lokibot | hxxps://anonfiles[.]com/R1G9Zc79qe/Malware_Testing_rar

Analysis

max time kernel
83s
max time network
152s
platform
windows10_x64
resource
win10v20201028
submitted
02-03-2021 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://anonfiles.com/R1G9Zc79qe/Malware_Testing_rar

Score

10^/10

lokibot metasploit snakekeylogger systembc xmrig agilenet backdoor dave evasion keylogger miner pyinstaller spyware stealer trojan upx

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

http://172.98.192.214:443/cSVlo1FeFAInvJDJkZ9P99GLwSTqIGUF

Extracted

Family

lokibot

http://becharnise.ir/fb2/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

http://pitr0s.com/DJ/luck/fre.php

Extracted

Family

systembc

fb01ddd.com:4039

fb01ddd.xyz:4039

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
server255.web-hosting.com
Port:
587
Username:
dakbooks@janrytwo.xyz
Password:
rK(gSd%NWaQ@

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/6820-285-0x0000000000400000-0x0000000000468000-memory.dmp	family_snakekeylogger

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/5700-100-0x0000000000400000-0x00000000009B5000-memory.dmp	xmrig

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral1/memory/6072-114-0x0000000000500000-0x0000000000502000-memory.dmp	dave

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

MalwareDownloader2.1.exeMalwareDownloader2.1.exe

pid process

3300 MalwareDownloader2.1.exe
4768 MalwareDownloader2.1.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
3300	MalwareDownloader2.1.exe
4768	MalwareDownloader2.1.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/5700-100-0x0000000000400000-0x00000000009B5000-memory.dmp	upx

Loads dropped DLL 15 IoCs

Processes:

MalwareDownloader2.1.exe

pid	process
4768	MalwareDownloader2.1.exe
4768	MalwareDownloader2.1.exe
4768	MalwareDownloader2.1.exe
4768	MalwareDownloader2.1.exe
4768	MalwareDownloader2.1.exe
4768	MalwareDownloader2.1.exe
4768	MalwareDownloader2.1.exe
4768	MalwareDownloader2.1.exe
4768	MalwareDownloader2.1.exe
4768	MalwareDownloader2.1.exe
4768	MalwareDownloader2.1.exe
4768	MalwareDownloader2.1.exe
4768	MalwareDownloader2.1.exe
4768	MalwareDownloader2.1.exe
4768	MalwareDownloader2.1.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1896-217-0x0000000006B50000-0x0000000006B71000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

671 api.ipify.org
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

flow	ioc
671	api.ipify.org

Detects Pyinstaller 6 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Malware Testing\MalwareDownloader2.1.exe	pyinstaller
C:\Users\Admin\Desktop\Malware Testing\MalwareDownloader2.1.exe	pyinstaller
C:\Users\Admin\Desktop\Malware Testing\MalwareDownloader2.1.exe	pyinstaller
C:\Users\Admin\Desktop\Malware Testing\Run_samples.exe	pyinstaller
C:\Users\Admin\Desktop\Malware Testing\Run_samples.exe	pyinstaller
C:\Users\Admin\Desktop\Malware Testing\Run_samples.exe	pyinstaller

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1172 4244 WerFault.exe 5m2RChDBFCESkrBzJycV.exe
7148 7056 WerFault.exe Bskbs.exe
5200 5632 WerFault.exe Bskbs.exe

pid	pid_target	process	target process
1172	4244	WerFault.exe	5m2RChDBFCESkrBzJycV.exe
7148	7056	WerFault.exe	Bskbs.exe
5200	5632	WerFault.exe	Bskbs.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

204 schtasks.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2160 taskkill.exe
3268 taskkill.exe
6920 taskkill.exe
6984 taskkill.exe

pid	process
204	schtasks.exe

pid	process
2160	taskkill.exe
3268	taskkill.exe
6920	taskkill.exe
6984	taskkill.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = de4ef1e88fadd601	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeAcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F49EE347-7B0C-11EB-BEBD-7203859AD7E4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30871321"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60b5dcca190fd701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3375649826"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30871321"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3387057436"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{B2D9542A-DAC3-4331-BFD0-1C6F20057726}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\anonfiles.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30871321"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3000fafca1662499122fd32dd161f74000000000200000000001066000000010000200000008d410f8be486478b1cb51605ef64690048358d48ff3b7d61a91269105d54ccfd000000000e8000000002000020000000814feb169b332619769038540e5b15770b7191f95dd04918c6c297d1c896a2b12000000078d4d2f651f930538adc96308bef74ecc57975f910442bce078ba87237e556fd40000000b50db1db6dcffd4f6c52f1f4f2617a9880bb623846099e3789472fcc6d615b17ca6ae634adf222076eed66f0658c0f11527d5e54d79c4977b90b5e53387ab295	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\anonfiles.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3375649826"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3000fafca1662499122fd32dd161f74000000000200000000001066000000010000200000000dadb830500ba42d8e4ec33148ff232d7a2eb2dfa2da507111537dd1570324eb000000000e80000000020000200000004a486bf6dcdee015d32262e0171c36fd602676e2de73718cb09cfe006aba9f5420000000d35d613976e8762e78b7f931beb890eaf067e512a02321852a03d666d71cbfc1400000007a1a6d76f9692dabaf866b87a4f0fc9f8af2e465bc0d3e8b9c6e2a79bbb5c73363cb1ff30afea8a96fde7975a7d1d6d662721bb7bcc850c480c3eb72384a53ab	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3057edca190fd701	iexplore.exe

Modifies registry class 64 IoCs

Processes:

iexplore.exeOpenWith.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\.rar\ = "rar_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\rar_auto_file\shell\Read	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\rar_auto_file\shell\Read\command	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e8005398e082303024b98265d99428e115f0000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000c526dc6855add6019a46e66a55add6016d1fdf6a55add60114000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\.rar	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\rar_auto_file\shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\rar_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\""	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	iexplore.exe

Runs net.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2644 PING.EXE
6804 PING.EXE

pid	process
2644	PING.EXE
6804	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zG.exe

description	pid	process
Token: SeRestorePrivilege	3616	7zG.exe
Token: 35	3616	7zG.exe
Token: SeSecurityPrivilege	3616	7zG.exe
Token: SeSecurityPrivilege	3616	7zG.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exe7zG.exe

pid process

4688 iexplore.exe
4688 iexplore.exe
3616 7zG.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

iexplore.exeIEXPLORE.EXEOpenWith.exeAcroRd32.exe

pid	process
4688	iexplore.exe
4688	iexplore.exe
4956	IEXPLORE.EXE
4956	IEXPLORE.EXE
4956	IEXPLORE.EXE
4956	IEXPLORE.EXE
4956	IEXPLORE.EXE
4956	IEXPLORE.EXE
4688	iexplore.exe
4956	IEXPLORE.EXE
4956	IEXPLORE.EXE
532	OpenWith.exe
532	OpenWith.exe
532	OpenWith.exe
532	OpenWith.exe
532	OpenWith.exe
1004	AcroRd32.exe
1004	AcroRd32.exe
1004	AcroRd32.exe
1004	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeOpenWith.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4688 wrote to memory of 4956	4688	iexplore.exe	IEXPLORE.EXE
PID 4688 wrote to memory of 4956	4688	iexplore.exe	IEXPLORE.EXE
PID 4688 wrote to memory of 4956	4688	iexplore.exe	IEXPLORE.EXE
PID 532 wrote to memory of 1004	532	OpenWith.exe	AcroRd32.exe
PID 532 wrote to memory of 1004	532	OpenWith.exe	AcroRd32.exe
PID 532 wrote to memory of 1004	532	OpenWith.exe	AcroRd32.exe
PID 1004 wrote to memory of 2052	1004	AcroRd32.exe	RdrCEF.exe
PID 1004 wrote to memory of 2052	1004	AcroRd32.exe	RdrCEF.exe
PID 1004 wrote to memory of 2052	1004	AcroRd32.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2452	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2460	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2460	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2460	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2460	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2460	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2460	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2460	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2460	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2460	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2460	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2460	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2460	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2460	2052	RdrCEF.exe	RdrCEF.exe
PID 2052 wrote to memory of 2460	2052	RdrCEF.exe	RdrCEF.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

6380 attrib.exe

pid	process
6380	attrib.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://anonfiles.com/R1G9Zc79qe/Malware_Testing_rar
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4688

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4688 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4956

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4688 CREDAT:82962 /prefetch:2
2⤵
PID:6060

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:532

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\Malware Testing.rar"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1004

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:2052

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4058C5B041C65B3A54B3D8539BEC5047 --mojo-platform-channel-handle=1632 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2452

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=590602626E43F7116EA9D661F8BB3EEB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=590602626E43F7116EA9D661F8BB3EEB --renderer-client-id=2 --mojo-platform-channel-handle=1656 --allow-no-sandbox-job /prefetch:1
4⤵
PID:2460

