHA1 | a13268026a8d748b5f4b740ae568c18da14defdc |
| SHA256 | 05d4a18cc67b91a3096b56054262100bcbd3ff0629a5620f0952220a06773ec4 |
| SHA512 | a85f573bd6692c175900cc830d2b74ec6f0cabcf4a9427900342cb5c9d4a15ddb3c6e488c57819b6c6987c138192aea086a0f161a1065be73f891fe1e7723e88 |
C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14c9e3c490fa4f949.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14c6f2b7659c1a82.exe
| MD5 | d23c06e25b4bd295e821274472263572 |
| SHA1 | 9ad295ec3853dc465ae77f9479f8c4f76e2748b8 |
| SHA256 | f02c1351a8b3dc296cf815bb4cd2bcc2d25b3b9a258ab2ad95e8be3d9602322c |
| SHA512 | 122b0ef44682f83651d81df622bbff5ad9fa0f5bbd6b925e35add9568825c0316c0f9921dac21cf92cb44658fc854f7829c01ae3b84aa0745929f8ef5e6ae1ae |
\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri1435ec83714.exe
| MD5 | 25e20e52fcefa0ed318533d5d7f40cd5 |
| SHA1 | 190e6b113de6670dc8b39342425e23277605dcc7 |
| SHA256 | fae3ff017b23815daf41969d77f423a3e78190d940b7db9c74bd10135824734c |
| SHA512 | 4813ca15148956e9420f8ffb41bb9ef153bbd54c1f8c17067b65ed6b079e7add6b867f2a3f77db2fc5291bdefa6149799a58dfa2de7bf3ad8d0c07aef96b0a57 |
\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14fe0320b9.exe
| MD5 | 74e932c7e8211fd316cfd375f6bf6e99 |
| SHA1 | 217915ee056af645a87efb9e121d9e340a413fa8 |
| SHA256 | 7c11723d937c08c86275f02eb9bcdbc9f5af8be7d0506e5e809e077ed735c825 |
| SHA512 | 9a84fcb6283db7bc686f2dc797abb9eaa99876185cf4fb38c2584e0f193152115df543b3876a282c6c3392a8c7a50acc825016c6c23c9ebe196620fa7fd789ca |
C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14692ed4ae437c956.exe
| MD5 | cda12ae37191467d0a7d151664ed74aa |
| SHA1 | 2625b2e142c848092aa4a51584143ab7ed7d33d2 |
| SHA256 | 1e07bb767e9979d4afa4f8d69b68e33dd7c1a43f6863096a2b091047a10cdc2e |
| SHA512 | 77c4429e22754e50828d9ec344cd63780acd31c350ef16ef69e2a396114df10e7c43d791440faee90e7f80be73e845ab579fd7b38efbd12f5de11bbc906f1c1d |
C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri1497365abb788a.exe
| MD5 | d1d4b4d26a9b9714a02c252fb46b72ce |
| SHA1 | af9e34a28f8f408853d3cd504f03ae43c03cc24f |
| SHA256 | 8a77dd50b720322088fbe92aeba219cc744bd664ff660058b1949c3b9b428bac |
| SHA512 | 182929a5ff0414108f74283e77ba044ab359017ace35a06f9f3ebd8b69577c22ecc85705cb908d1aa99d3a20246076bc82a7f6de7e3c4424d4e1dc3a9a6954cd |
C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri147cee36d090.exe
| MD5 | 0a0d22f1c9179a67d04166de0db02dbb |
| SHA1 | 106e55bd898b5574f9bd33dac9f3c0b95cecd90d |
| SHA256 | a59457fbfaf3d1b2e17463d0ffd50680313b1905aff69f13694cfc3fffd5a4ac |
| SHA512 | 8abf8dc0da25c0fdbaa1ca39db057db80b9a135728fed9cd0f45b0f06d5652cee8d309b92e7cb953c0c4e8b38ffa2427c33f4865f1eb985a621316f9eb187b8b |
C:\Users\Admin\AppData\Local\Temp\7zSC686BFB6\Fri14cea698c62f415a.exe
| MD5 | 9816173c0462753439780cd040d546e2 |
| SHA1 | cb63512db6f800cc62dfe943a41613b4cbb15484 |
| SHA256 | da65a761ea15c24fdb4e322e48d67f914c9399e6c804de75127424211551d51f |
| SHA512 | c9443baaf190b01b36d0d65103634d5f9492acd395ef2b9924e60822d7023dfc40692443362342534db284829ae36302f75d3ebc04d3ebf5bc3107e3b59e46bf |
C:\Users\Admin\AppData\Local\Temp\CabCAA1.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarCAD3.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\U2g7VWv5\_Files\_Information.txt
| MD5 | ced5b3b709b2856e52cb0567c40754d3 |
| SHA1 | 2b85a84aa17b8f05249bedc5077e8d5686d644b9 |
| SHA256 | 9482583aab7bfbe7d56e38f85bab1de1d0f8cd3d268c7b671f7faa99f3f7ef41 |
| SHA512 | 24c9dc12922dc0a9203f571939794c4019e66a8c6f692712b225602f45e51bbd714c9d550c10a1a4b875cf6862a0142644aaaf0b9ac8ea296df9cb2a12919f4d |
