xmrig | 34ba222ef969f09ecca5506cbada7c346469a96a6af0cdd21146d4435196deda

Target

zxcvb.exe
Size

40KB
MD5

0a7b32e75a01764ef5389a1d9e72ed63
SHA1

871366f3573c3349e9dc7b67fef1ef575815c154
SHA256

34ba222ef969f09ecca5506cbada7c346469a96a6af0cdd21146d4435196deda
SHA512

f19a7d56a825b59d2841a4f10db940458d3255239e15bb9bbe1376e1fc47d4c97aef09d4e7ecd5a3a35fca44ec92edf60edd4a07ef1845d679c3bd4fc8fe43ba

Score

10^/10

xmrig collection evasion miner persistence spyware stealer

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/2564-127-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/2564-129-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/2564-130-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/2564-131-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/2564-132-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/2564-133-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/2564-140-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/2564-141-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/2872-144-0x0000000140000000-0x00000001405E8000-memory.dmp	xmrig

Executes dropped EXE 23 IoCs

pid	Process
2564	TiWorker.exe
2592	WARZONE RAT 1.2.exe
3040	PentagonRAT Final Relase.exe
2928	1655030101000116.exe
1432	Dllhost.exe
1816	1655030101000116.exe
2956	1655030101000116.exe
1524	Death-RAT.exe
2724	123aaa.exe
2336	123aaa.exe
2160	HichamRAT v0.9d.exe
2412	Winner Rat.exe
2344	Winner Rat.exe
2252	fasfsaf2.exe
1592	fasfsaf2.exe
2228	Viral - Rat By Sameed.exe
624	res.exe
2728	res.exe
1580	res.exe
2268	fffffas.exe
2648	fffffas.exe
2788	Server.exe
1664	GoogleCrashHandler.exe

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1916	netsh.exe
2336	netsh.exe
1224	netsh.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll"	123aaa.exe

Loads dropped DLL 18 IoCs

pid	Process
2676	taskeng.exe
2872	taskmgr.exe
2872	taskmgr.exe
2928	1655030101000116.exe
324	Process not Found
324	Process not Found
2640	Process not Found
2640	Process not Found
2640	Process not Found
2640	Process not Found
1700	taskmgr.exe
1700	taskmgr.exe
2344	Winner Rat.exe
2412	Winner Rat.exe
2008	taskmgr.exe
2008	taskmgr.exe
2476	taskmgr.exe
2476	taskmgr.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	123aaa.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	123aaa.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaWi = "C:\\Users\\Admin\\Desktop\\fasfsaf2.exe"	fasfsaf2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server.exe = "C:\\Users\\Admin\\Desktop\\fffffas.exe"	fffffas.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	Winner Rat.exe
File opened (read-only)	\??\T:	Winner Rat.exe
File opened (read-only)	\??\V:	Winner Rat.exe
File opened (read-only)	\??\W:	Winner Rat.exe
File opened (read-only)	\??\Y:	Winner Rat.exe
File opened (read-only)	\??\U:	Winner Rat.exe
File opened (read-only)	\??\X:	Winner Rat.exe
File opened (read-only)	\??\B:	Winner Rat.exe
File opened (read-only)	\??\H:	Winner Rat.exe
File opened (read-only)	\??\L:	Winner Rat.exe
File opened (read-only)	\??\P:	Winner Rat.exe
File opened (read-only)	\??\Q:	Winner Rat.exe
File opened (read-only)	\??\S:	Winner Rat.exe
File opened (read-only)	\??\E:	Winner Rat.exe
File opened (read-only)	\??\I:	Winner Rat.exe
File opened (read-only)	\??\M:	Winner Rat.exe
File opened (read-only)	\??\O:	Winner Rat.exe
File opened (read-only)	\??\Z:	Winner Rat.exe
File opened (read-only)	\??\A:	Winner Rat.exe
File opened (read-only)	\??\F:	Winner Rat.exe
File opened (read-only)	\??\G:	Winner Rat.exe
File opened (read-only)	\??\J:	Winner Rat.exe
File opened (read-only)	\??\K:	Winner Rat.exe
File opened (read-only)	\??\N:	Winner Rat.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	123aaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	123aaa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\JJkcsCg = "0"	123aaa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	123aaa.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MicrosoftWindows.xml	WARZONE RAT 1.2x.exe
File created	C:\Windows\SysWOW64\TiWorker.exe	WARZONE RAT 1.2x.exe
File opened for modification	C:\Windows\SysWOW64\TiWorker.exe	WARZONE RAT 1.2x.exe
File created	C:\Windows\SysWOW64\config.json	WARZONE RAT 1.2x.exe
File opened for modification	C:\Windows\SysWOW64\config.json	WARZONE RAT 1.2x.exe
File created	C:\Windows\SysWOW64\MicrosoftWindows.xml	WARZONE RAT 1.2x.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2268 set thread context of 2648	2268	fffffas.exe	156

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft DN1\sqlmap.dll	123aaa.exe
File created	C:\Program Files\Microsoft DN1\rdpwrap.ini	123aaa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2208	1548	WerFault.exe	26
1920	2412	WerFault.exe	135
2996	2344	WerFault.exe	137