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E64527789EBA1E36E19AB481F89C4E37 --mojo-platform-channel-handle=2208 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3052

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=089EA9653947E1D0CB875CE6C930204A --mojo-platform-channel-handle=1852 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2104

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Malware Testing\" -spe -an -ai#7zMap8821:88:7zEvent26677
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3616

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4044

C:\Users\Admin\Desktop\Malware Testing\MalwareDownloader2.1.exe
"C:\Users\Admin\Desktop\Malware Testing\MalwareDownloader2.1.exe"
1⤵
- Executes dropped EXE
PID:3300

C:\Users\Admin\Desktop\Malware Testing\MalwareDownloader2.1.exe
"C:\Users\Admin\Desktop\Malware Testing\MalwareDownloader2.1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4768

C:\Users\Admin\Desktop\Malware Testing\Run_samples.exe
"C:\Users\Admin\Desktop\Malware Testing\Run_samples.exe"
1⤵
PID:5416

C:\Users\Admin\Desktop\Malware Testing\Run_samples.exe
"C:\Users\Admin\Desktop\Malware Testing\Run_samples.exe"
2⤵
PID:5484

C:\Users\Admin\Desktop\Malware Testing\samples\-Ocx1CuSyqt6ElMulHFQ.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\-Ocx1CuSyqt6ElMulHFQ.exe"
3⤵
PID:5628

C:\Users\Admin\Desktop\Malware Testing\samples\-s-BvOfb5zImsnahTeGm.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\-s-BvOfb5zImsnahTeGm.exe"
3⤵
PID:5660

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\Desktop\Malware Testing\samples\-s-BvOfb5zImsnahTeGm.exe" "-s-BvOfb5zImsnahTeGm.exe" ENABLE
4⤵
PID:5112

C:\Users\Admin\Desktop\Malware Testing\samples\-tOpNHfiM-Je1ouTobBH.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\-tOpNHfiM-Je1ouTobBH.exe"
3⤵
PID:5676

C:\Users\Admin\Desktop\Malware Testing\samples\-USF6RoDbOxnv-oJ7i3M.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\-USF6RoDbOxnv-oJ7i3M.exe"
3⤵
PID:5700

C:\Users\Admin\Desktop\Malware Testing\samples\0dnmBaAIMGFGEN24BzPl.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\0dnmBaAIMGFGEN24BzPl.exe"
3⤵
PID:5732

C:\Users\Admin\Desktop\Malware Testing\samples\0mQGAY7vOHNXbHq8QgH3.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\0mQGAY7vOHNXbHq8QgH3.exe"
3⤵
PID:5780

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.baidu.com?s=32&v=33&c=12&a=123&m=&t=1232434
4⤵
PID:5960

C:\Users\Admin\Desktop\Malware Testing\samples\17f8zQsiA_dr7HHDiEt5.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\17f8zQsiA_dr7HHDiEt5.exe"
3⤵
PID:5800

C:\Users\Admin\Desktop\Malware Testing\samples\1roiR4e9N-5s-irPH3Ti.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\1roiR4e9N-5s-irPH3Ti.exe"
3⤵
PID:5820

C:\Users\Admin\Desktop\Malware Testing\samples\-Byv21MKIbXxeiZfFJUJ.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\-Byv21MKIbXxeiZfFJUJ.exe"
3⤵
PID:5604

C:\Users\Admin\Desktop\Malware Testing\samples\1uGE2CVJgR7E9PP_XgHi.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\1uGE2CVJgR7E9PP_XgHi.exe"
3⤵
PID:5892

C:\Users\Admin\Desktop\Malware Testing\samples\1UYvaiirDeBqRBO5j5Cy.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\1UYvaiirDeBqRBO5j5Cy.exe"
3⤵
PID:5924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min extrac32 readme.txt:meta /Y /E /L C:\Users\Admin\AppData\Local\Temp | more & wscript C:\Users\Admin\AppData\Local\Temp\start.vbs
4⤵
PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" start /min extrac32 readme.txt:meta /Y /E /L C:\Users\Admin\AppData\Local\Temp "
5⤵
PID:2744

C:\Windows\system32\extrac32.exe
extrac32 readme.txt:meta /Y /E /L C:\Users\Admin\AppData\Local\Temp
6⤵
PID:4620

C:\Windows\system32\more.com
more
5⤵
PID:1432

C:\Windows\system32\wscript.exe
wscript C:\Users\Admin\AppData\Local\Temp\start.vbs
5⤵
PID:5260

C:\Users\Admin\Desktop\Malware Testing\samples\1Y0DHUDUZ9kSKXGQEQbt.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\1Y0DHUDUZ9kSKXGQEQbt.exe"
3⤵
PID:5944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\Desktop\Malware Testing\samples\1Y0DHUDUZ9kSKXGQEQbt.exe"
4⤵
PID:2392

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 1
5⤵
- Runs ping.exe
PID:2644

C:\Users\Admin\Desktop\Malware Testing\samples\2DU8dHQhjXH7U6aTrrIz.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\2DU8dHQhjXH7U6aTrrIz.exe"
3⤵
PID:5972

C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe
"C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\Admin\Desktop\Malware Testing\samples\2DU8dHQhjXH7U6aTrrIz.exe" -instdata "C:\Users\Admin\AppData\Local\Temp\n1s\nchdata.dat"
4⤵
PID:3096

C:\Users\Admin\Desktop\Malware Testing\samples\2fL498FMVwkk3luEevhW.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\2fL498FMVwkk3luEevhW.exe"
3⤵
PID:6072

C:\Users\Admin\Desktop\Malware Testing\samples\2SvURHHvaB384crWb7Qw.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\2SvURHHvaB384crWb7Qw.exe"
3⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\mad\file.bat" "
4⤵
PID:5232

C:\Windows\SysWOW64\mode.com
mode con:cols=110 lines=25
5⤵
PID:4024

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
5⤵
- Kills process with taskkill
PID:2160

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im iexplore.exe
5⤵
- Kills process with taskkill
PID:3268

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im dllhost.exe
5⤵
- Kills process with taskkill
PID:6984

C:\Users\Admin\Desktop\Malware Testing\samples\3a2yyJXoXUAqPbkavD0H.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\3a2yyJXoXUAqPbkavD0H.exe"
3⤵
PID:2684

C:\Users\Admin\Desktop\Malware Testing\samples\3IMw4yW8sz73Aa47MQH1.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\3IMw4yW8sz73Aa47MQH1.exe"
3⤵
PID:4696

C:\Users\Admin\Desktop\Malware Testing\samples\3pIQSsf9wpj-yCv4IooM.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\3pIQSsf9wpj-yCv4IooM.exe"
3⤵
PID:3544

C:\Users\Admin\Desktop\Malware Testing\samples\3xqDOLXmu4ERneZ2F_63.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\3xqDOLXmu4ERneZ2F_63.exe"
3⤵
PID:3012

C:\Users\Admin\Desktop\Malware Testing\samples\4ACL1HyNicD6PT3ZfXuH.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\4ACL1HyNicD6PT3ZfXuH.exe"
3⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\sfy.exe,"
4⤵
PID:3176

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\sfy.exe,"
5⤵
PID:4060

C:\Users\Admin\sfy.exe
"C:\Users\Admin\sfy.exe"
4⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
5⤵
PID:6820

C:\Users\Admin\Desktop\Malware Testing\samples\523hQXfB6wABzadwlRhN.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\523hQXfB6wABzadwlRhN.exe"
3⤵
PID:5256

C:\Users\Admin\Desktop\Malware Testing\samples\5AyyoX_qsxw1Y7Xh02zT.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\5AyyoX_qsxw1Y7Xh02zT.exe"
3⤵
PID:3256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /cschtasks /create /tn "WinWoW64" /tr "C:\ProgramData\DaemonL\Daemon.exe" /sc MINUTE /mo 1
4⤵
PID:1180

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "WinWoW64" /tr "C:\ProgramData\DaemonL\Daemon.exe" /sc MINUTE /mo 1
5⤵
- Creates scheduled task(s)
PID:204

C:\ProgramData\DaemonL\Daemon.exe
C:\ProgramData\DaemonL\Daemon.exe
4⤵
PID:1800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /cschtasks /create /tn "WinWoW64" /tr "C:\ProgramData\DaemonL\Daemon.exe" /sc MINUTE /mo 1
5⤵
PID:4832

C:\ProgramData\DaemonL\PhoenixMiner.exe
"C:\ProgramData\DaemonL\PhoenixMiner.exe" -pool stratum+tcp://eu.emcd.io:7777 -pool2 stratum+tcp://eu2.emcd.io:7777 -wal patriot.hi -gpow 30 -gt 6 -log 0
4⤵
PID:4780

C:\Users\Admin\Desktop\Malware Testing\samples\5m2RChDBFCESkrBzJycV.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\5m2RChDBFCESkrBzJycV.exe"
3⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 1180
4⤵
- Program crash
PID:1172