C:\Users\Admin\AppData\Local\Temp\U2g7VWv5\_Files\_Information.txt
| MD5 | c96686e0f7dd0a30ec880c149e3b47a0 |
| SHA1 | 153bd7f41f5c4ea66b8d8e63103494c49ba8b7f2 |
| SHA256 | 15562c77833a6c9506a238e1af5debea517a7df460e9fb467945fddcb96a6822 |
| SHA512 | bf5c32b8c22c72d21e1b3ee5a28f6e0464bff2fc08acb3e5271396c941c2b52fdd90d61d4cbe42dfaa1418844b2142923d8b414c8d87cc4d22cd40080b44d9f0 |
C:\Users\Admin\AppData\Local\Temp\U2g7VWv5\files_\system_info.txt
| MD5 | e624556a0b574d6c3f46fc6cb24b6916 |
| SHA1 | c3b7bcec318c9e940aa4c39420aad71be6ef1bc7 |
| SHA256 | 356a7cd05aca11fb02ffedcabe49cf4a442a6cc39425dda94176689ca817e379 |
| SHA512 | 7411b977bea67f5cd26b156b3ea6c96835e387039df0ad745c54895370087d6b1a80351c61d0b4fb02b9cc5cef9219fea41605b749bb90922fb8267a56bcb287 |
C:\Users\Admin\AppData\Local\Temp\U2g7VWv5\files_\system_info.txt
| MD5 | 64dc8bdab9a79cccd23aea4940320aff |
| SHA1 | c51c23cf6b9b3088fc0ee6658678880e842a7410 |
| SHA256 | 77de3658929149b9aa282958391d7f0fe79bf4fbe5842a3d0c78881b8f007f02 |
| SHA512 | 2a89ba51b8ac935071e15ae6c0de9ae267f80477089b0749fa6692c506a77dddff967cf7b1a4b4e6806e392e279c6d5ef200cc8d7d01bd5ec4707e56d30f537f |
C:\Users\Admin\AppData\Local\Temp\U2g7VWv5\_Files\_Screen_Desktop.jpeg
| MD5 | 25c4e3a20b06ec735b78ba0caeb0a98b |
| SHA1 | a6961ff82048863f55b5cf5ec610f2db62ffd384 |
| SHA256 | d4349d5f299a18d57fa460de8e18e4ee615b1b666148bae2451f0ed381bdf78c |
| SHA512 | bcb04ba9182764628802a2099fcaf8a95d54d7889beed1dd14c92fbeecbd709aea758cae22bf1a0d8849428e40a213008e0c2518086c0a657f55cf8a4d99f278 |
C:\Users\Admin\AppData\Local\Temp\U2g7VWv5\V8BJZigwg6jLqk.zip
| MD5 | 042e6866596d31f450c76eab99f14f58 |
| SHA1 | 6730d8ca01659ecff8e046b8ced434243d728ab9 |
| SHA256 | ff86c4e2ad625870eef1226eac7588772fe384e90e19deb08f83f72a9ab4662f |
| SHA512 | 8b7025ddebd75048e803765b6f5a7961f5b64f5c6388f91a26bab740bd724d223f646a41bb189a24b96464e7a02598e532c6aa0a5f04c4a0bab98507e47e4cfb |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 01:13
Reported
2024-11-09 01:15
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Vidar
Vidar family
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\abb236e254e7d272e7d060c62765f69f60ae90b18c2f2706c108346ebe0b1ba2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c9e3c490fa4f949.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14cea698c62f415a.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14cea698c62f415a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1498a421242.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1435ec83714.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c6f2b7659c1a82.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c9e3c490fa4f949.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\abb236e254e7d272e7d060c62765f69f60ae90b18c2f2706c108346ebe0b1ba2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c9e3c490fa4f949.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14fe0320b9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1498a421242.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1498a421242.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1498a421242.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\dwm.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwm.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1497365abb788a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14692ed4ae437c956.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c6f2b7659c1a82.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\abb236e254e7d272e7d060c62765f69f60ae90b18c2f2706c108346ebe0b1ba2.exe