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	fffffas.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	fffffas.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	fffffas.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	fffffas.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2772	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1168	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	fasfsaf2.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	fasfsaf2.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9F9DEFD1-EBFA-11EC-B1EC-4659A2147DF1} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Death-RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000078000000	Winner Rat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Viral - Rat By Sameed.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Viral - Rat By Sameed.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_Classes\Local Settings	Death-RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Winner Rat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 030000000c00000002000000040000000b0000000a00000009000000080000000700000006000000050000000100000000000000ffffffff	Viral - Rat By Sameed.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	Viral - Rat By Sameed.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Viral - Rat By Sameed.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202	WARZONE RAT 1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	WARZONE RAT 1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_Classes\Local Settings	Viral - Rat By Sameed.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\NodeSlot = "22"	Viral - Rat By Sameed.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	Viral - Rat By Sameed.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	PentagonRAT Final Relase.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	Death-RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	WARZONE RAT 1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Viral - Rat By Sameed.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Viral - Rat By Sameed.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Death-RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Viral - Rat By Sameed.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202	PentagonRAT Final Relase.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	WARZONE RAT 1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0	Viral - Rat By Sameed.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell	Viral - Rat By Sameed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\SniffedFolderType = "Generic"	Viral - Rat By Sameed.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	Death-RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Death-RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	Winner Rat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000078000000	Viral - Rat By Sameed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Viral - Rat By Sameed.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg	PentagonRAT Final Relase.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	PentagonRAT Final Relase.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	PentagonRAT Final Relase.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Winner Rat.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	PentagonRAT Final Relase.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	PentagonRAT Final Relase.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	Winner Rat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	Viral - Rat By Sameed.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 080000000700000006000000040000000500000002000000010000000300000000000000ffffffff	PentagonRAT Final Relase.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	PentagonRAT Final Relase.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 09000000040000000800000007000000060000000500000002000000010000000300000000000000ffffffff	WARZONE RAT 1.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Viral - Rat By Sameed.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	WARZONE RAT 1.2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Winner Rat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	PentagonRAT Final Relase.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Death-RAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202	Death-RAT.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	WARZONE RAT 1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_Classes\Local Settings	PentagonRAT Final Relase.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	PentagonRAT Final Relase.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Death-RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	Winner Rat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Viral - Rat By Sameed.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	PentagonRAT Final Relase.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Death-RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	WARZONE RAT 1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_Classes\Local Settings	Winner Rat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0b000000030000000a000000090000000400000008000000070000000600000005000000020000000100000000000000ffffffff	Winner Rat.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	PentagonRAT Final Relase.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	WARZONE RAT 1.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202	PentagonRAT Final Relase.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Death-RAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Winner Rat.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1A5D6032D6D9ED6DDC1EF263822F5B22C340F22C\Blob = 19000000010000001000000030d3504b2a0192308c25f1a83eaa90fe0f0000000100000020000000d9c511c664be0b609aaa02b4981c4fcda30f3d97b928cd06db96e7b1d35fc1ff0300000001000000140000001a5d6032d6d9ed6ddc1ef263822f5b22c340f22c140000000100000014000000b70b9c89d5eaaf1505aa8508219263d513d2bcd7200000000100000002050000308204fe308202e6020101300d06092a864886f70d01010b05003045310b3009060355040613025553311a3018060355040a0c114d6963726f736f66742057696e646f7773311a301806035504030c114d6963726f736f66742057696e646f7773301e170d3138303731323131303035365a170d3231303731313131303035365a3045310b3009060355040613025553311a3018060355040a0c114d6963726f736f66742057696e646f7773311a301806035504030c114d6963726f736f66742057696e646f777330820222300d06092a864886f70d01010105000382020f003082020a0282020100c15f2a2cdfbbf8865049e184ab3f4b74828b480008b366559d928071fdfbfc6608966e57eba07ad4d107a16689d5d88e14c4a66d17ecc7b2a57fc963ff5bff93bba83f7a8223e929670a815d976e39e998cfdc738f60e0e88d9a1d0aa542068de2c839a27eff9ab1ade2644d15eb097f51dcf14caf0b3e4767fac3542d948ca02e9798a3159f926608484cb1a0c9413b86de62015cf0b2fd3c85ccd10a23e4f6784b8a943ceb61ea94b0d8eef7b033fa7ec7040c18f5408a96931d47a0339ea3265c16cf945e057cb209d6005d0b37855e518db93b2089dec7f9a9e34cdda865ad22510ee4999ce042bf81eaf96e581658cf2364a550dc0e74bd7300a64b68020821c1c98eaf2565203810439e5a4261dd26249c869e502b6d0754126ca6bb1f4e7da0a3187556375ec24993b54036bc3ce80daecab76c77cd98311c64be0df1b2cefa2fe5ba600cf3e285cee17271494168541e4bee04b4cb03735bac76fdc1bd959b032ca1c23554189d903b9a352e2e494824df6bc38601087a3e8ada6ccf99fdeaca2f8ea8c4ee850260be6da2d36091461d9f8ffc117890bf4026ea8976f733c86af3a0ec8490a764434c4c26f862cdc7032aeae831c52b7c2b3a3084a4bc44b9eccfddd1e5af2cf0208685fe41520de2a2135b95c35c8dc5bd96e8f41b198cc0f0cb2bb48da29d9aa89c8fd85b846e2e7304f60e3e7d23256f2e0962a10203010001300d06092a864886f70d01010b05000382020100a97c5234a2f72fb0446b99e6e366841f293ec9ea32ae06b6189be69622c8b3c768c5811c4adae7953774f6cf44a5263e5cbda9c5274026f8e17729126c4d428091a9c61a8b41309c14ed9a068a7f2b3a1725407da7e57326a1a6baa6d8fa66837ec3963e2199466f79e3427867f5b1891f7c0ec5be577c64e6c685508ec97fb8d1f0357f4742acba57609b9a585c2cf94817d1d40859648c921a2dacc520ee466a328855297f65a3cb2bc6c79265d94eddd03425cdcc4c800ea6b8adaded1b1f0f4e244bf7eb9e1d3be0e15fd76327d2661e4a0af376df3c5f8396649519dc5d7574a4b3a10cc43903bc290f8dec92e63a1d5b71a4980efcb8dce7cda8f04af9528f74f4235abf19dfced939e5086d8500f1b5c450b14c9b16e06d8ec8d51c175d3e686bf3626265e977e34e3abbcc764ad8d5b2c8b692a3d4b69974c4d9992bb77ed792a4eda536a6cb7283f76abe282d58263f6b493122c6edfa76fff0c5220f7ba651dfdca5c628a9dbddaee5a5f02c77cd984e3b27f30b3919b5972c3b7fd4707b78f9f093dc9b6bd580198e88f926604142c032a3c429e304b09a6d6648a7390b09d256b98a18f3adf2ee651713942ae2b0716341b7443718c92a93e84514d398202832610d510394d8651aaf72426b44d80246c0852c16793897c3b58d0e85c02f5f07be96eb4b9808c8e8da7ec12f96560b9513d86c1e6610b99fe272	fasfsaf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1A5D6032D6D9ED6DDC1EF263822F5B22C340F22C	fasfsaf2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1A5D6032D6D9ED6DDC1EF263822F5B22C340F22C\Blob = 0f0000000100000020000000d9c511c664be0b609aaa02b4981c4fcda30f3d97b928cd06db96e7b1d35fc1ff0300000001000000140000001a5d6032d6d9ed6ddc1ef263822f5b22c340f22c200000000100000002050000308204fe308202e6020101300d06092a864886f70d01010b05003045310b3009060355040613025553311a3018060355040a0c114d6963726f736f66742057696e646f7773311a301806035504030c114d6963726f736f66742057696e646f7773301e170d3138303731323131303035365a170d3231303731313131303035365a3045310b3009060355040613025553311a3018060355040a0c114d6963726f736f66742057696e646f7773311a301806035504030c114d6963726f736f66742057696e646f777330820222300d06092a864886f70d01010105000382020f003082020a0282020100c15f2a2cdfbbf8865049e184ab3f4b74828b480008b366559d928071fdfbfc6608966e57eba07ad4d107a16689d5d88e14c4a66d17ecc7b2a57fc963ff5bff93bba83f7a8223e929670a815d976e39e998cfdc738f60e0e88d9a1d0aa542068de2c839a27eff9ab1ade2644d15eb097f51dcf14caf0b3e4767fac3542d948ca02e9798a3159f926608484cb1a0c9413b86de62015cf0b2fd3c85ccd10a23e4f6784b8a943ceb61ea94b0d8eef7b033fa7ec7040c18f5408a96931d47a0339ea3265c16cf945e057cb209d6005d0b37855e518db93b2089dec7f9a9e34cdda865ad22510ee4999ce042bf81eaf96e581658cf2364a550dc0e74bd7300a64b68020821c1c98eaf2565203810439e5a4261dd26249c869e502b6d0754126ca6bb1f4e7da0a3187556375ec24993b54036bc3ce80daecab76c77cd98311c64be0df1b2cefa2fe5ba600cf3e285cee17271494168541e4bee04b4cb03735bac76fdc1bd959b032ca1c23554189d903b9a352e2e494824df6bc38601087a3e8ada6ccf99fdeaca2f8ea8c4ee850260be6da2d36091461d9f8ffc117890bf4026ea8976f733c86af3a0ec8490a764434c4c26f862cdc7032aeae831c52b7c2b3a3084a4bc44b9eccfddd1e5af2cf0208685fe41520de2a2135b95c35c8dc5bd96e8f41b198cc0f0cb2bb48da29d9aa89c8fd85b846e2e7304f60e3e7d23256f2e0962a10203010001300d06092a864886f70d01010b05000382020100a97c5234a2f72fb0446b99e6e366841f293ec9ea32ae06b6189be69622c8b3c768c5811c4adae7953774f6cf44a5263e5cbda9c5274026f8e17729126c4d428091a9c61a8b41309c14ed9a068a7f2b3a1725407da7e57326a1a6baa6d8fa66837ec3963e2199466f79e3427867f5b1891f7c0ec5be577c64e6c685508ec97fb8d1f0357f4742acba57609b9a585c2cf94817d1d40859648c921a2dacc520ee466a328855297f65a3cb2bc6c79265d94eddd03425cdcc4c800ea6b8adaded1b1f0f4e244bf7eb9e1d3be0e15fd76327d2661e4a0af376df3c5f8396649519dc5d7574a4b3a10cc43903bc290f8dec92e63a1d5b71a4980efcb8dce7cda8f04af9528f74f4235abf19dfced939e5086d8500f1b5c450b14c9b16e06d8ec8d51c175d3e686bf3626265e977e34e3abbcc764ad8d5b2c8b692a3d4b69974c4d9992bb77ed792a4eda536a6cb7283f76abe282d58263f6b493122c6edfa76fff0c5220f7ba651dfdca5c628a9dbddaee5a5f02c77cd984e3b27f30b3919b5972c3b7fd4707b78f9f093dc9b6bd580198e88f926604142c032a3c429e304b09a6d6648a7390b09d256b98a18f3adf2ee651713942ae2b0716341b7443718c92a93e84514d398202832610d510394d8651aaf72426b44d80246c0852c16793897c3b58d0e85c02f5f07be96eb4b9808c8e8da7ec12f96560b9513d86c1e6610b99fe272	fasfsaf2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1A5D6032D6D9ED6DDC1EF263822F5B22C340F22C\Blob = 140000000100000014000000b70b9c89d5eaaf1505aa8508219263d513d2bcd70300000001000000140000001a5d6032d6d9ed6ddc1ef263822f5b22c340f22c0f0000000100000020000000d9c511c664be0b609aaa02b4981c4fcda30f3d97b928cd06db96e7b1d35fc1ff200000000100000002050000308204fe308202e6020101300d06092a864886f70d01010b05003045310b3009060355040613025553311a3018060355040a0c114d6963726f736f66742057696e646f7773311a301806035504030c114d6963726f736f66742057696e646f7773301e170d3138303731323131303035365a170d3231303731313131303035365a3045310b3009060355040613025553311a3018060355040a0c114d6963726f736f66742057696e646f7773311a301806035504030c114d6963726f736f66742057696e646f777330820222300d06092a864886f70d01010105000382020f003082020a0282020100c15f2a2cdfbbf8865049e184ab3f4b74828b480008b366559d928071fdfbfc6608966e57eba07ad4d107a16689d5d88e14c4a66d17ecc7b2a57fc963ff5bff93bba83f7a8223e929670a815d976e39e998cfdc738f60e0e88d9a1d0aa542068de2c839a27eff9ab1ade2644d15eb097f51dcf14caf0b3e4767fac3542d948ca02e9798a3159f926608484cb1a0c9413b86de62015cf0b2fd3c85ccd10a23e4f6784b8a943ceb61ea94b0d8eef7b033fa7ec7040c18f5408a96931d47a0339ea3265c16cf945e057cb209d6005d0b37855e518db93b2089dec7f9a9e34cdda865ad22510ee4999ce042bf81eaf96e581658cf2364a550dc0e74bd7300a64b68020821c1c98eaf2565203810439e5a4261dd26249c869e502b6d0754126ca6bb1f4e7da0a3187556375ec24993b54036bc3ce80daecab76c77cd98311c64be0df1b2cefa2fe5ba600cf3e285cee17271494168541e4bee04b4cb03735bac76fdc1bd959b032ca1c23554189d903b9a352e2e494824df6bc38601087a3e8ada6ccf99fdeaca2f8ea8c4ee850260be6da2d36091461d9f8ffc117890bf4026ea8976f733c86af3a0ec8490a764434c4c26f862cdc7032aeae831c52b7c2b3a3084a4bc44b9eccfddd1e5af2cf0208685fe41520de2a2135b95c35c8dc5bd96e8f41b198cc0f0cb2bb48da29d9aa89c8fd85b846e2e7304f60e3e7d23256f2e0962a10203010001300d06092a864886f70d01010b05000382020100a97c5234a2f72fb0446b99e6e366841f293ec9ea32ae06b6189be69622c8b3c768c5811c4adae7953774f6cf44a5263e5cbda9c5274026f8e17729126c4d428091a9c61a8b41309c14ed9a068a7f2b3a1725407da7e57326a1a6baa6d8fa66837ec3963e2199466f79e3427867f5b1891f7c0ec5be577c64e6c685508ec97fb8d1f0357f4742acba57609b9a585c2cf94817d1d40859648c921a2dacc520ee466a328855297f65a3cb2bc6c79265d94eddd03425cdcc4c800ea6b8adaded1b1f0f4e244bf7eb9e1d3be0e15fd76327d2661e4a0af376df3c5f8396649519dc5d7574a4b3a10cc43903bc290f8dec92e63a1d5b71a4980efcb8dce7cda8f04af9528f74f4235abf19dfced939e5086d8500f1b5c450b14c9b16e06d8ec8d51c175d3e686bf3626265e977e34e3abbcc764ad8d5b2c8b692a3d4b69974c4d9992bb77ed792a4eda536a6cb7283f76abe282d58263f6b493122c6edfa76fff0c5220f7ba651dfdca5c628a9dbddaee5a5f02c77cd984e3b27f30b3919b5972c3b7fd4707b78f9f093dc9b6bd580198e88f926604142c032a3c429e304b09a6d6648a7390b09d256b98a18f3adf2ee651713942ae2b0716341b7443718c92a93e84514d398202832610d510394d8651aaf72426b44d80246c0852c16793897c3b58d0e85c02f5f07be96eb4b9808c8e8da7ec12f96560b9513d86c1e6610b99fe272	fasfsaf2.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2984	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1188	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
572	chrome.exe
2480	chrome.exe
2660	chrome.exe
1592	WARZONE RAT 1.2x.exe
1592	WARZONE RAT 1.2x.exe
1592	WARZONE RAT 1.2x.exe
1592	WARZONE RAT 1.2x.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe

Suspicious behavior: GetForegroundWindowSpam 8 IoCs

pid	Process
2872	taskmgr.exe
3040	PentagonRAT Final Relase.exe
1524	Death-RAT.exe
2592	WARZONE RAT 1.2.exe
1700	taskmgr.exe
2344	Winner Rat.exe
2252	fasfsaf2.exe
2228	Viral - Rat By Sameed.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1548	zxcvb.exe
Token: 33	2684	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2684	AUDIODG.EXE
Token: 33	2684	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2684	AUDIODG.EXE
Token: SeLockMemoryPrivilege	2564	TiWorker.exe
Token: SeDebugPrivilege	2592	WARZONE RAT 1.2.exe
Token: SeDebugPrivilege	2872	taskmgr.exe
Token: SeDebugPrivilege	1432	Dllhost.exe
Token: SeDebugPrivilege	2724	123aaa.exe
Token: SeDebugPrivilege	1700	taskmgr.exe
Token: SeDebugPrivilege	1592	fasfsaf2.exe
Token: SeDebugPrivilege	2252	fasfsaf2.exe
Token: SeDebugPrivilege	2008	taskmgr.exe
Token: SeDebugPrivilege	2268	fffffas.exe
Token: SeDebugPrivilege	2648	fffffas.exe
Token: SeDebugPrivilege	2476	taskmgr.exe
Token: SeDebugPrivilege	1664	GoogleCrashHandler.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
3040	PentagonRAT Final Relase.exe
1524	Death-RAT.exe
2892	iexplore.exe
2892	iexplore.exe
2284	IEXPLORE.EXE
2284	IEXPLORE.EXE
2592	WARZONE RAT 1.2.exe
2592	WARZONE RAT 1.2.exe
2344	Winner Rat.exe
2344	Winner Rat.exe
2412	Winner Rat.exe
2252	fasfsaf2.exe
2252	fasfsaf2.exe
1592	fasfsaf2.exe
1592	fasfsaf2.exe
1592	fasfsaf2.exe
2228	Viral - Rat By Sameed.exe
2648	fffffas.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1552	1984	chrome.exe	28
PID 1984 wrote to memory of 1552	1984	chrome.exe	28
PID 1984 wrote to memory of 1552	1984	chrome.exe	28
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 992	1984	chrome.exe	29
PID 1984 wrote to memory of 1188	1984	chrome.exe	30
PID 1984 wrote to memory of 1188	1984	chrome.exe	30
PID 1984 wrote to memory of 1188	1984	chrome.exe	30
PID 1984 wrote to memory of 2004	1984	chrome.exe	31
PID 1984 wrote to memory of 2004	1984	chrome.exe	31
PID 1984 wrote to memory of 2004	1984	chrome.exe	31
PID 1984 wrote to memory of 2004	1984	chrome.exe	31
PID 1984 wrote to memory of 2004	1984	chrome.exe	31
PID 1984 wrote to memory of 2004	1984	chrome.exe	31
PID 1984 wrote to memory of 2004	1984	chrome.exe	31
PID 1984 wrote to memory of 2004	1984	chrome.exe	31
PID 1984 wrote to memory of 2004	1984	chrome.exe	31
PID 1984 wrote to memory of 2004	1984	chrome.exe	31
PID 1984 wrote to memory of 2004	1984	chrome.exe	31
PID 1984 wrote to memory of 2004	1984	chrome.exe	31
PID 1984 wrote to memory of 2004	1984	chrome.exe	31
PID 1984 wrote to memory of 2004	1984	chrome.exe	31
PID 1984 wrote to memory of 2004	1984	chrome.exe	31
PID 1984 wrote to memory of 2004	1984	chrome.exe	31
PID 1984 wrote to memory of 2004	1984	chrome.exe	31