C:\Users\Admin\Desktop\Malware Testing\samples\5m2RChDBFCESkrBzJycV.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\5m2RChDBFCESkrBzJycV.exe"
4⤵
PID:1496

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
5⤵
PID:5208

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\Desktop\Malware Testing\samples\5m2RChDBFCESkrBzJycV.exe" "C:\Program Files (x86)\autochkl2kdl.pif" /V
6⤵
PID:6440

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\Desktop\Malware Testing\samples\5m2RChDBFCESkrBzJycV.exe"
6⤵
PID:6860

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
5⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\sail2st-cr.exe
"C:\Users\Admin\AppData\Local\Temp\sail2st-cr.exe"
4⤵
PID:4000

C:\Users\Admin\Desktop\Malware Testing\samples\5nJHrRqfHjX55FHaGWzn.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\5nJHrRqfHjX55FHaGWzn.exe"
3⤵
PID:4776

C:\Users\Admin\Desktop\Malware Testing\samples\5oXjUK2yzIIqkDpFxb0N.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\5oXjUK2yzIIqkDpFxb0N.exe"
3⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\is-IEGTM.tmp\5oXjUK2yzIIqkDpFxb0N.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IEGTM.tmp\5oXjUK2yzIIqkDpFxb0N.tmp" /SL5="$204FA,1156381,436224,C:\Users\Admin\Desktop\Malware Testing\samples\5oXjUK2yzIIqkDpFxb0N.exe"
4⤵
PID:1932

C:\Users\Admin\Desktop\Malware Testing\samples\5TewUBqy41lEN1IKZNWW.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\5TewUBqy41lEN1IKZNWW.exe"
3⤵
PID:1896

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Documents\drivers\\uplauncher.exe,"
4⤵
PID:5260

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Documents\drivers\\uplauncher.exe,"
5⤵
PID:3788

C:\Users\Admin\Desktop\Malware Testing\samples\5znh5oR8Xcy7GX2v004V.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\5znh5oR8Xcy7GX2v004V.exe"
3⤵
PID:5480

C:\Users\Admin\Desktop\Malware Testing\samples\6C63K1IQZHQUjdHC8kA8.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\6C63K1IQZHQUjdHC8kA8.exe"
3⤵
PID:452

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4N7T4CLR.bat" "C:\Users\Admin\Desktop\Malware Testing\samples\6C63K1IQZHQUjdHC8kA8.exe" "
4⤵
PID:5496

C:\Windows\SysWOW64\netsh.exe
netsh winsock reset
5⤵
PID:1280

C:\Users\Admin\Desktop\Malware Testing\samples\6NI7nkgyo4-c30AsR3Q_.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\6NI7nkgyo4-c30AsR3Q_.exe"
3⤵
PID:5164

C:\Program Files (x86)\Microsoft Edzswh\Edzswhl.exe
"C:\Program Files (x86)\Microsoft Edzswh\Edzswhl.exe"
4⤵
PID:3908

C:\Picture.exe
"C:\Picture.exe"
5⤵
PID:6964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Picture.exe > nul
6⤵
PID:7096

C:\Users\Admin\Desktop\Malware Testing\samples\6zK6huWx_7Ogiv-HXZfq.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\6zK6huWx_7Ogiv-HXZfq.exe"
3⤵
PID:5612

C:\Users\Admin\AppData\Local\Temp\is-E14FT.tmp\is-2N59U.tmp
"C:\Users\Admin\AppData\Local\Temp\is-E14FT.tmp\is-2N59U.tmp" /SL4 $30386 "C:\Users\Admin\Desktop\Malware Testing\samples\6zK6huWx_7Ogiv-HXZfq.exe" 251497 50688
4⤵
PID:2828

C:\Users\Admin\Desktop\Malware Testing\samples\7sm_AJBbxSWN_UN6qCph.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\7sm_AJBbxSWN_UN6qCph.exe"
3⤵
PID:3972

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c taskkill /IM Gwx.exe /F
4⤵
PID:6712

C:\Windows\system32\taskkill.exe
taskkill /IM Gwx.exe /F
5⤵
- Kills process with taskkill
PID:6920

C:\Users\Admin\Desktop\Malware Testing\samples\84uHqhZf_IBoVdtOa9uy.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\84uHqhZf_IBoVdtOa9uy.exe"
3⤵
PID:6040

C:\Users\Admin\Desktop\Malware Testing\samples\84uHqhZf_IBoVdtOa9uy.exe
C:\Users\Admin\Desktop\Malware Testing\samples\84uHqhZf_IBoVdtOa9uy.exe"
4⤵
PID:3008

C:\Users\Admin\Desktop\Malware Testing\samples\87EH0eKUgwO8a5UKZdUu.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\87EH0eKUgwO8a5UKZdUu.exe"
3⤵
PID:5964

C:\Users\Admin\Desktop\Malware Testing\samples\91foJjTIFZJH6Qv31J-_.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\91foJjTIFZJH6Qv31J-_.exe"
3⤵
PID:660

C:\Users\Admin\Desktop\Malware Testing\samples\9cPjQAbAiYzIEHlPxRAS.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\9cPjQAbAiYzIEHlPxRAS.exe"
3⤵
PID:2480

C:\Users\Admin\Desktop\Malware Testing\samples\9GIt9TwREOUUIh5vzFnu.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\9GIt9TwREOUUIh5vzFnu.exe"
3⤵
PID:5828

C:\Users\Admin\Desktop\Malware Testing\samples\9I9G8mH0v0SRT-T2ITlG.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\9I9G8mH0v0SRT-T2ITlG.exe"
3⤵
PID:3084

C:\Users\Admin\AppData\Local\Temp\is-HKA2A.tmp\is-O73F7.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HKA2A.tmp\is-O73F7.tmp" /SL4 $204F6 "C:\Users\Admin\Desktop\Malware Testing\samples\9I9G8mH0v0SRT-T2ITlG.exe" 2677250 52224
4⤵
PID:4756

C:\Users\Admin\Desktop\Malware Testing\samples\9lvzjXk9YR90Ptdx_sAH.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\9lvzjXk9YR90Ptdx_sAH.exe"
3⤵
PID:5352

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\TEMP\csonhost.bat
4⤵
PID:1000

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundllhost.exe" /f
5⤵
PID:6392

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundlls.exe" /f
5⤵
PID:6560

C:\Windows\SysWOW64\PING.EXE
ping 127.1 -n 5
5⤵
- Runs ping.exe
PID:6804

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start MetPipAtcivator
4⤵
PID:3840

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set MetPipAtcivator Description Provides performance library information from Windows Management.
4⤵
PID:4828

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set MetPipAtcivator DisplayName Network Location Service
4⤵
PID:3400

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install MetPipAtcivator c:\windows\Fonts\conhost.exe
4⤵
PID:5804

C:\Windows\SysWOW64\sc.exe
sc delete mssecsvc2.1
4⤵
PID:5060

C:\Windows\SysWOW64\net.exe
net stop mssecsvc2.1
4⤵
PID:4448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssecsvc2.1
5⤵
PID:6184

C:\Windows\SysWOW64\sc.exe
sc delete mssecsvc2.0
4⤵
PID:4172

C:\Windows\SysWOW64\net.exe
net stop mssecsvc2.0
4⤵
PID:1768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssecsvc2.0
5⤵
PID:6204

C:\Windows\SysWOW64\net1.exe
net1 user mm123$ /del
4⤵
PID:5624

C:\Windows\SysWOW64\net.exe
net user mm123$ /del
4⤵
PID:2128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user mm123$ /del
5⤵
PID:6248

C:\Windows\SysWOW64\sc.exe
sc delete lanmanserver
4⤵
PID:4604

C:\Windows\SysWOW64\sc.exe
sc config lanmanserver start= DISABLED 2>nul
4⤵
PID:5672

C:\Windows\SysWOW64\net.exe
net stop lanmanserver /y
4⤵
PID:4308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop lanmanserver /y
5⤵
PID:6228

C:\Windows\SysWOW64\sc.exe
sc delete SetPipAtcivator
4⤵
PID:3988

C:\Windows\SysWOW64\net.exe
net stop SetPipAtcivator
4⤵
PID:2108

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SetPipAtcivator
5⤵
PID:6212

C:\Windows\SysWOW64\sc.exe
sc delete MetPipAtcivator
4⤵
PID:3860

C:\Windows\SysWOW64\net.exe
net stop MetPipAtcivator
4⤵
PID:4656

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MetPipAtcivator
5⤵
PID:6220

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
4⤵
PID:4524

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
5⤵
- Views/modifies file attributes
PID:6380

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Malware Testing\samples\tem.vbs"
4⤵
PID:6884

C:\Users\Admin\Desktop\Malware Testing\samples\9UPMqYKFwisYSpY8LG--.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\9UPMqYKFwisYSpY8LG--.exe"
3⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT /delete /yes
4⤵
PID:6196

C:\Windows\SysWOW64\at.exe
AT /delete /yes
5⤵
PID:6428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
4⤵
PID:6616