"C:\Users\Admin\AppData\Local\Temp\abb236e254e7d272e7d060c62765f69f60ae90b18c2f2706c108346ebe0b1ba2.exe"
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri14c9e3c490fa4f949.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri1498a421242.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri147cee36d090.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri1435ec83714.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri14c6f2b7659c1a82.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri14fe0320b9.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri14692ed4ae437c956.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri14cea698c62f415a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri1497365abb788a.exe
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c9e3c490fa4f949.exe
Fri14c9e3c490fa4f949.exe
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri147cee36d090.exe
Fri147cee36d090.exe
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1498a421242.exe
Fri1498a421242.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1436 -ip 1436
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14cea698c62f415a.exe
Fri14cea698c62f415a.exe
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1435ec83714.exe
Fri1435ec83714.exe
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1497365abb788a.exe
Fri1497365abb788a.exe
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14692ed4ae437c956.exe
Fri14692ed4ae437c956.exe
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c6f2b7659c1a82.exe
Fri14c6f2b7659c1a82.exe
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14fe0320b9.exe
Fri14fe0320b9.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 564
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c9e3c490fa4f949.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c9e3c490fa4f949.exe" -a
C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Abbassero.wmv
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 872 -ip 872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 228
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^VHwgFRxzxxLcwcGoqrvwdRkyDDkqmNLTpdmTOMvFsotvynnSaSEGawtrcWKeGzUGIRjLVNzgHQJiNPZttzIGotBijvbSexZYgbNhjNWFndZB$" Rugiada.wmv
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4632 -ip 4632
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com
Piu.exe.com L
C:\Windows\SysWOW64\PING.EXE
ping GLZCSNLK -n 30
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4632 -ip 4632
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com L
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4632 -ip 4632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4632 -ip 4632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4632 -ip 4632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4632 -ip 4632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4632 -ip 4632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4632 -ip 4632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4632 -ip 4632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4632 -ip 4632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4632 -ip 4632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4632 -ip 4632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1620
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hsiens.xyz | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| SG | 37.0.10.214:80 | | tcp |
| US | 8.8.8.8:53 | your-info-services.xyz | udp |
| US | 8.8.8.8:53 | webboutiquestudio.xyz | udp |
| US | 8.8.8.8:53 | yournewsservices.xyz | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 2no.co | udp |
