nanocore | hxxps://www[.]mediafire[.]com/download/0s20ba0bp6fwcrd/atuamm+%284%29[.]rar

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2024 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/download/0s20ba0bp6fwcrd/atuamm+%284%29.rar

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Executes dropped EXE 5 IoCs

Processes:

rc7.exeCrack 1.exe2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE

pid	process
5848	rc7.exe
6124	Crack 1.exe
668	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
2064	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
4552	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE

Loads dropped DLL 2 IoCs

Processes:

2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE

pid process

4552 2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
4552 2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE

pid	process
4552	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
4552	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Crack 1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Monitor = "C:\\Program Files (x86)\\DDP Monitor\\ddpmon.exe"	Crack 1.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Crack 1.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Crack 1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Crack 1.exe

Drops file in System32 directory 43 IoCs

Processes:

2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\comdlg32.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\ws2_32.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\shfolder.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\msvcp_win.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\explorerframe.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\profapi.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\user32.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\msvcrt.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\SHLWAPI.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\apphelp.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\ucrtbase.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\bcryptPrimitives.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\MSCTF.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\shcore.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\opengl32.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\uxtheme.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.DLL	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\oleaut32.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\combase.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\RPCRT4.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\GDI32.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\clbcatq.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\shell32.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\imm32.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\windows.storage.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\Wldp.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\psapi.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\KERNELBASE.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\gdi32full.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\imagehlp.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\wsock32.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\msimg32.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\version.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\wininet.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\hhctrl.ocx	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\ntdll.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\win32u.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\ole32.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\advapi32.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\sechost.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\GLU32.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\kernel.appcore.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
File opened for modification	C:\Windows\SysWOW64\PROPSYS.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE

Drops file in Program Files directory 2 IoCs

Processes:

Crack 1.exe

description	ioc	process
File created	C:\Program Files (x86)\DDP Monitor\ddpmon.exe	Crack 1.exe
File opened for modification	C:\Program Files (x86)\DDP Monitor\ddpmon.exe	Crack 1.exe

Drops file in Windows directory 1 IoCs

Processes:

2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE

description	ioc	process
File opened for modification	C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\comctl32.dll	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4052 schtasks.exe
1588 schtasks.exe

pid	process
4052	schtasks.exe
1588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

7zFM.exeCrack 1.exe2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE

pid	process
5220	7zFM.exe
5220	7zFM.exe
6124	Crack 1.exe
6124	Crack 1.exe
6124	Crack 1.exe
6124	Crack 1.exe
6124	Crack 1.exe
6124	Crack 1.exe
6124	Crack 1.exe
6124	Crack 1.exe
6124	Crack 1.exe
6124	Crack 1.exe
6124	Crack 1.exe
6124	Crack 1.exe
4552	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
4552	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
5220	7zFM.exe
5220	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exeCrack 1.exe

pid process

5220 7zFM.exe
6124 Crack 1.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

7zFM.exeCrack 1.exe2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE

description	pid	process
Token: SeRestorePrivilege	5220	7zFM.exe
Token: 35	5220	7zFM.exe
Token: SeSecurityPrivilege	5220	7zFM.exe
Token: SeSecurityPrivilege	5220	7zFM.exe
Token: SeDebugPrivilege	6124	Crack 1.exe
Token: SeSecurityPrivilege	5220	7zFM.exe
Token: SeDebugPrivilege	4552	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
Token: SeTcbPrivilege	4552	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
Token: SeTcbPrivilege	4552	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
Token: SeLoadDriverPrivilege	4552	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
Token: SeCreateGlobalPrivilege	4552	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
Token: 33	4552	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
Token: SeSecurityPrivilege	4552	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
Token: SeTakeOwnershipPrivilege	4552	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
Token: SeManageVolumePrivilege	4552	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
Token: SeBackupPrivilege	4552	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
Token: SeCreatePagefilePrivilege	4552	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
Token: SeShutdownPrivilege	4552	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
Token: SeRestorePrivilege	4552	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
Token: 33	4552	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
Token: SeIncBasePriorityPrivilege	4552	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