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
5⤵
PID:6928

C:\Users\Admin\Desktop\Malware Testing\samples\A-I_1mZuPReW3mHgMpct.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\A-I_1mZuPReW3mHgMpct.exe"
3⤵
PID:6448

C:\Users\Admin\Desktop\Malware Testing\samples\A0C3MXQhvI_YaFkB7l34.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\A0C3MXQhvI_YaFkB7l34.exe"
3⤵
PID:6752

C:\Users\Admin\Desktop\Malware Testing\samples\afBz4S1fNu0427u7fk5D.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\afBz4S1fNu0427u7fk5D.exe"
3⤵
PID:6848

C:\Users\Admin\Desktop\Malware Testing\samples\aGEpkKhPjvcGLzyztFAC.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\aGEpkKhPjvcGLzyztFAC.exe"
3⤵
PID:7008

C:\Users\Admin\Desktop\Malware Testing\samples\agZca4RPvYBtDuN_zZNJ.exe
"C:\Users\Admin\Desktop\Malware Testing\samples\agZca4RPvYBtDuN_zZNJ.exe"
3⤵
PID:6112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\Desktop\MALWAR~1\samples\AGZCA4~1.EXE > nul
4⤵
PID:676

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
1⤵
PID:5640

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "serivecs"
1⤵
PID:1212

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "serivecs"
1⤵
PID:1240

C:\Windows\SysWOW64\serivecs.exe
C:\Windows\system32\serivecs.exe "c:\windows\system32\259377343.dll",MainThread
2⤵
PID:2348

C:\ProgramData\lvumdt\jwiduo.exe
C:\ProgramData\lvumdt\jwiduo.exe start
1⤵
PID:5244

C:\ProgramData\DaemonL\Daemon.exe
C:\ProgramData\DaemonL\Daemon.exe
1⤵
PID:6936

C:\Program Files (x86)\Microsoft Edzswh\Edzswhl.exe
"C:\Program Files (x86)\Microsoft Edzswh\Edzswhl.exe"
1⤵
PID:6996

C:\Program Files (x86)\Microsoft Edzswh\Edzswhl.exe
"C:\Program Files (x86)\Microsoft Edzswh\Edzswhl.exe"
2⤵
PID:7128

C:\Windows\SysWOW64\Bskbs.exe
C:\Windows\SysWOW64\Bskbs.exe -auto
1⤵
PID:7056

C:\Windows\SysWOW64\Bskbs.exe
C:\Windows\SysWOW64\Bskbs.exe -acsi
2⤵
PID:7108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 244
2⤵
- Program crash
PID:7148

C:\Windows\SysWOW64\Bskbs.exe
C:\Windows\SysWOW64\Bskbs.exe -auto
1⤵
PID:5632

C:\Windows\SysWOW64\Bskbs.exe
C:\Windows\SysWOW64\Bskbs.exe -acsi
2⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 248
2⤵
- Program crash
PID:5200

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
38bdb804fe403c85e0f0ae8d9344c3fe

SHA1
de1bdece409c29986a609b4812ed2284fb60fad9

SHA256
685b1478ef39ceca3c7b0a30609da3e378c81de3822286e80b3b08ed080a597e

SHA512
5ef12c4f6d4d5d3df31afafc5a69bb73d8cb3d8cb5c525afda91a01fbc033ed9dbc68291e00f8e11a98934962813b50b8672c0354af33c011de0f980a98bd06c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
794449c10c41574a155c708455a3b31a

SHA1
df5a5fd142feabeebbafd393f9d7214f559c9907

SHA256
edb5259aef94907ea2a88f1c0cc5882ca39198a6cae1dc2d48358bc1e5d5e2f5

SHA512
44b37202caf55a4da9b37f94114fe9c22d86033fd590b45a6062292cbc530254ac89493b79d25bd9ad82e1b1011a561d371c60fbbdbd56e37283b741a5466a92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_74769C49053B24360F9391815BF0585B
MD5
f05d07c74138b7114785ac7229912421

SHA1
6405dc8cb7cee1f1f4dad00ad4c1e23b8cc10ad0

SHA256
f29fc0378977f4a8b5198d2c516818a0075973a77e42f2c24a230132737a1a04

SHA512
86ae29f4f12a12d1348218028902b9d921816c909c2c9c0865cb497e3c6dea7c79213af7a58487d6a90357dd98e92d875e5a18826fa8f3b8f14429ce6a9ff39e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
4ac38ff2679aa24018ee2f089c705834

SHA1
5cd3399885c768db7410f12a9d09be3c6d609eaf

SHA256
eba8a3c97ec7dd81a2473c987ce0f0dfae2484516566e7ed5af5da50092a879a

SHA512
335210cde0e18b217e0a5f3ed7d1a1896150f869d64576b710e5baeeb95d8f39f1cde97c9bce1f69307ed2526e7ca9de54dd2ac2093957d5f40fc1631b8ea6b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
d0530c1c741cf3c663f441cc1f9bd021

SHA1
079e72c96d2016820de7332b0a8a6e6935c83122

SHA256
b3df5c3cbacfbe5c6749b6fb05a7f3439bb951915a0bec3b580833680a8bc4d9

SHA512
cf24dc16b924565a7814ef4664efe42f9764b873a5a0db6340506fb49a9c52fe9d718338814440de1bbbd38825af25c8affd3f22bd5c0a2ef3075f787087d25b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_74769C49053B24360F9391815BF0585B
MD5
872e46f0e7650e3996260879da253338

SHA1
78d5d0b40d005b4d269fadec04309852816dcf61

SHA256
8b8d765f8fdb5951df9f133828c9c0d3ac477792e4cfc13d4d57a3ec757d4565

SHA512
511567736bc651aed6f9307e0fedb072458d0fb40c51229558a1b43c08e62c0d99b43b0b7c7e78f2b533829322278b91304cc3d50f66c5dfe6fac1becfd6a85e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\G049F69B.cookie
MD5
241f60a649aa4deca01e56830c4a3712

SHA1
694f859376ca95bf787a55ba37f21beade488a91

SHA256
b8538ad7769b5c98bbae01a021023d305b25a7f2902b668793e2cf3d3bb8b4f9

SHA512
941677d20111766d230c2fd35cd06b50328dade26d119a53d109528f490e65b687946774cb9f71401f87369dc927c8d0886483345fa1211267cfeeb433617ab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\O1EP7GGT.cookie
MD5
f9b1c28ebe1a411c87570c847c850c14

SHA1
d9d2155f5931dc193df49145d8ddbba8f9df0dc9

SHA256
d03555e346b08ce25e549bf37adb9fbdd558d4c1fdeabe50aeaaa39cd88d704e

SHA512
ad37842e33e83d956ab5c3e1d94f480d19b8132cd87287589042128effcdf333228158f319318ce26d9601c1dc590b6fed8aa26d1bcd2ca33ed98ecfe59fe122

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\RC2ML0Q6.cookie
MD5
9914d6def515b373f777b2dd1ba88733

SHA1
30099749a0145bff629ec2d56608473919a560d9

SHA256
1a192165530336d3b2a5077cd125fcbf06146055bdaf9c75104e50df00f857a5

SHA512
229731acbcb21ef2b9db65510a6e216e7a46aca10b8bfe7775415b43d9420d501cbb0460680851ce2516e02aeb2a875f3980cda098443ceeeb6c27b1092e8458

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\VCRUNTIME140.dll
MD5
7942be5474a095f673582997ae3054f1

SHA1
e982f6ebc74d31153ba9738741a7eec03a9fa5e8

SHA256
8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c

SHA512
49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\_bz2.pyd
MD5
5a8b3602b3560868bd819b10c6343874

SHA1
73a5ce4d07479894f24b776eb387abd33deb83a9

SHA256
00d2f34aee55b473bcc11838469b94a62d01fdf4465e19f7d7388c79132f019e

SHA512
2f2f8305fd8853c479b5d2a442110efc3ad41a3c482cd554ebcc405fcf097e230f5cd45dbfb44050b5bd6fae662ce7cac0583c9784050f0c7d09a678768587db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\_ctypes.pyd
MD5
e1ef9f5c77b01c82cf72522ec96b2a11

SHA1
e83daa56a104f6ea6235822c644b6554c3958cfe

SHA256
a79cf8259890d5843cf8eaf29db8dbd4bfabed50f4d859756f93ac2b30617023

SHA512
4231ec5b06effae6497bf62853b79420529cabaee6b58f519c3c30bdd42c925e85979c29c2db0747dcff3f99f3b19dc02ece96347e08cf49eb0abb1e19238c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\_hashlib.pyd
MD5
8f7edaff246c46dbf09ab5554b918b37