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	123aaa.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	123aaa.exe

C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
"C:\Users\Admin\AppData\Local\Temp\zxcvb.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 20
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 20
    3⤵
    - Delays execution with timeout.exe
    PID:1168
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 1252
  2⤵
  - Program crash
  PID:2208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefb4f4f50,0x7fefb4f4f60,0x7fefb4f4f70
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1124 /prefetch:2
  2⤵
  PID:992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1248 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1788 /prefetch:8
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2088 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3288 /prefetch:2
  2⤵
  PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3532 /prefetch:8
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3640 /prefetch:8
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=692 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3928 /prefetch:8
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3924 /prefetch:8
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3944 /prefetch:8
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4136 /prefetch:8
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3092 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=536 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2088 /prefetch:1
  2⤵
  PID:1208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3952 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4284 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3948 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3972 /prefetch:8
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3984 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1100,8956761155741615518,17228147842926002046,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4072 /prefetch:8
  2⤵
  PID:2900

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2488

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x460
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1700

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2056

C:\Users\Admin\Desktop\WARZONE RAT 1.2x.exe
"C:\Users\Admin\Desktop\WARZONE RAT 1.2x.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate" & schtasks /End /TN "WindowsUpdate" & exit
  2⤵
  PID:2612
- - C:\Windows\system32\schtasks.exe
    schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate"
    3⤵
    PID:1988
- - C:\Windows\system32\schtasks.exe
    schtasks /End /TN "WindowsUpdate"
    3⤵
    PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /Delete /TN "WindowsUpdate" /F & exit
  2⤵
  PID:188
- - C:\Windows\system32\schtasks.exe
    schtasks /Delete /TN "WindowsUpdate" /F
    3⤵
    PID:388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=out action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit
  2⤵
  PID:1740
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="System" dir=out action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=in action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit
  2⤵
  PID:2304
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="System" dir=in action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /Create /XML "%windir%\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F & exit
  2⤵
  PID:2508
- - C:\Windows\system32\schtasks.exe
    schtasks /Create /XML "C:\Windows\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F
    3⤵
    - Creates scheduled task(s)
    PID:2772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "%windir%\SysWOW64\TiWorker.exe" & schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate" & exit
  2⤵
  PID:2756
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "C:\Windows\SysWOW64\TiWorker.exe"
    3⤵
    PID:904
- - C:\Windows\system32\schtasks.exe
    schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate"
    3⤵
    PID:2520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil –addstore –f root MicrosoftWindows.crt & exit
  2⤵
  PID:2860
- - C:\Windows\system32\certutil.exe
    certutil –addstore –f root MicrosoftWindows.crt
    3⤵
    PID:1928
- C:\Users\Admin\Desktop\WARZONE RAT 1.2.exe
  "C:\Users\Admin\Desktop\WARZONE RAT 1.2.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2592
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://xakfor.net/forum/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2892
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2892 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2284

C:\Windows\system32\taskeng.exe
taskeng.exe {A963F3AB-DB5A-4A4D-AAA7-EE88C97CEF34} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:2676
- C:\Windows\SysWOW64\TiWorker.exe
  C:\Windows\SysWOW64\TiWorker.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2564

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Users\Admin\Desktop\PentagonRAT Final Relasex.exe
"C:\Users\Admin\Desktop\PentagonRAT Final Relasex.exe"
1⤵
PID:2984
- C:\Users\Admin\Desktop\PentagonRAT Final Relase.exe
  "C:\Users\Admin\Desktop\PentagonRAT Final Relase.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3040

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2524

C:\Users\Admin\Desktop\1655030101000116.exe
"C:\Users\Admin\Desktop\1655030101000116.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928
- C:\Users\Admin\AppData\Local\Temp\InstallDir\Dllhost.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallDir\Dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1432

C:\Users\Admin\Desktop\1655030101000116.exe
"C:\Users\Admin\Desktop\1655030101000116.exe"
1⤵
- Executes dropped EXE
PID:1816

C:\Users\Admin\Desktop\1655030101000116.exe
"C:\Users\Admin\Desktop\1655030101000116.exe"
1⤵
- Executes dropped EXE
PID:2956

C:\Users\Admin\Desktop\Death-RATx.exe
"C:\Users\Admin\Desktop\Death-RATx.exe"
1⤵
PID:2004
- C:\Users\Admin\Desktop\Death-RAT.exe
  C:\Users\Admin\Desktop\Death-RAT.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1524

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2840

C:\Users\Admin\Desktop\123aaa.exe
"C:\Users\Admin\Desktop\123aaa.exe"
1⤵
- Executes dropped EXE
- Sets DLL path for service in the registry
- Accesses Microsoft Outlook profiles
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2724

C:\Users\Admin\Desktop\123aaa.exe
"C:\Users\Admin\Desktop\123aaa.exe"
1⤵
- Executes dropped EXE
PID:2336

C:\Users\Admin\Desktop\HichamRAT v0.9dx.exe
"C:\Users\Admin\Desktop\HichamRAT v0.9dx.exe"
1⤵
PID:2792
- C:\Users\Admin\Desktop\HichamRAT v0.9d.exe
  "C:\Users\Admin\Desktop\HichamRAT v0.9d.exe"
  2⤵
  - Executes dropped EXE
  PID:2160

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Users\Admin\Desktop\Winner Ratx.exe
"C:\Users\Admin\Desktop\Winner Ratx.exe"
1⤵
PID:1224
- C:\Users\Admin\Desktop\Winner Rat.exe
  "C:\Users\Admin\Desktop\Winner Rat.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2412
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2412 -s 512
    3⤵
    - Program crash
    PID:1920

C:\Users\Admin\Desktop\Winner Ratx.exe
"C:\Users\Admin\Desktop\Winner Ratx.exe"
1⤵
PID:1164
- C:\Users\Admin\Desktop\Winner Rat.exe
  "C:\Users\Admin\Desktop\Winner Rat.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2344
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2344 -s 1512
    3⤵
    - Program crash
    PID:2996

C:\Users\Admin\Desktop\fasfsaf2.exe
"C:\Users\Admin\Desktop\fasfsaf2.exe"
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2252

C:\Users\Admin\Desktop\fasfsaf2.exe
"C:\Users\Admin\Desktop\fasfsaf2.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1592