7zFM.exe2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE

pid process

5220 7zFM.exe
5220 7zFM.exe
5220 7zFM.exe
5220 7zFM.exe
4552 2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

7zFM.exeCrack 1.exe2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE

description	pid	process	target process
PID 5220 wrote to memory of 5848	5220	7zFM.exe	rc7.exe
PID 5220 wrote to memory of 5848	5220	7zFM.exe	rc7.exe
PID 5220 wrote to memory of 5848	5220	7zFM.exe	rc7.exe
PID 5220 wrote to memory of 6124	5220	7zFM.exe	Crack 1.exe
PID 5220 wrote to memory of 6124	5220	7zFM.exe	Crack 1.exe
PID 5220 wrote to memory of 6124	5220	7zFM.exe	Crack 1.exe
PID 6124 wrote to memory of 4052	6124	Crack 1.exe	schtasks.exe
PID 6124 wrote to memory of 4052	6124	Crack 1.exe	schtasks.exe
PID 6124 wrote to memory of 4052	6124	Crack 1.exe	schtasks.exe
PID 6124 wrote to memory of 1588	6124	Crack 1.exe	schtasks.exe
PID 6124 wrote to memory of 1588	6124	Crack 1.exe	schtasks.exe
PID 6124 wrote to memory of 1588	6124	Crack 1.exe	schtasks.exe
PID 5220 wrote to memory of 668	5220	7zFM.exe	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
PID 5220 wrote to memory of 668	5220	7zFM.exe	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
PID 5220 wrote to memory of 668	5220	7zFM.exe	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
PID 668 wrote to memory of 2064	668	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
PID 668 wrote to memory of 2064	668	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
PID 668 wrote to memory of 2064	668	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
PID 2064 wrote to memory of 4552	2064	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
PID 2064 wrote to memory of 4552	2064	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
PID 2064 wrote to memory of 4552	2064	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE	2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/download/0s20ba0bp6fwcrd/atuamm+%284%29.rar
1⤵
PID:3532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5644 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5844 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5404 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8
1⤵
PID:3392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5916 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:4524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5936 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8
1⤵
PID:3000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5496 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:3196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=2868 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=4844 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=6456 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8
1⤵
PID:916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5872 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8
1⤵
PID:2304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=5400 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:3740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=5364 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:3636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=6480 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:4180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=6696 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:3084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=5168 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --mojo-platform-channel-handle=6948 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --mojo-platform-channel-handle=7088 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:4192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=7220 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --mojo-platform-channel-handle=7356 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --mojo-platform-channel-handle=7488 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --mojo-platform-channel-handle=7548 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:2332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --mojo-platform-channel-handle=7556 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:1328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --mojo-platform-channel-handle=8432 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:5420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --mojo-platform-channel-handle=8612 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:5556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --mojo-platform-channel-handle=8848 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:5816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --mojo-platform-channel-handle=8988 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:5824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --mojo-platform-channel-handle=9248 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:5920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --mojo-platform-channel-handle=9088 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:5976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --mojo-platform-channel-handle=9532 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:5984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --mojo-platform-channel-handle=9684 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:6096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --mojo-platform-channel-handle=9864 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:5236

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4132 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8
1⤵
PID:896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=9556 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8
1⤵
PID:5492

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4132 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8
1⤵
PID:5636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=9288 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8
1⤵
PID:5680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=9100 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8
1⤵
PID:5916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=8920 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8
1⤵
PID:6104

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\atuamm (4).rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5220

C:\Users\Admin\AppData\Local\Temp\7zO4647B318\rc7.exe
"C:\Users\Admin\AppData\Local\Temp\7zO4647B318\rc7.exe"
2⤵
- Executes dropped EXE
PID:5848

C:\Users\Admin\AppData\Local\Temp\7zO464C2008\Crack 1.exe
"C:\Users\Admin\AppData\Local\Temp\7zO464C2008\Crack 1.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6124

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6B77.tmp"
3⤵
- Creates scheduled task(s)
PID:4052