SHA1
c14c33b14419f5d24fb36e5f1bf1760a9c63228b

SHA256
9154b36c178d84a901edad689a53148451ef3c851a91447a0654f528a620d944

SHA512
1947a1010fa1b07671aa471d5821792dee7f2b0cd1937d3f944cd0201a299e6cb37a41debbbd1bc6e774186f6d08ad6264055cba7652b0d5bd22691431cb360e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\_lzma.pyd
MD5
caa58290ab4414e2e22cc0b6ff4b2d29

SHA1
840902aaf7db40da17018776e5c842014c3a81ac

SHA256
185d407bcca7399c458133f2ce1efa938352b8093b2de040c91c3c3088ab173f

SHA512
a82e380ab1676424e52a36c08eabd572375dd36a7fe2b9df51d48c368aed6c04b0b3674bc6a9787efedd0ed70bb1869ed1a2f3a1f4238485710092b9cbadd00e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\_queue.pyd
MD5
671a9ac9b34f07ada65bf1635e4626c5

SHA1
d4a6e478caaacdbdb52f57d12e16ba96671d30f2

SHA256
3f1fc09b3f0a5c8c7aff4223d002952ab26f462aa390940a9f00454815204739

SHA512
92617258ef747f93ab2c378f5c9a2aac14668d834df15939c1ef83a555490b9ee3380d7341bee60c33057482736a595593749b8794ddeaa9649339363095108c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\_socket.pyd
MD5
e71c0c49f7e2bd39cafeed1dca29455b

SHA1
22cb314298c6c38e3246f73dc7277ed00d6b8449

SHA256
3b0ea76a2b0caabf5b8994d3789778575ecbf2831acaf4d53d274e265d271622

SHA512
4c09599c7c93427b30a011cc39738983c79f0835292e5c0e7e19f6329f33810773d0e97e20f4698d22b6d0b8b643521bc3ce318c890366872ed26b6d3dab5c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\_ssl.pyd
MD5
39919e97dc418e0099b2a0bb332a8c77

SHA1
f04c9d78b3d5e2a95ea3535c363d8b05d666d39e

SHA256
b38b09bf0421b1f49338ded8021d7bc56be19902d9b21a9b6e9c8df448f93eb2

SHA512
f179ebe84ae065ed63e71f2855b2b69cdedfc8be70dace0eb07c8b191768eace1312562e27e77492481f214f85d31f35c88c2b1f7a3881cee9dffffa7ffc668a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\base_library.zip
MD5
19c75a14b49aa613275ba842521fb134

SHA1
55e7fac43ecbd6dc6b9efaaadc02fe9041711778

SHA256
c8ad21c79004502dfe07d53bff3798e7dccb774c078f3d066257a333b3db7b55

SHA512
4fd2c0a8f8f7a3658fa9b2a92b401ac614f24b7ba44bc1586ff503aca85ab2d56ea0d3f94d6a70910f3091bf1ccd869088da55508737b82b03ecbd3a0b1e167d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\certifi\cacert.pem
MD5
1ba3b44f73a6b25711063ea5232f4883

SHA1
1b1a84804f896b7085924f8bf0431721f3b5bdbe

SHA256
bb77f13d3fbec9e98bbf28ac95046b44196c7d8f55ab7720061e99991a829197

SHA512
0dd2a14331308b1de757d56fab43678431e0ad6f5f5b12c32fa515d142bd955f8be690b724e07f41951dd03c9fee00e604f4e0b9309da3ea438c8e9b56ca581b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\libcrypto-1_1.dll
MD5
aa811bb63dbd4c5859b68332326f60b1

SHA1
6e5584d5c59d2f79cbf60c6c71a92ecd7e4e0977

SHA256
00a1eeb37372d11559bf44c9e68af9c841c41c95a173f3dfec4e0b5923d0cae0

SHA512
dad9b14f501fd63824480f8801acd4004dd46f7a6965ac8ab91e573676236a11099f4b7cfdf7b3f6c0cc52a3b2e5d9b50f715f53a1f4f858ea2a5eb15d5092cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\libffi-7.dll
MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\libssl-1_1.dll
MD5
2335285f5ac87173bd304efeddfa1d85

SHA1
64558d2150120abed3514db56299721c42c6fe58

SHA256
1b57a201184559164dedbddcb43bb110a18cafa19ea3d00fc23274ccfc420e94

SHA512
82737590d5ec7315ce8485c4794c01bfcce176ce443740a9f0cf5adfc3c3ed31a714556d33c1ca56db486636111d1ad855f606c87e5f322a505c535187ce2bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\python39.dll
MD5
088904a7f5b53107db42e15827e3af98

SHA1
1768e7fb1685410e188f663f5b259710f597e543

SHA256
3761c232e151e9ceaf6c7d37b68da3df1962e3106e425cc3937d1f60170f3718

SHA512
c5edc25fd9a37673f769af1a1fd540b41e68351bc30b44bc83a1d0d4a8fb078888bbb31173a77ef47698631c9816bc05637b499c20d63e3d65457d9aa4bc2c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\select.pyd
MD5
1e74ba085eb08a3affe5f5fabaaa6caf

SHA1
46e3efbd21dc0a2c7650ed949bc7e7e91b37efea

SHA256
36be2a85c1989dc171bde986950b81d3e9cda21f1d1bf2f81f7fe15ffefad511

SHA512
517a109490c3724a630a85471e28ff3c4f96c9810b96f5baa9b66473ef59ed4055e331c8da064a53bc12892fb674f417b3485e96f16015e1437cbd2ca67e87d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33002\unicodedata.pyd
MD5
06092dbacf3b009ad11376dfc5ed2acd

SHA1
2597d23469d65936fca20906ef41e1f999944210

SHA256
2f9e76a8148029ade3e8f61d014d79a9b1c154cc9b5d6608f50fc478170ff676

SHA512
c782ebb9139a6b358d6e55cca3f018e421747984245fafbd150696b152763f2a6d08a21a0185f49df867dfabf5f066631a55f324abfed4e8bece8f85ead81c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54162\VCRUNTIME140.dll
MD5
7942be5474a095f673582997ae3054f1

SHA1
e982f6ebc74d31153ba9738741a7eec03a9fa5e8

SHA256
8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c

SHA512
49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54162\_ctypes.pyd
MD5
e1ef9f5c77b01c82cf72522ec96b2a11

SHA1
e83daa56a104f6ea6235822c644b6554c3958cfe

SHA256
a79cf8259890d5843cf8eaf29db8dbd4bfabed50f4d859756f93ac2b30617023

SHA512
4231ec5b06effae6497bf62853b79420529cabaee6b58f519c3c30bdd42c925e85979c29c2db0747dcff3f99f3b19dc02ece96347e08cf49eb0abb1e19238c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54162\_socket.pyd
MD5
e71c0c49f7e2bd39cafeed1dca29455b

SHA1
22cb314298c6c38e3246f73dc7277ed00d6b8449

SHA256
3b0ea76a2b0caabf5b8994d3789778575ecbf2831acaf4d53d274e265d271622

SHA512
4c09599c7c93427b30a011cc39738983c79f0835292e5c0e7e19f6329f33810773d0e97e20f4698d22b6d0b8b643521bc3ce318c890366872ed26b6d3dab5c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54162\base_library.zip
MD5
19c75a14b49aa613275ba842521fb134

SHA1
55e7fac43ecbd6dc6b9efaaadc02fe9041711778

SHA256
c8ad21c79004502dfe07d53bff3798e7dccb774c078f3d066257a333b3db7b55

SHA512
4fd2c0a8f8f7a3658fa9b2a92b401ac614f24b7ba44bc1586ff503aca85ab2d56ea0d3f94d6a70910f3091bf1ccd869088da55508737b82b03ecbd3a0b1e167d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54162\libffi-7.dll
MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54162\python39.dll
MD5
088904a7f5b53107db42e15827e3af98

SHA1
1768e7fb1685410e188f663f5b259710f597e543

SHA256
3761c232e151e9ceaf6c7d37b68da3df1962e3106e425cc3937d1f60170f3718

SHA512
c5edc25fd9a37673f769af1a1fd540b41e68351bc30b44bc83a1d0d4a8fb078888bbb31173a77ef47698631c9816bc05637b499c20d63e3d65457d9aa4bc2c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54162\select.pyd
MD5
1e74ba085eb08a3affe5f5fabaaa6caf

SHA1
46e3efbd21dc0a2c7650ed949bc7e7e91b37efea

SHA256
36be2a85c1989dc171bde986950b81d3e9cda21f1d1bf2f81f7fe15ffefad511

SHA512
517a109490c3724a630a85471e28ff3c4f96c9810b96f5baa9b66473ef59ed4055e331c8da064a53bc12892fb674f417b3485e96f16015e1437cbd2ca67e87d8

Download Submit
C:\Users\Admin\Desktop\Malware Testing.rar.wq45n7a.partial
MD5
b52774579e3421c42bc532472777f59a

