ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exe
Size

3.0MB
MD5

ee3f168d7d032b8ccce800b8bd63214b
SHA1

46c7808867be5eab309eb53dcf735827d4f59d95
SHA256

ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733
SHA512

e75ac3f0bafdc2d825fae6d50443a8efcfd8fd70816b81673aee6bc4f4fc39d563766586555874056883b4f1b0e55e99d2023152c8ddeedbf4897a353b2c56a1
SSDEEP

98304:pjlpHBlcfV6F0ozPrJKhZg+SWPzuNwOyoSe:pjlDlqsF90g+SWPWv

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

BrokerNet.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\System.exe\""	BrokerNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\System.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\ChainwebbrokerHost\\BrokerNet.exe\""	BrokerNet.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	3028	schtasks.exe

Detects executables packed with unregistered version of .NET Reactor 37 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\ChainwebbrokerHost\BrokerNet.exe	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1980-46-0x0000000001370000-0x000000000151A000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2228-79-0x00000000002B0000-0x000000000045A000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-116-0x000000001AEC0000-0x000000001B090000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-117-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-124-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-136-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-140-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-138-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-156-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-176-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-174-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-172-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-170-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-168-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-166-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-164-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-162-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-160-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-159-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-154-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-152-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-150-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-148-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-146-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-144-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-142-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-134-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-132-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-130-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-129-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-126-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-122-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-120-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-118-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-180-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1316-178-0x000000001AEC0000-0x000000001B089000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Executes dropped EXE 64 IoCs

Processes:

Nursultan.exeExpensiveLauncher.exeExpensiveLauncher.exedllhost.exeBrokerNet.exeExpensiveLauncher.exedllhost.exeBrokerNet.exeExpensiveLauncher.exedllhost.exeExpensiveLauncher.exedllhost.exeExpensiveLauncher.exedllhost.exeExpensiveLauncher.exedllhost.execontainercomponentWinsession.exeExpensiveLauncher.exedllhost.execontainercomponentWinsession.exedllhost.exeExpensiveLauncher.execontainercomponentWinsession.execontainercomponentWinsession.exeExpensiveLauncher.exedllhost.execontainercomponentWinsession.exeExpensiveLauncher.exedllhost.execontainercomponentWinsession.execontainercomponentWinsession.execontainercomponentWinsession.exeExpensiveLauncher.exedllhost.execontainercomponentWinsession.exeExpensiveLauncher.exedllhost.execontainercomponentWinsession.exeExpensiveLauncher.exedllhost.execontainercomponentWinsession.exeExpensiveLauncher.exedllhost.exeExpensiveLauncher.exedllhost.exeExpensiveLauncher.exedllhost.execontainercomponentWinsession.exeExpensiveLauncher.exedllhost.execontainercomponentWinsession.exeExpensiveLauncher.exedllhost.execontainercomponentWinsession.exeExpensiveLauncher.exedllhost.execontainercomponentWinsession.exeExpensiveLauncher.exedllhost.execontainercomponentWinsession.exeExpensiveLauncher.exedllhost.execontainercomponentWinsession.exeExpensiveLauncher.exe

pid	process
2744	Nursultan.exe
2916	ExpensiveLauncher.exe
2980	ExpensiveLauncher.exe
1636	dllhost.exe
1980	BrokerNet.exe
1788	ExpensiveLauncher.exe
1804	dllhost.exe
2228	BrokerNet.exe
1052	ExpensiveLauncher.exe
2468	dllhost.exe
336	ExpensiveLauncher.exe
2940	dllhost.exe
2692	ExpensiveLauncher.exe
2196	dllhost.exe
2984	ExpensiveLauncher.exe
2232	dllhost.exe
1316	containercomponentWinsession.exe
3772	ExpensiveLauncher.exe
3796	dllhost.exe
5012	containercomponentWinsession.exe
5036	dllhost.exe
3248	ExpensiveLauncher.exe
3936	containercomponentWinsession.exe
5232	containercomponentWinsession.exe
2500	ExpensiveLauncher.exe
2872	dllhost.exe
2260	containercomponentWinsession.exe
4048	ExpensiveLauncher.exe
4236	dllhost.exe
5648	containercomponentWinsession.exe
3716	containercomponentWinsession.exe
6548	containercomponentWinsession.exe
4972	ExpensiveLauncher.exe
4200	dllhost.exe
4040	containercomponentWinsession.exe
3288	ExpensiveLauncher.exe
2372	dllhost.exe
4364	containercomponentWinsession.exe
608	ExpensiveLauncher.exe
5464	dllhost.exe
4228	containercomponentWinsession.exe
3168	ExpensiveLauncher.exe
2852	dllhost.exe
2576	ExpensiveLauncher.exe
5672	dllhost.exe
4244	ExpensiveLauncher.exe
1116	dllhost.exe
4672	containercomponentWinsession.exe
6960	ExpensiveLauncher.exe
7080	dllhost.exe
5484	containercomponentWinsession.exe
6088	ExpensiveLauncher.exe
2492	dllhost.exe
6676	containercomponentWinsession.exe
5336	ExpensiveLauncher.exe
6196	dllhost.exe
4736	containercomponentWinsession.exe
6132	ExpensiveLauncher.exe
5448	dllhost.exe
1044	containercomponentWinsession.exe
6884	ExpensiveLauncher.exe
3952	dllhost.exe
712	containercomponentWinsession.exe
4540	ExpensiveLauncher.exe