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6CB0.tmp"
3⤵
- Creates scheduled task(s)
PID:1588

C:\Users\Admin\AppData\Local\Temp\7zO46463A28\2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
"C:\Users\Admin\AppData\Local\Temp\7zO46463A28\2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:668

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET774E.tmp\2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
"C:\Users\Admin\AppData\Local\Temp\cetrainers\CET774E.tmp\2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\7zO46463A28\"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET774E.tmp\extracted\2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
"C:\Users\Admin\AppData\Local\Temp\cetrainers\CET774E.tmp\extracted\2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE" "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET774E.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\7zO46463A28\"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --mojo-platform-channel-handle=8904 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:5608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --mojo-platform-channel-handle=4156 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:2572

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO46463A28\2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
Filesize
3.9MB

MD5
ea3726dec12657f20ad2c861464dd434

SHA1
36eb78d12e0c211ca72de08a2267a1a82e6a0dc5

SHA256
1f44175232113cf3f570e863f8e9e0db15b1d30364498c93cdeccf0d768f3cfe

SHA512
85399babecf1b3a96b2a500d19776547d43c282995d77dbf2c2586f6055da498667872fd1f5790c74b62a23e7efb56494f51d0990434ef75e64fe01f77230c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4647B318\rc7.exe
Filesize
3.5MB

MD5
f0a4c5f4e4edfc4cbc9f4a7b44213d5c

SHA1
32243e1662a9c981e57caeb0a34f947b635a24dd

SHA256
062ea895cfe9043208806ec7a1d61f43058c6cf00c9b7dd1d6ca0ae710eb47ef

SHA512
cfe37c8f76dece3ce479aed4fead2aee21d55a53fe92a58ce1c4d4783654ae09d43db22320ec59face94f19a664ded4a66979ca12f18bf8848db6f995fe015ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO464C2008\Crack 1.exe
Filesize
203KB

MD5
fab0fd8badc89eb728d3b2e25ec1ed62

SHA1
f98bb0418c89a02bc6448978b550bea467d20606

SHA256
d14aa767cb2918c470812bc2590b59111df563f5a7c0d896e26095ce9578446f

SHA512
44edb10668de054fe0de75f8f6a7f5ab6e93b376671f59d4fb5ba7eb4a311e13b09fe4fcb8109c3ad007b5e134c8751cb5effed7ead561b5b636df99028648ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET774E.tmp\2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
Filesize
193KB

MD5
6852660b8cbb67ee3f1e31bf2f1e0afd

SHA1
c1b790e062f3a13d3e2f90c58e92ded585abbe3b

SHA256
cd86234cf14dfc0e66ae9e575326fd0cf74723a5a60337f7079c0540b6da5c8b

SHA512
5722ebf6bef799721464094c6d6a81931bf8f78bdd1fbe12b153cf7b0e4e9e7307fa7a01e0cc16ce885c20c3a0a3cc95d6a7d86413f0c61cca3450fa565dd6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET774E.tmp\CET_Archive.dat
Filesize
3.7MB

MD5
fcfcc486e4c100f20d99df8f71f63d2e

SHA1
390702a8db8af3cc3a608747e28aeb350af50ad7

SHA256
e8608c6bd3e575965e1a4cceba36fc6be4e9be86d479fc8ce4aa2a3f97611acc

SHA512
090de36e6c28783bc58b89a671ecf78d63cb5c5918d30f81312270c5a1fc7977d23990319ca57b7a2bd57910dfac12783765388515aed0a7a9f205e5d0ee9564

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET774E.tmp\extracted\2 Minute Memcheck Bypass Made By Mortalkombatman2 And Alusion.EXE
Filesize
7.6MB

MD5
6302f6714dc29921a6bf886fcd4d8a6c

SHA1
df012bad4ef9b4e2a2554891ced21632a699deb5

SHA256
cfd5367ffbf2211e819423ba186e5e35389eb84597bd610fba7653e19d945b13

SHA512
5247a4e7f5f04a83d0c3e36215feaec7b0db409503437b1daf069f2ba5d7cd04ca715fd0796fbbe3b52b4440f50a7f8e73ce6d8e1e812013cf293fa9b5bb3078