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Users\Admin\Desktop\Viral - Rat By Sameedx.exe
"C:\Users\Admin\Desktop\Viral - Rat By Sameedx.exe"
1⤵
PID:2776
- C:\Users\Admin\Desktop\Viral - Rat By Sameed.exe
  "C:\Users\Admin\Desktop\Viral - Rat By Sameed.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2228
- - C:\Users\Admin\Desktop\res.exe
    C:\Users\Admin\Desktop\res.exe -extract C:\Users\Admin\Desktop\AssemblyChange.exe,C:\Users\Admin\Desktop\assemblychange.res,VERSIONINFO,,
    3⤵
    - Executes dropped EXE
    PID:624
- - C:\Users\Admin\Desktop\res.exe
    C:\Users\Admin\Desktop\res.exe -delete C:\Users\Admin\Desktop\fffffas.exe,C:\Users\Admin\Desktop\res.exe,VERSIONINFO,,
    3⤵
    - Executes dropped EXE
    PID:2728
- - C:\Users\Admin\Desktop\res.exe
    C:\Users\Admin\Desktop\res.exe -addoverwrite C:\Users\Admin\Desktop\fffffas.exe,C:\Users\Admin\Desktop\fffffas.exe,C:\Users\Admin\Desktop\assemblychange.res,VERSIONINFO,1,
    3⤵
    - Executes dropped EXE
    PID:1580

C:\Users\Admin\Desktop\fffffas.exe
"C:\Users\Admin\Desktop\fffffas.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2268
- C:\Users\Admin\Desktop\fffffas.exe
  "C:\Users\Admin\Desktop\fffffas.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2648

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\About.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2984

C:\Users\Admin\Desktop\Datas\vncviewer.exe
"C:\Users\Admin\Desktop\Datas\vncviewer.exe"
1⤵
PID:544

C:\Users\Admin\Desktop\Server.exe
"C:\Users\Admin\Desktop\Server.exe"
1⤵
- Executes dropped EXE
PID:2788
- C:\Users\Admin\AppData\Local\Temp\GoogleCrashHandler.exe
  "C:\Users\Admin\AppData\Local\Temp\GoogleCrashHandler.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- - C:\Windows\system32\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\GoogleCrashHandler.exe" "GoogleCrashHandler.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:1224

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1944

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindows.crt

Filesize
1KB

MD5
1bb617d3aab1dbe2ec2e4a90bf824846

SHA1
bbe179f1bdc4466661da3638420e6ca862bd50ca

SHA256
1bf4ce2aedc0cfb1365ab15c7e0c8c26b87890ad4008d56317b756b8745ff580

SHA512
ed91750bec3aed806088c271e295550dac1c8cae91569f278d40fbd671b486e70cc9b28f7a9a70e9f340fbe8a038f1ed18f666de4246fc1d60e015e0dd3f1c52

Download Submit
C:\Users\Admin\Desktop\AddGet.TS

Filesize
240KB

MD5
ca024f72c0f41bdbcfd3c382325c1449

SHA1
a96f12fbcd9bc12f4d6fdbe24e1ccf7800e889e7

SHA256
ee6c4b7ee53776898d0734d814d8e432db20ded289005bf0808757832d186534

SHA512
322d5723773d4d2a4bb439722749b2b0f1ee19ed7d3af6be4fec4c7b4eaab19d1a8d1aa9b3709035a5b88a2884cf554707b69186c9a6323d8da5f86f94a0c4f8

Download Submit
C:\Users\Admin\Desktop\CompareClose.raw

Filesize
191KB

MD5
c80ac3a323151b98d0a1cc72b57fecf5

SHA1
6667c0a5a8d400fe7a56f99c26815de674e4e1e3

SHA256
30198c157a22f3bc75bb5f806acd24a40a924b88901ebea624d4421e4acd1a8d

SHA512
3b05f12a07c9849efa865a06f8b99f66da9413915e301d52bb62cc78275eb627a06820683556e55f494448db7a13a63fc13444e91d1f6174c1c8b3dce61e625d

Download Submit
C:\Users\Admin\Desktop\CompleteImport.3gpp

Filesize
162KB

MD5
ae490631e8380c093d12163079f0c411

SHA1
809db3f830e890c3d30960b0bdc2f9f8c416c3aa

SHA256
4be8bb5181777f53c423034f2371d5051f1f37d3b4c4c12230a4e431e20ecfb4

SHA512
da7b05139c77a89a2344dfd120453e91a532d9dede114f13f694fe63ad9eeaab96c64acad0ca85da22793d270d649b9c44a64eb6d25d2d98a583b07a145fc536

Download Submit
C:\Users\Admin\Desktop\ConfirmInstall.html

Filesize
122KB

MD5
be8b3cfb2c7bfc98e560051a0e64303b

SHA1
69bbb5ef76af8069471514e49f7a6a8de72fd435

SHA256
cb88b548562af7f71a80fe54b28912d74c3ef20e95530c8b71d1a982c41f5da9

SHA512
28c8098b5e2526e15c68637fa721f690168cc55b3b9ccc57aef159d0a2a7a0107eb5e6f03f7b4e35d5c56855292844135d9c354913e7592a76dcac294fcf947d

Download Submit
C:\Users\Admin\Desktop\ConfirmOpen.dwg

Filesize
289KB

MD5
bb815ea27d7cf5281511bfad2cfadd28

SHA1
0ec167e7a1d3ede47a6e5de25b6214fd9eba70b5

SHA256
a4c65ed24e64099a05a903837f073dad533186bf66e83d9122e11279b2f89dca

SHA512
612ba7e15f8d46558309e2c3a67b82b3806a052aa4de59f9739f29a3d46f404d139e6af60507499bacdb866de207d3976bae1406dfd0e8232246966bca5e901c

Download Submit
C:\Users\Admin\Desktop\DebugSwitch.vdw

Filesize
309KB

MD5
a8f98289702f0c152861563132418af1

SHA1
600a3cde2f3cedbb8db219de4e913e432a078fd5

SHA256
123d7f8bf966426e6ee3537d0e2d43984e8ff540664ec08c3b807a284a073abc

SHA512
649eeee4d2ae4ba7ef9c8ed14bfb4d4bbedf390d23d356a631f2c7dc8d3f80bee16fd95a0b73aaa21725d8d6b0cf1ee9269184eacad56be2bd012b1a59f4a778

Download Submit
C:\Users\Admin\Desktop\EnableRead.xls

Filesize
142KB

MD5
022dd849e8ebd8095369d201dd65af4b

SHA1
f06a9ddc147cb16b25cd114b142ed30bd4f47b0f

SHA256
8c38fc6c459661c6dea420330327131c8d89e210e59670775b8480856874e028

SHA512
a00a8b236e7477b71494ac5f083d828c4c72160ae5614a20c2545604ec257de8571e0605eec3b53e796d63cc351644820ad70492564d0c90081a7149beca5bfa

Download Submit
C:\Users\Admin\Desktop\ExitMeasure.7z

Filesize
319KB

MD5
0ec6471c9f9bdfbeaf474751a17cd94a

SHA1
6cc097c971e7c42d1a2454dff333900de3886dad

SHA256
0e5f6cc1c5ca94c5447fc9402cddd3fa07d52fdbedb2cfe6e23022e186ab5b8e

SHA512
10cedee5bc698662e4c1cc7d5d521e797c49c69121b735b347c0d2f7d77a164948e99ac935a5fc341b91b6c5ccfcb924b3ce6c25f83a4e138d9fb4735da03e20

Download Submit
C:\Users\Admin\Desktop\FormatConvert.php

Filesize
231KB

MD5
751497e40a33bb1bdc1b08d109a52b5e

SHA1
823997f758178b6b030763f8478b928342de33ee

SHA256
3a2d2f97410d94e15f5acd4903f72b1834a33526f1daf342b3ed13ee44af98d1

SHA512
12902d9f78c3a6762b35e337d9e664b9004b0c8a4a543e6fb57dd7618069495deb296c2dedb125d079e159320a24ce0ad15dc796eb6a886bf87c76a1d5d77da1

Download Submit
C:\Users\Admin\Desktop\ImportNew.xps

Filesize
481KB

MD5
708586ca1219a613f71441479b402ded

SHA1
da84d9e02c937f6f03b75821c9119ca66f75c1a1

SHA256
50949bd27e84b3784b11c527c7400262b4b7a1418415f4812b0691c6adac93ca

SHA512
25cc00547a9e6e7414a6a91d86aa4de5e6858948b7dc88ce4fedc320f237817d9313cadf77b1dbd9852c9a6ff3ec2920dae2e41bebd86033a9ca33d1b1cf088d