Loads dropped DLL 21 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

pid	process
1984	cmd.exe
1984	cmd.exe
2436	cmd.exe
2436	cmd.exe
4936	cmd.exe
4948	cmd.exe
5208	cmd.exe
3556	cmd.exe
5632	cmd.exe
6516	cmd.exe
6128	cmd.exe
5028	cmd.exe
6256	cmd.exe
1304	cmd.exe
1788	cmd.exe
3236	cmd.exe
2004	cmd.exe
6508	cmd.exe
4536	cmd.exe
6156	cmd.exe
6320	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

BrokerNet.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\BrokerNet = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChainwebbrokerHost\\BrokerNet.exe\""	BrokerNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BrokerNet = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChainwebbrokerHost\\BrokerNet.exe\""	BrokerNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Admin\\AppData\\Local\\System.exe\""	BrokerNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Admin\\AppData\\Local\\System.exe\""	BrokerNet.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
34 ip-api.com
59 ip-api.com
Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description ioc process

File created \??\c:\Windows\System32\CSC1CE803BEE60D452AA699FCBAC0542C9E.TMP csc.exe
File created \??\c:\Windows\System32\hccjfr.exe csc.exe

flow	ioc
4	ip-api.com
34	ip-api.com
59	ip-api.com

description	ioc	process
File created	\??\c:\Windows\System32\CSC1CE803BEE60D452AA699FCBAC0542C9E.TMP	csc.exe
File created	\??\c:\Windows\System32\hccjfr.exe	csc.exe

Drops file in Windows directory 3 IoCs

Processes:

containercomponentWinsession.exe

description	ioc	process
File created	C:\Windows\addins\lsm.exe	containercomponentWinsession.exe
File opened for modification	C:\Windows\addins\lsm.exe	containercomponentWinsession.exe
File created	C:\Windows\addins\101b941d020240	containercomponentWinsession.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4092 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2224 schtasks.exe
1764 schtasks.exe
2456 schtasks.exe
2096 schtasks.exe
2516 schtasks.exe
2212 schtasks.exe

pid	process
4092	PING.EXE

pid	process
2224	schtasks.exe
1764	schtasks.exe
2456	schtasks.exe
2096	schtasks.exe
2516	schtasks.exe
2212	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

BrokerNet.exeBrokerNet.execontainercomponentWinsession.exe

pid	process
1980	BrokerNet.exe
1980	BrokerNet.exe
1980	BrokerNet.exe
1980	BrokerNet.exe
1980	BrokerNet.exe
1980	BrokerNet.exe
1980	BrokerNet.exe
1980	BrokerNet.exe
1980	BrokerNet.exe
1980	BrokerNet.exe
1980	BrokerNet.exe
1980	BrokerNet.exe
1980	BrokerNet.exe
1980	BrokerNet.exe
1980	BrokerNet.exe
1980	BrokerNet.exe
1980	BrokerNet.exe
1980	BrokerNet.exe
1980	BrokerNet.exe
1980	BrokerNet.exe
1980	BrokerNet.exe
1980	BrokerNet.exe
1980	BrokerNet.exe
1980	BrokerNet.exe
1980	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
2228	BrokerNet.exe
1316	containercomponentWinsession.exe
1316	containercomponentWinsession.exe
1316	containercomponentWinsession.exe
1316	containercomponentWinsession.exe
1316	containercomponentWinsession.exe
1316	containercomponentWinsession.exe
1316	containercomponentWinsession.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

