azorult | b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033

Analysis

max time kernel
153s
max time network
191s
platform
windows7_x64
resource
win7-20220414-en
submitted
01-07-2022 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
Size

1.6MB
MD5

e6f466381d62de836b5a8cf53cf571bb
SHA1

28f597812740bd57e12ec472f0f6c3ae12b46103
SHA256

b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033
SHA512

0d507cfecc591935b548c1ffc04750f65c1dc8669ec7e0190c0b580a35ecfb9be7ab150f5353dcf1fe8267bce2a16610c70165aadd32895788c8c7ded953562c

Score

10^/10

azorult formbook nanocore pony dt discovery evasion infostealer keylogger rat spyware stealer suricata trojan upx

Malware Config

Extracted

Family

azorult

https://www.interactiveresumebuilder.com/admin/images/icons/FTP/index.php

Extracted

Family

nanocore

Version

1.2.2.0

blackhill.ddns.net:54984

185.125.205.75:54984

Mutex

c7192853-3ef1-495d-8d9e-aa7345c98e7f

Attributes

activate_away_mode
true
backup_connection_host
185.125.205.75
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-07-28T15:08:16.000917836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Lord
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
c7192853-3ef1-495d-8d9e-aa7345c98e7f
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
blackhill.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

pony

https://www.interactiveresumebuilder.com/admin/processImage/image/Panel/gate.php

Extracted

Family

formbook

Version

3.9

Campaign

Decoy

adelparis.com

maheandco.com

workersoflight.net

lacrosseparts.com

cuzcu.info

respectchoice.net

dietdreambiz.com

lrmduxiufs.biz

kdnbooks.com

gkg8.com

niun.ltd

91socang.com

thaimedicalweed.com

memechapin.com

jennifersclark.com

americanwornjeans.com

cheok.group

theloans.store

ashlyanderson.net

sportsbettingbigdata.com

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
suricata: ET MALWARE AZORult Variant.4 Checkin M2
suricata: ET MALWARE AZORult Variant.4 Checkin M2
suricata
suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M6
suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M6
suricata

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1092-150-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/1092-151-0x000000000041B600-mapping.dmp	formbook

Executes dropped EXE 8 IoCs

Processes:

b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exerundll.exeb67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exeb67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033mgr.exeb67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exeb67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exeb67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exenetwork.exe.exe

pid	process
1816	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
1376	rundll.exe
1524	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
772	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033mgr.exe
620	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
1908	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
1092	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
1144	network.exe.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/772-111-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/772-118-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1908-135-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1908-137-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1908-138-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1908-143-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1908-142-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1908-145-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1908-157-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe

pid process

620 b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe

pid	process
620	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe

Loads dropped DLL 11 IoCs

Processes:

b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exeb67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exeb67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exeb67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033mgr.exe

pid	process
860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
1816	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
1816	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
1524	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
1524	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
772	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033mgr.exe
772	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033mgr.exe
860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe

description	pid	process	target process
PID 860 set thread context of 1816	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 set thread context of 1524	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 set thread context of 620	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 set thread context of 1908	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 set thread context of 1092	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1748 772 WerFault.exe b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033mgr.exe

pid	pid_target	process	target process
1748	772	WerFault.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033mgr.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe

NTFS ADS 2 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

Processes:

rundll.exeb67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exeb67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe

pid	process
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
620	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
620	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
620	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1092	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe
1376	rundll.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe

pid process

860 b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
Token: SeDebugPrivilege	1376	rundll.exe
Token: SeDebugPrivilege	620	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
Token: SeImpersonatePrivilege	1908	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
Token: SeTcbPrivilege	1908	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
Token: SeChangeNotifyPrivilege	1908	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
Token: SeCreateTokenPrivilege	1908	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
Token: SeBackupPrivilege	1908	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
Token: SeRestorePrivilege	1908	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
Token: SeIncreaseQuotaPrivilege	1908	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
Token: SeAssignPrimaryTokenPrivilege	1908	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
"C:\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe:Zone.Identifier"
2⤵
- NTFS ADS
PID:2040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe:Zone.Identifier"
2⤵
- NTFS ADS
PID:1700

C:\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
"C:\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\rundll.exe
C:\Users\Admin\AppData\Local\Temp\rundll.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
"C:\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033mgr.exe
C:\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033mgr.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 180
4⤵
- Program crash
PID:1748