Download Submit
C:\Users\Admin\Desktop\InstallTest.mhtml

Filesize
181KB

MD5
30d6455379e689bcc267bba934dd8d56

SHA1
4c4bd136b430104355ee893cc3bc891bc73b5ca4

SHA256
c3e6b0be99eb0b5f26f27bc798612c56ac842805f35cb556862bd42ae3c8fff7

SHA512
b1f837f39146d62a4bc23711a0b9e594954b70b70200382ab35bb0344067dd5acfa9adc504b5cda019c64baae9fca00941501f995e15e19724fc4928fab1f4c5

Download Submit
C:\Users\Admin\Desktop\InvokeConfirm.pptx

Filesize
250KB

MD5
6d54108b1e5d9ff1da2d76e3bab97c47

SHA1
03422493d06d5ae02badc809062bdd04ebeb09c1

SHA256
c24aa6fa66d66ae56d59d192cc868bda64585a5ff7eb839f6fc8f6c43dcfe9dc

SHA512
291e08510cf2fc5511a0db563fc2adde0acc8ef8ddc2f90bc8bf34d2101f08d5c66fccaa4da85a644098b1fe54da11c4f45930d68942c25891c213f86bab37db

Download Submit
C:\Users\Admin\Desktop\JoinEnter.raw

Filesize
348KB

MD5
782e71a382ecb196c739f0fc360c3dcc

SHA1
6834976cbf61d8e765776ba7ffafc2f2d90310fb

SHA256
32cbbce8300cceebea8936326e7480146d4f055da6f5c029499f1de3ee69c871

SHA512
6d0cf05c7b4149489f1e4ac17e311ecfb38f895b63f50720fa8f03572ae0bd4e5f48adb3c0c9a99c87213ec012f1869c9d9758c31bb851fbe125721789e847fa

Download Submit
C:\Users\Admin\Desktop\LimitUpdate.ogg

Filesize
260KB

MD5
69fcabd8a3bcaa0ccb7b0346c6eae9c2

SHA1
50e2d007f4473ecb772d44265e3897d9c880c464

SHA256
8eef58350eaa6f5150abe664f1b3e17225b173bb67d8b390be9d1f72467d536e

SHA512
1733853172aa17f28b90af3191ef4f892b766362b64eabf1c2560aee627d3443b7b2177f4fe56adfee80892d83fb1de689efb7d88279385f2d94c39f2ade9cc4

Download Submit
C:\Users\Admin\Desktop\LockSave.jpg

Filesize
132KB

MD5
2b4557ad10772d39e379f4a1be1a25bb

SHA1
7920b2ffdb5fe53d5d5e9dfc7c7e5e96b38a43e9

SHA256
cf64623b95c48f63e6648840a1aa452dc5d442026013c707b576185a57e24913

SHA512
c6b605703bcc45a9c7dcbec2cc135970439880e853f580073218d449aab01a616b09bd15b9e1a19bf9a0f0242b943c1fe7252e2358997b0b37396395422dfe3b

Download Submit
C:\Users\Admin\Desktop\MeasureExport.dotx

Filesize
299KB

MD5
dcd30af717eb9468a7f7673385c03267

SHA1
88d86928ea63eb131fc8e21ace65bafc80fdc908

SHA256
0afc077ed1fc0c29131bc78c3849b021e7b3102ba197ce1fbdce428ade49da3b

SHA512
69d114c84e82d55a4f2f4c4e9b4b9455debd21fe663bf36de68ccca3a39ddc34ca393ab477b2e99044c5b79e27d45978c6209d5c3e233456120213aafc470037

Download Submit
C:\Users\Admin\Desktop\MergeUnprotect.emf

Filesize
172KB

MD5
b497128a226c33eaa0f73498270d56c1

SHA1
2f1b6965ab00dafb0f855f7b6696a33c08d5a71a

SHA256
4c84381628c74f055db737d90ff2ba02a60a2efba3d401e926c6649ec7f80f2f

SHA512
99d0556e570c2dc88968af072e195ecc52d7757ac209291a928785400a1ee7ccd2f10d7f2846f92a13c4321a7f03c8e801e571e96b890e1afd0b159441624aed

Download Submit
C:\Users\Admin\Desktop\MountImport.wvx

Filesize
152KB

MD5
7fe97dd075c1dfde09f6e611d4a8d3c6

SHA1
9dfbf4b5ffcdde79b067951fea0e4b18f7756351

SHA256
28a99f12a22498c5a64fd29740c2de05b6300476a058152810ceb2bebf5a040a

SHA512
45267378caf101548a53c3a2f92c5ba95b8d00a490b4f2b021dc4e44f7300f6bb2ab554ba29699d0b2c2699210f28bd9be7abcf78e4d2d7659e87411042eea46

Download Submit
C:\Users\Admin\Desktop\PingPublish.htm

Filesize
221KB

MD5
74c9fa3e86180650d7f5f4eee0d1e472

SHA1
eceb74cd17b2e88a91e6f72663728f856e0fa782

SHA256
3c7f2bf09252b159638101fa546bb15cab35143024c9751f5df6880485a109ac

SHA512
fa2a3651cf6dfd32b51b275e41def83ad5684f15496a9e49df541dd1c3968ed1349731fc0b9a79668fddd6bdb023ebb7d00c20ceedc2ea5edfd5789faeae335a

Download Submit
C:\Users\Admin\Desktop\ReadInvoke.vssx

Filesize
280KB

MD5
d2bdc8b3f72d738c4616579e97296938

SHA1
77e32c0f7b08458fb79b8658826fb34c81ebddca

SHA256
b84105bc1577327b96f787d6c4f7e81ea46046542c1f4047a606b392520ad817

SHA512
d82fb7da21b2042c1a43fdd91a208ed59b7ec9995adbd8bd16bfc632fa431d6c6c64cd76012b6b52975a05293dfcb7f9220498545dd9d49b289ac5cff89ec70c

Download Submit
C:\Users\Admin\Desktop\ReadUnregister.temp

Filesize
339KB

MD5
ebfe60f45dacf46b4806ac153f176a92

SHA1
fe01d48fe70b07c8bc39d210a295148919a8a7f0

SHA256
8f8ec7955fb8bd2b5584ebc96b1a87fd473541a1247f0bf896baa6af3e1a145c

SHA512
d5a115c59d870f74ece19486d5e3114011a0a11a6a7f4c63bfdfe8379bacb827c5d28c702ed59fe2c7e1b69d3c56c8c558476aefe869864cbf46e44814565883

Download Submit
C:\Users\Admin\Desktop\RedoCompress.pcx

Filesize
329KB

MD5
b679de92a3a53ce9180439d7ed51cb59

SHA1
a36ac33c602f5c912772fd8a6fd041e646d618d5

SHA256
b7b36f6321957e96edb0657840134b23eb9f8722a77e624ffe2373fb1429ea46

SHA512
32e964cc37ecd1ba6425c244a55c72dad014cd954322b41908a968bc7ff82982eb97fa98d51f7e9a65855c4083448c8ec88f63ef9ad12df149895333871d6b1c

Download Submit
C:\Users\Admin\Desktop\ResolveDeny.xlsx

Filesize
270KB

MD5
64cbc1db75301714f4f5d5d94fc06365

SHA1
9fdc9d8fadff106e600f1b67c0f1119d37e32fd5

SHA256
468484faec5e4c5e57c23262d5009d34b0abcf4cc73093c7139162606c74bf47

SHA512
2c0fe2b3237eeab0b22e1ebd5766a9e8798f2032fbbe9a367e472b3749d513c421e5641021e401b23de6289156c60ae71b6104d0223665c4bc29b5041b4da9e8