BrokerNet.exe

pid process

2228 BrokerNet.exe

pid	process
2228	BrokerNet.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exeExpensiveLauncher.exeBrokerNet.exeExpensiveLauncher.exeBrokerNet.exeExpensiveLauncher.exeExpensiveLauncher.exeExpensiveLauncher.exeExpensiveLauncher.exeExpensiveLauncher.execontainercomponentWinsession.exeExpensiveLauncher.execontainercomponentWinsession.execontainercomponentWinsession.exeExpensiveLauncher.execontainercomponentWinsession.exeExpensiveLauncher.execontainercomponentWinsession.execontainercomponentWinsession.execontainercomponentWinsession.exeExpensiveLauncher.execontainercomponentWinsession.exeExpensiveLauncher.execontainercomponentWinsession.exeExpensiveLauncher.execontainercomponentWinsession.exeExpensiveLauncher.execontainercomponentWinsession.exeExpensiveLauncher.exeExpensiveLauncher.exeExpensiveLauncher.execontainercomponentWinsession.exeExpensiveLauncher.execontainercomponentWinsession.exeExpensiveLauncher.execontainercomponentWinsession.exeExpensiveLauncher.execontainercomponentWinsession.exeExpensiveLauncher.execontainercomponentWinsession.exeExpensiveLauncher.execontainercomponentWinsession.exeExpensiveLauncher.execontainercomponentWinsession.exeExpensiveLauncher.execontainercomponentWinsession.exe

description	pid	process
Token: SeDebugPrivilege	1680	ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exe
Token: SeDebugPrivilege	2916	ExpensiveLauncher.exe
Token: SeDebugPrivilege	1980	BrokerNet.exe
Token: SeDebugPrivilege	2980	ExpensiveLauncher.exe
Token: SeDebugPrivilege	2228	BrokerNet.exe
Token: SeDebugPrivilege	1788	ExpensiveLauncher.exe
Token: SeDebugPrivilege	1052	ExpensiveLauncher.exe
Token: SeDebugPrivilege	336	ExpensiveLauncher.exe
Token: SeDebugPrivilege	2692	ExpensiveLauncher.exe
Token: SeDebugPrivilege	2984	ExpensiveLauncher.exe
Token: SeDebugPrivilege	1316	containercomponentWinsession.exe
Token: SeDebugPrivilege	3772	ExpensiveLauncher.exe
Token: SeDebugPrivilege	5012	containercomponentWinsession.exe
Token: SeDebugPrivilege	3936	containercomponentWinsession.exe
Token: SeDebugPrivilege	3248	ExpensiveLauncher.exe
Token: SeDebugPrivilege	5232	containercomponentWinsession.exe
Token: SeDebugPrivilege	2500	ExpensiveLauncher.exe
Token: SeDebugPrivilege	2260	containercomponentWinsession.exe
Token: SeDebugPrivilege	3716	containercomponentWinsession.exe
Token: SeDebugPrivilege	5648	containercomponentWinsession.exe
Token: SeDebugPrivilege	4048	ExpensiveLauncher.exe
Token: SeDebugPrivilege	6548	containercomponentWinsession.exe
Token: SeDebugPrivilege	4972	ExpensiveLauncher.exe
Token: SeDebugPrivilege	4040	containercomponentWinsession.exe
Token: SeDebugPrivilege	3288	ExpensiveLauncher.exe
Token: SeDebugPrivilege	4364	containercomponentWinsession.exe
Token: SeDebugPrivilege	608	ExpensiveLauncher.exe
Token: SeDebugPrivilege	4228	containercomponentWinsession.exe
Token: SeDebugPrivilege	3168	ExpensiveLauncher.exe
Token: SeDebugPrivilege	2576	ExpensiveLauncher.exe
Token: SeDebugPrivilege	4244	ExpensiveLauncher.exe
Token: SeDebugPrivilege	4672	containercomponentWinsession.exe
Token: SeDebugPrivilege	6960	ExpensiveLauncher.exe
Token: SeDebugPrivilege	5484	containercomponentWinsession.exe
Token: SeDebugPrivilege	6088	ExpensiveLauncher.exe
Token: SeDebugPrivilege	6676	containercomponentWinsession.exe
Token: SeDebugPrivilege	5336	ExpensiveLauncher.exe
Token: SeDebugPrivilege	4736	containercomponentWinsession.exe
Token: SeDebugPrivilege	6132	ExpensiveLauncher.exe
Token: SeDebugPrivilege	1044	containercomponentWinsession.exe
Token: SeDebugPrivilege	6884	ExpensiveLauncher.exe
Token: SeDebugPrivilege	712	containercomponentWinsession.exe
Token: SeDebugPrivilege	4540	ExpensiveLauncher.exe
Token: SeDebugPrivilege	1808	containercomponentWinsession.exe
Token: SeDebugPrivilege	5036	ExpensiveLauncher.exe
Token: SeDebugPrivilege	5080	containercomponentWinsession.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exeNursultan.exeExpensiveLauncher.exedllhost.exeWScript.execmd.exeBrokerNet.execsc.execmd.exeExpensiveLauncher.exedllhost.exeExpensiveLauncher.exe