| US | 104.21.79.229:443 | 2no.co | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | 46.2.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 229.79.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| N/A | 127.0.0.1:55734 | | tcp |
| N/A | 127.0.0.1:55736 | | tcp |
| US | 8.8.8.8:53 | viacetequn.site | udp |
| CN | 121.41.94.177:80 | viacetequn.site | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | mfBkjRLTfwLSsveoSyZ.mfBkjRLTfwLSsveoSyZ | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | eduarroma.tumblr.com | udp |
| US | 74.114.154.18:443 | eduarroma.tumblr.com | tcp |
| US | 8.8.8.8:53 | 18.154.114.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| SG | 37.0.10.171:80 | | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| CN | 121.41.94.177:80 | viacetequn.site | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| SG | 37.0.10.185:80 | | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| CN | 121.41.94.177:80 | viacetequn.site | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| CN | 121.41.94.177:80 | viacetequn.site | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| CN | 121.41.94.177:80 | viacetequn.site | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | viacetequn.site | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\setup_install.exe
| MD5 | d4f2614edddfb2fb0ba60561265b8309 |
| SHA1 | 7fb374343525c4e58fc1a4a1dc29979c56606361 |
| SHA256 | 6fa1eb87a19e1fd41a2d51af5a6bc833223521a7ef33aab9de30b64cd8ea7f8d |
| SHA512 | f53f867ed3460dbb281bd76272248790cc7f9b6bec7fb4e62aef63fc0ff8afb95f567c7697e1fab4158e417b5974e9a2b2678479646645dedc3d3a9b10c04794 |
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/1436-62-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1436-63-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri147cee36d090.exe
| MD5 | 0a0d22f1c9179a67d04166de0db02dbb |
| SHA1 | 106e55bd898b5574f9bd33dac9f3c0b95cecd90d |
| SHA256 | a59457fbfaf3d1b2e17463d0ffd50680313b1905aff69f13694cfc3fffd5a4ac |
| SHA512 | 8abf8dc0da25c0fdbaa1ca39db057db80b9a135728fed9cd0f45b0f06d5652cee8d309b92e7cb953c0c4e8b38ffa2427c33f4865f1eb985a621316f9eb187b8b |
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14cea698c62f415a.exe
| MD5 | 9816173c0462753439780cd040d546e2 |
| SHA1 | cb63512db6f800cc62dfe943a41613b4cbb15484 |
| SHA256 | da65a761ea15c24fdb4e322e48d67f914c9399e6c804de75127424211551d51f |
| SHA512 | c9443baaf190b01b36d0d65103634d5f9492acd395ef2b9924e60822d7023dfc40692443362342534db284829ae36302f75d3ebc04d3ebf5bc3107e3b59e46bf |
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1497365abb788a.exe
| MD5 | d1d4b4d26a9b9714a02c252fb46b72ce |
| SHA1 | af9e34a28f8f408853d3cd504f03ae43c03cc24f |
| SHA256 | 8a77dd50b720322088fbe92aeba219cc744bd664ff660058b1949c3b9b428bac |
| SHA512 | 182929a5ff0414108f74283e77ba044ab359017ace35a06f9f3ebd8b69577c22ecc85705cb908d1aa99d3a20246076bc82a7f6de7e3c4424d4e1dc3a9a6954cd |
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14692ed4ae437c956.exe
| MD5 | cda12ae37191467d0a7d151664ed74aa |
| SHA1 | 2625b2e142c848092aa4a51584143ab7ed7d33d2 |
| SHA256 | 1e07bb767e9979d4afa4f8d69b68e33dd7c1a43f6863096a2b091047a10cdc2e |
| SHA512 | 77c4429e22754e50828d9ec344cd63780acd31c350ef16ef69e2a396114df10e7c43d791440faee90e7f80be73e845ab579fd7b38efbd12f5de11bbc906f1c1d |
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14fe0320b9.exe
| MD5 | 74e932c7e8211fd316cfd375f6bf6e99 |
| SHA1 | 217915ee056af645a87efb9e121d9e340a413fa8 |