SHA1
290ba08ee02b851fe169e7e0beb6d163edba199f

SHA256
d484c9eacd94df01ad1f0f2d2c6cd8a9c5f14811a8a9f0f70a93fc7b6867b514

SHA512
2a6ce52737ffab39738cdbf1c837489d079ba0b5a3ab8e5d5dff85980e6d756939fcb79b42f2f4db6dbd006af81b8ca25fcb4570ecde17f7dcf7295774165db8

Download Submit
C:\Users\Admin\Desktop\Malware Testing\MalwareDownloader2.1.exe
MD5
53be36b74b6124f80cede2e9fe49ef35

SHA1
aec8c32b3c3b8a0100b930cdf6b6632da2509ec4

SHA256
66056e1c2ae89e116d235f70b838391efec6b33e93d09de0b3f66507e3087e4f

SHA512
902d80e35c4b3778b68a0c94b3bb6a007c6f5232a53f6d907c0cf1b639df1ce17d685a98035b0fcfcf306500a46617c51bafb36bba4ab81f15f8cf96bfb9b6f4

Download Submit
C:\Users\Admin\Desktop\Malware Testing\MalwareDownloader2.1.exe
MD5
53be36b74b6124f80cede2e9fe49ef35

SHA1
aec8c32b3c3b8a0100b930cdf6b6632da2509ec4

SHA256
66056e1c2ae89e116d235f70b838391efec6b33e93d09de0b3f66507e3087e4f

SHA512
902d80e35c4b3778b68a0c94b3bb6a007c6f5232a53f6d907c0cf1b639df1ce17d685a98035b0fcfcf306500a46617c51bafb36bba4ab81f15f8cf96bfb9b6f4

Download Submit
C:\Users\Admin\Desktop\Malware Testing\MalwareDownloader2.1.exe
MD5
53be36b74b6124f80cede2e9fe49ef35

SHA1
aec8c32b3c3b8a0100b930cdf6b6632da2509ec4

SHA256
66056e1c2ae89e116d235f70b838391efec6b33e93d09de0b3f66507e3087e4f

SHA512
902d80e35c4b3778b68a0c94b3bb6a007c6f5232a53f6d907c0cf1b639df1ce17d685a98035b0fcfcf306500a46617c51bafb36bba4ab81f15f8cf96bfb9b6f4

Download Submit
C:\Users\Admin\Desktop\Malware Testing\Run_samples.exe
MD5
8b8e6515a9dd689aee25aa930e86395b

SHA1
f3073a4b2a53ef8227225b311508e61cd9831269

SHA256
47872b11a9b1f8ad4fe2ff441fab2af5663366b659577f5a50d1382dc87bb7b8

SHA512
531fead759ae5468584da00e6fae6970bea39bd2ef7139737a6c7adac3f1312b5fa06f035700d46223bffffb5a139ff6647c097d34152455d0edf83a3c826516

Download Submit
C:\Users\Admin\Desktop\Malware Testing\Run_samples.exe
MD5
8b8e6515a9dd689aee25aa930e86395b

SHA1
f3073a4b2a53ef8227225b311508e61cd9831269

SHA256
47872b11a9b1f8ad4fe2ff441fab2af5663366b659577f5a50d1382dc87bb7b8

SHA512
531fead759ae5468584da00e6fae6970bea39bd2ef7139737a6c7adac3f1312b5fa06f035700d46223bffffb5a139ff6647c097d34152455d0edf83a3c826516

Download Submit
C:\Users\Admin\Desktop\Malware Testing\Run_samples.exe
MD5
8b8e6515a9dd689aee25aa930e86395b

SHA1
f3073a4b2a53ef8227225b311508e61cd9831269

SHA256
47872b11a9b1f8ad4fe2ff441fab2af5663366b659577f5a50d1382dc87bb7b8

SHA512
531fead759ae5468584da00e6fae6970bea39bd2ef7139737a6c7adac3f1312b5fa06f035700d46223bffffb5a139ff6647c097d34152455d0edf83a3c826516

Download Submit
C:\Users\Admin\Desktop\Malware Testing\samples\-Byv21MKIbXxeiZfFJUJ.exe
MD5
e2ff7edc253e402e457c311df047f211

SHA1
fe4be72f2db592acc47a2b9809f77af86eb30b09

SHA256
b1bfc64b0b5890c39650f9ec6a12bb8b7c4b84654de8898d694f199f359b12a5

SHA512
6fd31aceb61a1fc5dfa89039e51a360b4180db96c6b9cb33bc445ae15bc54d42f599d6166d6659e69c1d1e6ab76b4fc5a187ab6e543e2eaf9102a03954eca46c

Download Submit
C:\Users\Admin\Desktop\Malware Testing\samples\-Byv21MKIbXxeiZfFJUJ.exe
MD5
e2ff7edc253e402e457c311df047f211

SHA1
fe4be72f2db592acc47a2b9809f77af86eb30b09

SHA256
b1bfc64b0b5890c39650f9ec6a12bb8b7c4b84654de8898d694f199f359b12a5

SHA512
6fd31aceb61a1fc5dfa89039e51a360b4180db96c6b9cb33bc445ae15bc54d42f599d6166d6659e69c1d1e6ab76b4fc5a187ab6e543e2eaf9102a03954eca46c

Download Submit
C:\Users\Admin\Desktop\Malware Testing\samples\-Ocx1CuSyqt6ElMulHFQ.exe
MD5
3bc59cead4694e2c1ac6180d0bd77911

SHA1
4327d86c2ee93968f33f1ecf042a617a228e9491

SHA256
2cba7569fc0d1b991734fdc617a03fe425edeff12546d81702254404b0bf33ab

SHA512
dbca643579a88882a88b43591320aca39be52f0add164498938a140d3e0fcdda64f78580490b44acf5a5eababab54c80b71260bd98d7c426051e3a96384ff120

Download Submit
C:\Users\Admin\Desktop\Malware Testing\samples\-s-BvOfb5zImsnahTeGm.exe
MD5
da5f2763cf0fa84529d7ba0747010f5e

SHA1
044d55baf6d230de0b283937f173bf7ed9118df1

SHA256
917e6769c889cf377bd6f602a13648ec4087b3fa0fb17cbe04d480ed7469f4fb

SHA512
12f5e9e3bbc33799cf1d6955562a8078ead772cd0cabb8e7a347f67fead33526cfdae1705463da35d7b4c3810b7e77f8dc2d70aacb15cec79aaab3c805313a4c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI33002\VCRUNTIME140.dll
MD5
7942be5474a095f673582997ae3054f1

SHA1
e982f6ebc74d31153ba9738741a7eec03a9fa5e8

SHA256
8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c

SHA512
49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI33002\_bz2.pyd
MD5
5a8b3602b3560868bd819b10c6343874

SHA1
73a5ce4d07479894f24b776eb387abd33deb83a9

SHA256
00d2f34aee55b473bcc11838469b94a62d01fdf4465e19f7d7388c79132f019e

SHA512
2f2f8305fd8853c479b5d2a442110efc3ad41a3c482cd554ebcc405fcf097e230f5cd45dbfb44050b5bd6fae662ce7cac0583c9784050f0c7d09a678768587db

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI33002\_ctypes.pyd
MD5
e1ef9f5c77b01c82cf72522ec96b2a11

SHA1
e83daa56a104f6ea6235822c644b6554c3958cfe

SHA256
a79cf8259890d5843cf8eaf29db8dbd4bfabed50f4d859756f93ac2b30617023

SHA512
4231ec5b06effae6497bf62853b79420529cabaee6b58f519c3c30bdd42c925e85979c29c2db0747dcff3f99f3b19dc02ece96347e08cf49eb0abb1e19238c01

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI33002\_hashlib.pyd
MD5
8f7edaff246c46dbf09ab5554b918b37

SHA1
c14c33b14419f5d24fb36e5f1bf1760a9c63228b

SHA256
9154b36c178d84a901edad689a53148451ef3c851a91447a0654f528a620d944

SHA512
1947a1010fa1b07671aa471d5821792dee7f2b0cd1937d3f944cd0201a299e6cb37a41debbbd1bc6e774186f6d08ad6264055cba7652b0d5bd22691431cb360e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI33002\_lzma.pyd
MD5
caa58290ab4414e2e22cc0b6ff4b2d29

SHA1
840902aaf7db40da17018776e5c842014c3a81ac

SHA256
185d407bcca7399c458133f2ce1efa938352b8093b2de040c91c3c3088ab173f

SHA512
a82e380ab1676424e52a36c08eabd572375dd36a7fe2b9df51d48c368aed6c04b0b3674bc6a9787efedd0ed70bb1869ed1a2f3a1f4238485710092b9cbadd00e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI33002\_queue.pyd
MD5
671a9ac9b34f07ada65bf1635e4626c5

SHA1
d4a6e478caaacdbdb52f57d12e16ba96671d30f2

SHA256
3f1fc09b3f0a5c8c7aff4223d002952ab26f462aa390940a9f00454815204739

SHA512
92617258ef747f93ab2c378f5c9a2aac14668d834df15939c1ef83a555490b9ee3380d7341bee60c33057482736a595593749b8794ddeaa9649339363095108c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI33002\_socket.pyd
MD5
e71c0c49f7e2bd39cafeed1dca29455b