description	pid	process	target process
PID 1680 wrote to memory of 2744	1680	ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exe	Nursultan.exe
PID 1680 wrote to memory of 2744	1680	ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exe	Nursultan.exe
PID 1680 wrote to memory of 2744	1680	ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exe	Nursultan.exe
PID 1680 wrote to memory of 2744	1680	ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exe	Nursultan.exe
PID 1680 wrote to memory of 2916	1680	ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exe	ExpensiveLauncher.exe
PID 1680 wrote to memory of 2916	1680	ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exe	ExpensiveLauncher.exe
PID 1680 wrote to memory of 2916	1680	ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exe	ExpensiveLauncher.exe
PID 2744 wrote to memory of 2204	2744	Nursultan.exe	WScript.exe
PID 2744 wrote to memory of 2204	2744	Nursultan.exe	WScript.exe
PID 2744 wrote to memory of 2204	2744	Nursultan.exe	WScript.exe
PID 2744 wrote to memory of 2204	2744	Nursultan.exe	WScript.exe
PID 2916 wrote to memory of 2980	2916	ExpensiveLauncher.exe	ExpensiveLauncher.exe
PID 2916 wrote to memory of 2980	2916	ExpensiveLauncher.exe	ExpensiveLauncher.exe
PID 2916 wrote to memory of 2980	2916	ExpensiveLauncher.exe	ExpensiveLauncher.exe
PID 2916 wrote to memory of 1636	2916	ExpensiveLauncher.exe	dllhost.exe
PID 2916 wrote to memory of 1636	2916	ExpensiveLauncher.exe	dllhost.exe
PID 2916 wrote to memory of 1636	2916	ExpensiveLauncher.exe	dllhost.exe
PID 2916 wrote to memory of 1636	2916	ExpensiveLauncher.exe	dllhost.exe
PID 1636 wrote to memory of 2764	1636	dllhost.exe	WScript.exe
PID 1636 wrote to memory of 2764	1636	dllhost.exe	WScript.exe
PID 1636 wrote to memory of 2764	1636	dllhost.exe	WScript.exe
PID 1636 wrote to memory of 2764	1636	dllhost.exe	WScript.exe
PID 2204 wrote to memory of 1984	2204	WScript.exe	cmd.exe
PID 2204 wrote to memory of 1984	2204	WScript.exe	cmd.exe
PID 2204 wrote to memory of 1984	2204	WScript.exe	cmd.exe
PID 2204 wrote to memory of 1984	2204	WScript.exe	cmd.exe
PID 1984 wrote to memory of 1980	1984	cmd.exe	BrokerNet.exe
PID 1984 wrote to memory of 1980	1984	cmd.exe	BrokerNet.exe
PID 1984 wrote to memory of 1980	1984	cmd.exe	BrokerNet.exe
PID 1984 wrote to memory of 1980	1984	cmd.exe	BrokerNet.exe
PID 1980 wrote to memory of 1564	1980	BrokerNet.exe	csc.exe
PID 1980 wrote to memory of 1564	1980	BrokerNet.exe	csc.exe
PID 1980 wrote to memory of 1564	1980	BrokerNet.exe	csc.exe
PID 1564 wrote to memory of 2100	1564	csc.exe	cvtres.exe
PID 1564 wrote to memory of 2100	1564	csc.exe	cvtres.exe
PID 1564 wrote to memory of 2100	1564	csc.exe	cvtres.exe
PID 1980 wrote to memory of 2084	1980	BrokerNet.exe	cmd.exe
PID 1980 wrote to memory of 2084	1980	BrokerNet.exe	cmd.exe
PID 1980 wrote to memory of 2084	1980	BrokerNet.exe	cmd.exe
PID 2084 wrote to memory of 608	2084	cmd.exe	chcp.com
PID 2084 wrote to memory of 608	2084	cmd.exe	chcp.com
PID 2084 wrote to memory of 608	2084	cmd.exe	chcp.com
PID 2084 wrote to memory of 320	2084	cmd.exe	w32tm.exe
PID 2084 wrote to memory of 320	2084	cmd.exe	w32tm.exe
PID 2084 wrote to memory of 320	2084	cmd.exe	w32tm.exe
PID 2980 wrote to memory of 1788	2980	ExpensiveLauncher.exe	ExpensiveLauncher.exe
PID 2980 wrote to memory of 1788	2980	ExpensiveLauncher.exe	ExpensiveLauncher.exe
PID 2980 wrote to memory of 1788	2980	ExpensiveLauncher.exe	ExpensiveLauncher.exe
PID 2980 wrote to memory of 1804	2980	ExpensiveLauncher.exe	dllhost.exe
PID 2980 wrote to memory of 1804	2980	ExpensiveLauncher.exe	dllhost.exe
PID 2980 wrote to memory of 1804	2980	ExpensiveLauncher.exe	dllhost.exe
PID 2980 wrote to memory of 1804	2980	ExpensiveLauncher.exe	dllhost.exe
PID 1804 wrote to memory of 1672	1804	dllhost.exe	WScript.exe
PID 1804 wrote to memory of 1672	1804	dllhost.exe	WScript.exe
PID 1804 wrote to memory of 1672	1804	dllhost.exe	WScript.exe
PID 1804 wrote to memory of 1672	1804	dllhost.exe	WScript.exe
PID 2084 wrote to memory of 2228	2084	cmd.exe	BrokerNet.exe
PID 2084 wrote to memory of 2228	2084	cmd.exe	BrokerNet.exe
PID 2084 wrote to memory of 2228	2084	cmd.exe	BrokerNet.exe
PID 1788 wrote to memory of 1052	1788	ExpensiveLauncher.exe	ExpensiveLauncher.exe
PID 1788 wrote to memory of 1052	1788	ExpensiveLauncher.exe	ExpensiveLauncher.exe
PID 1788 wrote to memory of 1052	1788	ExpensiveLauncher.exe	ExpensiveLauncher.exe
PID 1788 wrote to memory of 2468	1788	ExpensiveLauncher.exe	dllhost.exe
PID 1788 wrote to memory of 2468	1788	ExpensiveLauncher.exe	dllhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exe
"C:\Users\Admin\AppData\Local\Temp\ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ChainwebbrokerHost\gYZ4rUP2ZbhoMyNj3nrlLxq5R7jYF3gYX.vbe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\ChainwebbrokerHost\zVePG0oR7GxsFrzVQOAnRVyOvcDN7woYPN55AHo3GILC8wcbBKG.bat" "
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Roaming\ChainwebbrokerHost\BrokerNet.exe
"C:\Users\Admin\AppData\Roaming\ChainwebbrokerHost/BrokerNet.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rlyfjinn\rlyfjinn.cmdline"
6⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4598.tmp" "c:\Windows\System32\CSC1CE803BEE60D452AA699FCBAC0542C9E.TMP"
7⤵
PID:2100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LltyZU6Ic5.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:608