| SHA256 | 7c11723d937c08c86275f02eb9bcdbc9f5af8be7d0506e5e809e077ed735c825 |
| SHA512 | 9a84fcb6283db7bc686f2dc797abb9eaa99876185cf4fb38c2584e0f193152115df543b3876a282c6c3392a8c7a50acc825016c6c23c9ebe196620fa7fd789ca |
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c6f2b7659c1a82.exe
| MD5 | d23c06e25b4bd295e821274472263572 |
| SHA1 | 9ad295ec3853dc465ae77f9479f8c4f76e2748b8 |
| SHA256 | f02c1351a8b3dc296cf815bb4cd2bcc2d25b3b9a258ab2ad95e8be3d9602322c |
| SHA512 | 122b0ef44682f83651d81df622bbff5ad9fa0f5bbd6b925e35add9568825c0316c0f9921dac21cf92cb44658fc854f7829c01ae3b84aa0745929f8ef5e6ae1ae |
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1435ec83714.exe
| MD5 | 25e20e52fcefa0ed318533d5d7f40cd5 |
| SHA1 | 190e6b113de6670dc8b39342425e23277605dcc7 |
| SHA256 | fae3ff017b23815daf41969d77f423a3e78190d940b7db9c74bd10135824734c |
| SHA512 | 4813ca15148956e9420f8ffb41bb9ef153bbd54c1f8c17067b65ed6b079e7add6b867f2a3f77db2fc5291bdefa6149799a58dfa2de7bf3ad8d0c07aef96b0a57 |
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri1498a421242.exe
| MD5 | 139248e50d20d493bf95f679c68ad64c |
| SHA1 | a13268026a8d748b5f4b740ae568c18da14defdc |
| SHA256 | 05d4a18cc67b91a3096b56054262100bcbd3ff0629a5620f0952220a06773ec4 |
| SHA512 | a85f573bd6692c175900cc830d2b74ec6f0cabcf4a9427900342cb5c9d4a15ddb3c6e488c57819b6c6987c138192aea086a0f161a1065be73f891fe1e7723e88 |
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\Fri14c9e3c490fa4f949.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
memory/1436-61-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1436-60-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1436-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1436-58-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1436-57-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1436-56-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1436-55-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1436-53-0x0000000064940000-0x0000000064959000-memory.dmp
memory/1436-52-0x0000000064941000-0x000000006494F000-memory.dmp
memory/1436-51-0x00000000007B0000-0x000000000083F000-memory.dmp
memory/1436-50-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCB0861A7\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
memory/1436-54-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1436-43-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/784-81-0x0000000000CB0000-0x0000000000CB8000-memory.dmp
memory/2736-85-0x0000000002690000-0x00000000026C6000-memory.dmp
memory/2736-88-0x0000000004D60000-0x0000000005388000-memory.dmp
memory/4868-87-0x0000000000370000-0x000000000039C000-memory.dmp
memory/4868-89-0x0000000000B40000-0x0000000000B62000-memory.dmp
memory/2736-100-0x0000000005400000-0x0000000005466000-memory.dmp
memory/2736-99-0x0000000004D20000-0x0000000004D42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2uyptzwc.gyf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2736-103-0x0000000005470000-0x00000000054D6000-memory.dmp
memory/2736-111-0x0000000005820000-0x0000000005B74000-memory.dmp
memory/1436-120-0x0000000064940000-0x0000000064959000-memory.dmp
memory/1436-121-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1436-119-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1436-118-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1436-117-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/1436-112-0x0000000000400000-0x000000000051B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Abbassero.wmv
| MD5 | 697af31c63a3d02a3e39109027671e68 |
| SHA1 | 8a7083bc918366b05f75e54853cc39a45cc0da7c |