SHA1
22cb314298c6c38e3246f73dc7277ed00d6b8449

SHA256
3b0ea76a2b0caabf5b8994d3789778575ecbf2831acaf4d53d274e265d271622

SHA512
4c09599c7c93427b30a011cc39738983c79f0835292e5c0e7e19f6329f33810773d0e97e20f4698d22b6d0b8b643521bc3ce318c890366872ed26b6d3dab5c05

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI33002\_ssl.pyd
MD5
39919e97dc418e0099b2a0bb332a8c77

SHA1
f04c9d78b3d5e2a95ea3535c363d8b05d666d39e

SHA256
b38b09bf0421b1f49338ded8021d7bc56be19902d9b21a9b6e9c8df448f93eb2

SHA512
f179ebe84ae065ed63e71f2855b2b69cdedfc8be70dace0eb07c8b191768eace1312562e27e77492481f214f85d31f35c88c2b1f7a3881cee9dffffa7ffc668a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI33002\libcrypto-1_1.dll
MD5
aa811bb63dbd4c5859b68332326f60b1

SHA1
6e5584d5c59d2f79cbf60c6c71a92ecd7e4e0977

SHA256
00a1eeb37372d11559bf44c9e68af9c841c41c95a173f3dfec4e0b5923d0cae0

SHA512
dad9b14f501fd63824480f8801acd4004dd46f7a6965ac8ab91e573676236a11099f4b7cfdf7b3f6c0cc52a3b2e5d9b50f715f53a1f4f858ea2a5eb15d5092cd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI33002\libcrypto-1_1.dll
MD5
aa811bb63dbd4c5859b68332326f60b1

SHA1
6e5584d5c59d2f79cbf60c6c71a92ecd7e4e0977

SHA256
00a1eeb37372d11559bf44c9e68af9c841c41c95a173f3dfec4e0b5923d0cae0

SHA512
dad9b14f501fd63824480f8801acd4004dd46f7a6965ac8ab91e573676236a11099f4b7cfdf7b3f6c0cc52a3b2e5d9b50f715f53a1f4f858ea2a5eb15d5092cd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI33002\libffi-7.dll
MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI33002\libssl-1_1.dll
MD5
2335285f5ac87173bd304efeddfa1d85

SHA1
64558d2150120abed3514db56299721c42c6fe58

SHA256
1b57a201184559164dedbddcb43bb110a18cafa19ea3d00fc23274ccfc420e94

SHA512
82737590d5ec7315ce8485c4794c01bfcce176ce443740a9f0cf5adfc3c3ed31a714556d33c1ca56db486636111d1ad855f606c87e5f322a505c535187ce2bde

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI33002\python39.dll
MD5
088904a7f5b53107db42e15827e3af98

SHA1
1768e7fb1685410e188f663f5b259710f597e543

SHA256
3761c232e151e9ceaf6c7d37b68da3df1962e3106e425cc3937d1f60170f3718

SHA512
c5edc25fd9a37673f769af1a1fd540b41e68351bc30b44bc83a1d0d4a8fb078888bbb31173a77ef47698631c9816bc05637b499c20d63e3d65457d9aa4bc2c6b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI33002\select.pyd
MD5
1e74ba085eb08a3affe5f5fabaaa6caf

SHA1
46e3efbd21dc0a2c7650ed949bc7e7e91b37efea

SHA256
36be2a85c1989dc171bde986950b81d3e9cda21f1d1bf2f81f7fe15ffefad511

SHA512
517a109490c3724a630a85471e28ff3c4f96c9810b96f5baa9b66473ef59ed4055e331c8da064a53bc12892fb674f417b3485e96f16015e1437cbd2ca67e87d8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI33002\unicodedata.pyd
MD5
06092dbacf3b009ad11376dfc5ed2acd

SHA1
2597d23469d65936fca20906ef41e1f999944210

SHA256
2f9e76a8148029ade3e8f61d014d79a9b1c154cc9b5d6608f50fc478170ff676

SHA512
c782ebb9139a6b358d6e55cca3f018e421747984245fafbd150696b152763f2a6d08a21a0185f49df867dfabf5f066631a55f324abfed4e8bece8f85ead81c85

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI54162\VCRUNTIME140.dll
MD5
7942be5474a095f673582997ae3054f1

SHA1
e982f6ebc74d31153ba9738741a7eec03a9fa5e8

SHA256
8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c

SHA512
49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI54162\_ctypes.pyd
MD5
e1ef9f5c77b01c82cf72522ec96b2a11

SHA1
e83daa56a104f6ea6235822c644b6554c3958cfe

SHA256
a79cf8259890d5843cf8eaf29db8dbd4bfabed50f4d859756f93ac2b30617023

SHA512
4231ec5b06effae6497bf62853b79420529cabaee6b58f519c3c30bdd42c925e85979c29c2db0747dcff3f99f3b19dc02ece96347e08cf49eb0abb1e19238c01

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI54162\_socket.pyd
MD5
e71c0c49f7e2bd39cafeed1dca29455b

SHA1
22cb314298c6c38e3246f73dc7277ed00d6b8449

SHA256
3b0ea76a2b0caabf5b8994d3789778575ecbf2831acaf4d53d274e265d271622

SHA512
4c09599c7c93427b30a011cc39738983c79f0835292e5c0e7e19f6329f33810773d0e97e20f4698d22b6d0b8b643521bc3ce318c890366872ed26b6d3dab5c05

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI54162\libffi-7.dll
MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI54162\python39.dll
MD5
088904a7f5b53107db42e15827e3af98

SHA1
1768e7fb1685410e188f663f5b259710f597e543

SHA256
3761c232e151e9ceaf6c7d37b68da3df1962e3106e425cc3937d1f60170f3718

SHA512
c5edc25fd9a37673f769af1a1fd540b41e68351bc30b44bc83a1d0d4a8fb078888bbb31173a77ef47698631c9816bc05637b499c20d63e3d65457d9aa4bc2c6b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI54162\select.pyd
MD5
1e74ba085eb08a3affe5f5fabaaa6caf

SHA1
46e3efbd21dc0a2c7650ed949bc7e7e91b37efea

SHA256
36be2a85c1989dc171bde986950b81d3e9cda21f1d1bf2f81f7fe15ffefad511

SHA512
517a109490c3724a630a85471e28ff3c4f96c9810b96f5baa9b66473ef59ed4055e331c8da064a53bc12892fb674f417b3485e96f16015e1437cbd2ca67e87d8

Download Submit
memory/452-187-0x0000000000000000-mapping.dmp

Download
memory/1004-9-0x0000000000000000-mapping.dmp

Download
memory/1172-221-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/1280-202-0x0000000000000000-mapping.dmp

Download
memory/1432-133-0x0000000000000000-mapping.dmp

Download
memory/1496-239-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1496-242-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1496-237-0x0000000000BB0000-0x0000000000ED0000-memory.dmp

Filesize
3.1MB

Download
memory/1692-113-0x0000000000000000-mapping.dmp

Download
memory/1896-217-0x0000000006B50000-0x0000000006B71000-memory.dmp

Filesize
132KB

Download
memory/1896-230-0x0000000006C00000-0x0000000006C01000-memory.dmp

Filesize
4KB

Download
memory/1896-168-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/1896-165-0x0000000000000000-mapping.dmp

Download
memory/1896-182-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/1896-231-0x0000000006B20000-0x0000000006B21000-memory.dmp

Filesize
4KB

Download
memory/1896-172-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/1896-170-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/1896-185-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/1896-244-0x0000000005021000-0x0000000005022000-memory.dmp

Filesize
4KB

Download
memory/1896-167-0x000000006B7C0000-0x000000006BEAE000-memory.dmp

Filesize
6.9MB

Download
memory/1932-161-0x0000000000000000-mapping.dmp

Download
memory/1932-164-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/2052-12-0x0000000000000000-mapping.dmp

Download
memory/2104-24-0x00000000778C2000-0x00000000778C200C-memory.dmp

Filesize
12B

Download
memory/2104-25-0x0000000000000000-mapping.dmp

Download
memory/2160-159-0x0000000000000000-mapping.dmp

Download
memory/2348-135-0x0000000000000000-mapping.dmp

Download
memory/2392-130-0x0000000000000000-mapping.dmp

Download
memory/2452-13-0x00000000778C2000-0x00000000778C200C-memory.dmp

Filesize
12B

Download
memory/2452-14-0x0000000000000000-mapping.dmp

Download
memory/2460-17-0x0000000000000000-mapping.dmp

Download
memory/2460-15-0x00000000778C2000-0x00000000778C200C-memory.dmp

Filesize
12B

Download
memory/2480-218-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/2480-211-0x000000006B7C0000-0x000000006BEAE000-memory.dmp