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:320

C:\Users\Admin\AppData\Roaming\ChainwebbrokerHost\BrokerNet.exe
"C:\Users\Admin\AppData\Roaming\ChainwebbrokerHost\BrokerNet.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:336

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3288

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
15⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6960

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6088

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5336

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6132

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
23⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6884

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
25⤵
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
26⤵
PID:2548

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
26⤵
PID:5468

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
27⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
25⤵
PID:4240

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
26⤵
PID:3704

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
24⤵
PID:4184

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
25⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
23⤵
- Executes dropped EXE
PID:3952

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
24⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
22⤵
- Executes dropped EXE
PID:5448

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
23⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
21⤵
- Executes dropped EXE
PID:6196

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
22⤵
PID:6828

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
20⤵
- Executes dropped EXE
PID:2492

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
21⤵
PID:3628

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\bridgehyperintoref\s0CRYs.bat" "
22⤵
- Loads dropped DLL
PID:6320

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
23⤵
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
19⤵
- Executes dropped EXE
PID:7080

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
20⤵
PID:6016

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\bridgehyperintoref\s0CRYs.bat" "
21⤵
- Loads dropped DLL
PID:6156

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
22⤵
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
18⤵
- Executes dropped EXE
PID:1116

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
19⤵
PID:3292

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\bridgehyperintoref\s0CRYs.bat" "
20⤵
- Loads dropped DLL
PID:4536

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:712

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
17⤵
- Executes dropped EXE
PID:5672