C:\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
"C:\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe"
2⤵
- Executes dropped EXE
- Deletes itself
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
"C:\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
"C:\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\Temp\network.exe.exe"
2⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\network.exe.exe
"C:\Users\Admin\AppData\Local\Temp\network.exe.exe"
3⤵
- Executes dropped EXE
PID:1144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
Filesize
1.6MB

MD5
e6f466381d62de836b5a8cf53cf571bb

SHA1
28f597812740bd57e12ec472f0f6c3ae12b46103

SHA256
b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033

SHA512
0d507cfecc591935b548c1ffc04750f65c1dc8669ec7e0190c0b580a35ecfb9be7ab150f5353dcf1fe8267bce2a16610c70165aadd32895788c8c7ded953562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
Filesize
1.6MB

MD5
e6f466381d62de836b5a8cf53cf571bb

SHA1
28f597812740bd57e12ec472f0f6c3ae12b46103

SHA256
b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033

SHA512
0d507cfecc591935b548c1ffc04750f65c1dc8669ec7e0190c0b580a35ecfb9be7ab150f5353dcf1fe8267bce2a16610c70165aadd32895788c8c7ded953562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
Filesize
1.6MB

MD5
e6f466381d62de836b5a8cf53cf571bb

SHA1
28f597812740bd57e12ec472f0f6c3ae12b46103

SHA256
b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033

SHA512
0d507cfecc591935b548c1ffc04750f65c1dc8669ec7e0190c0b580a35ecfb9be7ab150f5353dcf1fe8267bce2a16610c70165aadd32895788c8c7ded953562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
Filesize
1.6MB

MD5
e6f466381d62de836b5a8cf53cf571bb

SHA1
28f597812740bd57e12ec472f0f6c3ae12b46103

SHA256
b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033

SHA512
0d507cfecc591935b548c1ffc04750f65c1dc8669ec7e0190c0b580a35ecfb9be7ab150f5353dcf1fe8267bce2a16610c70165aadd32895788c8c7ded953562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
Filesize
1.6MB

MD5
e6f466381d62de836b5a8cf53cf571bb

SHA1
28f597812740bd57e12ec472f0f6c3ae12b46103

SHA256
b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033

SHA512
0d507cfecc591935b548c1ffc04750f65c1dc8669ec7e0190c0b580a35ecfb9be7ab150f5353dcf1fe8267bce2a16610c70165aadd32895788c8c7ded953562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033mgr.exe
Filesize
106KB

MD5
fe36fb1073e6f8fa14d7250501a29aaf

SHA1
6c7e01278362797dabcff3e666b68227cb9af10f

SHA256
f34e5af97ccb3574f7d5343246138daf979bfd1f9c37590e9a41f6420ddb3bb6

SHA512
8584c008c5780352f634c37b7f46543a26280b57577b675f6e72185bfc1d95f771d210d799d704eceaba509ebfd2796fb43829495d5b2a568c741ad2d44f882f

Download Submit
C:\Users\Admin\AppData\Local\Temp\network.exe.exe
Filesize
1.6MB

MD5
e6f466381d62de836b5a8cf53cf571bb

SHA1
28f597812740bd57e12ec472f0f6c3ae12b46103

SHA256
b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033

SHA512
0d507cfecc591935b548c1ffc04750f65c1dc8669ec7e0190c0b580a35ecfb9be7ab150f5353dcf1fe8267bce2a16610c70165aadd32895788c8c7ded953562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll.exe
Filesize
8KB

MD5
3b43488997e498313ddf322481621b2b

SHA1
ca9329e3129fe83fe0b084b91a6016a16edcb9c0

SHA256
3a5bf0b0c1650b75a6cc29186456666bee4be6cb0573377bb8e1af777eed169c

SHA512
4931eb21aa376d6b0728f75ee97020d0ec14d1aec5773e29fa61a7a087ecc1e960837a39a5563d789e680d0c94389f383d35d7c074df133c2aa964c0d514f8ec

Download Submit
\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
Filesize
1.6MB

MD5
e6f466381d62de836b5a8cf53cf571bb

SHA1
28f597812740bd57e12ec472f0f6c3ae12b46103

SHA256
b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033

SHA512
0d507cfecc591935b548c1ffc04750f65c1dc8669ec7e0190c0b580a35ecfb9be7ab150f5353dcf1fe8267bce2a16610c70165aadd32895788c8c7ded953562c