Filesize
6.9MB

Download
memory/2480-212-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/2644-141-0x0000000000000000-mapping.dmp

Download
memory/2648-229-0x000000006B7C0000-0x000000006BEAE000-memory.dmp

Filesize
6.9MB

Download
memory/2648-269-0x0000000008630000-0x000000000863B000-memory.dmp

Filesize
44KB

Download
memory/2648-240-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/2648-271-0x00000000053A1000-0x00000000053A2000-memory.dmp

Filesize
4KB

Download
memory/2648-270-0x0000000009740000-0x0000000009741000-memory.dmp

Filesize
4KB

Download
memory/2684-116-0x0000000000000000-mapping.dmp

Download
memory/2720-163-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2720-160-0x0000000000000000-mapping.dmp

Download
memory/2744-131-0x0000000000000000-mapping.dmp

Download
memory/2828-193-0x0000000000000000-mapping.dmp

Download
memory/2828-198-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2936-132-0x0000000000000000-mapping.dmp

Download
memory/2936-149-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/2936-146-0x0000000007E20000-0x0000000007E21000-memory.dmp

Filesize
4KB

Download
memory/2936-144-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/2936-143-0x00000000053B0000-0x00000000053CE000-memory.dmp

Filesize
120KB

Download
memory/2936-140-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/2936-190-0x00000000053E1000-0x00000000053E2000-memory.dmp

Filesize
4KB

Download
memory/2936-136-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/2936-134-0x000000006B7C0000-0x000000006BEAE000-memory.dmp

Filesize
6.9MB

Download
memory/3008-266-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3012-139-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/3012-128-0x0000000000000000-mapping.dmp

Download
memory/3012-148-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3012-147-0x0000000002430000-0x0000000002439000-memory.dmp

Filesize
36KB

Download
memory/3052-22-0x0000000000000000-mapping.dmp

Download
memory/3052-21-0x00000000778C2000-0x00000000778C200C-memory.dmp

Filesize
12B

Download
memory/3084-243-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/3096-129-0x0000000000000000-mapping.dmp

Download
memory/3176-156-0x0000000000000000-mapping.dmp

Download
memory/3256-151-0x0000000000000000-mapping.dmp

Download
memory/3544-126-0x0000000000000000-mapping.dmp

Download
memory/3972-196-0x00007FFEE5790000-0x00007FFEE617C000-memory.dmp

Filesize
9.9MB

Download
memory/3972-247-0x00000289EA5A5000-0x00000289EA5A6000-memory.dmp

Filesize
4KB

Download
memory/3972-208-0x00000289EA5A3000-0x00000289EA5A5000-memory.dmp

Filesize
8KB

Download
memory/3972-251-0x00000289EA5A7000-0x00000289EA5A8000-memory.dmp

Filesize
4KB

Download
memory/3972-194-0x0000000000000000-mapping.dmp

Download
memory/3972-204-0x00000289EA5A0000-0x00000289EA5A2000-memory.dmp

Filesize
8KB

Download
memory/3972-199-0x00000289E87B0000-0x00000289E87B1000-memory.dmp

Filesize
4KB

Download
memory/3972-252-0x00000291EFD80000-0x00000291EFD81000-memory.dmp

Filesize
4KB

Download
memory/4024-152-0x0000000000000000-mapping.dmp

Download
memory/4060-162-0x0000000000000000-mapping.dmp

Download
memory/4244-153-0x0000000000000000-mapping.dmp

Download
memory/4244-181-0x0000000001FE0000-0x0000000001FE5000-memory.dmp

Filesize
20KB

Download
memory/4312-127-0x0000000000000000-mapping.dmp

Download
memory/4620-138-0x0000000000000000-mapping.dmp

Download
memory/4696-123-0x0000000002941000-0x0000000002943000-memory.dmp

Filesize
8KB

Download
memory/4696-120-0x0000000000000000-mapping.dmp

Download
memory/4696-121-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/4696-122-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/4756-233-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4768-29-0x0000000000000000-mapping.dmp

Download
memory/4776-157-0x0000000000000000-mapping.dmp

Download
memory/4956-2-0x0000000000000000-mapping.dmp

Download
memory/5112-166-0x0000000000000000-mapping.dmp

Download
memory/5164-191-0x0000000000000000-mapping.dmp

Download
memory/5164-195-0x0000000010001000-0x000000001030E000-memory.dmp

Filesize
3.1MB

Download
memory/5208-248-0x0000000002ED0000-0x00000000031F0000-memory.dmp

Filesize
3.1MB

Download
memory/5208-249-0x0000000000A70000-0x0000000000A77000-memory.dmp

Filesize
28KB

Download
memory/5208-250-0x00000000006D0000-0x00000000006F3000-memory.dmp

Filesize
140KB

Download
memory/5232-150-0x0000000000000000-mapping.dmp

Download
memory/5244-253-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/5256-142-0x0000000000000000-mapping.dmp

Download
memory/5260-145-0x0000000000000000-mapping.dmp

Download
memory/5260-158-0x0000015EB9D40000-0x0000015EB9D44000-memory.dmp

Filesize
16KB

Download
memory/5480-176-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/5480-186-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/5480-184-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/5480-183-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/5480-174-0x000000006B7C0000-0x000000006BEAE000-memory.dmp

Filesize
6.9MB

Download
memory/5480-188-0x00000000094A0000-0x000000000D49D000-memory.dmp

Filesize
64.0MB

Download
memory/5480-173-0x0000000000000000-mapping.dmp

Download
memory/5484-66-0x0000000000000000-mapping.dmp

Download
memory/5496-189-0x0000000000000000-mapping.dmp

Download
memory/5604-82-0x0000000000000000-mapping.dmp

Download
memory/5612-192-0x0000000000000000-mapping.dmp

Download
memory/5612-197-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/5628-85-0x0000000000000000-mapping.dmp

Download
memory/5640-108-0x0000000002B50000-0x0000000002B52000-memory.dmp

Filesize
8KB

Download
memory/5640-98-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/5640-99-0x0000000002E40000-0x0000000002E72000-memory.dmp

Filesize
200KB

Download
memory/5640-111-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/5640-86-0x0000000000000000-mapping.dmp

Download
memory/5660-93-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/5660-88-0x0000000000000000-mapping.dmp

Download
memory/5660-101-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/5676-89-0x0000000000000000-mapping.dmp

Download
memory/5676-91-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/5700-100-0x0000000000400000-0x00000000009B5000-memory.dmp

Filesize
5.7MB

Download
memory/5700-90-0x0000000000000000-mapping.dmp

Download
memory/5732-92-0x0000000000000000-mapping.dmp

Download
memory/5780-95-0x0000000000000000-mapping.dmp

Download
memory/5800-96-0x0000000000000000-mapping.dmp

Download
memory/5820-125-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5820-124-0x0000000002CC0000-0x0000000002CDB000-memory.dmp

Filesize
108KB

Download
memory/5820-119-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/5820-97-0x0000000000000000-mapping.dmp

Download
memory/5828-220-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/5828-234-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/5828-219-0x000000006B7C0000-0x000000006BEAE000-memory.dmp

Filesize
6.9MB

Download
memory/5828-232-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/5892-102-0x0000000000000000-mapping.dmp

Download
memory/5892-107-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/5924-103-0x0000000000000000-mapping.dmp

Download
memory/5944-104-0x0000000000000000-mapping.dmp

Download
memory/5960-105-0x0000000000000000-mapping.dmp

Download
memory/5964-206-0x0000000000000000-mapping.dmp

Download
memory/5972-106-0x0000000000000000-mapping.dmp

Download
memory/6040-207-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/6040-201-0x0000000000000000-mapping.dmp

Download
memory/6040-224-0x00000000029A0000-0x00000000029A7000-memory.dmp

Filesize
28KB

Download
memory/6060-109-0x0000000000000000-mapping.dmp

Download
memory/6072-110-0x0000000000000000-mapping.dmp

Download
memory/6072-115-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/6072-114-0x0000000000500000-0x0000000000502000-memory.dmp

Filesize
8KB

Download
memory/6072-112-0x0000000000660000-0x0000000000666000-memory.dmp

Filesize
24KB

Download
memory/6448-264-0x0000000005980000-0x0000000005982000-memory.dmp

Filesize
8KB

Download
memory/6448-265-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/6448-257-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/6448-256-0x000000006B7C0000-0x000000006BEAE000-memory.dmp

Filesize
6.9MB

Download
memory/6820-285-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/6820-287-0x000000006B7C0000-0x000000006BEAE000-memory.dmp

Filesize
6.9MB

Download
memory/6848-272-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/6964-273-0x0000000010000000-0x00000000101AF000-memory.dmp

Filesize
1.7MB

Download
memory/7008-281-0x0000000000660000-0x0000000000663000-memory.dmp

Filesize
12KB

Download
memory/7056-276-0x0000000010000000-0x00000000101AF000-memory.dmp

Filesize
1.7MB

Download
memory/7148-282-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download