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
18⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\bridgehyperintoref\s0CRYs.bat" "
19⤵
- Loads dropped DLL
PID:6508

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
16⤵
- Executes dropped EXE
PID:2852

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
17⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\bridgehyperintoref\s0CRYs.bat" "
18⤵
- Loads dropped DLL
PID:2004

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
15⤵
- Executes dropped EXE
PID:5464

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
16⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\bridgehyperintoref\s0CRYs.bat" "
17⤵
- Loads dropped DLL
PID:3236

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6676

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
14⤵
- Executes dropped EXE
PID:2372

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
15⤵
PID:3164

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\bridgehyperintoref\s0CRYs.bat" "
16⤵
- Loads dropped DLL
PID:1788

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5484

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
13⤵
- Executes dropped EXE
PID:4200

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
14⤵
PID:4592

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\bridgehyperintoref\s0CRYs.bat" "
15⤵
- Loads dropped DLL
PID:1304

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
12⤵
- Executes dropped EXE
PID:4236

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
13⤵
PID:4620

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\bridgehyperintoref\s0CRYs.bat" "
14⤵
- Loads dropped DLL
PID:6256

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
15⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
11⤵
- Executes dropped EXE
PID:2872

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
12⤵
PID:3768

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\bridgehyperintoref\s0CRYs.bat" "
13⤵
- Loads dropped DLL
PID:5028

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
10⤵
- Executes dropped EXE
PID:5036

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
11⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\bridgehyperintoref\s0CRYs.bat" "
12⤵
- Loads dropped DLL
PID:6128

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
9⤵
- Executes dropped EXE
PID:3796

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
10⤵
PID:3852

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\bridgehyperintoref\s0CRYs.bat" "
11⤵
- Loads dropped DLL
PID:6516

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6548

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
8⤵
- Executes dropped EXE
PID:2232

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
9⤵
PID:2348

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\bridgehyperintoref\s0CRYs.bat" "
10⤵
- Loads dropped DLL
PID:5632

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5648

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
7⤵
- Executes dropped EXE
PID:2196

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
8⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\bridgehyperintoref\s0CRYs.bat" "
9⤵
- Loads dropped DLL
PID:3556

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
6⤵
- Executes dropped EXE
PID:2940

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
7⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\bridgehyperintoref\s0CRYs.bat" "
8⤵
- Loads dropped DLL
PID:5208

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5232

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
5⤵
- Executes dropped EXE
PID:2468

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
6⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\bridgehyperintoref\s0CRYs.bat" "
7⤵
- Loads dropped DLL
PID:4948

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
5⤵
PID:1672

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\bridgehyperintoref\s0CRYs.bat" "
6⤵
- Loads dropped DLL
PID:4936

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
4⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\bridgehyperintoref\s0CRYs.bat" "
5⤵
- Loads dropped DLL
PID:2436

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ZUKzs1xos.bat"
7⤵
PID:5072

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:4084

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4092

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref\containercomponentWinsession.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BrokerNetB" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Roaming\ChainwebbrokerHost\BrokerNet.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BrokerNet" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\ChainwebbrokerHost\BrokerNet.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BrokerNetB" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\ChainwebbrokerHost\BrokerNet.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9ZUKzs1xos.bat
Filesize
182B

MD5
e004101ffd67481bd5193d06f57c2039

SHA1
2be58e161ce61cff21a462725d5221073e587dc6

SHA256
8e0da10cd92604e7d98e53a666d3191d410e5a37f1b5e21a4d21e78f646ce336

SHA512
e7142d052d98156032ccc40f089112cbde175ed3b23b2b722aed11a41332153f4c1baca835a3530a39d024a7892318482b760ecf6e1a588e93254abe66272811

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
Filesize
1.6MB

MD5
7e31f174306b2b48ece36a0d3428336e

SHA1
c533507974dedf73e651b5e0d8c224b1c8af7ccc

SHA256
dcc8e595c5aa29e8ba84d43d8775428b6f24e463544b54770107ec6181409236

SHA512
6baafa73dcce7ecef1fc32d31886df3dd6c766b8fcdd442971e297024f7252a318f195e968e2148131b54b2696d4f78514dc0ad2babb00b545c679b7e15eedd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\LltyZU6Ic5.bat
Filesize
239B

MD5
cffbc4ba505e5c3e80fffea75d80e3f7

SHA1
0ad62c2e4ea7d86e8cca1bc4c8dae365c126e449

SHA256
e11a475d16d673ceb8605f3af0cb84040bedb31cebc4f8e1b1dc6266dfe1323e

SHA512
5444e96c307a93243c2583de60c48926e42d5594fc030c83304c2803836abdcb97910190d2d711f8e1afcb570fd381b7c3d83f82494e85e2db6111f5089c3b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
Filesize
1.5MB