Download Submit
\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
Filesize
1.6MB

MD5
e6f466381d62de836b5a8cf53cf571bb

SHA1
28f597812740bd57e12ec472f0f6c3ae12b46103

SHA256
b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033

SHA512
0d507cfecc591935b548c1ffc04750f65c1dc8669ec7e0190c0b580a35ecfb9be7ab150f5353dcf1fe8267bce2a16610c70165aadd32895788c8c7ded953562c

Download Submit
\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
Filesize
1.6MB

MD5
e6f466381d62de836b5a8cf53cf571bb

SHA1
28f597812740bd57e12ec472f0f6c3ae12b46103

SHA256
b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033

SHA512
0d507cfecc591935b548c1ffc04750f65c1dc8669ec7e0190c0b580a35ecfb9be7ab150f5353dcf1fe8267bce2a16610c70165aadd32895788c8c7ded953562c

Download Submit
\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
Filesize
1.6MB

MD5
e6f466381d62de836b5a8cf53cf571bb

SHA1
28f597812740bd57e12ec472f0f6c3ae12b46103

SHA256
b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033

SHA512
0d507cfecc591935b548c1ffc04750f65c1dc8669ec7e0190c0b580a35ecfb9be7ab150f5353dcf1fe8267bce2a16610c70165aadd32895788c8c7ded953562c

Download Submit
\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
Filesize
1.6MB

MD5
e6f466381d62de836b5a8cf53cf571bb

SHA1
28f597812740bd57e12ec472f0f6c3ae12b46103

SHA256
b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033

SHA512
0d507cfecc591935b548c1ffc04750f65c1dc8669ec7e0190c0b580a35ecfb9be7ab150f5353dcf1fe8267bce2a16610c70165aadd32895788c8c7ded953562c

Download Submit
\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033mgr.exe
Filesize
106KB

MD5
fe36fb1073e6f8fa14d7250501a29aaf

SHA1
6c7e01278362797dabcff3e666b68227cb9af10f

SHA256
f34e5af97ccb3574f7d5343246138daf979bfd1f9c37590e9a41f6420ddb3bb6

SHA512
8584c008c5780352f634c37b7f46543a26280b57577b675f6e72185bfc1d95f771d210d799d704eceaba509ebfd2796fb43829495d5b2a568c741ad2d44f882f

Download Submit
\Users\Admin\AppData\Local\Temp\b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033mgr.exe
Filesize
106KB

MD5
fe36fb1073e6f8fa14d7250501a29aaf

SHA1
6c7e01278362797dabcff3e666b68227cb9af10f

SHA256
f34e5af97ccb3574f7d5343246138daf979bfd1f9c37590e9a41f6420ddb3bb6

SHA512
8584c008c5780352f634c37b7f46543a26280b57577b675f6e72185bfc1d95f771d210d799d704eceaba509ebfd2796fb43829495d5b2a568c741ad2d44f882f

Download Submit
\Users\Admin\AppData\Local\Temp\rundll.exe
Filesize
8KB

MD5
3b43488997e498313ddf322481621b2b

SHA1
ca9329e3129fe83fe0b084b91a6016a16edcb9c0

SHA256
3a5bf0b0c1650b75a6cc29186456666bee4be6cb0573377bb8e1af777eed169c

SHA512
4931eb21aa376d6b0728f75ee97020d0ec14d1aec5773e29fa61a7a087ecc1e960837a39a5563d789e680d0c94389f383d35d7c074df133c2aa964c0d514f8ec

Download Submit
\Users\Admin\AppData\Local\Temp\rundll.exe
Filesize
8KB

MD5
3b43488997e498313ddf322481621b2b

SHA1
ca9329e3129fe83fe0b084b91a6016a16edcb9c0

SHA256
3a5bf0b0c1650b75a6cc29186456666bee4be6cb0573377bb8e1af777eed169c

SHA512
4931eb21aa376d6b0728f75ee97020d0ec14d1aec5773e29fa61a7a087ecc1e960837a39a5563d789e680d0c94389f383d35d7c074df133c2aa964c0d514f8ec

Download Submit
\Users\Admin\AppData\Local\Temp\~TM23D7.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\~TM284A.tmp
Filesize
1.1MB