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET774E.tmp\extracted\CET_TRAINER.CETRAINER
Filesize
823B

MD5
0770967b7c5f87672aa6d81b0e18108d

SHA1
d0d391759180ca631ccbfdb029fe4e4466549a81

SHA256
01edf510a69848e82eb6ab0cb3488d81fc529cde186f7d928a1fb3c9a359fe0c

SHA512
2a2afe48dc47d65d125dedf6384d655731bfa857f70b88f07e8e4deda327362b6c9ae787986c89fe1756b92bdeee642475d74bc7c7bfe42d94215daac3424ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET774E.tmp\extracted\defines.lua
Filesize
5KB

MD5
1dc41a0a351e745085fcc98a3933d91f

SHA1
bf1e7d333e6d7b3d4bfe5cdcada19af1931dbe15

SHA256
a2e02dd32f0245ff31190288b368b3efbbe7c48a95dd22c321231c2f46597d9b

SHA512
76f171411d028e72613859332f381f8f26e85d1844c143a8888e4937ca72d7b38ffe66ce617eee5e8155ba034dcc559a9417b5def056bb74227b9bae392d1440

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET774E.tmp\extracted\lua53-32.dll
Filesize
491KB

MD5
c8f47a0e750e07d86a47b3296fb59a97

SHA1
1f894c9aa88dd2448e50ab5e7277cd4b4c629c6d

SHA256
dcfd91f21dee9e70179337a85d21b3ca925f1a6c21de9576aa5219732b7c7a86

SHA512
e154a097e8e174a47fea76c96d1c27d93cf9bfbdc47eeef56486cc3d2e661649a1d7da5cfe0ce220ea172f4646ab4eecbd2e1594011d0a8ca1eb416cd84b8b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET774E.tmp\extracted\win32\dbghelp.dll
Filesize
1.2MB

MD5
9139604740814e53298a5e8428ba29d7

SHA1
c7bf8947e9276a311c4807ea4a57b504f95703c9

SHA256
150782fca5e188762a41603e2d5c7aad6b6419926bcadf350ebf84328e50948f

SHA512
0b99259e9c0ee566d55cc53c4a7eabf025ed95973edc80ded594023a33f8273cd5d3f3053993f771f9db8a9d234e988cba73845c19ddc6e629e15a243c54cd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6B77.tmp
Filesize
1KB

MD5
70ad87269e59eced50a09684783a6fc2

SHA1
2ed5124a2a01fe6a4b1299611b4d85dfae7d6e5f

SHA256
1e69207cd1a917df5cf6b5a657ffe2b31165bdf158b65e6afd5e70f64d944463

SHA512
649494aa796ccc398e51f41fdbbfc08b362ecf3c68ee7579742601cb1434f33343d390335d429d86834e9f8d5bad9be434f79dc05268e7adbf55a3f7496978ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6CB0.tmp
Filesize
1KB

MD5
2db700bd58966294a18b181535d57b7c

SHA1
3693d2a9da766af84c8bf0a7e53071f356ea5ac5

SHA256
6c96706f92685f44eebb1b28814c3a2b3a62d364ff28ecb6e94438dd73d3be89

SHA512
debaede4771770ad2964f6806b5d08c9ec7af93fedb0f96b9f8054805ce9bbe8b30977a6a0d0fe7333da7003601fa11a25ae97a79f24d0d5f171e91513a55125

Download Submit
memory/6124-22-0x0000000001050000-0x0000000001060000-memory.dmp

Filesize
64KB

Download
memory/6124-20-0x0000000001050000-0x0000000001060000-memory.dmp

Filesize
64KB

Download
memory/6124-19-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/6124-18-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/6124-58-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/6124-59-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/6124-60-0x0000000001050000-0x0000000001060000-memory.dmp

Filesize
64KB

Download