MD5
f764cf674295a57ad7fa668a1736a8ec

SHA1
0b8af6669c4b26703773313c2537d261120e3a0f

SHA256
d1b7468729fe223bb9c6c8935b85e4bef13aa0e034837185fb7d79732fbf7433

SHA512
c10fd604b54319914bc745c17d3918dcb07636e93906436b1ed1075480bbda4f10242660801c838e779324b9523f7756c680de4dad2d96b17d82e6e40050f002

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4598.tmp
Filesize
1KB

MD5
771fe9ec0591319b19c191a84a119d28

SHA1
776f14d7459488955964d0d633347fa5b892f19a

SHA256
05e8ae107ffa154bd2a65218e5a468b355da67e0cc46780626796d7461607eaa

SHA512
8021d114ff12db2cff2e58776b32132fdc0f24d4089578d031af3add7f7af2f8c5b3ee6ae50ed23aac31cdb4e78c026b1854c8a4b0101d895919eeed6d116999

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllhost.exe
Filesize
1.8MB

MD5
89ac03c00af06a3a6af77cc6d3efb90f

SHA1
21e58d891fc3a2cbb1d8e3873e3b8b44404bc044

SHA256
47c5daa5705213579570529232641cba391bb6bf2d4c38523d5ea6a596f15e12

SHA512
c4899c371aa855df5bb4f646fe624cea9ae0a8313784dde1b455f54f970c87bc07c9900cf3a98a15a32a50ae4ba7d95621e41f5ff31cc7493bad150d3546d6fa

Download Submit
C:\Users\Admin\AppData\Roaming\ChainwebbrokerHost\gYZ4rUP2ZbhoMyNj3nrlLxq5R7jYF3gYX.vbe
Filesize
254B

MD5
3a6c857270f1479ca63e27b5704e0e98

SHA1
066bbf1da6ffe36b282015a6482671ad3fab62db

SHA256
266759d52df9bad8b31787bd1c68a613437ebe66acbccf99c3f00a437d6bf190

SHA512
176a81b885a50347be30d1ad3effdc6981a34df72df4a44b6a77fa3abe817f243c5ee1f8343b9f119980f607a5d6ae8c0e1c8dc3e5787d9ce376df788863f636

Download Submit
C:\Users\Admin\AppData\Roaming\ChainwebbrokerHost\zVePG0oR7GxsFrzVQOAnRVyOvcDN7woYPN55AHo3GILC8wcbBKG.bat
Filesize
95B

MD5
78444b954218e281512655767a79a9d4

SHA1
928b23937e1278aa8312cf6bc42eb1e81e9d60c2

SHA256
3d79cdd944b481434beb2b41b0cd6f2fc9312fd59ce4fdad0356a32e1530edf5

SHA512
89193e0b911ccf219d6d3d1a56f504adc8264628d14a9cc72b539375a27ed5af64499602d8f9296cfe562af5e4f36182d0c7d4e30a9401b7ebe9f0be9588464e

Download Submit
C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe
Filesize
203B

MD5
8fdb05b80cb5e35641b747d91cce3170

SHA1
650d31e0b46c0c33b0d1688d85591392c66fa379

SHA256
a3839907cd1c1f9bcf807e9d63fdaf4365774b6f934a8e988f48d020248e987f

SHA512
db4dd9275fc9cc63e7a7c21f3914b901b16ba2e520581fc2562fd22ac6f93262f1305f99650ee0f3b0234b7c744a30dda3bd0a642705ddc8aca97dfb23f49191

Download Submit
C:\bridgehyperintoref\s0CRYs.bat
Filesize
112B

MD5
2abdf3942852851e59a786f6785137a0

SHA1
da856a32c0505e9315a9a7e250dbe735adfdbb1b

SHA256
4bd82dd25116b82653b6a443f09476e796c6e5b7bd101ed47983c1413f3405dc

SHA512
ae8cc651a4a179651e91ac65edaa854b9176767c13d20159edba8f9f9e187338018bf3c700c0d6e7a7c010ff09a9d0e58418d72b3a8c3470b8ad2323c40ee394

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rlyfjinn\rlyfjinn.0.cs
Filesize
371B