| SHA256 | 6cb806bec68db2c4f5aee59c4f604b502a4266f020cdf408e4dc543974b88036 |
| SHA512 | 12a0b4f4023e04afe7515da738a4574931ff1d7538e264c93eef6142675be6bf83cdd590bbdaa6f704da9a78addd6b111a0bf23542f5c11d65b213feeaf8a8b8 |
memory/2736-123-0x0000000005C70000-0x0000000005C8E000-memory.dmp
memory/2736-124-0x0000000006200000-0x000000000624C000-memory.dmp
memory/2736-127-0x0000000074E10000-0x0000000074E5C000-memory.dmp
memory/2736-126-0x0000000006250000-0x0000000006282000-memory.dmp
memory/2736-137-0x00000000061D0000-0x00000000061EE000-memory.dmp
memory/2736-138-0x0000000006D10000-0x0000000006DB3000-memory.dmp
memory/2736-139-0x0000000007640000-0x0000000007CBA000-memory.dmp
memory/2736-140-0x0000000006CE0000-0x0000000006CFA000-memory.dmp
memory/2736-141-0x0000000007020000-0x000000000702A000-memory.dmp
memory/2736-142-0x0000000007240000-0x00000000072D6000-memory.dmp
memory/2736-143-0x00000000071C0000-0x00000000071D1000-memory.dmp
memory/2736-145-0x00000000071F0000-0x00000000071FE000-memory.dmp
memory/4060-144-0x0000000004B20000-0x0000000004B42000-memory.dmp
memory/4060-147-0x0000000007440000-0x00000000079E4000-memory.dmp
memory/2736-146-0x0000000007200000-0x0000000007214000-memory.dmp
memory/4060-148-0x0000000004ED0000-0x0000000004EF0000-memory.dmp
memory/2736-149-0x0000000007300000-0x000000000731A000-memory.dmp
memory/4060-150-0x00000000079F0000-0x0000000008008000-memory.dmp
memory/4060-151-0x0000000004F90000-0x0000000004FA2000-memory.dmp
memory/2736-152-0x00000000072E0000-0x00000000072E8000-memory.dmp
memory/4060-153-0x0000000004FB0000-0x0000000004FEC000-memory.dmp
memory/872-154-0x0000000000400000-0x0000000002CB4000-memory.dmp
memory/4060-159-0x00000000080D0000-0x00000000081DA000-memory.dmp
memory/4632-155-0x0000000000400000-0x0000000002D0F000-memory.dmp
memory/4060-158-0x0000000000400000-0x0000000002CCD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rugiada.wmv
| MD5 | 48c3a0e572e8b258f5d9f4891278ea7a |
| SHA1 | db742db08c27bd7f74977d53ba532a5fae6e3cad |
| SHA256 | ed7cf7296658bc2aae125c803ce7e6242397f7ed783f8852708d2c558fc6e75e |
| SHA512 | 615542411ff6fbec3ac03573ab6b975a10056b51541503ac9ee8f683b9f4875d7f5f00ed8c19a07d25b5daea0ef39fe7ef45414b1e6dc7d5d45147172c33f672 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Riaprirmi.wmv
| MD5 | 9d64d14627e79c6f733c74a2049c334d |
| SHA1 | 771f3b69b8954df0134c5f750a92aa521a2d9a36 |
| SHA256 | 0d16e628415ab84ab9d56af4587fe1419acdb5806b7d9dda552a5bf66a5b56c6 |
| SHA512 | 433da42bd563ff43e5e4ce399b9bab8bb64a62fc67aea8114b49b4a1e8e4b0bdba68ade2e70b5a62cb4417e06200e2dfb5fe8bb6ca9141947148d22af09223db |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rinnovella.wmv
| MD5 | 77b02472e42d7fdae3f1f39cfc5d9158 |
| SHA1 | f5f4570b452b6554e0ac7c9ab476ca6db9320f29 |
| SHA256 | 111b913a0dab95cd7efaaca4676b1ea47113ebd0f8e3b4a6707af0fa62337a97 |
| SHA512 | 945a6727e0d0f98db230b93933e3fa20ea4b5e98d2e6e03374e6718d2cd5097a20f8a5dc4cb4e00a9f070286a623f7719cc1ee9a5f9910a6156fb29ce8f559d0 |
memory/4528-180-0x0000000077700000-0x000000007770A000-memory.dmp
memory/1820-183-0x00007FF6FB200000-0x00007FF6FB21F000-memory.dmp
memory/3508-185-0x00007FF991BC0000-0x00007FF991C5D000-memory.dmp
memory/3508-189-0x00007FF9872A0000-0x00007FF9872C8000-memory.dmp
memory/4156-192-0x00007FF992620000-0x00007FF9926A3000-memory.dmp
memory/2584-194-0x0000000000AF0000-0x0000000000B4A000-memory.dmp
memory/4168-195-0x0000000000AF0000-0x0000000000B4A000-memory.dmp
memory/740-197-0x0000000000AF0000-0x0000000000B4A000-memory.dmp
memory/4632-198-0x0000000000400000-0x0000000002D0F000-memory.dmp