Download Submit
C:\Users\Admin\Desktop\SelectConvertFrom.xlt

Filesize
211KB

MD5
57a273a4f5f34f2e1859706096c2f130

SHA1
cbbcfa50eac35a85f3db93e08f9a4926432fbec2

SHA256
09b65030372d189d97a5521ae9aa8685feaec44d8db2fa76a35403855a807cdc

SHA512
6a794b62ac7675d68e290ce645842460b967d6f52037f2f96934c85fa3c3b34bfcef4db40f7ed8f226b737d775b86ea6caa230711c7c2827528f984da9516374

Download Submit
C:\Users\Admin\Desktop\SkipEdit.wax

Filesize
201KB

MD5
e2daf0362123f7b1610e62190339ffc4

SHA1
851a893702cc2f97503f366c6bf1fb2dae6e3e6b

SHA256
d73f0aaac6786a6dbba6ea2253711c9dc92e134e5cb44617bc338a7dcd93cb5d

SHA512
fd9511c256dde94f0d267ff06fef595cdf46edadca013bf678dc9eae463f03a1e69e9933d4bd0d57b256c52c6524bb57d23b42630b784306153b35cdd93bf0bc

Download Submit
C:\Users\Admin\Desktop\WARZONE RAT 1.2.exe

Filesize
6.1MB

MD5
8343f68babf00770aa40ae3fa5df7ba2

SHA1
e93b250005ce958b7f7f8d0bf7ee84bfe328c382

SHA256
55d0b00754ee1c92657006a812b9013b4aed9c7877db45aef6a50fdf339491e6

SHA512
e08c94c1a0ee7d479555f14365720c740141a4a15082b3d0aefc543f78cba5d5d928213414d9d753ca587e23457a92c2cedee8b4581b3e6015191d87c1aa37ed

Download Submit
C:\Users\Admin\Desktop\WARZONE RAT 1.2.exe

Filesize
6.1MB

MD5
8343f68babf00770aa40ae3fa5df7ba2

SHA1
e93b250005ce958b7f7f8d0bf7ee84bfe328c382

SHA256
55d0b00754ee1c92657006a812b9013b4aed9c7877db45aef6a50fdf339491e6

SHA512
e08c94c1a0ee7d479555f14365720c740141a4a15082b3d0aefc543f78cba5d5d928213414d9d753ca587e23457a92c2cedee8b4581b3e6015191d87c1aa37ed

Download Submit
C:\Users\Public\Desktop\Adobe Reader 9.lnk

Filesize
1KB

MD5
09bae029e59263c80cc2ac50b32d2dff

SHA1
7e252189d0fb5012ac2e085020d0a310b18098c5

SHA256
2d0e6d9117a6be875cd40558fd2f41d49606fcdeefd1ef301aac93d4bf9ea688

SHA512
b4c8d0f330454fa91de6f3f039d4795347fc3c828374e044f7303d69ea7159b5c513910f3e95907349ebe71ca77059cf26e2144394583deae7a4856659c1384b

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
931B

MD5
ac5f8700d364ac506e926ad32241bbfa

SHA1
a030d2bcf878df1ba9ab7d7f71bbad0af1160529

SHA256
7a08a5e706fefc0e9787c4cf46b403a90d53fb6f8dc4aecca6c31b087fbda9e8

SHA512
a2442927dc6db9e8e553df26d445bf1c3e7ffe1e29b001a182c1621d8fedf617ca975486d8412930aa019d9f15750ab3cce3582badfb6146bc6d4cc4fea70255

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
f87e9a0e5e9255778957607d47926979

SHA1
6f1b4dd4124155c4a0179139f3e0ebb68b976c62

SHA256
98e24a9a44e36bab3e7b35fb95faa76ec8cdaed9786733733e3f09a1a359c56f

SHA512
2e80272601f15f946e39220fa56c91f3ddbe64fc3d1523b8534492ce8f3987d2d38b4b4005d0e91a89f63d640eb020a5a4d7c85f03f0648f6f0a07b608ca1103

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
878B

MD5
fcefdaab50ec2d330e8904f2ad21f730

SHA1
91220fc91681995183e17c5b5b40416cc5c27ee4

SHA256
c1c56e0017ff62aadc3cb419bd6ea85a2005bf6327b7bbd80f74b07d3f690f18

SHA512
77aa98035f417d9ce40bd72521b64ffc3ab96c90341a9c49a2f7d461536474c94777af5b6aaa0b1f9c846f0f5530eb40443902fcad39d75c2c914c8a8fce63d1

Download Submit
C:\Windows\SysWOW64\MicrosoftWindows.xml

Filesize
4KB

MD5
b1cbfcc7b7a5716a30b77f5dc5bb6135

SHA1
5c397ffd7a845b2fdf9e82ff73698784a91a2fb9

SHA256
96f2ff4ddcadf6421071daa6cdda2ce866fb7b10d12cc1b20bd07cb131210430

SHA512
d08516e7610e5a08d1c5c2d1cc5a22b1cd2d6b7c890f895caee0cf65577a1315d575d91a8f7f78ffc7bd0dd77b23ece46fadf58ba44257a115330a54a3ebfcf7

Download Submit
C:\Windows\SysWOW64\TiWorker.exe

Filesize
3.2MB

MD5
ecede3c32ce83ff76ae584c938512c5a

SHA1
090b15025e131cc03098f6f0d8fa5366bc5fa1f0

SHA256
366f1e9f9c99aa81034bada3cc344f2fb5a74246e1d5851441244df1ecc9ae6d

SHA512
61ca6075c8a2086d42b58698484afc0005645507474831cacafc10126f47c8f0cda10c1c215557f9391865b55b16ae881a593d7547cbad560b54369684b23d1d

Download Submit
C:\Windows\SysWOW64\config.json

Filesize
1011B

MD5
3da156f2d3307118a8e2c569be30bc87

SHA1
335678ca235af3736677bd8039e25a6c1ee5efca

SHA256
f86ab68eaddd22fbe679ea5ab9cc54775e74081beffd758b30776ba103f396eb

SHA512
59748e02cc4b7f280471b411d6ca3c9986f4c12f84b039bae25269634fc825cde417fe46246f58538668c19cca91e698e31d9f32df69aad89e68423f86bb00c0

Download Submit
\??\c:\windows\syswow64\tiworker.exe

Filesize
3.2MB

MD5
ecede3c32ce83ff76ae584c938512c5a

SHA1
090b15025e131cc03098f6f0d8fa5366bc5fa1f0

SHA256
366f1e9f9c99aa81034bada3cc344f2fb5a74246e1d5851441244df1ecc9ae6d

SHA512
61ca6075c8a2086d42b58698484afc0005645507474831cacafc10126f47c8f0cda10c1c215557f9391865b55b16ae881a593d7547cbad560b54369684b23d1d

Download Submit
\Windows\SysWOW64\TiWorker.exe

Filesize
3.2MB

MD5
ecede3c32ce83ff76ae584c938512c5a

SHA1
090b15025e131cc03098f6f0d8fa5366bc5fa1f0

SHA256
366f1e9f9c99aa81034bada3cc344f2fb5a74246e1d5851441244df1ecc9ae6d

SHA512
61ca6075c8a2086d42b58698484afc0005645507474831cacafc10126f47c8f0cda10c1c215557f9391865b55b16ae881a593d7547cbad560b54369684b23d1d