MD5
326fdfd90fce9e5c121719b8ba28b315

SHA1
23b115029406eb75a6201fbb42b1dcf1bd702bd7

SHA256
e12303b3421d1beb0d9dddbf7446c1fb0e4b7347bd25ad93a8ffb0c0b1202913

SHA512
ebe569dc8d7a2892c4f0b6cb90d36553240952d08cc88f662cf0f65927df7cc677f61c70cb662705609886451c382b53f68d27e8e6342ab82af4424ee87148c8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rlyfjinn\rlyfjinn.cmdline
Filesize
235B

MD5
d2fa0de206dedfc882f706da4fca8c78

SHA1
142a9bf45755ffceaf0448f186744b3068e600ff

SHA256
d5d0747abeea7105c84be16e5cb533e161941e734c654e4b5a543522ba86bc7c

SHA512
7defa66bf618275d7be958c3e60b00b17a202f5885a128caf44f03470c71de0ef34cd8c0ed5f870ea4b891f7597d6f88cbe7460c1318463ad0bd7d0b146af278

Download Submit
\??\c:\Windows\System32\CSC1CE803BEE60D452AA699FCBAC0542C9E.TMP
Filesize
1KB

MD5
707f3ae17d1443518c14e3d57f6b0fa5

SHA1
78ac15700b932222fa2ce60142966a1716c90838

SHA256
1fafc870513c7e90d1f2569dd473478821fb4798e8eb51e1f8a1620b3bf29aea

SHA512
ac3805f209da253c7eb6758d472a7c6a084392594a4dd7389dc926181933f9333fa0a74d7f749bc7ecb0b901afa5cad91d64d62989122acd3f4b583c3a4e2c9f

Download Submit
\Users\Admin\AppData\Roaming\ChainwebbrokerHost\BrokerNet.exe
Filesize
1.6MB

MD5
dea574319381eb096140dd23a8125405

SHA1
9a5dc9d11617ec9fe821a799a272f044bcf12c0b

SHA256
63d827abee6c1f7704f58b9bf2afa6c414b52b704bb2698c9f5c74d08b418b0b

SHA512
b69d8eed06e3b018fc22b308353631978aa0bf31e0048b7b14f7f374ced6857f772cfd9df8ea057d2b297dc761155b1f6e748868ac3b7a253a4d23ac9338e322

Download Submit
\bridgehyperintoref\containercomponentWinsession.exe
Filesize
1.4MB

MD5
5bd9f36c577a19e117525a0054b00486

SHA1
f6c8e2234efdb1e9af35413e326dc3143dc14e59

SHA256
7c6aa6eae77e2371a257892151e07d7a96316087aae3c45aed0fe49ecfab0ff5

SHA512
fb91ff8eba24d28f5d644012c45879308fb90ff114274e9aeb1305aee60a9d386356dba471be9358822798afb21e1478a79d7cb66563206ac3b8c72f10e85639

Download Submit
memory/1316-150-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-166-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-3683-0x00000000003C0000-0x00000000003D8000-memory.dmp

Filesize
96KB

Download
memory/1316-3681-0x00000000003A0000-0x00000000003BC000-memory.dmp

Filesize
112KB

Download
memory/1316-178-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-180-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-118-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-120-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-122-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-126-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-115-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

Filesize
32KB

Download
memory/1316-116-0x000000001AEC0000-0x000000001B090000-memory.dmp

Filesize
1.8MB

Download
memory/1316-117-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-124-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-136-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-140-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-138-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-156-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-176-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-174-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-172-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-170-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-168-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-129-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-164-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-162-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-160-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-159-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-154-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-152-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-130-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-148-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-146-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-144-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-142-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-134-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1316-132-0x000000001AEC0000-0x000000001B089000-memory.dmp

Filesize
1.8MB

Download
memory/1680-0-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

Filesize
4KB

Download
memory/1680-2-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/1680-12-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/1680-1-0x00000000000E0000-0x00000000003EE000-memory.dmp

Filesize
3.1MB

Download
memory/1980-50-0x0000000000190000-0x000000000019C000-memory.dmp

Filesize
48KB

Download
memory/1980-46-0x0000000001370000-0x000000000151A000-memory.dmp

Filesize
1.7MB

Download
memory/1980-48-0x0000000000180000-0x000000000018E000-memory.dmp

Filesize
56KB

Download
memory/2228-79-0x00000000002B0000-0x000000000045A000-memory.dmp

Filesize
1.7MB

Download
memory/2916-14-0x00000000000A0000-0x000000000024A000-memory.dmp

Filesize
1.7MB

Download
memory/2916-15-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2916-32-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download