MD5
9b98d47916ead4f69ef51b56b0c2323c

SHA1
290a80b4ded0efc0fd00816f373fcea81a521330

SHA256
96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

SHA512
68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

Download Submit
memory/620-122-0x000000000041E792-mapping.dmp

Download
memory/620-130-0x00000000005A0000-0x00000000005BE000-memory.dmp

Filesize
120KB

Download
memory/620-127-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/620-125-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/620-105-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/620-112-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/620-106-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/620-129-0x0000000000580000-0x000000000058A000-memory.dmp

Filesize
40KB

Download
memory/620-119-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/620-131-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download
memory/620-121-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/772-115-0x00000000770B0000-0x0000000077230000-memory.dmp

Filesize
1.5MB

Download
memory/772-114-0x00000000770B0000-0x0000000077230000-memory.dmp

Filesize
1.5MB

Download
memory/772-113-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/772-117-0x00000000770B0000-0x0000000077230000-memory.dmp

Filesize
1.5MB

Download
memory/772-118-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/772-100-0x0000000000000000-mapping.dmp

Download
memory/772-111-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/860-60-0x0000000004540000-0x000000000454C000-memory.dmp

Filesize
48KB

Download
memory/860-55-0x0000000000560000-0x000000000058A000-memory.dmp

Filesize
168KB

Download
memory/860-56-0x0000000075541000-0x0000000075543000-memory.dmp

Filesize
8KB

Download
memory/860-58-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download
memory/860-61-0x0000000004560000-0x000000000456C000-memory.dmp

Filesize
48KB

Download
memory/860-54-0x0000000000BC0000-0x0000000000D56000-memory.dmp

Filesize
1.6MB

Download
memory/1060-153-0x0000000000000000-mapping.dmp

Download
memory/1092-156-0x0000000000800000-0x0000000000B03000-memory.dmp

Filesize
3.0MB

Download
memory/1092-147-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1092-151-0x000000000041B600-mapping.dmp

Download
memory/1092-150-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1092-148-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1144-154-0x0000000000000000-mapping.dmp

Download
memory/1376-80-0x0000000000000000-mapping.dmp

Download
memory/1524-102-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1524-133-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1524-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1524-94-0x0000000000420000-mapping.dmp

Download
memory/1524-93-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1524-91-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1524-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1524-88-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1524-87-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1524-85-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1524-84-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1700-59-0x0000000000000000-mapping.dmp

Download
memory/1816-72-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1816-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1816-74-0x000000000040C194-mapping.dmp

Download
memory/1816-77-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1816-82-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1816-63-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1816-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1816-71-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1816-66-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1816-73-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1816-67-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1816-69-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1816-70-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1816-103-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1908-137-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1908-145-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1908-142-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1908-143-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1908-139-0x000000000041AF70-mapping.dmp

Download
memory/1908-138-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1908-135-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1908-134-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1908-157-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2040-57-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 860 wrote to memory of 2040	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	cmd.exe
PID 860 wrote to memory of 2040	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	cmd.exe
PID 860 wrote to memory of 2040	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	cmd.exe
PID 860 wrote to memory of 2040	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	cmd.exe
PID 860 wrote to memory of 1700	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	cmd.exe
PID 860 wrote to memory of 1700	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	cmd.exe
PID 860 wrote to memory of 1700	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	cmd.exe
PID 860 wrote to memory of 1700	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	cmd.exe
PID 860 wrote to memory of 1816	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1816	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1816	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1816	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1816	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1816	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1816	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1816	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1816	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1816	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1816	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1816	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1816	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 1816 wrote to memory of 1376	1816	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	rundll.exe
PID 1816 wrote to memory of 1376	1816	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	rundll.exe
PID 1816 wrote to memory of 1376	1816	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	rundll.exe
PID 1816 wrote to memory of 1376	1816	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	rundll.exe
PID 860 wrote to memory of 1524	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1524	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1524	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1524	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1524	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1524	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1524	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1524	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1524	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1524	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1524	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 1524 wrote to memory of 772	1524	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033mgr.exe
PID 1524 wrote to memory of 772	1524	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033mgr.exe
PID 1524 wrote to memory of 772	1524	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033mgr.exe
PID 1524 wrote to memory of 772	1524	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033mgr.exe
PID 860 wrote to memory of 620	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 620	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 620	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 620	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 620	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 620	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 620	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 620	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 620	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1908	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1908	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1908	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1908	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1908	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1908	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1908	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1908	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1092	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1092	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1092	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1092	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1092	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1092	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe
PID 860 wrote to memory of 1092	860	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe	b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033.exe