Download Submit
memory/1432-163-0x000000006BAF0000-0x000000006C09B000-memory.dmp

Filesize
5.7MB

Download
memory/1432-170-0x000000006BAF0000-0x000000006C09B000-memory.dmp

Filesize
5.7MB

Download
memory/1524-179-0x0000000000B06000-0x0000000000B17000-memory.dmp

Filesize
68KB

Download
memory/1524-175-0x000000006BAF0000-0x000000006C09B000-memory.dmp

Filesize
5.7MB

Download
memory/1524-180-0x000000006BAF0000-0x000000006C09B000-memory.dmp

Filesize
5.7MB

Download
memory/1524-181-0x0000000000B06000-0x0000000000B17000-memory.dmp

Filesize
68KB

Download
memory/1524-178-0x000000006BAF0000-0x000000006C09B000-memory.dmp

Filesize
5.7MB

Download
memory/1524-176-0x0000000000B06000-0x0000000000B17000-memory.dmp

Filesize
68KB

Download
memory/1548-54-0x0000000001160000-0x0000000001170000-memory.dmp

Filesize
64KB

Download
memory/1548-55-0x00000000759E1000-0x00000000759E3000-memory.dmp

Filesize
8KB

Download
memory/1592-222-0x0000000000AD6000-0x0000000000AF5000-memory.dmp

Filesize
124KB

Download
memory/1592-220-0x0000000000AD6000-0x0000000000AF5000-memory.dmp

Filesize
124KB

Download
memory/1592-215-0x000007FEF3790000-0x000007FEF41B3000-memory.dmp

Filesize
10.1MB

Download
memory/1592-216-0x000007FEEE620000-0x000007FEEF6B6000-memory.dmp

Filesize
16.6MB

Download
memory/1700-195-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1700-196-0x0000000003320000-0x0000000003CEB000-memory.dmp

Filesize
9.8MB

Download
memory/1700-91-0x000007FEFC0C1000-0x000007FEFC0C3000-memory.dmp

Filesize
8KB

Download
memory/1816-166-0x000000006BAF0000-0x000000006C09B000-memory.dmp

Filesize
5.7MB

Download
memory/1816-165-0x000000006BAF0000-0x000000006C09B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-119-0x00000000FF2D1000-0x00000000FF2D3000-memory.dmp

Filesize
8KB

Download
memory/2008-225-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2008-226-0x0000000003490000-0x0000000003E5B000-memory.dmp

Filesize
9.8MB

Download
memory/2008-228-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2008-224-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2008-227-0x0000000003490000-0x0000000003E5B000-memory.dmp

Filesize
9.8MB

Download
memory/2008-229-0x0000000003490000-0x0000000003E5B000-memory.dmp

Filesize
9.8MB

Download
memory/2008-230-0x0000000003490000-0x0000000003E5B000-memory.dmp

Filesize
9.8MB

Download
memory/2160-191-0x000000006BAF0000-0x000000006C09B000-memory.dmp

Filesize
5.7MB

Download
memory/2160-190-0x0000000002686000-0x0000000002697000-memory.dmp

Filesize
68KB

Download
memory/2160-189-0x000000006BAF0000-0x000000006C09B000-memory.dmp

Filesize
5.7MB

Download
memory/2160-193-0x000000006BAF0000-0x000000006C09B000-memory.dmp

Filesize
5.7MB

Download
memory/2160-192-0x0000000002686000-0x0000000002697000-memory.dmp

Filesize
68KB

Download
memory/2228-235-0x000007FEF3790000-0x000007FEF41B3000-memory.dmp

Filesize
10.1MB

Download
memory/2228-236-0x000007FEEE620000-0x000007FEEF6B6000-memory.dmp

Filesize
16.6MB

Download
memory/2252-221-0x0000000000B26000-0x0000000000B45000-memory.dmp

Filesize
124KB

Download
memory/2252-213-0x000007FEF3790000-0x000007FEF41B3000-memory.dmp

Filesize
10.1MB

Download
memory/2252-214-0x000007FEEE620000-0x000007FEEF6B6000-memory.dmp

Filesize
16.6MB

Download
memory/2252-219-0x0000000000B26000-0x0000000000B45000-memory.dmp

Filesize
124KB

Download
memory/2344-208-0x00000000004C6000-0x00000000004E5000-memory.dmp

Filesize
124KB

Download
memory/2344-232-0x00000000004C6000-0x00000000004E5000-memory.dmp

Filesize
124KB

Download
memory/2344-210-0x00000000004C6000-0x00000000004E5000-memory.dmp

Filesize
124KB

Download
memory/2344-206-0x000007FEEE620000-0x000007FEEF6B6000-memory.dmp

Filesize
16.6MB

Download
memory/2344-205-0x000007FEF3790000-0x000007FEF41B3000-memory.dmp

Filesize
10.1MB

Download
memory/2412-201-0x000007FEF3790000-0x000007FEF41B3000-memory.dmp

Filesize
10.1MB

Download
memory/2412-212-0x0000000000566000-0x0000000000585000-memory.dmp

Filesize
124KB

Download
memory/2412-209-0x0000000000566000-0x0000000000585000-memory.dmp

Filesize
124KB

Download
memory/2412-207-0x0000000000566000-0x0000000000585000-memory.dmp

Filesize
124KB

Download
memory/2412-202-0x000007FEEE620000-0x000007FEEF6B6000-memory.dmp

Filesize
16.6MB

Download
memory/2488-90-0x0000000072C81000-0x0000000072C83000-memory.dmp

Filesize
8KB

Download
memory/2564-127-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/2564-115-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/2564-117-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/2564-121-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/2564-129-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/2564-130-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/2564-131-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/2564-132-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/2564-133-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/2564-140-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/2564-141-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/2592-135-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/2592-125-0x0000000001240000-0x000000000185A000-memory.dmp

Filesize
6.1MB

Download
memory/2592-128-0x0000000000B90000-0x0000000000C4A000-memory.dmp

Filesize
744KB

Download
memory/2592-142-0x00000000050B5000-0x00000000050C6000-memory.dmp

Filesize
68KB

Download
memory/2592-138-0x00000000050B5000-0x00000000050C6000-memory.dmp

Filesize
68KB

Download
memory/2592-136-0x0000000005820000-0x0000000005904000-memory.dmp

Filesize
912KB

Download
memory/2592-185-0x00000000050B5000-0x00000000050C6000-memory.dmp

Filesize
68KB

Download
memory/2648-252-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2648-255-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2648-254-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2648-248-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2648-247-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2648-251-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2676-114-0x00000000012B0000-0x0000000001C7B000-memory.dmp

Filesize
9.8MB

Download
memory/2676-139-0x00000000012B0000-0x0000000001C7B000-memory.dmp

Filesize
9.8MB

Download
memory/2724-184-0x0000000002B30000-0x0000000002BB4000-memory.dmp

Filesize
528KB

Download
memory/2872-146-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2872-144-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2872-145-0x0000000003640000-0x000000000400B000-memory.dmp

Filesize
9.8MB

Download
memory/2928-159-0x000000006BAF0000-0x000000006C09B000-memory.dmp

Filesize
5.7MB

Download
memory/2928-162-0x000000006BAF0000-0x000000006C09B000-memory.dmp

Filesize
5.7MB

Download
memory/2956-169-0x000000006BAF0000-0x000000006C09B000-memory.dmp

Filesize
5.7MB

Download
memory/2956-168-0x000000006BAF0000-0x000000006C09B000-memory.dmp

Filesize
5.7MB

Download
memory/3040-171-0x0000000005BE5000-0x0000000005BF6000-memory.dmp

Filesize
68KB

Download
memory/3040-149-0x0000000001330000-0x000000000218A000-memory.dmp

Filesize
14.4MB

Download
memory/3040-154-0x0000000005BE5000-0x0000000005BF6000-memory.dmp

Filesize
68KB

Download
memory/3040-152-0x0000000000710000-0x0000000000726000-memory.dmp

Filesize
88KB

Download
memory/3040-156-0x0000000006170000-0x00000000061C2000-memory.dmp

Filesize
328KB

Download
memory/3040-155-0x0000000005BE5000-0x0000000005BF6000-memory.dmp

Filesize
68KB

Download
memory/3040-151-0x0000000000A60000-0x0000000000A9E000-memory.dmp

Filesize
248KB

Download
memory/3040-153-0x000000000AA70000-0x000000000AF64000-memory.dmp

Filesize
5.0MB

Download